Today, We are going to pwn Symfonos 1 by Zayotic from Vulnhub
Beginner real life based machine designed to teach a interesting way of obtaining a low priv shell. SHOULD work for both VMware and Virtualbox. Name: symfonos: 1 Difficulty: Beginner Tested: VMware Workstation 15 Pro & VirtualBox 6.0 DHCP Enabled Note: You may need to update your host file for symfonos.local
Download Link : https://www.vulnhub.com/entry/symfonos-1,322/
Lets Begin with our Initial Scan
Nmap Scan Results:
PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0) | ssh-hostkey: | 2048 ab:5b:45:a7:05:47:a5:04:45:ca:6f:18:bd:18:03:c2 (RSA) | 256 a0:5f:40:0a:0a:1f:68:35:3e:f4:54:07:61:9f:c6:4a (ECDSA) |_ 256 bc:31:f5:40:bc:08:58:4b:fb:66:17:ff:84:12:ac:1d (ED25519) 25/tcp open smtp Postfix smtpd |_smtp-commands: symfonos.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, | ssl-cert: Subject: commonName=symfonos | Subject Alternative Name: DNS:symfonos | Not valid before: 2019-06-29T00:29:42 |_Not valid after: 2029-06-26T00:29:42 |_ssl-date: TLS randomness does not represent time 80/tcp open http Apache httpd 2.4.25 ((Debian)) |_http-server-header: Apache/2.4.25 (Debian) |_http-title: Site doesn't have a title (text/html). 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 445/tcp open netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP) MAC Address: 08:00:27:42:7C:AD (Oracle VirtualBox virtual NIC) Device type: general purpose Running: Linux 3.X|4.X OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 OS details: Linux 3.2 - 4.9 Network Distance: 1 hop Service Info: Hosts: symfonos.localdomain, SYMFONOS; OS: Linux; CPE: cpe:/o:linux:linux_kernel Host script results: |_clock-skew: mean: 2h00m23s, deviation: 3h27m50s, median: 23s |_nbstat: NetBIOS name: SYMFONOS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown) | smb-os-discovery: | OS: Windows 6.1 (Samba 4.5.16-Debian) | Computer name: symfonos | NetBIOS computer name: SYMFONOS\x00 | Domain name: \x00 | FQDN: symfonos |_ System time: 2020-03-08T00:09:12-06:00 | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2020-03-08T06:09:12 |_ start_date: N/A
I started with
SMB we can use
smbmap to see is there any files available.
smbmap - SMB enumeration tool
-H HOST IP of host
anonymous are there and also
There is a tool called
smbclient which helps to access to the server.
smbclient - ftp-like client to access SMB/CIFS resources on servers
First I tried with
helios I can’t login without password, So next is
anonymous which I get logged in without password.
attention.txt to my machine.
This file contains a warning to the users to not use these password.
I tired again
helios with these 3 passwords.
smbclient //192.168.1.101/helios -U helios
-U, –user=USERNAME Set the network username
I logged in with
qwerty and found 2 files, Downloaded them to my machine.
Helios (also Helius) was the god of the Sun in Greek mythology. He was thought to ride a golden chariot which brought the Sun across the skies each day from the east (Ethiopia) to the west (Hesperides) while at night he did the return journey in leisurely fashion lounging in a golden cup. The god was famously the subject of the Colossus of Rhodes, the giant bronze statue considered one of the Seven Wonders of the Ancient World.
1. Binge watch Dexter 2. Dance 3. Work on /h3l105
todo.txt told us to work on
/h3l105 it may be a directory. So I checked it in the webpage.
So Its a
Wordpress site. We can use
wpscan to enumerate users and plugins.
Found 2 plugins, I searched for any exploits available for them.
wpscan –url http://symfonos.local/h3l105/ –enumerate p
Found this LFI
Now time to change LFI to RCE, we can do it by
Log poisoningso I tried to access
/var/log/apache2/access.log but its not working.
We know port
SMTP is open.
The Simple Mail Transfer Protocol is a communication protocol for electronic mail transmission.
So the user might have a mail and I found SMTP Log poisoning
Found users mail log
By following the article, Payload is injected
Now we can get reverse shell
Uploaded my Enumeration Script to the machine and found a
When I run the file it prints the header of the webpage, and I did
curl is working and its path is not fully defined.
So I checked where is
curl and its is in
So we can create a file to give us shell and placed it in
/tmp and name it as
curl and change the PATH to
This command will make the PATH to search in
Once I execute the
curl checks in
/tmp first and it will make use of our file and give us root.