SYMFONOS: 3.1 Walkthrough


Intermediate real life based machine designed to test your skill at enumeration. If you get stuck remember to try different wordlist, avoid rabbit holes and enumerate everything thoroughly. SHOULD work for both VMware and Virtualbox.


Enumeration

No anonymous login possible and no hints.
Use gobuster to find hidden directories and files.

Here, I missed the -f flag, hence I could not find the directories with a 403 status code.

Found out that it has CGI scripts running.

After some searching on Google, I found a nice blog which explains a vulnerability: Shellshock.

ShellShocked - A quick demo of how easy it is to exploit - Surevine
I just knocked up a simple proof of concept for ShellShocked to prove to myself what a danger it is. Prerequisites…
Shellshock Attack on a remote web server
CGI runs bash as their default request handler and this attack does not require any authentication that’s why most of…

Exploitation

This will give you the reverse shell on port 4444.

We are cerberus.


Privilege Escalation

Being cerberus sucks.

He has permission to use the tcpdump tool by being in the pcap group,

so we need to use this tool for lateral movement.

  • Found nothing critical with the linpeas.sh script

However, there was some indication of loopback communication:

the hades account is logging into FTP with some cron…

Let’s run pspy64

/bin/sh -c /usr/bin/python2.7 /opt/ftpclient/ftpclient.py → Run by root

Let’s use tcpdump to sniff the data.

Using the credentials, we can try to switch to the hades user,

and it is successful.

Let’s run linpeas as user hades:

Seems like there is a reason hades is a god ;)

From the pspy output, we know that root is running /opt/ftpclient/ftpclient.py

Let’s check the code and inject our malicious code into it.

Let’s inject a file called ftplib inside /var/lib/python2.7,
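
This step works because a root cron job imports a module from a location that a non-root account can write to. The audit below is an added example, not code from the original post or from the machine: it walks an import search path in order and reports every directory or module file that would let an untrusted user decide what `import ftplib` loads. The function names, the directory names and the temporary layout are constructed for illustration.

```python
import os
import stat
import tempfile

def risky_import_paths(search_path, module_name, trusted_uids=(0,)):
    """Flag directories and module files that let a non-trusted user
    control what `import module_name` loads for a privileged script."""
    findings = []
    for directory in search_path:
        if not os.path.isdir(directory):
            continue
        module_files = [os.path.join(directory, module_name + ext)
                        for ext in (".py", ".pyc", "")]  # "" = package dir
        for path in [directory] + module_files:
            try:
                st = os.stat(path)
            except OSError:
                continue  # candidate does not exist here
            if st.st_mode & stat.S_IWOTH:
                findings.append((path, "world-writable"))
            elif st.st_mode & stat.S_IWGRP:
                findings.append((path, "group-writable"))
            elif st.st_uid not in trusted_uids:
                findings.append((path, "owned by uid %d" % st.st_uid))
        # The first directory that provides the module wins the import,
        # so directories after it cannot shadow it.
        if any(os.path.exists(p) for p in module_files):
            break
    return findings

def demo():
    """Constructed layout: a group-writable directory sits ahead of the
    directory that really holds ftplib.py; a later one is irrelevant."""
    root = tempfile.mkdtemp()
    names = ("a_site", "b_stdlib", "c_later")
    dirs = [os.path.join(root, n) for n in names]
    for d, mode in zip(dirs, (0o775, 0o755, 0o777)):
        os.mkdir(d)
        os.chmod(d, mode)
    module = os.path.join(dirs[1], "ftplib.py")
    with open(module, "w") as fh:
        fh.write("# constructed stand-in module\n")
    os.chmod(module, 0o644)
    trusted = (0, os.getuid())  # assumption: treat the current user as trusted
    before = risky_import_paths(dirs, "ftplib", trusted)
    os.chmod(dirs[0], 0o755)    # mitigation: remove group write
    after = risky_import_paths(dirs, "ftplib", trusted)
    return [(os.path.basename(p), why) for p, why in before], after

if __name__ == "__main__":
    print(demo())
```

On a real host, pass the `sys.path` of the interpreter that runs the privileged job, with the script's own directory first, since Python searches that directory before the standard library.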