SYMFONOS: 3.1 Walkthrough
Intermediate real-life-based machine designed to test your skill at enumeration. If you get stuck, remember to try different wordlists, avoid rabbit holes and enumerate everything thoroughly. SHOULD work for both VMware and Virtualbox.
Enumeration
Here, I missed the -f flag, hence I could not find the 403 status code dirs.
Found out that it has CGI scripts running.
After some searching on Google, I found a nice blog which explains a vulnerability: Shellshock.
Exploitation
This will give you the reverse shell on port 4444.
We are cerberus.
Privilege Escalation
Being cerberus sucks.
He has permission to use the tcpdump tool through membership of the pcap group,
so we need to use this tool for lateral movement.
Found nothing critical with the linpeas.sh script.
However, there was some indication of loopback communication.
Let’s run pspy64
/bin/sh -c /usr/bin/python2.7 /opt/ftpclient/ftpclient.py → Run by root
Let’s use tcpdump to sniff the data.
Using the credentials, we can try to change to the hades user,
and it is successful.
Let’s run linpeas as user hades:
From the pspy output, we know that root is running /opt/ftpclient/ftpclient.py.
Let’s check the code and inject our malicious code into it.
let’s inject a file called ftplib inside /var/lib/python2.7,
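The weakness this last step relies on is a root-run script importing a module that a lower-privileged account can modify. As an added example (not from the original walkthrough), this Python 3 audit lists the modules a script imports and flags any whose file or directory is not owned by the trusted user or is group/other-writable. All function names, the search-directory list and the demo layout are constructed assumptions, and the audited script is assumed to parse as Python 3.

```python
import ast, os, stat, tempfile

def imported_modules(script_path):
    """Top-level module names imported by the script (absolute imports only)."""
    with open(script_path) as fh:
        tree = ast.parse(fh.read())
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return names

def resolve(name, search_dirs):
    """First file that would satisfy `import name`, searching dirs in order."""
    for d in search_dirs:
        for cand in (os.path.join(d, name, "__init__.py"), os.path.join(d, name + ".py")):
            if os.path.isfile(cand):
                return cand
    return None

def is_tamperable(path, trusted_uid):
    """True if someone other than the trusted owner can modify the path."""
    st = os.stat(path)
    return st.st_uid != trusted_uid or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit(script_path, search_dirs, trusted_uid=0):
    """Return (module, path) pairs where the module file or its directory is tamperable."""
    findings = []
    for name in sorted(imported_modules(script_path)):
        target = resolve(name, search_dirs)
        if target is None:
            continue  # built-in or outside the audited directories
        for p in (target, os.path.dirname(target)):
            if is_tamperable(p, trusted_uid):
                findings.append((name, p))
    return findings

def demo():
    """Constructed layout; the current user stands in for the trusted owner (root on a real host)."""
    root = tempfile.mkdtemp()  # created with mode 0700
    script = os.path.join(root, "job.py")
    with open(script, "w") as fh:
        fh.write("import ftplib\nfrom safe_mod import helper\n")
    for fname, mode in (("ftplib.py", 0o664), ("safe_mod.py", 0o644)):
        open(os.path.join(root, fname), "w").close()
        os.chmod(os.path.join(root, fname), mode)
    return [(m, os.path.basename(p)) for m, p in audit(script, [root], os.getuid())]
```

On a real host, pass the interpreter's actual module search path as search_dirs and leave trusted_uid at 0 for scripts that root runs.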