SYMFONOS: 5.2 Walkthrough

Beginner real life based machine designed to teach people the importance of understanding from the interior.


Tested on VMware and VirtualBox


Enumeration

We have SSH, HTTP and LDAP.

Let’s enumerate LDAP further:

dc=symfonos,dc=local

Let’s enumerate HTTP on port 80:

  • Nikto
  • Gobuster

Exploitation

  • Let’s try SQLi with wfuzz:
No SQLi found.

Since there is no SQLi, I started researching OpenLDAP exploits.

Then I got a hunch that the login could be using LDAP for authentication. Hence, I could use LDAP injection.

trapp3rhat/LDAP-injection (GitHub): LDAP injection payloads.

Let’s use wfuzz to try LDAPi:

The redirect indicates that the payload *))%00 bypasses the login.

We can log in using the payload.
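
Why that payload gets through, and what the fix looks like, as an added example that is not part of the original walkthrough. It assumes the login builds a filter of the form (&(uid=...)(userPassword=...)) (the real filter is not shown here) and that the LDAP client reads the filter as a NUL-terminated string; all function names are illustrative.

```python
from urllib.parse import unquote

# ASSUMPTION: the login page's real filter is not shown in the walkthrough;
# this template is a common pattern used here for illustration only.
TEMPLATE = "(&(uid={user})(userPassword={pw}))"

# RFC 4515: these characters must appear as \XX hex escapes inside a value.
ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape user input for use as an LDAP filter assertion value."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(user: str, pw: str) -> str:
    """Vulnerable pattern: request parameters concatenated into the filter."""
    return TEMPLATE.format(user=user, pw=pw)


def build_filter_safe(user: str, pw: str) -> str:
    """Hardened pattern: every value is escaped before it enters the filter."""
    return TEMPLATE.format(user=escape_filter_value(user),
                           pw=escape_filter_value(pw))


def as_c_string(flt: str) -> str:
    """ASSUMPTION: the client library reads the filter as a NUL-terminated
    C string, so everything after the first NUL byte is dropped."""
    return flt.split("\x00", 1)[0]


def has_filter_metachars(value: str) -> bool:
    """Detection helper: login values should never carry filter syntax."""
    return any(ch in ESCAPES for ch in value)


if __name__ == "__main__":
    user = unquote("*))%00")  # payload quoted in the walkthrough, URL-decoded
    print("unsafe :", repr(as_c_string(build_filter_unsafe(user, "x"))))
    print("safe   :", repr(as_c_string(build_filter_safe(user, "x"))))
    print("flagged:", has_filter_metachars(user), has_filter_metachars("zeus"))
```

With the unescaped value the effective filter collapses to a presence match on uid and the password clause is never evaluated; with escaping the same input is only a literal that matches no account.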

There seems to be an RFI.
The output is being commented out and not executed.

Let’s read the source code of the admin.php file with the PHP filter wrapper (php://filter).

Let’s use these credentials to dump all the information.

ldapsearch -x -LLL -h 192.168.103.137 -D 'cn=admin,dc=symfonos,dc=local' -w qMDdyZh3cT6eeAWD -b 'dc=symfonos,dc=local'

Let’s SSH into the machine with the zeus account:

zeus:cetkKf4wCuHC9FET


Privilege Escalation

dpkg | GTFOBins