SYMFONOS: 1 Walkthrough

@fuffsec
3 min read · Jul 8, 2021

Beginner real life based machine designed to teach an interesting way of obtaining a low priv shell. SHOULD work for both VMware and Virtualbox.

  • Name: symfonos: 1
  • Difficulty: Beginner
  • Tested: VMware Workstation 15 Pro & VirtualBox 6.0
  • DHCP Enabled

Note: You may need to update your hosts file for symfonos.local

Enumeration

We have the following ports:

  1. 22
  2. 25
  3. 80
  4. 139/445

Let’s start by enumerating the SMB:

Here, I found the anonymous and helios shares:

  • //<ip>/anonymous
  • //<ip>/helios

I used the password “qwerty” to get access.

Found a hidden folder, hopefully.

Let’s enumerate HTTP:

  • gobuster

We know that there is a WordPress site on port 80, so we run wpscan.

It found that we have the mail-masta plugin.

On googling, I came to know that it has LFI and SQLi.

So, let me try LFI.

Exploitation

Let’s try to use LFI for getting RCE.

No access to logs through LFI, no credentials in wp-config, and even the user helios is not a WordPress user.

Let’s try SMTP and use it to get RCE.

Let’s see the mail under /var/mail/helios.

Let’s get our reverse shell by downloading our shell code using wget.

Privilege Escalation

We have a SUID file, /opt/statuscheck.

Let’s see how it works.

It could be using wget or curl.

It is curl.

Let’s change the PATH environment variable so that /tmp is searched first:

PATH=/tmp:$PATH

Our curl file contains:

chmod +s /bin/bash
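
The fix for this class of bug, as an added example (not code from the original post or from the VM): a setuid helper that calls an external tool should pin the tool's absolute path, pass a fixed environment, and drop privileges before exec, so the caller's PATH never decides which binary runs. The function name `run_pinned`, the curl location, and the curl arguments are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment for the child: nothing is inherited from the caller. */
static char *const CLEAN_ENV[] = { "PATH=/usr/bin:/bin", "LC_ALL=C", NULL };

/* Run abs_path with CLEAN_ENV and the caller's real IDs.
 * Returns the exit status, 126/127 on drop/exec failure, -1 on refusal or error. */
int run_pinned(const char *abs_path, char *const argv[])
{
    if (abs_path == NULL || abs_path[0] != '/')
        return -1;              /* a bare name would need a PATH search */

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Drop setuid/setgid privileges: a status check does not need them. */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(126);
        execve(abs_path, argv, CLEAN_ENV);  /* execve never consults PATH */
        _exit(127);             /* exec failed */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Assumed curl location, flags and URL; adjust for the real system. */
    char *const argv[] = { "curl", "-sI", "http://localhost", NULL };
    int rc = run_pinned("/usr/bin/curl", argv);
    printf("curl exit status: %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

With this pattern, a PATH that starts with /tmp has no effect on which program is executed, and the child no longer runs with the file owner's privileges.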
