SYMFONOS: 1 Walkthrough
Beginner real-life-based machine designed to teach an interesting way of obtaining a low-priv shell. SHOULD work for both VMware and VirtualBox.
- Name: symfonos: 1
- Difficulty: Beginner
- Tested: VMware Workstation 15 Pro & VirtualBox 6.0
- DHCP Enabled
Note: You may need to update your hosts file for symfonos.local
Enumeration

We have the following ports:
- 22
- 25
- 80
- 139/445
Let’s start by enumerating SMB:


Here, I found the anonymous and helios shares:
- //<ip>/anonymous

- //<ip>/helios
I used the password “qwerty” to get access.

Let’s enumerate HTTP:
- gobuster

We know that there is a WordPress site on port 80, so we run wpscan.

On googling, I came to know that it has LFI and SQLi, so let me try LFI.


Exploitation
Let’s try to use the LFI to get RCE. There is no access to logs through the LFI, no credentials in wp-config, and even the user helios is not a WordPress user.
Let’s try SMTP and use it to get RCE.

Let’s see the mail under /var/mail/helios

Let’s get our reverse shell by downloading our shell code using wget.


Privilege Escalation

We have a SUID file, /opt/statuscheck.
Let’s see how it works:

It may be using wget or curl.

Let’s change the PATH environment variable so that /tmp is searched first:
PATH=/tmp:$PATH

The curl file contains:
chmod +s /bin/bash
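
A defensive counterpart to the PATH trick above, added here as an example and not taken from the original walkthrough or from the machine's binary: it assumes /opt/statuscheck calls curl by bare name through system(), and shows a helper launch that ignores the caller's PATH. The function name run_helper, the SAFE_ENV value and the /usr/bin/curl location are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Assumed vulnerable pattern (the page does not show the binary's source):
 *     system("curl -I http://localhost");
 * system() runs /bin/sh -c, and the shell resolves the bare name "curl"
 * through the caller-controlled PATH while the process is still privileged. */

/* Fixed environment for the helper; nothing is inherited from the caller. */
static char *const SAFE_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* Run a helper by absolute path with a clean environment and without the
 * elevated IDs. Returns its exit status, or -1 on error or a relative path. */
int run_helper(const char *path, char *const argv[])
{
    if (path == NULL || path[0] != '/')
        return -1;                      /* would need a PATH lookup: refuse */

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* A status check needs no root: drop group first, then user. */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(126);
        execve(path, argv, SAFE_ENV);   /* execve performs no PATH search */
        _exit(127);
    }

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* /usr/bin/curl is an assumed install location for the helper. */
    char *const argv[] = { "curl", "-I", "http://localhost", NULL };
    int rc = run_helper("/usr/bin/curl", argv);
    printf("helper exit status: %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

With this launch path, a PATH of /tmp:$PATH in the calling shell has no effect on which curl runs, and the helper no longer holds the SUID owner's privileges.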