SYMFONOS: 3.1 Walkthrough

@fuffsec
Jul 10, 2021

Intermediate real life based machine designed to test your skill at enumeration. If you get stuck, remember to try different wordlists, avoid rabbit holes and enumerate everything thoroughly. SHOULD work for both VMware and Virtualbox.

Enumeration

No anonymous login possible, and no hints.

Use gobuster to find hidden directories and files.

Here, I missed the -f flag, hence I could not find the directories with a 403 status code.

Found out that it has CGI scripts running.

After some searching on Google, I found a nice blog which explains a vulnerability: Shellshock.

Exploitation

This will give you the reverse shell on port 4444.

We are cerberus.

Privilege Escalation

Being cerberus sucks.

He has permission to use the tcpdump tool through membership in the pcap group.

So we need to use this tool for lateral movement.

  • Found nothing critical with the linpeas.sh script

However, there was some indication of loopback communication.

The hades account is logging into FTP with some cron…

Let’s run pspy64

/bin/sh -c /usr/bin/python2.7 /opt/ftpclient/ftpclient.py → Run by root

Let’s use tcpdump to sniff the data.

Using the credentials, we can try to change to the hades user.

And it is successful.

Let’s run linpeas as user hades:

Seems like there is a reason hades is a god ;)

From pspy, we know that root is running /opt/ftpclient/ftpclient.py.

Let’s check the code and inject our malicious code into it.

Let’s inject a file called ftplib inside /var/lib/python2.7.
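From the defender's side, the weakness used in this last step can be audited for. The following is an added example, not part of the original post or the machine's own code: it lists the modules a root-run script imports and flags any module file or searched directory that group or others can write to. The function names and the temporary file layout in `demo()` are constructed for illustration, and the check looks at mode bits only.

```python
import os
import re
import stat
import tempfile

def imported_modules(source):
    """Top-level module names imported by the source text (nothing is executed)."""
    names = set(re.findall(r"^\s*from\s+([A-Za-z_]\w*)", source, re.M))
    for rest in re.findall(r"^\s*import\s+([^#\n]+)", source, re.M):
        names.update(p.split()[0].split(".")[0] for p in rest.split(",") if p.split())
    return sorted(names)

def loosely_writable(path):
    """True if group or others may write to path (mode bits only, no ACLs)."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_imports(script, search_path):
    """Findings (module, path, reason) for a script that a privileged user runs."""
    with open(script) as fh:
        modules = imported_modules(fh.read())
    # The script's own directory is searched before the rest of the path.
    dirs = [os.path.dirname(os.path.abspath(script))] + list(search_path)
    findings = []
    for mod in modules:
        for d in filter(os.path.isdir, dirs):
            if loosely_writable(d):  # a module could be planted here
                findings.append((mod, d, "searched directory is writable"))
            hits = [p for p in (os.path.join(d, mod, "__init__.py"),
                                os.path.join(d, mod + ".py")) if os.path.isfile(p)]
            if hits:
                if loosely_writable(hits[0]):
                    findings.append((mod, hits[0], "module file is writable"))
                break  # first match wins, as in the import system
    return findings

def demo():
    """Constructed layout: a script whose ftplib.py is group-writable (0664)."""
    root = tempfile.mkdtemp()
    files = {"app/ftpclient.py": ("import ftplib\nimport sys\n", 0o644),
             "lib/ftplib.py": ("# stand-in module\n", 0o664)}
    for rel, (text, mode) in files.items():
        path = os.path.join(root, rel)
        os.mkdir(os.path.dirname(path))
        os.chmod(os.path.dirname(path), 0o755)
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)
    return audit_imports(os.path.join(root, "app/ftpclient.py"), [os.path.join(root, "lib")])
```

On a real host, pass the script's path and the `sys.path` of the interpreter that runs it; any finding for a script that root runs from cron is a privilege boundary to fix with ownership and mode changes.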


@fuffsec

Security Researcher | (OSWE, OSCP, OSWA, OSWP, CRTP, eWPTX, SSCP)