Vulnhub – Symfonos 1 Walkthrough

Scanning the box with nmap -A -T4 -p- -vv

The host is running an SMB service, so we can scan it and list the shares:

So we got a file named attention.txt:

We can now log in as the helios user with one of these passwords, which turns out to be qwerty (after testing each one):

Let’s download these two files, research.txt and todo.txt:

The new path /h3l105 is a WordPress site. We also change the hosts file to add symfonos.local.

wpscan --url -e p:

It reports that directory listing is enabled on the upload directory, so we check it out and find 3 subdirectories:

So I googled it and I found an exploit for it:

The exploit is an LFI, which we use to display the /etc/passwd file:

OK, at this point: back when I was doing enumeration, port 25 was open and had no use until now, so we can use the SMTP log poisoning method:

Then we put this line in the address:


And we get something like this:

Now to get a shell we put this command:

Let’s use “find” to find SUID files: find / -perm -u=s -type f 2>/dev/null

There is a file, /opt/statuscheck, which we can abuse via PATH abuse:

cd /tmp

echo "/bin/sh" > curl    # fake "curl" that just starts a shell

chmod 777 curl

echo $PATH    # show the current search path

export PATH=/tmp:$PATH    # /tmp is now searched first
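Why this works, and how the author of such a binary would close it, as an added example that is not code from this walkthrough or from the Symfonos image. It assumes /opt/statuscheck invokes curl by bare name (which the fake curl in /tmp implies), so the lookup follows the caller's PATH. The names run_fixed and CLEAN_ENV, the /usr/bin/curl path and the curl arguments are assumptions.

```c
/* Added example: hardened way for a SUID helper to run an external tool.
 * Assumed vulnerable pattern: system("curl ..."), which starts a shell that
 * resolves "curl" through the caller-controlled PATH while still privileged. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment: nothing is inherited from the untrusted caller. */
static char *const CLEAN_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* Run abs_path with argv and CLEAN_ENV. Returns the child's exit status,
 * or -1 if the path is not absolute or the child could not be run. */
int run_fixed(const char *abs_path, char *const argv[])
{
    int status;
    pid_t pid;

    if (abs_path == NULL || abs_path[0] != '/')
        return -1;                       /* refuse any PATH lookup */

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Drop SUID/SGID privileges first: the tool does not need them. */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(126);
        execve(abs_path, argv, CLEAN_ENV);  /* no shell, no PATH search */
        _exit(127);                      /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Hypothetical call site; path and arguments are assumptions. */
    char *const argv[] = { "curl", "-sI", "http://localhost", NULL };
    int rc = run_fixed("/usr/bin/curl", argv);

    printf("status check exited with %d\n", rc);
    return rc == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

With this pattern a writable directory at the front of PATH has no effect: the binary is named by absolute path, the child sees only the fixed environment, and it no longer holds the SUID identity.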

