Vulnhub – Symfonos 2 Walkthrough

We start by scanning the target with nmap -A -T4 -p- 192.168.1.9 -vv

We list the SMB shares with smbclient -L \\\\192.168.1.9, then connect to the anonymous share with smbclient \\\\192.168.1.9\\anonymous and download the file log.txt.

From the log file we get a username: aeolus.

We can use hydra to brute-force SSH after confirming that the user aeolus has SSH access:

hydra -l aeolus -P /root/pass/rockyou.txt ssh://192.168.1.9 -f -vV

Now we log in over SSH using the password sergioteamo:
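The password guessing above leaves a recognisable trace in the target's sshd log: a run of failures for one account from one address, followed by a success. The detector below is an added example, not part of the original walkthrough; the log lines are constructed samples in the usual OpenSSH syslog format, and the hostname, source addresses and the threshold of 5 are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log: six failed guesses for aeolus from one (assumed)
# address, a single mistyped password for another user, then both logins.
SAMPLE_LOG = "\n".join(
    [f"Jul 18 10:01:{s:02d} symfonos2 sshd[1201]: Failed password for aeolus "
     f"from 192.168.1.50 port {40100 + s} ssh2" for s in range(6)]
    + ["Jul 18 10:02:10 symfonos2 sshd[1250]: Failed password for cronus "
       "from 192.168.1.20 port 51000 ssh2",
       "Jul 18 10:02:15 symfonos2 sshd[1250]: Accepted password for cronus "
       "from 192.168.1.20 port 51000 ssh2",
       "Jul 18 10:02:30 symfonos2 sshd[1201]: Connection closed by 192.168.1.50",
       "Jul 18 10:02:31 symfonos2 sshd[1260]: Accepted password for aeolus "
       "from 192.168.1.50 port 40200 ssh2"]
)

EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def find_guessed_logins(log_text, threshold=5):
    """Return (user, ip, failures) for every accepted password that was
    preceded by at least `threshold` failures for the same user and source."""
    failures = defaultdict(int)
    hits = []
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue  # unrelated sshd message
        key = (m["user"], m["ip"])
        if m["result"] == "Failed":
            failures[key] += 1
        else:
            if failures[key] >= threshold:
                hits.append((m["user"], m["ip"], failures[key]))
            failures[key] = 0  # the streak ends at a successful login
    return hits

if __name__ == "__main__":
    for user, ip, count in find_guessed_logins(SAMPLE_LOG):
        print(f"ALERT: {user} logged in from {ip} after {count} failed passwords")
```

A single mistyped password followed by a login stays below the threshold, so only the guessed account is reported.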

Using the LinEnum.sh script we can see that MySQL is running on port 3306, so let's explore further:

In the Apache directory we find a file named librenms, which shows that a service is running on port 8080:

Next we open an SSH tunnel to port 8080 with ssh -L 8080:127.0.0.1:8080 aeolus@192.168.1.9, using the same password for the user aeolus as before. The login works as before, but this time port 8080 is tunnelled to our machine.

Now we browse to localhost:8080 and find a new service, LibreNMS. Searching for it with searchsploit turns up a Metasploit exploit, so let's start Metasploit:

In Metasploit: use exploit/linux/http/librenms_addhost_cmd_inject

This time we get in as the user cronus, and this user has sudo privileges:

The command is sudo -u root /usr/bin/mysql mysql -e '\! /bin/sh'
