Today we are solving symfonos 5, a VulnHub CTF, in this walkthrough.
The symfonos VM is made by Zayotic. This VM is a purposely built vulnerable lab intended for gaining experience in the world of penetration testing.
It is a beginner-level, real-life based lab and is very handy for brushing up your skills as a penetration tester.
To identify the target IP address, we start with netdiscover.
Next we run advanced network scanning with an Nmap aggressive scan, covering all ports and services.
We see that ports 21 (ssh), 80 (HTTP) and 389 (LDAP) are running services on the target system.
Since port 80 is open, we decided to open the IP address in the web browser.
I add our target VM's IP address to our /etc/hosts file as symfonos.server.
We chose DIRB for a directory brute-force attack to find all directories on the server.
After brute-forcing the directories we see admin.php, so we open it in a web browser.
I am using Firefox and I see a simple login page. I tried password brute-forcing with Burp Suite but found no correct credentials. I tried to open the home page, but the home page redirects to the admin page.
I try to read the home page source code, using the curl tool to fetch it.
We see that the home.php URL is redirecting to a localhost PHP file.
Try LFI with the curl tool.
We see the target's passwd file, which means the target is vulnerable to LFI.
Try reading the source code of the admin.php file.
We got an LDAP username and password:
$bind = ldap_bind($ldap_ch, "cn=admin,dc=symfonos,dc=local", "qMDdyZh3cT6eeAWD");
I run the Nmap ldap-search script to log in with the username and password:
nmap --script ldap-search --script-args 'ldap.username="cn=admin,dc=symfonos,dc=local",ldap.password="qMDdyZh3cT6eeAWD"' 192.168.0.104 -p389
Try to log in over an SSH connection with the credentials:
mail: [email protected]
- username: zeus
- password: cetkKf4wCuHC9FET
Run sudo -l to check which commands can be run with sudo. It looks like dpkg can be run with sudo.
TF=$(mktemp -d)
echo 'exec /bin/sh' > $TF/x.sh
fpm -n x -s dir -t deb -a all --before-install $TF/x.sh $TF
After generating the dpkg file, download it to the target's /tmp directory. I start a simple Python server and use wget to download the file onto the target system.
I install the package with dpkg and our shell changes from a normal user to the root user.
sudo dpkg -i x_1.0_all.deb
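The root shell above works because package install hooks run with the privileges of the package tool, so a sudo rule for dpkg is equivalent to full root. The following is an added example, not part of the original walkthrough: a small audit function that reads `sudo -l` style output and flags such rules. The function name `audit_sudo_rules`, the tool list and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag sudo rules that let a user run a package manager.
# Install hooks (such as the --before-install script used above) execute
# as the user running the package tool, so these rules grant root.

# Tools treated as root-equivalent; this list is the example's assumption.
RISKY_TOOLS="dpkg apt apt-get rpm yum dnf"

# Reads `sudo -l` style text on stdin.
# Prints one "tool<TAB>command" line for every risky command found.
audit_sudo_rules() {
    while IFS= read -r line; do
        case "$line" in
            *"("*")"*) ;;        # rule lines carry a "(runas)" part
            *) continue ;;       # skip Defaults and header lines
        esac
        # Drop "(runas)" and tag prefixes such as NOPASSWD:, then put
        # each comma-separated command on its own line.
        printf '%s\n' "${line#*\)}" |
            sed -E 's/^[[:space:]]*([A-Z_]+:[[:space:]]*)*//' |
            tr ',' '\n' |
            while read -r cmd; do
                base=${cmd%% *}  # command path without its arguments
                base=${base##*/} # basename of that path
                for tool in $RISKY_TOOLS; do
                    if [ "$base" = "$tool" ]; then
                        printf '%s\t%s\n' "$tool" "$cmd"
                    fi
                done
            done
    done
    return 0
}

# Constructed sample of `sudo -l` output (host and rule are illustrative).
SAMPLE='Matching Defaults entries for zeus on symfonos5:
    env_reset, mail_badpass

User zeus may run the following commands on symfonos5:
    (root) NOPASSWD: /usr/bin/dpkg'

printf '%s\n' "$SAMPLE" | audit_sudo_rules
```

Any line this prints is a rule to remove or replace with a narrowly scoped wrapper, since restricting arguments to a package manager does not stop package scripts from running as root.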