symfonos: 1

[ vulnhub  boot2root  walkthrough  ]

Goal

root

Download

https://www.vulnhub.com/entry/symfonos-1,322/

Walkthrough

nmap

default 80

dirb…nothing

enum4linux shows some shares and a user

smb to anonymous reveals password hint

smb to helios is accessible via one of the passwords revealed. this gives a web directory

wordpress revealed. updated hosts file as all links were symfonos.local

wpscan reveals no security vulnerabilities, but does reveal a plugin, mail-masta

quick google found local file inclusion exploit

with exploit, able to read /etc/passwd

also able to read the mail log for helios

with port 25 open, we send a PHP command one-liner to get RCE

rce working as /etc/passwd can be read using cat

set up a listener and invoke it, we have a reverse shell

looking at system, we find a suid file /opt/statuscheck

checking the file, it calls a web page; looking further with strings, it’s a curl command

creating a file named curl in /tmp that calls /bin/bash and updating PATH, we get root
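The root step works because the suid helper resolves curl through the caller's PATH. As an added example (not code from the VM or from this walkthrough), here is the assumed vulnerable pattern in a comment and a hardened launcher in C. `run_fixed`, `CLEAN_ENV` and the `/usr/bin/curl` location are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern (assumed shape of the suid helper, not recovered source):
 *     system("curl -I http://localhost");
 * system() runs /bin/sh -c, which looks "curl" up in the caller's PATH
 * while the process still holds the suid-granted effective UID. */

/* Fixed, minimal environment: nothing is inherited from the caller. */
static char *const CLEAN_ENV[] = { "PATH=/usr/bin:/bin", "LANG=C", NULL };

/* Run prog with argv, refusing anything that is not an absolute path.
 * Returns the child's exit status, or -1 on refusal or failure. */
int run_fixed(const char *prog, char *const argv[])
{
    if (prog == NULL || prog[0] != '/')
        return -1;                  /* a relative name would need PATH */

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* execve() does no PATH search and uses only the env we pass. */
        execve(prog, argv, CLEAN_ENV);
        _exit(127);                 /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* /usr/bin/curl is an assumed install location; adjust per system. */
    char *const args[] = { "curl", "-sI", "http://localhost", NULL };
    int rc = run_fixed("/usr/bin/curl", args);
    printf("status check exited with %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

A status check like this rarely needs root at all, so removing the suid bit from the binary is the simpler fix where that is possible.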

root flag

Written on October 8, 2019