Thursday, February 10, 2022



- Layout for this exercise:


 - The goal of this exercise is to develop a hacking process for the vulnerable machine Symfonos_1, from the VulnHub pentesting platform.

Symfonos_1 can be downloaded from here:,322/

- Once the virtual machine has been downloaded, extracted and imported into VirtualBox:


- Discovering IP with netdiscover:

- Scanning ports with Nmap:

- Enumerating with enum4linux:

- So there is one user named helios and two shared folders named helios and anonymous.

- Accessing anonymous and retrieving the file attention.txt:

- Reading attention.txt, we discover 3 potential passwords:

- The 2nd password, qwerty, gives user helios access to the shared folder helios, which contains two files, research.txt and todo.txt:

- Reading research.txt and todo.txt, we focus our attention on the folder /h3l105:

- Browsing the web server:

- Going to /h3l105 we find a WordPress site:

- Scanning the site with WPScan, we find a folder /uploads:

- Going to /uploads, there is siteeditor:


- Site Editor 1.1.1 is a WordPress plugin vulnerable to an LFI exploit:

- Copying the Proof of Concept as a URL, we confirm that Symfonos1 is vulnerable to LFI:

- Now, let's try to include a PHP command through the SMTP server:

- Adapting the exploit's Proof of Concept to the command pwd:

- Same thing with the command id:

- Finally let's try to execute a Netcat reverse shell:

- Setting up a listener session:

- Passing the exploit to the URL and running it:

- As a consequence, a remote shell is triggered:

- Improving the shell and changing to user helios' home folder:


- Looking for files with the setuid bit:

- Exploring /opt/statuscheck:

- Applying the command strings to /opt/statuscheck:

- So it turns out that /opt/statuscheck calls curl by name, without an absolute path, which means the binary it runs depends on the caller's PATH.

- The idea for privilege escalation is to rewrite curl as a bash script, store it in /tmp, and change the PATH variable so that curl is resolved from /tmp first.

- The original path for curl:

- Going to /tmp and creating a new curl:

- Editing PATH by prepending /tmp to it:

- Now /opt/statuscheck calls the curl inside /tmp and a root shell is achieved:
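Why this escalation works, and how a setuid status checker should be written instead, as an added example (not code from the walkthrough or from the VulnHub image): the first function flags the pattern that strings exposed (a command resolved through PATH), the second rebuilds PATH from an allow-list, and the third runs curl by absolute path with a fixed environment and dropped privileges. The curl location /usr/bin/curl and the allow-list are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* 1 if the command's first word is resolved through PATH (no leading '/'),
 * i.e. the weakness found in /opt/statuscheck; 0 for an absolute path. */
int command_uses_path_lookup(const char *cmd) {
    while (*cmd == ' ' || *cmd == '\t') cmd++;
    return *cmd != '/';
}

/* Rebuild PATH keeping only allow-listed system directories (assumed list).
 * Entries such as /tmp or "." are dropped. Returns the number of entries kept. */
int sanitize_path(const char *path, char *out, size_t outlen) {
    static const char *allowed[] = { "/usr/local/bin", "/usr/bin", "/bin", NULL };
    char buf[4096];
    int kept = 0;
    out[0] = '\0';
    strncpy(buf, path, sizeof buf - 1); buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, ":"); tok; tok = strtok(NULL, ":"))
        for (int i = 0; allowed[i]; i++)
            if (strcmp(tok, allowed[i]) == 0) {
                if (kept) strncat(out, ":", outlen - strlen(out) - 1);
                strncat(out, tok, outlen - strlen(out) - 1);
                kept++;
                break;
            }
    return kept;
}

/* Hardened check: absolute path (assumed /usr/bin/curl), argv vector instead of a
 * shell string, a fixed environment, and privileges dropped first because
 * fetching a URL does not need root. Returns curl's exit status or -1. */
int run_statuscheck_hardened(const char *url) {
    char *const argv[] = { "/usr/bin/curl", "-sI", (char *)url, NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };  /* caller's PATH ignored */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0) _exit(127);
        execve(argv[0], argv, envp);
        _exit(127);  /* only reached if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```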


- Reading proof.txt: