SYMFONOS 2
- Layout for this exercise:
1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine Symfonos_2, from the VulnHub pentesting platform.
- Symfonos_2 can be downloaded from here:
https://www.vulnhub.com/entry/symfonos-2,331/
- Once the virtual machine has been downloaded and extracted with VirtualBox:
2 - ENUMERATION
- Scanning with Nmap:
- Connecting to the web server:
- Scanning with enum4linux, we discover a shared folder named anonymous:
- Connecting with credentials anonymous:anonymous:
- Changing to folder backups and getting log.txt:
- log.txt reveals the existence of user aeolus:
3 - EXPLOITATION
- Hydra and rockyou.txt discover password sergioteamo for user aeolus:
- However, direct SSH access is denied:
- Metasploit with module ssh_login yields a better result:
- netstat lists open connections, for instance on port 8080:
- To access the web server on port 8080, we must forward the connection to another port, for instance 4444:
- Now the connection to the hidden web server is available:
- The LibreNMS application is vulnerable to this exploit:
- Looking for a related Metasploit module:
- After setting the parameters and running the exploit, we have a new command shell for a user named cronus:
- Improving the shell:
- Searching for cronus' sudo privileges:
- The mysql client's \! command (short form of system) allows running any system command, as explained here:
- Running /bin/bash we get a remote root shell:
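- Seen from the defender's side, as an added example that is not part of the original walkthrough: a short Python audit that parses sudoers text and reports every rule letting a user run the mysql client as another user, which is the misconfiguration the last steps rely on. The sample sudoers content, the function name audit_sudoers and the SHELL_ESCAPE_BINARIES set are assumptions made for this illustration.

```python
import re
from pathlib import PurePosixPath

# Binaries whose client can run system commands; the walkthrough covers mysql (\!).
# "mariadb" is added here as an assumption (same client); extend the set as needed.
SHELL_ESCAPE_BINARIES = {"mysql", "mariadb"}

# Constructed sample sudoers content, not copied from the Symfonos_2 machine.
SAMPLE_SUDOERS = """\
Defaults env_reset
Cmnd_Alias DBTOOLS = /usr/bin/mysqldump, \\
                     /usr/bin/mysql
root    ALL=(ALL:ALL) ALL
cronus  ALL=(root) NOPASSWD: /usr/bin/mysql
backup  ALL=(root) DBTOOLS, /usr/bin/rsync
"""

# user  host = (runas) command-list
RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")
TAG = re.compile(r"([A-Z_]+):\s*(.*)")

def audit_sudoers(text, risky=SHELL_ESCAPE_BINARIES):
    """Return (user, runas, command, nopasswd) for each rule granting a risky binary."""
    text = re.sub(r"\\\n\s*", " ", text)              # join continuation lines
    lines = [l.strip() for l in text.splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]
    aliases = {}
    for line in lines:                                # pass 1: collect Cmnd_Alias lists
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.*)", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
    findings = []
    for line in lines:                                # pass 2: user rules
        m = None if re.match(r"(Defaults|\w+_Alias)\b", line) else RULE.match(line)
        if not m:
            continue
        user, runas, spec = m.group(1), m.group(2) or "root", m.group(3)
        nopasswd = False                              # a tag applies until overridden
        for item in (c.strip() for c in spec.split(",")):
            tag = TAG.match(item)
            while tag:                                # strip leading tags such as NOPASSWD:
                if tag.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag.group(1) == "NOPASSWD"
                item, tag = tag.group(2), TAG.match(tag.group(2))
            for cmd in aliases.get(item, [item]):     # expand aliases, then check basename
                if cmd and PurePosixPath(cmd.split()[0]).name in risky:
                    findings.append((user, runas, cmd, nopasswd))
    return findings

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
```

A blanket ALL command grant is deliberately not reported by this check; it only looks for explicit entries naming one of the listed binaries.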
5 - CAPTURING THE FLAG
- Reading proof.txt: