SYMFONOS_5
- Layout for this exercise:
1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine Symfonos_5, from the VulnHub pentesting platform.
- Symfonos_5 can be downloaded from here:
https://www.vulnhub.com/entry/symfonos-52,415/
- Once the virtual machine is downloaded and extracted with VirtualBox
- Browsing the web server:
- Dirbusting the web server we find admin.php:
- Connecting to admin.php there is a Login form:
3 - EXPLOITATION
- Using Wfuzz with the wordlist SQL.txt to brute-force the Login form:
- The payload "*" returns a successful 302 response, so we try it at the Login form:
- The Login is successful and we are presented with the page home.php:
- Viewing the source of home.php, there is an interesting URL that suggests LFI (Local File Inclusion):
- Checking the URL, it points to localhost (127.0.0.1) and the page portraits.php:
- Finally we discover that the webpage is vulnerable to RFI, because we can read /etc/passwd:
- Going to admin.php:
- Viewing the source of admin.php, we discover the credentials admin:qMDdyZh3cT6eeAWD for LDAP:
- ldapsearch opens a connection to the LDAP server on port 389 and returns a Base64-encoded password Y2V0a0tmNHdDdUhDOUZFVA== for user zeus:
- Decoding Y2V0a0tmNHdDdUhDOUZFVA==:
- Now we can SSH:
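- Why the "*" payload logs in, and how escaping stops it. This is an added example, not code from the original page or from the target machine. It assumes the Login form places both fields unescaped into an LDAP search filter of the form (&(uid=...)(userPassword=...)); the directory entries and the small filter evaluator are constructed for illustration.

```python
import re

# Constructed sample directory entries (not from the page).
DIRECTORY = [
    {"uid": "alice", "userPassword": "s3cret-A"},
    {"uid": "bob", "userPassword": "s3cret-B"},
]

def escape_filter_value(value):
    # RFC 4515: backslash, '*', '(', ')' and NUL become a backslash + two hex digits.
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_filter_unsafe(user, password):
    # Assumed vulnerable pattern: raw user input inside the filter.
    return "(&(uid=%s)(userPassword=%s))" % (user, password)

def build_filter_safe(user, password):
    # Hardened pattern: every user-supplied value is escaped first.
    return "(&(uid=%s)(userPassword=%s))" % (
        escape_filter_value(user), escape_filter_value(password))

def _to_regex(assertion):
    # Toy evaluator: a bare '*' matches anything, '\XX' is one literal character.
    pattern = ""
    for tok in re.findall(r"\\[0-9a-fA-F]{2}|.", assertion, flags=re.S):
        if tok == "*":
            pattern += ".*"
        elif len(tok) == 3:
            pattern += re.escape(chr(int(tok[1:], 16)))
        else:
            pattern += re.escape(tok)
    return re.compile(pattern, re.S)

FILTER_SHAPE = re.compile(r"\(&\(uid=([^()]*)\)\(userPassword=([^()]*)\)\)")

def search(ldap_filter):
    # Returns the uids matched by this one filter shape; anything else is rejected.
    m = FILTER_SHAPE.fullmatch(ldap_filter)
    if not m:
        return []
    uid_re, pw_re = _to_regex(m.group(1)), _to_regex(m.group(2))
    return [e["uid"] for e in DIRECTORY
            if uid_re.fullmatch(e["uid"]) and pw_re.fullmatch(e["userPassword"])]

def login(user, password, build):
    # The assumed application logic: any search hit counts as a valid login.
    return len(search(build(user, password))) > 0
```

In PHP the equivalent of escape_filter_value is ldap_escape() with the LDAP_ESCAPE_FILTER flag; checking the password with a bind as the user's DN instead of a search filter removes the filter from the authentication decision altogether.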
4 - PRIVILEGE ESCALATION
- User zeus has sudo privileges for /usr/bin/dpkg:
- dpkg is a tool to manage Debian packages, so the idea for Privilege Escalation could be to run a deb package containing a script that runs /bin/bash as root.
- fpm builds different types of packages like deb, rpm, etc.:
- Writing a simple exploit.sh:
- fpm creates a deb package for exploit.sh:
- Transferring exploit_1.0_amd64.deb:
- Running exploit_1.0_amd64.deb with /usr/bin/dpkg we get a root shell:
5 - CAPTURE THE FLAG
- Reading proof.txt: