Symfonos: 2 - Walkthrough

# Symfonos: 2 - Walkthrough ### Machine Details #### Name: Symfonos 2 #### OS: Linux #### Platform: [Vulnhub](https://www.vulnhub.com) #### Download Link: [Symfonos 2](https://www.vulnhub.com/entry/symfonos-2,331/) ___ ### Getting started I booted up the machine and got assigned an IP addres of 192.168.50.130. Similar to [symfonos1](https://hackmd.io/@rudefish/vulnhub-symfonos-series-symfonos1-walkthrough), I added symfonos2.local to my hosts file. ``` 192.168.50.130 symfonos2.local ``` I proceeded to run a quick nmap scan on the target and obtained the result below. ![](https://i.imgur.com/0bEddNq.png) ### Paying a visit to Port 80 I opened the target on the browser and I was presented with the following page: ![](https://i.imgur.com/zYcbTZt.jpg) I ran directory enumeration on the target using dirb, but I did not obtain much result. ![](https://i.imgur.com/847ZbG5.png) ### The Good Old SMB SMB service is also running on the target and it allows anonymous share. I connected to it and downloaded a log.txt file in the backups folder. ![](https://i.imgur.com/txyGOhB.png) The log.txt file has a whole bunch of text, but what I was able to extract from it is a username: `aeolus`. ### Force them all Checking back on my brute force running in the background. I obtained a password. ``` aeolus:sergioteamo ``` ![](https://i.imgur.com/EoJE2Xo.png) Using these creds, I was able to login via SSH. Now that I am in, first thing I did was to check if I can execute commands using sudo. ![](https://i.imgur.com/BGk9sRX.png) Well, that was painful xD. ### More Enumeration Enumerating further, I checked the listening connections on the box and observed a service running locally on 127.0.0.1:8080 ``` ss -lntp ``` ![](https://i.imgur.com/NomIB7K.png) Using my current SSH connection, I tunneled the port to my local machine. ![](https://i.imgur.com/ZCDoykd.png) Visting the forwarded port on my local machine in the browser, I was presented with a new page running LibreNMS and I was able to login using `aeolus` credentials. ![](https://i.imgur.com/OjEgl2x.png) ![](https://i.imgur.com/YWpkugK.png) Searching on Google about LibreNMS exploit shows it is vulnerable to an Authenticated Remote Code Execution as seen [here](https://www.exploit-db.com/exploits/47044). ### Way to ROOT! Following the exploit code and supplying the required parameters, I obtained a reverse shell as the root user. To stabilize my shell, I added my public SSH key to the box and logged in as root. ![](https://i.imgur.com/09rnDXt.png) Hope you enjoyed reading! See you in the next one. ###### tags: `symfonos` `vulnhub` `proftpd` `smb` `librenms`