Symfonos 5 <NOT WORKING>

Symfonos 5 Vulnhub walkthrough

Enumeration

nmap

nmap -sC -sV -oA nmap/sym5 192.168.1.112

Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-27 20:52 EDT
Nmap scan report for 192.168.1.112
Host is up (0.00019s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 16:70:13:77:22:f9:68:78:40:0d:21:76:c1:50:54:23 (RSA)
|   256 a8:06:23:d0:93:18:7d:7a:6b:05:77:8d:8b:c9:ec:02 (ECDSA)
|_  256 52:c0:83:18:f4:c7:38:65:5a:ce:97:66:f3:75:68:4c (ED25519)
80/tcp  open  http     Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
389/tcp open  ldap     OpenLDAP 2.2.X - 2.3.X
636/tcp open  ldapssl?
MAC Address: 00:0C:29:A0:E6:96 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 73.25 seconds

nmap -p- -Pn 192.168.1.112

Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-27 20:54 EDT
Nmap scan report for 192.168.1.112
Host is up (0.00064s latency).
Not shown: 65531 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
389/tcp open  ldap
636/tcp open  ldapssl
MAC Address: 00:0C:29:A0:E6:96 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 2.85 seconds

As usual[, let's put the IP to the web browser

Dirb

dirb http://192.168.1.112

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Wed May 27 20:55:53 2020
URL_BASE: http://192.168.1.112/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.1.112/ ----
+ http://192.168.1.112/admin.php (CODE:200|SIZE:1650)                                                                                                                                             
+ http://192.168.1.112/index.html (CODE:200|SIZE:207)                                                                                                                                             
+ http://192.168.1.112/server-status (CODE:403|SIZE:278)                                                                                                                                          
==> DIRECTORY: http://192.168.1.112/static/                                                                                                                                                       
                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.112/static/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Wed May 27 20:55:59 2020
DOWNLOADED: 4612 - FOUND: 3

Gobuster

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --url http://192.168.1.112/ -x php

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.1.112/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php
[+] Timeout:        10s
===============================================================
2020/05/27 20:57:40 Starting gobuster
===============================================================
/home.php (Status: 302)
/admin.php (Status: 200)
/static (Status: 301)
/logout.php (Status: 302)
/portraits.php (Status: 200)
/server-status (Status: 403)
===============================================================
2020/05/27 21:01:07 Finished
===============================================================

We can see there is /admin.php, /portraits.php, /home.php

A login form! I tried some common usernames and passwords but it doesn't work. I also tried some SQL injection but still no luck.

When I navigate to /home.php, it redirects me back admin.php

Then I use burp to intercept the network and then change the admin.php to home.php

Then click send and we can see the response, there is one line it has a URL

PreviousW34KN3SS NextDelivery (Easy)

Last updated 5 years ago

Was this helpful?