Symfonos 5 <NOT WORKING>

Symfonos 5 Vulnhub walkthrough

Enumeration

nmap

nmap -sC -sV -oA nmap/sym5 192.168.1.112
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-27 20:52 EDT
Nmap scan report for 192.168.1.112
Host is up (0.00019s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 16:70:13:77:22:f9:68:78:40:0d:21:76:c1:50:54:23 (RSA)
|   256 a8:06:23:d0:93:18:7d:7a:6b:05:77:8d:8b:c9:ec:02 (ECDSA)
|_  256 52:c0:83:18:f4:c7:38:65:5a:ce:97:66:f3:75:68:4c (ED25519)
80/tcp  open  http     Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
389/tcp open  ldap     OpenLDAP 2.2.X - 2.3.X
636/tcp open  ldapssl?
MAC Address: 00:0C:29:A0:E6:96 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 73.25 seconds
nmap -p- -Pn 192.168.1.112
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-27 20:54 EDT
Nmap scan report for 192.168.1.112
Host is up (0.00064s latency).
Not shown: 65531 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
389/tcp open  ldap
636/tcp open  ldapssl
MAC Address: 00:0C:29:A0:E6:96 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 2.85 seconds

As usual, let's put the IP into the web browser.

Dirb

dirb http://192.168.1.112
-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Wed May 27 20:55:53 2020
URL_BASE: http://192.168.1.112/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.1.112/ ----
+ http://192.168.1.112/admin.php (CODE:200|SIZE:1650)                                                                                                                                             
+ http://192.168.1.112/index.html (CODE:200|SIZE:207)                                                                                                                                             
+ http://192.168.1.112/server-status (CODE:403|SIZE:278)                                                                                                                                          
==> DIRECTORY: http://192.168.1.112/static/                                                                                                                                                       
                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.112/static/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Wed May 27 20:55:59 2020
DOWNLOADED: 4612 - FOUND: 3

Gobuster

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --url http://192.168.1.112/ -x php
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.1.112/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php
[+] Timeout:        10s
===============================================================
2020/05/27 20:57:40 Starting gobuster
===============================================================
/home.php (Status: 302)
/admin.php (Status: 200)
/static (Status: 301)
/logout.php (Status: 302)
/portraits.php (Status: 200)
/server-status (Status: 403)
===============================================================
2020/05/27 21:01:07 Finished
===============================================================

We can see there are /admin.php, /portraits.php and /home.php.

A login form! I tried some common usernames and passwords but they didn't work. I also tried some SQL injection but still no luck.

When I navigate to /home.php, it redirects me back to admin.php.

Then I use Burp to intercept the network traffic and change admin.php to home.php.

Then click Send and we can see the response; one line in it has a URL.
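The step above relies on reading the body of a redirect response. As an added example (not part of the original walkthrough), this check flags redirect responses whose body links somewhere other than the Location target, which is how a developer or tester can spot a page that keeps rendering after redirecting; the sample responses and the `example.php` link are constructed.

```python
import re

# Attribute values that point somewhere: links, form targets, embedded resources.
LINK_RE = re.compile(r'(?:href|src|action)\s*=\s*["\']([^"\']+)["\']', re.I)

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def leaked_links(raw):
    """Links in a 3xx body that point anywhere other than the Location target."""
    status, headers, body = parse_response(raw)
    if not 300 <= status < 400:
        return []  # only redirects are of interest here
    location = headers.get("location", "")
    # A stock server redirect page links only to Location; ignore those.
    return [u for u in LINK_RE.findall(body) if u != location]

# Constructed sample responses (not captured from the target).
LEAKY = ("HTTP/1.1 302 Found\r\nLocation: admin.php\r\n"
         "Content-Type: text/html\r\n\r\n"
         '<html><body><a href="example.php?id=1">Item</a></body></html>')
STOCK = ("HTTP/1.1 301 Moved Permanently\r\n"
         "Location: http://192.168.1.112/static/\r\n\r\n"
         '<p>The document has moved '
         '<a href="http://192.168.1.112/static/">here</a>.</p>')
EMPTY = "HTTP/1.1 302 Found\r\nLocation: admin.php\r\n\r\n"

if __name__ == "__main__":
    for name, raw in (("LEAKY", LEAKY), ("STOCK", STOCK), ("EMPTY", EMPTY)):
        print(name, leaked_links(raw))
```

A non-empty result for a page that should require a login means the script kept producing output after sending the redirect; the fix is to stop execution immediately after the Location header is sent.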
