Symfonos 4

Symfonos 4 Vulnhub Walkthrough

Enumeration

nmap

nmap -sC -sV -oA nmap/sym4 192.168.1.136
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-26 23:43 EDT
Nmap scan report for 192.168.1.136
Host is up (0.00021s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10 (protocol 2.0)
| ssh-hostkey: 
|   2048 f9:c1:73:95:a4:17:df:f6:ed:5c:8e:8a:c8:05:f9:8f (RSA)
|   256 be:c1:fd:f1:33:64:39:9a:68:35:64:f9:bd:27:ec:01 (ECDSA)
|_  256 66:f7:6a:e8:ed:d5:1d:2d:36:32:64:39:38:4f:9c:8a (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:DA:3F:AA (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.27 seconds

As usual, port 80 is open, so we can open the IP address in the web browser.

Let's run dirb against it.

Dirb

We can see there is a /robots.txt.

We don't have permission to access this file, so I use Nikto to enumerate further.

Nikto

We can see that /atlantis.php is listed inside robots.txt.

There is a login form; the first thing that comes to mind is SQL injection.

After some tries, I can bypass the login form using this payload in the username field.

I can't seem to find anything. I even tried LFI with ../../../../../../etc/passwd, but it does not work, so I went back to more enumeration.

Gobuster

Ah, we can see that there is a /gods directory.

This is where the log files are stored. Since the page is reading a log file, it seems we can request ../../../../../../var/log/auth instead.

If we do it the proper way, things look like this.

Exploitation

Wfuzz

We will use Wfuzz.

First, we need to use Burp to intercept the request and get the PHPSESSID.

Then, I use

At first I didn't get what I wanted. Then I checked the wordlist and, surprisingly, it does not include ../../../../../../../var/log/auth.

So I added it myself, and then we can run the command again.

We need to hide the responses whose word count is 39.

Run it again and we get this.

We can see the log file now, so we can poison the log through the LFI.

Then we can go to the end of the URL and add &c=id;whoami;

We can now get a reverse shell from it.

Our machine

At the end of the URL

We got a shell!

Then we can type

After some digging we can use

to see which ports are listening on the machine.

As we can see, there is another port listening.

Port Forward

We can forward the port to get access to it. Since the service only listens locally, we need to use socat.

Then we can access it on port 8888.

Then click the Main page.

Since it mentions a cookie, let's check the cookie.

We can decode the password with this website, and we get this.

After some research, it turns out to be a jsonpickle exploit. We can read these three websites

to get an idea of how it works.

The code looks like this

Then we can base64-encode it, put it in the cookie, and get a reverse shell.

Remember to set up a listener on our machine first.

Then refresh the page, and we got root!

Navigate to /root and get flag.txt.

Congratulations!
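From the defender's side, as an added example that is not part of the original walkthrough: the root cause here is that an attacker-controlled cookie is handed to jsonpickle.decode, which rebuilds arbitrary Python objects. The snippet below reads the same base64 JSON cookie with the standard json module instead and rejects anything carrying jsonpickle's py/ object tags; the field names and values in the sample cookies are constructed placeholders, not values from the machine.

```python
import base64
import json
from typing import Optional

# jsonpickle marks objects it should reconstruct with keys such as
# "py/object" or "py/reduce". A plain session dict never needs any of
# them, so any key with this prefix is treated as hostile input.
JSONPICKLE_TAG_PREFIX = "py/"


def contains_jsonpickle_tags(node) -> bool:
    """Walk a parsed JSON tree and report whether any dict key carries a py/ tag."""
    if isinstance(node, dict):
        return any(
            key.startswith(JSONPICKLE_TAG_PREFIX) or contains_jsonpickle_tags(value)
            for key, value in node.items()
        )
    if isinstance(node, list):
        return any(contains_jsonpickle_tags(item) for item in node)
    return False


def load_session_cookie(cookie_value: str) -> Optional[dict]:
    """Decode a base64 session cookie with json.loads (no object reconstruction).

    Returns the session dict, or None if the cookie is not valid base64/JSON,
    is not a JSON object, or carries jsonpickle object tags.
    """
    try:
        raw = base64.b64decode(cookie_value, validate=True)
        data = json.loads(raw)
    except ValueError:  # binascii.Error and JSONDecodeError are both ValueErrors
        return None
    if not isinstance(data, dict) or contains_jsonpickle_tags(data):
        return None
    return data


# Constructed sample cookies (hypothetical field names, not from the target).
BENIGN_COOKIE = base64.b64encode(
    json.dumps({"username": "guest", "role": "user"}).encode()
).decode()
TAGGED_COOKIE = base64.b64encode(
    json.dumps({"username": {"py/object": "some.module.SomeClass"}}).encode()
).decode()

if __name__ == "__main__":
    print(load_session_cookie(BENIGN_COOKIE))  # {'username': 'guest', 'role': 'user'}
    print(load_session_cookie(TAGGED_COOKIE))  # None
```

The tag check is defence in depth for code that still calls jsonpickle somewhere; the real fix is to never deserialise untrusted cookie data with jsonpickle at all and to sign the cookie so it cannot be tampered with.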
