Today I decided to check Symfonos:1 CTF shared by VulnHub. Here we go...
We will start here:
During the scan I tried gobuster against the target host:
Ok that file got my attention. ;] Checking:
So we got (at least) 'few passwords' to check. Cool. Then I tried another open port - 25/tcp:
So as you can see I tried helios username also for smbclient:
Hint from attention.txt file was good. ;] Next:
And we found some bugs:
Checking the bug:
Let's try it:
That's how I found some new passwords:
Ok, our session is ready, we can move on:
Looking for interesting (suid) files:
Reading ELF with strings:
Ok, so maybe if the binary is looking for curl and in the strings's listing we can find system (I assumed that this is a function name ;)), maybe there is a simple way: overwrite the binary in current PATH:
I must say it was very interesting CTF. :) Big thanks goes to Zayotic for preparing this game!
See you next time!