Symfonos:1 CTF

Today I decided to check Symfonos:1 CTF shared by VulnHub. Here we go...
We will start here:

During the scan I tried gobuster against the target host:

Not much. Checking SMB:

Ok that file got my attention. ;] Checking:

So we got (at least) 'few passwords' to check. Cool. Then I tried another open port - 25/tcp:

As you can see using 'unprotected' VRFY command we can enumerate users on remote box. More:

So as you can see I tried helios username also for smbclient:

Hint from attention.txt file was good. ;] Next:

 We found some txt files. todo.txt could be one of the file when we can find some hints. My favourite was /helios link. Checking:

 Great, Wordpress. Using wpscan to enumerate the page:

 More:

And we found some bugs:

 Hints from the source (line 4 ;)):

Checking the bug:

Let's try it:

Great, checking apache2 config:

 Next I was looking for the way to inject some code and get (reverse?) shell. Checking access.log:

Nope. But then I realised that maybe we (as user helios) can access our email(-file-on-remote-box)?
Checking:

Get emails:

 Good, next:

 Maybe we can read our new email too:

 Great :) I prepared a reverse_shell using metasploit (just like during last CTF):

 File is there:

 We can proceed:

Cool. :) Let's look around in the target box:


That's how I found some new passwords:

Ok, our session is ready, we can move on:

Looking for interesting (suid) files:

 And there is something in /opt/ directory, let's check it:

Reading ELF with strings:

Ok, so maybe if the binary is looking for curl and in the strings's listing we can find system (I assumed that this is a function name ;)), maybe there is a simple way: overwrite the binary in current PATH:

Indeed:)

I must say it was very interesting CTF. :) Big thanks goes to Zayotic for preparing this game!

See you next time!

Cheers