Vulnhub - Symfonos-2

Today, we are going to pwn Symfonos 2 from Vulnhub.


Starting off with Nmap, using nmap -sV -sC -A -p- -T5 shows that we have FTP, SSH, HTTP and SMB port.

HTTP and FTP Enumeration

Going to the HTTP port shows a similar image that we encountered in previous symfonos machine. Nothing is there, running gobuster, dirb and other web crawlers gave nothing. So moving over to SMB, sice it has Backup folder which is publicly accessible, we can see a log.txt. It has following data:

SAO, we get know thatthere is user aeolus and the directory where backup is being stored.
So, as we knew FTP service is available which is ProFTP 1.3.5, searching for the exploit on ExploitDB. It has a exloit of mod_copy which allows you to copy files from one folder to another. @mzfr discovered it.
We tried it and we were almost close to making it work but alas, we couldn’t. It was just a silly mistake and from this point we accidentaly did the machine in a very unintended way.

site cpfr /etc/passwd
350 File or directory exists, ready for destination name
site cpto <?php phpinfo(); ?>
550 cpto: Permission denied
site cpfr /proc/self/fd/3
350 File or directory exists, ready for destination name
site cpto /var/www/test.php


I will explain the other method at last which @zayotic told @mzfr after completion of machine.

FTP Bruteforce and SSH Login

Well, from this point using THC-Hydra and rockyou.txt we got the password of user aeolus. hydra -l aeolus -P rockyou.txt ftp -t 40 reveals that the password is sergioteamo. Now, we tried it to SSH into the machine with the same creentials.

SSH Login

Privilge Escalation

With some enumeration, I foud that there are 2 users aeolus and cronus. I tried it enumerate everything I can but at the it was a wild goose chase. So @mzfr told to me check /etc/apache2 folder and checking some files from that I cme to know that there is a local web server running on the machine, to confirm this I used curl which confirms it. So using socat TCP-LISTEN:5000;fork,reuseaddr we just forked te actual port i.e. 8080 to 5000 of the actual web server, now visiting to shows that it is a LibreNMS based web application. I checked ExploitDB and it has exploit for adding a hostname that will give reverse shell, using metasploit I added the module to the ~/.ms4/exploits directory.

As the exploit will start working it will give a reverse shell as the user cronus. Using sudo -L we can see that mysql can be run as root. GTFOBins to the rescue.

That has shown that using sudo mysql '\! /bin/sh we can spawn root shell.

The Flag

Intended Way

As much as I was happy for pwning this machine but it was temporry the main learning part is missed in it by using hydra.
So as I mentioned eariler we were supposed to use that ProFTP 1.3.5 vulnerbaility which can be found here to copy files from one folder to another. From that exploit we can copy the files from any folder and copy it to /home/aeolus/share/ that will make that file publicly accessible to us via SMB. So, copying the file /var/backups/shadow.bak to /home/aeolus/share/shadow.txt. After that it will be available to SMB service which can be used to dump the users password and then cracked with john to crack the hash of the user aeolus.


ProFTP 1.3.5 - File Copy:
LibreNMS Exploit:

Thanks to


Detailed version og intended way.

The very detail version of the intended way is covered by @mzfr in his writeup.

Author: D4mianwayne
Reprint policy: All articles in this blog are used except for special statements CC BY 4.0 reprint polocy. If reproduced, please indicate source D4mianwayne !