Symfonos2

SMB server contains a file called "log.txt". log file contains SMB share configuration settings and reveals a username called aeolus. We can bruteforce the password for aeolus using Hydra. ftp and login through SSH using those same credentials. Once ssh'ed into the box we find a web server hosting LibreNMS listening internally on port 8080. We forward this to our kali and are able to login to LibreNMS using the credentails for aeolus. Authenticated RCE expoit used from searchsploit that gains us a shell as user cronus

// Some code
smbclient //192.168.1.169/anonymous
/home/aeolus/share
sergioteamo

we find a user called aeolus in the backup file

ssh -L 8888:127.0.0.1:8080 aeolus@192.168.1.169

check the site:

searchsploit librenms

use exploit/linux/http/librenms_addhost_cmd_inject

cat /opt/librenms/config.php

linpeas also showed that cronus is able to run mysql without any password (using sudo)

become root by able to run sudo mysql and then escape into a shell

#root!