# Pit -- HTB machine Writeup <Unfinished> ###### tags: `pentest log` ## Step 1. Info Gathering ### Nmap ![](https://i.imgur.com/CyPPJVh.png) ![](https://i.imgur.com/GhqGanh.png) ### Nitko ![](https://i.imgur.com/hQDrYRI.png) ## Step 2. Vulnerability Analysis :::success SNMP不僅可使用於網路設備之日常維運作業,亦可提供網路維運人員即時監控設備異常事件發生及因應處理。 SNMP運作於 OSI App layer,管理端經由UDP傳送request至代理者(port 161),代理者透過來源埠傳送response至管理端。此外,當被監控設備發生異常事件時,例如cold start或link down,代理者可經由UDP主動傳送notification至管理端(port 162)。 ![](https://i.imgur.com/SjC2zPx.png) 惡意無線基地台(Rogue AP)是指在網路管理員未知情且未予以授權之情況下,逕自將(AP)私接於組織內部有線網路以提供或使用無線網路服務,形成一個嚴重威脅安全的問題。 ![](https://i.imgur.com/d4VdmD2.png) SNMP Agent是以變數方式呈現被管理裝置的相關資訊,每個變數皆有其唯一的物件識別碼(Object Identifier; OID),而OID是以階層方式被描述於管理資訊庫(Management Information Base; MIB),例如OID為1.3.6.1.4.1.9代表Cisco公司。 ::: First, we use `snmpwalk` and `snmp-chek` to walkthrough whole system. However, nothing worth mentioning. ![](https://i.imgur.com/bIdh51f.png) ![](https://i.imgur.com/Sk2AkO4.png) Thus we use another [opensource snmp enumeration perl script](https://link.zhihu.com/?target=https%3A//github.com/dheiland-r7/snmp) to scan it. ![](https://i.imgur.com/wfQXlcj.png) ![](https://i.imgur.com/IvGrMnY.png) :::info **CVE-2019-12744** ![](https://i.imgur.com/kojkqP8.png) ::: ## Step 3. Exploit It With result of ![](https://i.imgur.com/Je9765v.png) ![](https://i.imgur.com/5HFAe5n.png) ## Step 4. Privilege Escalation ![](https://i.imgur.com/LIOFk4u.png) :::success **setuid** ![](https://i.imgur.com/5T6MB4A.png) :::