An easy Linux box from HackTheBox, enumerating SNMP for initial access, then using a kernel exploit for root.

Recon

All-port nmap scan to start (make a coffee):

nmap -sV -sC -p- -oA nmap/pandora 10.10.11.136
Nmap scan report for 10.10.11.136
Host is up (0.035s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 24:c2:95:a5:c3:0b:3f:f3:17:3c:68:d7:af:2b:53:38 (RSA)
|   256 b1:41:77:99:46:9a:6c:5d:d2:98:2f:c0:32:9a:ce:03 (ECDSA)
|_  256 e7:36:43:3b:a9:47:8a:19:01:58:b2:bc:89:f6:51:08 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Play | Landing
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nothing much there: SSH and a web server.

Navigating to the site, we find a contact form and a mention of another app called Play.

To check whether the contact form is SQL injectable, save the request Burp captures when the form is submitted and hand it to sqlmap:

sqlmap -r contact.req

Unfortunately, none of the parameters are injectable.

Also tried to enumerate vhosts with gobuster:

gobuster vhost --follow-redirect -u http://panda.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -o ~/Documents/htb/pandora/gobuster/pandora.vhost

But that didn’t find anything either. Absolutely stumped, guess I’ll go back to nmap.

Let’s try enumerating UDP services:

sudo nmap -sU 10.10.11.136

We find an SNMP service (Simple Network Management Protocol) listening on UDP port 161. Finally.

Now we can use snmpenum to see what that service exposes: public is the community string, and linux.txt is the config file to use (no need to write it yourself, it comes with the tool):

snmpenum 10.10.11.136 public linux.txt

The output leaks a username, daniel:

sshd: daniel [priv]
sshd: daniel@pts/1

The snmpenum output is long and badly formatted, so use snmpwalk to enumerate it more cleanly:

snmpwalk -c public -v2c -On 10.10.11.136 > pandora.walk

It’s a yuge dump, so grep through it for high-entropy strings and login-looking things such as “-u” and “-p”, ssh commands and so on. That turns up daniel’s password in the arguments of a running process:

.1.3.6.1.2.1.25.4.2.1.5.1118 = STRING: "-u daniel -p HotelBabylon23"
.1.3.6.1.2.1.25.4.2.1.5.19258 = STRING: "-k start"
.1.3.6.1.2.1.25.4.2.1.5.19283 = STRING: "-u daniel -p HotelBabylon23"

which we can use to ssh in.
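A defender-side check that the process-argument rows above invite, added here as an example and not part of the original writeup: the OID prefix .1.3.6.1.2.1.25.4.2.1.5 is hrSWRunParameters, the command-line arguments of every running process, which any client holding the read-only community string can read. The script parses `snmpwalk -On` output and reports processes whose arguments carry a password-like value, with the secret masked; the sample walk is constructed (the three rows quoted above plus invented rows), and the list of credential flags is an assumption to tune per environment.

```python
import re
from typing import Dict, List

# OID prefix of hrSWRunParameters (HOST-RESOURCES-MIB): one row per running process,
# holding its command-line arguments; readable by anyone with the read-only community.
HR_SW_RUN_PARAMETERS = ".1.3.6.1.2.1.25.4.2.1.5."
# One quoted-STRING row of `snmpwalk -On` output.
WALK_ROW = re.compile(r'^(?P<oid>\.[\d.]+)\s*=\s*STRING:\s*"(?P<val>.*)"\s*$')
# Password-style arguments (assumed list). Glued forms such as mysql's "-pSECRET" are
# skipped on purpose: matching them would also flag harmless options like "-pidfile".
CRED_ARG = re.compile(r"(?:^|\s)(-p|--password|--pass|PGPASSWORD|MYSQL_PWD)(?:=|\s+)(\S+)")

# Constructed sample: the three rows quoted in the writeup plus made-up rows
# covering a non-parameter OID, a long option and a bare "-p" prompt flag.
SAMPLE_WALK = """\
.1.3.6.1.2.1.25.4.2.1.4.1118 = STRING: "/usr/bin/example_check"
.1.3.6.1.2.1.25.4.2.1.5.1118 = STRING: "-u daniel -p HotelBabylon23"
.1.3.6.1.2.1.25.4.2.1.5.19258 = STRING: "-k start"
.1.3.6.1.2.1.25.4.2.1.5.19283 = STRING: "-u daniel -p HotelBabylon23"
.1.3.6.1.2.1.25.4.2.1.5.2001 = STRING: "--password=Pl4ceholder --host db.internal"
.1.3.6.1.2.1.25.4.2.1.5.2002 = STRING: "-u root -p"
"""

def parse_walk(text: str) -> Dict[int, str]:
    """Map PID -> argument string for every hrSWRunParameters row in the walk."""
    procs: Dict[int, str] = {}
    for line in text.splitlines():
        m = WALK_ROW.match(line.strip())
        if m and m.group("oid").startswith(HR_SW_RUN_PARAMETERS):
            pid = int(m.group("oid")[len(HR_SW_RUN_PARAMETERS):])
            procs[pid] = m.group("val")
    return procs

def find_exposed_credentials(text: str) -> List[dict]:
    """One finding per process carrying a password-like argument; the secret is masked."""
    findings = []
    for pid, argv in sorted(parse_walk(text).items()):
        m = CRED_ARG.search(argv)
        if m:
            flag, secret = m.group(1), m.group(2)
            findings.append({"pid": pid, "flag": flag, "argv": argv.replace(secret, "***")})
    return findings

if __name__ == "__main__":
    for f in find_exposed_credentials(SAMPLE_WALK):
        print(f"pid {f['pid']}: {f['flag']} found in argv: {f['argv']}")
```

Run it against a walk of your own hosts; the fix is to stop passing secrets on command lines (use config or environment files with tight permissions) and to replace default communities or move to SNMPv3 so the process table is not world-readable.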

Exploitation

After ssh’ing in with those creds, start a Python web server on the attacking machine, fetch linpeas.sh into /tmp on the box, and run it.

The box is exploitable with CVE-2021-4034.

git clone the exploit on the attacking host, wget the folder from the target, and run it to get root.