Nmap scan results:
The website was some form of corporate website.
However, checking for directories or other web exploits was rather unsuccessful, as I did not find anything of use.
Because we couldn't find anything with the TCP ports, we could enumerate the UDP ports and hopefully find something:
So port 161 for SNMP was open. We can then use snmpwalk to enumerate this further.
Redirecting this output to a file, I was able to find some credentials within the contents:
With these credentials, we can SSH in as the daniel user.
As daniel, we did not have many permissions on the machine. However, we were able to head to the /var/www/pandora directory and find another website that was up:
Checking the apache2 config files reveals that the user matt was running the other web server:
So, I started an SSH tunnel using the credentials for daniel, forwarding port 80 to our machine.
From the machine we can determine that this was a Pandora FMS instance.
Pandora FMS was vulnerable to many types of exploits, one of which was CVE-2021-32099, which leverages an SQL injection on the /include/chart_generator.php endpoint to bypass authentication and allow attackers to log in as the admin.
Then, we would gain access to the Pandora Dashboard.
I did more research and found this repository, which allowed us to use the SQL injection to upload a web shell of our choosing to the server:
Then, we can gain a reverse shell via a Python3 shell.
I ran another LinPEAS as matt, and found that the root user was running some processes.
I also found this one SUID binary called pandora_backup.
Running pandora_backup would call tar, as per the process we found. The binary invoked tar without an absolute path, so it is resolved through the caller's PATH; that means we can create our own malicious tar script, and because the binary is SUID, it runs our script as root.
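For contrast, here is the pattern a setuid helper like pandora_backup should have followed. This is an added illustration, not code from the box or from Pandora FMS: a hypothetical helper that resolves the command name only against fixed trusted directories (never the caller's PATH) and executes it with a minimal, caller-independent environment, so dropping a fake tar into a writable directory has no effect.

```c
// Added example (hypothetical): hardened way for a setuid helper to run tar.
// The write-up's defect is resolving "tar" via the caller's PATH; here the
// name is looked up only in TRUSTED_DIRS and the child gets a fixed environment.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

// Only these directories are ever searched; the caller's PATH is ignored.
static const char *const TRUSTED_DIRS[] = { "/usr/bin", "/bin", NULL };

// Resolve a bare command name against TRUSTED_DIRS. Returns 0 and fills
// out with an absolute path, or -1 if the name is unsafe or not found.
int resolve_trusted(const char *name, char *out, size_t outlen) {
    if (name == NULL || *name == '\0' || strchr(name, '/') != NULL)
        return -1;                       // reject paths, accept bare names only
    for (int i = 0; TRUSTED_DIRS[i] != NULL; i++) {
        int n = snprintf(out, outlen, "%s/%s", TRUSTED_DIRS[i], name);
        if (n < 0 || (size_t)n >= outlen)
            return -1;                   // truncated: refuse rather than guess
        if (access(out, X_OK) == 0)
            return 0;
    }
    return -1;
}

// Execute a trusted command with a fixed environment. Variables supplied by
// the caller (PATH, LD_PRELOAD, IFS, ...) never reach the privileged child.
// Returns the child's exit status, or -1 on failure.
int run_trusted(const char *name, char *const argv[]) {
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    char path[256];
    if (resolve_trusted(name, path, sizeof path) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(path, argv, clean_env);   // absolute path, no PATH search
        _exit(127);                      // only reached if exec failed
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    // Same effect as calling "tar" by bare name, without the PATH risk.
    char *const argv[] = { "tar", "--version", NULL };
    return run_trusted("tar", argv) == 0 ? 0 : 1;
}
```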
We can run these commands for a shell: