Pandora - [HTB]

Marmeus

Introduction

Pandora is an easy Linux machine from HackTheBox where you will enumerate the SNMP service in order to find a command with credentials passed as parameters. These credentials can be used to gain access to the machine as daniel. Then, there is a Pandora service only available through localhost, requiring port forwarding in order to exploit several vulnerabilities in that Pandora version. Finally, you will have to exploit a path hijacking weakness in a SUID binary to become root.

Enumeration

As always, let's start by scanning all open ports on the box with Nmap.

Then, we continue with a deeper scan of every open port, getting more information about each service.

Looking for domain names on the web page to add to /etc/hosts, we obtain the following.

Accessing the web page, we can read about a monitoring solution.

Panda web page

Because UDP port 161 is open, let's use snmpwalk to enumerate the service, finding a command with some credentials passed as parameters.

These credentials can be used to access the machine as the user daniel through SSH.
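The root cause of this foothold is a process that takes its credentials as command-line arguments, which SNMP (via the hrSWRunParameters table) and `ps` then expose to anyone who can query them. The following script is an added defensive check, not part of the original write-up: it reads `/proc/<pid>/cmdline` on a Linux host and flags arguments that look like secrets, so an administrator can find such processes before an attacker does. The `SAMPLE_CMDLINES` list is constructed for the demonstration and does not come from the box; the regexes are heuristics and should be tuned for the environment.

```python
import os
import re
from typing import Dict, Iterable, List, Tuple

# Argument shapes that commonly carry a secret on the command line. Anything
# matched here is readable by every local user via /proc/<pid>/cmdline and
# `ps`, and over the network via SNMP's hrSWRunParameters table when snmpd is
# reachable with a readable community string.
SECRET_ARG_PATTERNS = [
    # "-p secret", "-psecret", "--password secret", "--password=secret".
    # A bare "-p" that prompts instead of taking a value is reported too;
    # treat that as a false positive to review by hand.
    re.compile(r"(?:^|\s)(?P<flag>-p|--password|--passwd|--pass)(?:=|\s*)(?P<value>\S+)"),
    # "password=secret", "--token=secret", "?api_key=secret" (any case).
    re.compile(
        r"(?:^|\s|[?&])-{0,2}(?P<flag>password|passwd|pass|secret|token|api[_-]?key)=(?P<value>\S+)",
        re.IGNORECASE,
    ),
]

# Constructed sample command lines (not captured from a real host).
SAMPLE_CMDLINES = [
    "/usr/bin/mysql -u backupuser -p S3cr3tPass -h 127.0.0.1 dbname",
    "/usr/sbin/sshd -D",
    "/usr/bin/python3 /opt/agent/sync.py --token=abcd1234efgh",
    "/usr/bin/curl -s http://127.0.0.1/api?password=hunter2",
]


def mask(value: str) -> str:
    """Keep the first two characters so a finding is recognisable without reprinting the secret."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def find_exposed_secrets(cmdline: str) -> List[Tuple[str, str]]:
    """Return (flag, masked_value) for every secret-looking argument in one command line."""
    hits = []
    for pattern in SECRET_ARG_PATTERNS:
        for m in pattern.finditer(cmdline):
            hits.append((m.group("flag"), mask(m.group("value"))))
    return hits


def read_proc_cmdlines() -> Iterable[Tuple[int, str]]:
    """Yield (pid, cmdline) for every process visible in /proc (Linux only)."""
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/cmdline", "rb") as fh:
                raw = fh.read()
        except OSError:
            continue  # process exited or is not readable
        if raw:
            # Arguments are NUL-separated in /proc; join them like ps does.
            yield int(entry), raw.replace(b"\x00", b" ").decode(errors="replace").strip()


def audit(cmdlines: Iterable[Tuple[int, str]]) -> List[Dict[str, object]]:
    """Run the check over (pid, cmdline) pairs and collect findings."""
    findings = []
    for pid, cmd in cmdlines:
        for flag, masked in find_exposed_secrets(cmd):
            findings.append({"pid": pid, "flag": flag, "masked": masked, "cmdline": cmd})
    return findings


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    for f in audit(enumerate(SAMPLE_CMDLINES)):
        print(f"[sample {f['pid']}] {f['flag']} -> {f['masked']} :: {f['cmdline']}")
    # Live check on the current host, if /proc is available.
    if os.path.isdir("/proc"):
        for f in audit(read_proc_cmdlines()):
            print(f"[pid {f['pid']}] {f['flag']} -> {f['masked']} :: {f['cmdline']}")
```

A process flagged here should read its credentials from a root-only configuration file or environment variable instead, and the SNMP daemon should not expose hrSWRun tables to a default community string in the first place.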

Privilege Escalation 1

By enumerating the machine, we can find a virtual host that is only available via localhost.

To do so, we need to execute the following command.

Now we have access to Pandora's console.

Pandora console

As we can see above, Pandora's version number is shown on the landing page. Looking for vulnerabilities in that version, you can find the following post, which explains the SQLi login bypass. However, it doesn't show the payload in the proof of concept.

There are two ways of exploiting this part:

  1. Thanks to the SQLi, we can obtain matt's PHPSESSIONID, which lets us log in as matt. Then, we will need to use another exploit to get RCE.
  2. Thanks to the SQLi and the PHP deserialisation, we can log in as admin and upload a PHP reverse shell.

Exploitation 1

The payload to log in as matt is the following.

Then, this post explains how to obtain remote command execution via the Events feature.

Exploitation 2

The payload to log in as admin is the following:

Now, if we go to Admin tools/File Manager, we can upload any file, such as /usr/share/laudanum/php/php-reverse-shell.php, which will be stored under the /images/ directory.
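The upload step works because the web server is willing to execute PHP from a directory meant for images. As an added detection example (not from the write-up or from Pandora FMS), the script below walks an upload directory and reports files that carry a server-side extension or contain a PHP opening tag despite an image-like name. `build_sample_dir` creates a constructed sample tree in a temporary directory so the check can be run offline; the file names and contents are invented for the demonstration.

```python
import os
import tempfile
from typing import Dict, List

# Extensions the web server would hand to the PHP interpreter.
SERVER_SIDE_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar", ".phps"}
# Byte sequences that mark PHP code regardless of the file's extension.
PHP_MARKERS = (b"<?php", b"<?=")


def classify_file(path: str) -> List[str]:
    """Return a list of reasons this file should not sit in a public upload directory."""
    issues = []
    ext = os.path.splitext(path)[1].lower()
    if ext in SERVER_SIDE_EXTENSIONS:
        issues.append("server-side extension")
    try:
        with open(path, "rb") as fh:
            head = fh.read(4096)  # markers in real uploads sit near the start
    except OSError:
        return issues
    if any(marker in head for marker in PHP_MARKERS):
        issues.append("php opening tag in content")
    return issues


def audit_upload_dir(root: str) -> Dict[str, List[str]]:
    """Walk the upload directory and map each suspicious file (relative path) to its issues."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            issues = classify_file(full)
            if issues:
                findings[os.path.relpath(full, root)] = issues
    return findings


def build_sample_dir() -> str:
    """Create a constructed sample upload directory (not a real server's) and return its path."""
    root = tempfile.mkdtemp(prefix="upload_audit_")
    os.mkdir(os.path.join(root, "gallery"))
    samples = {
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,           # genuine image header
        "notes.txt": b"plain text, nothing to execute\n",
        "report.php": b"<?php echo 'hello'; ?>",                    # script with script extension
        "avatar.jpg": b"<?php echo 'not an image'; ?>",             # script hidden behind image name
        os.path.join("gallery", "photo.jpg.php"): b"<?= 'double extension' ?>",
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sample_root = build_sample_dir()
    for rel, issues in sorted(audit_upload_dir(sample_root).items()):
        print(f"{rel}: {', '.join(issues)}")
```

Point `audit_upload_dir` at the real images directory to triage an existing deployment. The durable fix is configuration rather than scanning: the upload directory should be served with script execution disabled (for Apache with mod_php, `php_admin_flag engine off` in that directory's block) and uploads should be validated by content, not only by extension.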

Privilege Escalation

Thanks to linpeas, we can see a SUID binary that can only be executed as the user matt.

With ltrace, we can see that it doesn't use an absolute path to execute the tar command. Hence, we can use path hijacking to become root.

However, we need to access the machine as matt through SSH in order to make it work.

Finally, once logged in, we can become root by executing the following commands.
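The weakness behind this last step is a SUID binary that shells out to `tar` by bare name, so the caller's `PATH` decides which `tar` runs. As an added auditing example (not part of the write-up), the script below walks a filesystem for SUID/SGID binaries and flags embedded strings that start with a common command name without a leading `/`. It is a triage heuristic: `ltrace`, as used above, is the definitive way to confirm a hit. `SAMPLE_BINARY` is a constructed byte string standing in for a real executable, and `WATCHED_COMMANDS` is an assumed list that should be extended for the environment.

```python
import os
import re
import stat
from typing import Dict, List

# Commands a SUID helper commonly shells out to. A bare name means PATH lookup
# at run time, which the unprivileged caller controls.
WATCHED_COMMANDS = ("tar", "cp", "mv", "rm", "cat", "sh", "bash", "gzip", "find", "chmod", "chown", "ps", "ls")
RELATIVE_CMD_RE = re.compile(r"^(?P<cmd>" + "|".join(WATCHED_COMMANDS) + r")(?:\s|$)")

# Constructed stand-in for a binary: an ELF-like prefix and a few embedded strings.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"tar -cvf /tmp/backup.tar /var/www\x00"      # bare command name: PATH-dependent
    + b"/usr/bin/gzip -9 /tmp/backup.tar\x00"       # absolute path: fine
    + b"running backup\x00"
)


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Minimal `strings`: runs of printable ASCII of at least min_len characters."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def relative_command_refs(strings: List[str]) -> List[str]:
    """Keep strings that begin with a watched command name and no directory component."""
    return [s for s in strings if RELATIVE_CMD_RE.match(s)]


def find_suid_binaries(root: str) -> List[str]:
    """Return regular files under root with the SUID or SGID bit set (symlinks are skipped)."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append(path)
    return found


def audit_suid(root: str) -> Dict[str, List[str]]:
    """Map each SUID/SGID binary under root to the PATH-dependent command strings it contains."""
    findings = {}
    for path in find_suid_binaries(root):
        try:
            with open(path, "rb") as fh:
                data = fh.read()
        except OSError:
            continue
        refs = relative_command_refs(extract_strings(data))
        if refs:
            findings[path] = refs
    return findings


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    print("sample:", relative_command_refs(extract_strings(SAMPLE_BINARY)))
    # Live audit of the usual system directories (needs read access to the binaries).
    for root in ("/usr/local/bin", "/usr/local/sbin", "/opt"):
        for path, refs in audit_suid(root).items():
            print(f"{path}: {refs}")
```

A flagged binary should invoke its helpers by absolute path (or set `PATH` to a fixed, trusted value before any `system`/`execvp` call) and drop privileges wherever it can; the same review applies to sudo rules that run scripts with an inherited environment.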