🔎🦶Enumeration/Foothold
Pandora from Hack The Box, created by TheCyberGeek and dmw0ng, is an Easy-rated Linux machine. It starts with port 161 open on UDP. Using snmp-check you are able to find a password for the daniel user. Once on the box you use SSH to port-forward a locally running instance of Pandora FMS. You use CVE-2021-32099 and the built-in File Manager to upload a PHP web shell, which gets you a shell as matt. Finally you use pandora_backup, which runs as root, to escalate to the root user and finish the box.
I began this box by setting an $ip variable to the current box IP. Next I ran a quick RustScan against the box to grab the open ports and sent the result to xsltproc to convert it to HTML for easier reading:
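The scan pipeline described above, written out as an added example (this is not the write-up's own command line): rustscan finds the open ports and hands them to nmap, nmap writes XML, and xsltproc renders that XML with the stylesheet nmap references in the file. It goes one step further than the write-up by also pulling the open ports straight out of the XML with awk, so the summary can be grepped or fed to other tools. The target name, output file names and the embedded nmap XML are constructed for illustration; rustscan, nmap and xsltproc are assumed to be installed for the live scan, while the parsing part runs offline on the sample.

```shell
#!/bin/sh
# Added example, not from the original write-up. Assumes rustscan, nmap and
# xsltproc are installed for scan_to_html; open_ports needs only awk.

# scan_to_html <target> <basename>: RustScan for port discovery, nmap (-sC -sV)
# for service detection. -oX writes nmap XML; xsltproc turns it into HTML using
# the xml-stylesheet instruction nmap puts at the top of the XML file.
scan_to_html() {
    target="$1"; out="$2"
    rustscan -a "$target" --ulimit 5000 -- -sC -sV -oX "$out.xml" >/dev/null || return 1
    xsltproc "$out.xml" -o "$out.html"
}

# open_ports <nmap.xml>: print "port/proto service" for every port whose state
# is exactly "open" (so "open|filtered" UDP results are not reported as open).
# Works whether nmap put each <port> on one line or spread it over several.
open_ports() {
    awk '
        /<port / {
            open = 0; svc = ""
            match($0, /protocol="[a-z]+"/); proto = substr($0, RSTART + 10, RLENGTH - 11)
            match($0, /portid="[0-9]+"/);   port  = substr($0, RSTART + 8,  RLENGTH - 9)
        }
        /<state / && /state="open"/ { open = 1 }
        /<service / { match($0, /name="[^"]*"/); svc = substr($0, RSTART + 6, RLENGTH - 7) }
        /<\/port>/ { if (open) print port "/" proto " " svc }
    ' "$1"
}

# Constructed sample of nmap XML output (not a real scan result): two open TCP
# ports and one closed one, mirroring the "only two ports open" situation.
NMAP_SAMPLE_XML='<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet href="file:///usr/share/nmap/nmap.xsl" type="text/xsl"?>
<nmaprun scanner="nmap" args="nmap -sC -sV -oX scan.xml 10.10.10.5">
<host><status state="up" reason="echo-reply"/>
<address addr="10.10.10.5" addrtype="ipv4"/>
<ports>
<extraports state="closed" count="65532"><extrareasons reason="resets" count="65532"/></extraports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="63"/><service name="ssh" product="OpenSSH" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="63"/><service name="http" product="Apache httpd" method="probed" conf="10"/></port>
<port protocol="tcp" portid="443"><state state="closed" reason="reset" reason_ttl="63"/><service name="https" method="table" conf="3"/></port>
</ports></host>
</nmaprun>'

# demo_open_ports: parse the constructed sample without touching the network.
demo_open_ports() {
    tmp=$(mktemp)
    printf '%s\n' "$NMAP_SAMPLE_XML" > "$tmp"
    open_ports "$tmp"
    rm -f "$tmp"
}

# Usage: sh scan.sh <target>  -> live scan to scan-<target>.xml/.html + summary
#        sh scan.sh           -> offline: summarise the constructed sample only
if [ -n "${1:-}" ]; then
    scan_to_html "$1" "scan-$1" && open_ports "scan-$1.xml"
else
    demo_open_ports
fi
```

With no argument the script only parses the embedded sample and prints 22/tcp ssh and 80/tcp http; with a target it runs the real pipeline and leaves both the XML (for tooling) and the HTML (for reading) on disk.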
Reviewing the results I can see only two ports open. While nmap is finishing I navigate over to port 80:
I noticed both play/panda being mentioned throughout the site, so I added both of them to my hosts file:
Next I used GoBuster to kick off VHOST/sub-domain scans and ran a secondary nmap scan for UDP. The nmap scan comes back with a hit:
🔝Escalation to Daniel
I could see that port 161 was open to SNMP, so I ran snmp-check to see if I could pull any further information:
A lot of information came back, including a username and password. I tried the username and password on SSH and logged into the box:
Once on the box I looked around the /var/www directory and saw pandora_console and some .sql files. As I had python available and SSH access, I set up a local http.server to retrieve the database files for review:
Reviewing the files I could see the following:
I added the hash to a file and ran it with john:
I then did the same thing as above with port 80, forwarding it so I could hit it via my localhost:
I tried the default credentials of admin/pandora, which I had cracked previously, and they didn't work. Next I tried daniel's creds but was told I could only use the API:
I kicked off hydra and sqlmap and, after a few attempts, I was able to get data back from sqlmap. I pulled the tpassword_history table in an attempt to log in, which was unsuccessful:
Next, I found the following blog post, Sonarsource – Pandora FMS 742, which highlighted CVE-2021-32099. I tried the URL:
🔝Escalation to Matt
Going to just pandora_console afterwards logged us in. Once on the Dashboard I navigated around until I found a File manager:
I uploaded a PHP web shell (WSO 4.2.5) and found it within the images directory. I looked around the environment using the built-in console and found pandora_backup:
I wanted a more stable shell to find out what pandora_backup was doing, so I upgraded my shell by setting up SSH access as the active user:
⚠ Attack Machine
🎯Victim Machine
Once logged in I checked pandora_backup and could see it was creating a backup:
Running cat on the program I could see that tar was being executed and that it was creating a backup as root. I could also see the PATH was not fully defined, meaning tar would be resolved through the caller's PATH rather than by an absolute path:
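To make the weakness concrete, here is an added example that is not code from the write-up or from Pandora FMS. It builds a constructed stand-in for pandora_backup that calls tar by name without fixing its PATH (the behaviour the write-up describes), a hardened version that pins PATH and uses an absolute path to tar, and an attacker-controlled tar placed earlier on the PATH. The fake tar only drops a marker file; nothing runs as root and everything lives in a temporary directory. The script names, marker file and sample data are all assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original write-up: PATH hijack of an unqualified
# "tar" call, alongside the fix. Runs entirely unprivileged in a temp directory.

WORK=$(mktemp -d)
cleanup() { rm -rf "$WORK"; }
trap cleanup EXIT

# Constructed stand-in for the vulnerable program: "tar" is looked up through
# whatever PATH the caller supplies, so the caller chooses which tar runs.
cat > "$WORK/backup_weak" <<'EOF'
#!/bin/sh
tar -cf "$1" "$2" 2>/dev/null
echo "backup done"
EOF

# Hardened stand-in: PATH is reset to trusted directories and tar is invoked by
# absolute path, so the caller's environment cannot redirect the call.
cat > "$WORK/backup_fixed" <<'EOF'
#!/bin/sh
PATH=/usr/bin:/bin
export PATH
/bin/tar -cf "$1" "$2" 2>/dev/null
echo "backup done"
EOF

# Attacker-controlled "tar" sitting in a directory the attacker can write to.
# Here it only leaves a marker file; on a real host this is where a shell or an
# authorized_keys write would go, running with the privileges of the caller.
mkdir -p "$WORK/evil"
cat > "$WORK/evil/tar" <<'EOF'
#!/bin/sh
echo hijacked > "$(dirname "$0")/marker"
EOF

chmod +x "$WORK/backup_weak" "$WORK/backup_fixed" "$WORK/evil/tar"
printf 'constructed sample data\n' > "$WORK/file.txt"

# run_backup <weak|fixed>: run the chosen stand-in with the attacker's directory
# prepended to PATH. Prints "hijacked" if the fake tar executed, else "clean".
run_backup() {
    rm -f "$WORK/evil/marker" "$WORK/out.tar"
    ( PATH="$WORK/evil:$PATH" "$WORK/backup_$1" "$WORK/out.tar" "$WORK/file.txt" ) >/dev/null
    if [ -f "$WORK/evil/marker" ]; then echo hijacked; else echo clean; fi
}

echo "weak binary:  $(run_backup weak)"
echo "fixed binary: $(run_backup fixed)"
```

The weak stand-in reports hijacked because the shell resolves tar in PATH order and finds the attacker's copy first; the fixed one reports clean regardless of the caller's PATH. The same two controls, a pinned PATH and absolute paths for every external command, are what to look for when auditing any setuid or root-run helper that shells out.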