🔎🦶Enumeration/Foothold
Pandora from Hack The Box, created by TheCyberGeek and dmw0ng, is an Easy Linux-based machine. It starts with Port 161 open on UDP. Using snmp-check you're able to find a password for the daniel user. Once on the box you use SSH to port-forward a locally running instance of Pandora FMS. You use CVE-2021-32099 and the built-in File Manager to upload a PHP web-shell, which escalates to matt. Finally you use pandora_backup, which runs as root, to escalate to the root user and finish the box.
I began this box by setting an $ip variable to the current box IP. Next I ran a quick RustScan on the box to grab open ports and sent the output to xsltproc to convert it to HTML for easier reading:
Reviewing the results I can see only two ports open. While nmap is finishing I navigate over to Port 80:

Website showing Panda.HTB and Play.HTB.
I noticed both play and panda being mentioned throughout the site, so I added both of them to my hosts file:
Next I used GoBuster to kick off VHOST/sub-domain scans and a secondary nmap scan for UDP. The UDP nmap scan comes back with a hit:
🔝Escalation to Daniel
I could see that Port 161 was open for SNMP, so I ran snmp-check to see if I could pull any further information:
A lot of information came back, which included a username and password. I tried the username and password on SSH and logged into the box:
Once on the box I looked around the /var/www directory and saw pandora_console and some .sql files. As I have python available and SSH, I set up a local http.server to retrieve the database files for review:
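The useful part of snmp-check's output in a case like this is the process list, where a scheduled command carries its username and password as arguments. The following Python is an added example, not part of the writeup: it scans a constructed, snmp-check-style process table for `-u`/`--user` and `-p`/`--password` style arguments. The process names, paths and the passwords in the sample are placeholders, not values from the box.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of snmp-check's "[*] Processes:" table.
# Every command, path and secret below is a placeholder for the demo.
SAMPLE_SNMP_CHECK = """\
[*] System information:

  Hostname                : example-host

[*] Processes:

  Id                  Status              Name                Path                Parameters
  1                   runnable            systemd             /sbin/init
  912                 runnable            cron                /usr/sbin/cron      -f
  1145                runnable            sh                  /bin/sh             -c sleep 30; /bin/bash -c '/usr/local/bin/monitor_check -u daniel -p S3cretPlaceholder'
  1203                runnable            sshd                /usr/sbin/sshd      -D
  1301                runnable            python3             /usr/bin/python3    /opt/scripts/sync.py --user backup --password=Placeholder2
"""

# Short and long forms of the usual credential flags, with either a space or '=' before the value.
USER_RE = re.compile(r"(?:^|\s)(?:-u|--user(?:name)?)[ =](?P<user>\S+)")
PASS_RE = re.compile(r"(?:^|\s)(?:-p|--pass(?:word)?)[ =](?P<password>\S+)")


def find_credentials(snmp_output: str) -> List[Dict]:
    """Return every process whose command line carries a password-style argument."""
    hits = []
    in_processes = False
    for line in snmp_output.splitlines():
        if line.startswith("[*]"):
            # Section headers: only the Processes section is interesting here.
            in_processes = line.startswith("[*] Processes")
            continue
        if not in_processes or not line.strip() or line.lstrip().startswith("Id "):
            continue
        # Columns: Id, Status, Name, Path, Parameters (parameters may contain spaces, so split at most 4 times).
        fields = line.split(None, 4)
        if len(fields) < 5:
            continue  # no parameters column, nothing to inspect
        pid, _status, _name, path, params = fields
        pw = PASS_RE.search(params)
        if not pw:
            continue
        user = USER_RE.search(params)
        hits.append({
            "pid": int(pid),
            "process": path,
            "user": user.group("user").strip("'\"") if user else None,
            "password": pw.group("password").strip("'\""),
            "cmdline": path + " " + params,
        })
    return hits


if __name__ == "__main__":
    for hit in find_credentials(SAMPLE_SNMP_CHECK):
        print(f"pid {hit['pid']}: user={hit['user']} password={hit['password']}  ({hit['cmdline']})")
```

The same process table is what a defender should be worried about: SNMP with a guessable community string exposes hrSWRunParameters to anyone on the network, so credentials passed on a command line are effectively public.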

Downloading the .SQL files to attempt to find a foothold.
Reviewing the files I could see the following:
I added the hash to a file and ran it through john:
I then set up an SSH port-forward for Port 80 so I could hit the Pandora FMS console via my localhost:
I tried the default credentials of admin/pandora (the password I cracked previously) and they didn't work. Next I tried daniel's creds but was told I could only use the API:

Pandora FMS Dashboard via port-forward.

Showing the daniel user can only use the API.
I kicked off hydra and sqlmap and, after a few attempts, I was able to get data back from sqlmap. I pulled the tpassword_history table in an attempt to log in, which was unsuccessful:
Next, I found the following blog post, Sonarsource – Pandora FMS 742, which highlighted CVE-2021-32099. I tried the URL:

Using CVE-2021-32099 to access the Pandora FMS Dashboard.
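CVE-2021-32099, as the SonarSource post describes it, is an unauthenticated SQL injection in Pandora FMS 742's session handling: an attacker-controlled session identifier reaches the query text without being bound as a parameter, which is why a crafted value can land you in an existing session. The Python below is an added illustration of that bug class, not Pandora's code: the `sessions` table, the serialized session data, the session-id format check and the payload are all assumptions made for the demo, using sqlite3 as a stand-in database.

```python
import re
import sqlite3


def make_demo_db():
    """Constructed in-memory stand-in for a PHP session table holding one valid 'admin' session."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (id_session TEXT PRIMARY KEY, data TEXT)")
    conn.execute("INSERT INTO sessions VALUES (?, ?)",
                 ("0f3b9c1e2a7d4c5b", 'id_usuario|s:5:"admin";'))
    conn.commit()
    return conn


def lookup_vulnerable(conn, session_id):
    """Query built by string concatenation: the session id can rewrite the WHERE clause."""
    sql = "SELECT data FROM sessions WHERE id_session = '" + session_id + "'"
    return conn.execute(sql).fetchone()


def lookup_fixed(conn, session_id):
    """Parameterised query: the session id is bound as data and can never change the SQL."""
    return conn.execute("SELECT data FROM sessions WHERE id_session = ?", (session_id,)).fetchone()


# Assumed session-id shape for the demo: lowercase hex, 16 to 64 characters.
SESSION_ID_RE = re.compile(r"^[0-9a-f]{16,64}$")


def lookup_hardened(conn, session_id):
    """Defence in depth: reject anything that does not look like a session id before querying."""
    if not SESSION_ID_RE.match(session_id):
        return None
    return lookup_fixed(conn, session_id)


# Constructed payload: closes the string literal and makes the predicate always true,
# so the first stored session is returned without knowing its id.
INJECTED_ID = "x' OR '1'='1"


def demo():
    conn = make_demo_db()
    return {
        "vulnerable": lookup_vulnerable(conn, INJECTED_ID),   # returns the admin session
        "fixed": lookup_fixed(conn, INJECTED_ID),             # returns None
        "hardened": lookup_hardened(conn, INJECTED_ID),       # rejected before the query
        "fixed_valid": lookup_fixed(conn, "0f3b9c1e2a7d4c5b"),  # legitimate lookup still works
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:12s} -> {row}")
```

The point of the three lookups is that the fix is the parameter binding, not the regex: the hex check only narrows the attack surface for any query the developer forgot to parameterise.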
🔝Escalation to Matt
Navigating to just /pandora_console after that logged us in. Once on the dashboard I navigated around until I found a File Manager:

Using the File Manager to upload a PHP web-shell by WSO.
I uploaded a PHP web-shell (WSO 4.2.5) and found it within the images directory. I looked around the environment using the built-in console and found pandora_backup:

Using the WSO web-shell I can see pandora_backup running as root.
I wanted a more stable shell to find out what pandora_backup was doing, so I upgraded my shell by creating an SSH key for the active user:

Creating an SSH key to login as the matt user.
⚠ Attack Machine
🎯Victim Machine
Once logged in I ran pandora_backup and could see it was creating a backup:
Running cat on the program I could see that tar was being executed and that it was creating a backup as root. I could also see the PATH was not fully defined, with tar being invoked by name rather than by absolute path:
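A privileged program that runs `tar` by name resolves it through whatever PATH the caller supplies, so a directory the attacker controls, placed first in PATH, decides which `tar` actually runs. The Python below is an added demonstration of that resolution, not the box's pandora_backup or the steps used on it: it builds two temporary directories standing in for an attacker-writable directory and for /usr/bin, drops a "tar" script in each, and shows what an unqualified call picks up under a clean PATH, under a hijacked PATH, and when the program uses an absolute path instead. Directory names and the scripts' messages are constructed for the demo.

```python
import os
import shutil
import subprocess
import tempfile


def write_script(directory, name, message):
    """Drop an executable shell script named `name` in `directory` that prints `message`."""
    path = os.path.join(directory, name)
    with open(path, "w") as f:
        f.write("#!/bin/sh\necho " + message + "\n")
    os.chmod(path, 0o755)
    return path


def run(argv, path_env):
    """Run argv with only PATH in the environment, so lookup depends purely on that PATH."""
    result = subprocess.run(argv, env={"PATH": path_env}, capture_output=True, text=True)
    return result.stdout.strip()


def demo():
    fake_dir = tempfile.mkdtemp(prefix="fake-bin-")  # stands in for an attacker-writable dir
    real_dir = tempfile.mkdtemp(prefix="real-bin-")  # stands in for /usr/bin
    try:
        fake_tar = write_script(fake_dir, "tar", "FAKE_TAR_RAN")
        real_tar = write_script(real_dir, "tar", "REAL_TAR_RAN")

        clean_path = real_dir                               # what the program's author assumed
        hijacked_path = fake_dir + os.pathsep + real_dir    # attacker's directory prepended

        return {
            "fake_tar": fake_tar,
            "real_tar": real_tar,
            # which binary an unqualified "tar" resolves to under each PATH
            "resolved_clean": shutil.which("tar", path=clean_path),
            "resolved_hijacked": shutil.which("tar", path=hijacked_path),
            # what actually executes
            "unqualified_clean": run(["tar"], clean_path),
            "unqualified_hijacked": run(["tar"], hijacked_path),
            # an absolute path is immune to the caller's PATH
            "absolute_hijacked": run([real_tar], hijacked_path),
        }
    finally:
        shutil.rmtree(fake_dir, ignore_errors=True)
        shutil.rmtree(real_dir, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22s} {value}")
```

The fix on the program side is the last case: call `/usr/bin/tar` (or set PATH explicitly at the top of the program) rather than trusting the caller's environment. When auditing a setuid binary, `strings` on it followed by a check for every command name that appears without a leading `/` is the quick way to spot this.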
