🔎🦶Enumeration/Foothold

Pandora from Hack the Box, created by TheCyberGeek and dmw0ng, is an Easy Linux-based machine. It starts with Port 161 open on UDP. Using snmp-check you're able to find a password for the daniel user. Once on the box you use SSH to port-forward a locally running version of Pandora FMS. You use CVE-2021-32099 and the built-in File Manager to upload a PHP web-shell, which escalates to matt. Finally you use pandora_backup running as root to escalate to the root user and finish the box.

I began this box by setting an $ip variable to the current box IP. Next I ran a quick RustScan on the box to grab open ports and sent the output to xsltproc to convert it to HTML for easier reading:


Reviewing the results I can see only two ports open. While nmap is finishing I navigate over to Port 80:

Website showing Panda.HTB and Play.HTB.

I noticed both play/panda being mentioned throughout the site, so I added both of them to my hosts file:


Next I used GoBuster to kick off VHOST/sub-domain scans and a secondary nmap scan for UDP. The UDP nmap scan comes back with a hit:


🔝Escalation to Daniel

I could see that Port 161 was open to SNMP so I ran snmp-check to see if I could pull any further information:


A lot of information came back which included a username/password. I tried the username and password on SSH and logged into the box:


Once on the box I looked around the /var/www directory and saw pandora_console and some .sql files. As I had python and SSH available, I set up a local http.server to retrieve the database files for review:

Downloading the .SQL files to attempt to find a foothold.

Reviewing the files I could see the following:


I added the hash to a file and ran it with john:


I then used SSH port-forwarding so that the internal Port 80 site was reachable via my localhost:


I tried the default admin/pandora credentials (the hash I had cracked previously) and they didn't work. Next I tried daniel's creds but was told I could only use the API:

Pandora FMS Dashboard via port-forward.

Showing the daniel user can only use the API.

I kicked off hydra and sqlmap, and after a few attempts I was able to get data back from sqlmap. I pulled the tpassword_history table in an attempt to log in, which was unsuccessful:


Next, I found the Sonarsource blog post on Pandora FMS 742, which highlighted CVE-2021-32099. I tried the URL:

Using CVE-2021-32099 to access the Pandora FMS Dashboard.

🔝Escalation to Matt

Browsing to just /pandora_console afterwards logged me in. Once on the Dashboard I navigated around until I found a File Manager:

Using the File Manager to upload a PHP web-shell by WSO.

I uploaded a PHP web-shell (WSO 4.2.5) and found it within the images directory. I looked around the environment using the built-in console and found pandora_backup:

Using the WSO web-shell I can see pandora_backup running as root.

I wanted a more stable shell to find out what pandora_backup was doing, so I upgraded my shell by creating an SSH key as the active user:

Creating an SSH key to login as the matt user.

⚠ Attack Machine


🎯Victim Machine


Once logged in I checked pandora_backup and could see it was creating a backup:

Running cat on the program I could see that tar was being executed to create the backup as root. I could also see that PATH was not fully defined, so tar was being resolved by name rather than by an absolute path:

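As an added illustration (not the box's actual pandora_backup and not the author's code), the script below writes a constructed root-run backup wrapper carrying the weakness described here next to a hardened version that pins PATH and calls tar by absolute path, and audits both with a small check that flags a missing PATH assignment or an external tool invoked by bare name. The backup source and destination paths are placeholders.

```shell
#!/bin/sh
# Added example: weak vs hardened root-run backup wrapper, plus an audit check.
# /srv/example and /tmp/example-backup.tar are constructed placeholders.

write_samples() {
    # Writes both sample scripts into a temp dir and prints its path.
    dir=$(mktemp -d)
    # Weak: whichever "tar" appears first in the caller's PATH runs as root.
    printf '%s\n' '#!/bin/sh' \
        'tar -cf /tmp/example-backup.tar /srv/example' > "$dir/weak.sh"
    # Hardened: PATH pinned to system directories, tar called by absolute path.
    printf '%s\n' '#!/bin/sh' \
        'PATH=/usr/sbin:/usr/bin:/sbin:/bin; export PATH' \
        '/usr/bin/tar -cf /tmp/example-backup.tar /srv/example' > "$dir/hardened.sh"
    echo "$dir"
}

audit_script() {
    # $1 = script to audit. Findings go to stderr; the finding count goes to stdout.
    script=$1
    findings=0
    if ! grep -Eq '^[[:space:]]*(export[[:space:]]+)?PATH=' "$script"; then
        echo "finding: PATH never set, so command lookup follows the caller's environment" >&2
        findings=$((findings + 1))
    fi
    # read splits on whitespace, so $cmd is the first word of each line.
    while read -r cmd _; do
        case "$cmd" in
            tar|cp|mv|rm|chmod|chown|find|gzip|mysqldump)
                echo "finding: '$cmd' invoked by bare name; PATH decides which binary runs" >&2
                findings=$((findings + 1)) ;;
        esac
    done < "$script"
    echo "$findings"
}

dir=$(write_samples)
for f in weak.sh hardened.sh; do
    echo "$f: $(audit_script "$dir/$f") finding(s)"
done
rm -rf "$dir"
```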

🎯Victim Machine


Rooted


Published On: June 8th, 2022 / Categories: HTB, Technology
