Pandora @ Hack The Box

A write-up on HTB Pandora Box

images/banner.png

Pandora is a Linux box set up by dmw0ng and TheCyberGeek at Hack the Box. This machine is easy in terms of difficulty and rewards 20 points.

Reconnaissance

Starting with recon, i.e. the first phase of information gathering, we scan the machine (10.10.11.136) using nmap.

┌──(kali㉿blackbox)-[~]
└─$ sudo nmap -A -sV 10.10.11.136
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-31 17:31 UTC
Nmap scan report for 10.10.11.136
Host is up (0.17s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 24:c2:95:a5:c3:0b:3f:f3:17:3c:68:d7:af:2b:53:38 (RSA)
|   256 b1:41:77:99:46:9a:6c:5d:d2:98:2f:c0:32:9a:ce:03 (ECDSA)
|_  256 e7:36:43:3b:a9:47:8a:19:01:58:b2:bc:89:f6:51:08 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Play | Landing
|_http-server-header: Apache/2.4.41 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 8888/tcp)
HOP RTT       ADDRESS
1   184.56 ms 10.10.14.1
2   184.62 ms 10.10.11.136

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.46 seconds

To gain more information about the hosted pages, we brute-force the URLs by carrying out subdomain enumeration using gobuster.

images/2_1gobuster.png

Initial foothold

Let’s look specifically at the SNMP port, 161. It would not appear in the TCP scan above if the service only listens on UDP.

images/2_2scan.png

As expected, the SNMP port is open on the remote machine and listening for UDP traffic, so we can try to enumerate it. I use msfconsole to search for modules related to SNMP.

images/3_1msfSearch.png

Privilege escalation

I can enumerate the host using auxiliary/scanner/snmp/snmp_enum. To use it, I have to set the target IP address with set RHOST 10.10.11.136. We can review the setup before running it.

msf6 auxiliary(scanner/snmp/snmp_enum) > show options

Module options (auxiliary/scanner/snmp/snmp_enum):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   COMMUNITY  public           yes       SNMP Community String
   RETRIES    1                yes       SNMP Retries
   RHOSTS                      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT      161              yes       The target port (UDP)
   THREADS    1                yes       The number of concurrent threads (max one per host)
   TIMEOUT    1                yes       SNMP Timeout
   VERSION    1                yes       SNMP Version <1/2c>

Now we are ready to enumerate the processes running on the Pandora machine. Running the module produces output similar to the following:

images/3_2msfEnum.png

The process list includes a process named host_check, apparently used to verify a login host with supplied credentials. This is useful for us because the credentials are passed on its command line and therefore show up in the enumeration output:

1126                runnable            host_check          /usr/bin/host_check -u daniel -p HotelBabylon23

This gives us the password for user daniel: HotelBabylon23. I tried logging into daniel’s account on Pandora over SSH, and I got a shell!!
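The credential leak above exists because every process's argv is readable through SNMP (HOST-RESOURCES-MIB hrSWRunParameters) and through /proc/<pid>/cmdline. The following audit script is an added example, not part of the write-up or of Pandora FMS; it reports command-line arguments that look like secrets, with the value redacted, and the flag list is an assumption to extend per site.

```python
"""Audit process command lines for passed credentials (added example, not from
the write-up).  host_check's password leaked because every process's argv is
readable via SNMP (HOST-RESOURCES-MIB hrSWRunParameters) and /proc/<pid>/cmdline.
Findings are reported with the secret redacted; the flag list is an assumption."""
import os
import re

SECRET_FLAGS = {"-p", "-P", "--password", "--passwd", "--pass", "--secret", "--token"}
SECRET_KV = re.compile(r"^(--)?(password|passwd|pass|secret|token|api[_-]?key)=(.+)$", re.I)

def redact(value):
    """Keep a two-character hint for triage and mask the rest."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 2 else "*" * len(value)

def find_credential_args(argv):
    """Return (flag, redacted value) pairs for credential-looking arguments."""
    findings = []
    for i, arg in enumerate(argv):
        if arg in SECRET_FLAGS and i + 1 < len(argv):
            if not argv[i + 1].isdigit():  # -p is also a port flag (ssh, mysql)
                findings.append((arg, redact(argv[i + 1])))
        elif (m := SECRET_KV.match(arg)):
            findings.append(((m.group(1) or "") + m.group(2), redact(m.group(3))))
    return findings

def read_cmdline(pid, proc="/proc"):
    """argv of a process, or [] if it has exited or is a kernel thread."""
    try:
        with open(f"{proc}/{pid}/cmdline", "rb") as fh:
            raw = fh.read()
    except OSError:
        return []
    return [a.decode(errors="replace") for a in raw.split(b"\0") if a]

def scan_processes(proc="/proc"):
    """Return (pid, argv[0], findings) for every process exposing a secret."""
    hits = []
    for entry in sorted(os.listdir(proc)):
        if entry.isdigit():
            argv = read_cmdline(entry, proc)
            found = find_credential_args(argv)
            if found:
                hits.append((int(entry), argv[0], found))
    return hits

if __name__ == "__main__":
    for pid, exe, found in scan_processes():
        print(f"pid {pid} ({exe}) exposes {found}")
```

Run as root so every process's cmdline is readable; anything it reports should move to a config file or an environment variable read by the process itself.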

images/4_1got_init_user.png images/4_2userSS.png

Gaining user (matt) access

Now, the first aim is the flag, user.txt. I looked through various directories and noticed another user on the system named matt. Exploring matt's home directory, I found the user flag right there, but /home/matt/user.txt cannot be read as daniel because of the file permissions.

images/4_3locatedUserFlag.png

To log into the other user’s account, I kept searching for a possible loophole. After several failed attempts, I finally landed in /var/www/ while checking the hosted pages. There is a web application directory named pandora_console, and, more importantly, it is owned by matt.

daniel@pandora:/var/www$ ls -la pandora/
total 16
drwxr-xr-x  3 matt matt 4096 Dec  7 14:32 .
drwxr-xr-x  4 root root 4096 Dec  7 14:32 ..
-rw-r--r--  1 matt matt   63 Jun 11  2021 index.html
drwxr-xr-x 16 matt matt 4096 Dec  7 14:32 pandora_console

I then checked its virtual host configuration under /etc/apache2/:

daniel@pandora:/etc/apache2/sites-available$ ls
000-default.conf  default-ssl.conf  pandora.conf
daniel@pandora:/etc/apache2/sites-available$ cat pandora.conf 
<VirtualHost localhost:80>
  ServerAdmin admin@panda.htb
  ServerName pandora.panda.htb
  DocumentRoot /var/www/pandora
  AssignUserID matt matt
  <Directory /var/www/pandora>
    AllowOverride All
  </Directory>
  ErrorLog /var/log/apache2/error.log
  CustomLog /var/log/apache2/access.log combined
</VirtualHost>
daniel@pandora:/etc/apache2/sites-available$ 

images/4_4newMachFound.png

Now, to reach the application that runs as matt, we forward the machine’s port 80 (bound to localhost) to our local port 80 using SSH port forwarding.

┌──(kali㉿blackbox)-[~]
└─$ ssh daniel@10.10.11.136 -L 80:localhost:80


images/4_5portFwd.png

Once the port forwarding is up, we can browse to localhost/pandora_console. We get a login page for an application called Pandora FMS.

images/5_1neSite

The interesting part is that public Pandora FMS exploits can be used against this application to get a shell.

I chose the SQL injection (CVE-2021-32099) to bypass the authentication process. A URL-encoded exploit for it can be found in this GitHub repo; after decoding it with a URL decoder, browse to the exploit URL and then revisit the Pandora FMS home page. It grants access to the admin account.

images/5_2SQLi_exploited

Once logged in, upload a PHP reverse shell file, say “revShell.php”, to the server.
PHP reverse shell scripts are easy to find in open-source repositories. We can also verify that the upload succeeded from the terminal.

images/5_3_1Uploading images/5_3_3Upload_varified

Start a listener on the port specified in revShell.php (4444 in my case). Everything is set, so trigger the script by visiting images/revShell.php on the server.

images/6_1GotUser.png

We get the reverse connection on our netcat listener. Reading /home/matt/user.txt finally gives us the user flag:
6a0c8b😈😈😈😈😈😈😈f93f6b

images/6_2gotFlag.png

Gaining root access

With access to matt’s account, we start searching for a way to get root. matt’s home directory contains a .ssh directory with an authorized_keys file, so we can add our own RSA public key to it.

I generated an RSA key pair (public key id_rsa.pub, protected by a passphrase, which in my case is hackit) and copied the public key into .ssh/authorized_keys. Here are the commands:

$ pwd
/home/matt/.ssh

$ echo "ssh-rsa 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 kali@blackbox" > authorized_keys

SSH requires strict permissions on these files, so set them as follows:

$ chmod 700 .ssh
$ chmod 600 .ssh/authorized_keys

Once done, let’s try connecting over SSH. Here we quickly get the access:

images/7_1gotMattShell.png images/7_2mattProof.png

Once matt is accessible over SSH, I search for SUID binaries, i.e. files with the setuid bit (permission 4000) set. There are a few such executables on the system.

images/7_3permanent4000.png

Among them is /usr/bin/pandora_backup, which seems to have been created for a specific task. Running it shows that it takes a backup of the Pandora console using tar, invoked by name rather than by absolute path.

images/7_4autoExeTarFound.png

Since tar is looked up through PATH, any other binary named tar placed earlier in PATH will be executed by pandora_backup with root privileges, which is all we need for a shell. I created a file named tar in /tmp/ containing the command /bin/bash, made it executable and exported a PATH with /tmp first.
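For comparison, here is how a privileged backup helper avoids this class of bug. It is an added example, not the box’s pandora_backup (whose source the write-up does not show); it assumes the helper is invoked through sudo and the source and destination paths are placeholders.

```python
"""Privileged backup helper done safely (added example; not the box's
pandora_backup, whose source the write-up does not show).  pandora_backup
runs tar through the caller's PATH, so a writable directory earlier in PATH
wins.  A sudo-invoked or setuid helper should instead use a fixed trusted PATH,
resolve the tool to a root-owned, non-writable absolute path, and scrub the
environment.  The source and destination paths below are assumptions."""
import os
import stat
import subprocess

TRUSTED_DIRS = ("/usr/sbin", "/usr/bin", "/sbin", "/bin")

def clean_env():
    """Minimal child environment: fixed PATH, nothing inherited (no LD_PRELOAD etc.)."""
    return {"PATH": ":".join(TRUSTED_DIRS), "LANG": "C"}

def resolve_tool(name, dirs=TRUSTED_DIRS, require_root_owner=True):
    """Absolute path of `name`, or an exception if no trusted copy exists."""
    if not name or "/" in name:
        raise ValueError("tool must be a bare file name, not a path")
    for d in dirs:
        candidate = os.path.join(d, name)
        try:
            st = os.stat(candidate)
        except FileNotFoundError:
            continue
        if not stat.S_ISREG(st.st_mode):
            continue
        if require_root_owner and st.st_uid != 0:
            raise PermissionError(f"{candidate} is not owned by root")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise PermissionError(f"{candidate} is writable by group/other")
        return candidate
    raise FileNotFoundError(f"no trusted {name} in {dirs}")

def backup_command(src, dest, dirs=TRUSTED_DIRS, require_root_owner=True):
    """argv for the backup, with tar pinned to its resolved absolute path."""
    return [resolve_tool("tar", dirs, require_root_owner), "-czf", dest, src]

def run_backup(src="/var/www/pandora", dest="/root/.backup/pandora.tar.gz"):
    """Run the backup with the scrubbed environment; returns tar's exit code."""
    return subprocess.run(backup_command(src, dest), env=clean_env(), check=False).returncode

if __name__ == "__main__":
    raise SystemExit(run_backup())
```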

images/7_5malliciousTarAdded.png

Run the /usr/bin/pandora_backup once again… and here’s the magic…..
Yes, we are root now!

images/8_1gotRoot.png

Finally, after navigating into the /root/ directory, I found the flag root.txt!

images/8_2rootFlag.png

The root.txt can be printed with the cat root.txt command:
b02012😈😈😈😈😈😈😈60f6bd

Ravi Prakash Tripathi
Research Associate

A Ph.D. fellow working on “Security in Socio-industrial Metaverse” who could often be found somewhere messing up with bugs & vulnerabilities, contributing to open source or writing poems.
