HTB - Writeups

🐧 Pandora

Sun Jul 31, 2022

This is my writeup for the Pandora machine on the Hack The Box platform.

Let's start with an nmap scan to enumerate the open ports.

  • Port 22 (SSH)
  • Port 80 (HTTP)

[Screenshot: nmap TCP scan]

A UDP scan finds port 161 open, which is the default SNMP port.

[Screenshot: nmap UDP scan]


SNMP

Walking the SNMP tree on port 161 with snmpwalk (using the public community string) exposes a lot of host information, including the process table. One of the running programs, /usr/bin/host_check, is launched with credentials on its command line.

snmpwalk -v2c -c public 10.10.11.136

[Screenshot: snmpwalk output]

username: daniel  
password: HotelBabylon23
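The weakness here is not SNMP itself but what the agent hands out: hrSWRunPath and hrSWRunParameters mirror the process table, so any secret passed as a program argument is readable by anyone who knows the community string. The following is an added example (not the author's script and not the real snmpwalk output from the box): it parses constructed HOST-RESOURCES-MIB lines and flags processes whose arguments look like they carry a secret, which is the check a defender would run against their own agents. The argument format of host_check is an assumption for illustration.

```python
import re

# Constructed sample in snmpwalk's output format (not captured from the machine).
# The "-u ... -p ..." arguments of host_check are assumed for the demo.
SAMPLE_SNMPWALK = """\
HOST-RESOURCES-MIB::hrSWRunPath.1 = STRING: "/sbin/init"
HOST-RESOURCES-MIB::hrSWRunPath.1016 = STRING: "/usr/bin/host_check"
HOST-RESOURCES-MIB::hrSWRunPath.1200 = STRING: "/usr/sbin/sshd"
HOST-RESOURCES-MIB::hrSWRunParameters.1 = STRING: ""
HOST-RESOURCES-MIB::hrSWRunParameters.1016 = STRING: "-u daniel -p HotelBabylon23"
HOST-RESOURCES-MIB::hrSWRunParameters.1200 = STRING: "-D"
"""

LINE_RE = re.compile(
    r'^HOST-RESOURCES-MIB::(hrSWRunPath|hrSWRunParameters)\.(\d+) = STRING: "(.*)"$'
)

# Argument shapes that usually mean a secret is sitting in argv. Anything in argv
# is visible over SNMP and in `ps` for every local user, so it should never be there.
SECRET_PATTERNS = [
    re.compile(r'(?:^|\s)(?:-p|-P|--password|--pass|--token)\s+(\S+)'),
    re.compile(r'(?:^|\s)(?:--password|--pass|--token)=(\S+)'),
    re.compile(r'(?:^|\s)(?:password|passwd|pwd|token|secret)=(\S+)', re.IGNORECASE),
]


def parse_process_table(text):
    """Rebuild {pid: {"path": ..., "params": ...}} from hrSWRunPath/hrSWRunParameters lines."""
    procs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        obj, pid, value = m.group(1), int(m.group(2)), m.group(3)
        entry = procs.setdefault(pid, {"path": "", "params": ""})
        entry["path" if obj == "hrSWRunPath" else "params"] = value
    return procs


def find_exposed_secrets(text):
    """Return [(pid, path, redacted_params)] for processes whose argv appears to carry a secret.

    The secret itself is replaced with *** so the report can be shared safely.
    """
    findings = []
    for pid, proc in sorted(parse_process_table(text).items()):
        redacted = proc["params"]
        hit = False
        for pat in SECRET_PATTERNS:
            if pat.search(redacted):
                hit = True
                redacted = pat.sub(
                    lambda m: m.group(0).replace(m.group(1), "***"), redacted
                )
        if hit:
            findings.append((pid, proc["path"], redacted))
    return findings


if __name__ == "__main__":
    for pid, path, params in find_exposed_secrets(SAMPLE_SNMPWALK):
        print(f"pid {pid}: {path} {params}")
```

Feeding real snmpwalk output to find_exposed_secrets is a quick audit of what a read-only community string leaks. The durable fix is to stop passing secrets on command lines (use a config file with restricted permissions or environment variables read at start-up) and to drop or rename the default community string.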

With these credentials we can log in over SSH. The host_check binary is on the server; we copy it to our own machine and decompile it with Ghidra.

[Screenshot: SSH login as daniel]


[Screenshot: Ghidra decompilation of host_check]

Decompiling the program shows that a Pandora FMS instance is listening locally on port 80. Forwarding that port over SSH gives us access to the web application.

[Screenshot: Ghidra, reference to local port 80]


Pivot

The website is the default Pandora FMS page. Reaching the dashboard requires a username and password.

[Screenshot: Pandora FMS login page]

Some research shows that this version of Pandora FMS has a known SQL injection vulnerability in the chart_generator.php file: its session_id parameter is injectable.

[Screenshot: SQL error returned for a malformed session_id]

You can use sqlmap to dump the entire database and retrieve the information you want.

[Screenshot: sqlmap run]

The tsessions_php table in the pandora database stores users' PHP session cookies. Unfortunately it only holds sessions for daniel and matt, not for the administrator.

sqlmap --url "http://127.0.0.1/pandora_console/include/chart_generator.php?session_id=" -D pandora -T tsessions_php --dump --batch

id_usuario|s:6:"daniel";  
id_usuario|s:4:"matt";
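The root cause of the injection described above is a request parameter spliced into SQL text, and the SQL error shown earlier is the symptom that gives it away. The following is an added example (not the author's code and not Pandora FMS source): it builds an in-memory stand-in for the tsessions_php table with constructed rows, shows the weak lookup beside the parameterized one, and includes the regression check a developer would keep in a test suite, namely that a stray quote in session_id must not produce a database error.

```python
import sqlite3


def make_demo_db():
    """In-memory stand-in for pandora.tsessions_php with constructed rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tsessions_php (id_session TEXT PRIMARY KEY, data TEXT)")
    conn.executemany(
        "INSERT INTO tsessions_php VALUES (?, ?)",
        [
            ("sess_daniel_0001", 'id_usuario|s:6:"daniel";'),
            ("sess_matt_0002", 'id_usuario|s:4:"matt";'),
        ],
    )
    return conn


def lookup_session_unsafe(conn, session_id):
    """The weak pattern: the request parameter becomes part of the SQL text.

    A quote in session_id changes the query's structure, which is why the web
    application answered with a SQL error and why sqlmap could go further.
    """
    sql = f"SELECT data FROM tsessions_php WHERE id_session = '{session_id}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_session_safe(conn, session_id):
    """The fix: a bound parameter, so the value is always data and never SQL."""
    row = conn.execute(
        "SELECT data FROM tsessions_php WHERE id_session = ?", (session_id,)
    ).fetchone()
    return row[0] if row else None


def quote_causes_db_error(conn, lookup):
    """Regression check: does a session_id containing a quote raise a DB error?

    True means the lookup is splicing input into SQL; a fixed lookup returns False.
    """
    try:
        lookup(conn, "probe'")
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    db = make_demo_db()
    print("unsafe lookup errors on a quote:", quote_causes_db_error(db, lookup_session_unsafe))
    print("safe lookup errors on a quote:  ", quote_causes_db_error(db, lookup_session_safe))
    print("safe lookup of a real id:       ", lookup_session_safe(db, "sess_matt_0002"))
```

On the detection side, the same signal is visible in the web server logs: requests to chart_generator.php whose session_id contains quotes or SQL keywords, followed by a response carrying a database error, are worth an alert. The durable fix is the bound parameter shown in lookup_session_safe, not input filtering.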

Exploitation

I created this script to retrieve the administrator's cookie, upload a PHP file through which we can inject commands, and thus obtain a reverse shell.

POC


Privesc

Enumerating SUID binaries turns up pandora_backup, which carries the SUID bit. We copy it to our host and decompile it with Ghidra.

[Screenshot: SUID file enumeration]

This program runs the tar command to create an archive of the Pandora FMS files. The problem is that it invokes tar by its bare name instead of an absolute path (/usr/bin/tar), so which binary actually runs depends on the caller's PATH. This can be exploited through writable-PATH abuse: link
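Two things make a privileged helper like this safe: the program it runs is named by absolute path, and the environment it runs under is fixed rather than inherited. The following is an added example (not the pandora_backup binary, whose exact command line is not reproduced here): an audit helper that flags bare command names and PATH entries an unprivileged user could plant a file in, next to the hardened way of building the tar invocation. The trusted directory list is an assumption.

```python
import os
import shlex
import stat

# Assumption: these directories hold the trusted system binaries on the target.
TRUSTED_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"
TAR = "/usr/bin/tar"


def uses_relative_command(cmdline):
    """True when argv[0] is a bare name, i.e. resolved through the caller's PATH."""
    argv = shlex.split(cmdline)
    return bool(argv) and not os.path.isabs(argv[0])


def hijackable_dirs(path_env):
    """PATH entries an unprivileged user could place a binary in.

    Flags empty or relative entries (resolved against the cwd), directories
    that do not exist, and world-writable directories. Only mode bits are
    inspected, so sticky /tmp is still reported: a *new* file named like the
    command can be created there by anyone.
    """
    risky = []
    for entry in path_env.split(":"):
        if entry == "" or not os.path.isabs(entry):
            risky.append(entry)
            continue
        try:
            mode = os.stat(entry).st_mode
        except FileNotFoundError:
            risky.append(entry)
            continue
        if stat.S_ISDIR(mode) and mode & stat.S_IWOTH:
            risky.append(entry)
    return risky


def build_backup_command(src_dir, archive):
    """Hardened form of the backup call: absolute program path plus a fixed
    environment, so nothing the caller controls decides which tar runs.

    Returns (argv, env) ready for subprocess.run(argv, env=env, check=True).
    """
    argv = [TAR, "-czf", archive, "-C", src_dir, "."]
    env = {"PATH": TRUSTED_PATH, "LC_ALL": "C"}
    return argv, env


if __name__ == "__main__":
    print("bare 'tar' is PATH-dependent:", uses_relative_command("tar -czf out.tgz /var/www"))
    print("risky entries in the current PATH:", hijackable_dirs(os.environ.get("PATH", "")))
    print("hardened invocation:", build_backup_command("/var/www/pandora", "/root/pandora.tgz"))
```

Running hijackable_dirs against the PATH a SUID program inherits shows exactly why a bare command name is a problem; in C the equivalent hardening is execve with an absolute path and an explicitly constructed envp, with the real and effective IDs dropped before anything untrusted is touched.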

[Screenshot: Ghidra decompilation of pandora_backup]

For this to work reliably, I added my public SSH key to the ssh folder of matt, which I created. This let me connect over SSH instead of using the reverse shell and gave me a more stable shell.

[Screenshot: root shell]