
[Hack The Box][Machine][Easy] - Pandora

This is my writeup for the Pandora machine on the Hack The Box platform.

Let's start with an nmap scan to enumerate the different ports that are open.

  • Port 22 (SSH)
  • Port 80 (HTTP)


A UDP port scan finds port 161 open. This is the default SNMP port.



SNMP

You can scan port 161 with the snmpwalk tool to find important information. There are credentials that are used to launch a program: /usr/bin/host_check.

snmpwalk -v2c -c public 10.10.11.136


username: daniel  
password: HotelBabylon23
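The finding above is a process whose command line, and therefore its password argument, is readable by anyone who knows the read-only community string, because HOST-RESOURCES-MIB publishes the process table. The following is an added audit script, not part of the original writeup: it parses snmpwalk-style hrSWRunName/hrSWRunParameters lines and flags processes whose arguments look like they carry a credential, so an administrator can find such exposures before restricting the community string. The sample output, PIDs, program names and credential values are constructed for the example, and the argument patterns are a heuristic.

```python
import re

# Constructed sample of snmpwalk output over the HOST-RESOURCES-MIB process
# table; the PIDs, programs and secrets below are made up for this example.
SAMPLE_SNMPWALK = """\
HOST-RESOURCES-MIB::hrSWRunName.1 = STRING: "systemd"
HOST-RESOURCES-MIB::hrSWRunParameters.1 = STRING: ""
HOST-RESOURCES-MIB::hrSWRunName.812 = STRING: "host_check"
HOST-RESOURCES-MIB::hrSWRunParameters.812 = STRING: "-u svc_monitor -p 'Example-Passw0rd' /usr/bin/host_check"
HOST-RESOURCES-MIB::hrSWRunName.900 = STRING: "nginx"
HOST-RESOURCES-MIB::hrSWRunParameters.900 = STRING: "-c /etc/nginx/nginx.conf"
HOST-RESOURCES-MIB::hrSWRunName.950 = STRING: "mysqldump"
HOST-RESOURCES-MIB::hrSWRunParameters.950 = STRING: "--password=hunter2 --all-databases"
"""

# One hrSWRunName or hrSWRunParameters line: kind, PID, quoted value.
LINE_RE = re.compile(
    r'^HOST-RESOURCES-MIB::hrSWRun(Name|Parameters)\.(\d+) = STRING: "(.*)"$'
)

# Heuristic: argument shapes that usually carry a secret on a command line
# (-p <value>, -pvalue, --password=..., --secret ..., --token ...).
SECRET_ARG_RE = re.compile(
    r"(?:(?:^|\s)-p\s*\S|(?:^|\s)--?(?:pass(?:word)?|pwd|secret|token)(?:=|\s))",
    re.IGNORECASE,
)


def parse_process_table(text):
    """Map PID -> {'name': ..., 'args': ...} from hrSWRun* lines; other lines are ignored."""
    procs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, pid, value = m.groups()
        entry = procs.setdefault(int(pid), {"name": "", "args": ""})
        entry["name" if kind == "Name" else "args"] = value
    return procs


def find_exposed_secrets(text):
    """Return [(pid, name, args)] for processes whose argv looks like it carries a credential."""
    hits = []
    for pid, entry in sorted(parse_process_table(text).items()):
        if entry["args"] and SECRET_ARG_RE.search(entry["args"]):
            hits.append((pid, entry["name"], entry["args"]))
    return hits


if __name__ == "__main__":
    for pid, name, args in find_exposed_secrets(SAMPLE_SNMPWALK):
        print(f"PID {pid} ({name}): secret-looking argument in: {args}")
```

The `-p` pattern will also match port flags such as `-p 8080`, so treat hits as candidates to review. The fix on the host side is to pass secrets through a configuration file or environment rather than argv, and to stop the default `public` community from being readable from untrusted networks.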

With these credentials, we can connect over SSH. On the server is the binary host_check, which we can copy to our host in order to decompile it with ghidra.



GHIDRA

By decompiling the program, we learn that a Pandora FMS runs locally on port 80. We can forward it with SSH and access the web application.



PIVOT

The website is the default Pandora FMS page. To access the dashboard, you need a login and password.


After some research, this version of Pandora FMS has a vulnerability: it is vulnerable to SQL injection through the chart_generator.php file, where the session_id parameter is the injectable one.


You can use sqlmap to dump the entire database and retrieve the information you want.


A Pandora database table (tsessions_php) contains users' PHP session cookies. Unfortunately, it does not contain the administrator's, only those of daniel and matt.

sqlmap --url "http://127.0.0.1/pandora_console/include/chart_generator.php?session_id=" -D pandora -T tsessions_php --dump --batch

id_usuario|s:6:"daniel";  
id_usuario|s:4:"matt";
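The injection above works because the session_id parameter is spliced into the query text. The following added example (not code from the writeup or from Pandora FMS) reproduces the bug class against a constructed in-memory copy of a tsessions_php-like table, with the vulnerable lookup beside the parameterised one, and a format check as a second layer. The session ids and the admin row are made up; the real dump on this box contained only daniel and matt.

```python
import re
import sqlite3

# Constructed stand-in for the tsessions_php table: (id_session, data).
# Ids and the admin row are invented for the example.
SESSIONS = [
    ("9f1c2a", 'id_usuario|s:6:"daniel";'),
    ("4b7d8e", 'id_usuario|s:4:"matt";'),
    ("c0ffee", 'id_usuario|s:5:"admin";'),
]

# Assumed format of a PHP session id (letters, digits, comma, dash); a stricter
# allow-list than this is fine, a looser one defeats the purpose.
SESSION_ID_RE = re.compile(r"[A-Za-z0-9,-]{1,256}")


def make_db():
    """Build the in-memory table the lookups run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tsessions_php (id_session TEXT PRIMARY KEY, data TEXT)")
    conn.executemany("INSERT INTO tsessions_php VALUES (?, ?)", SESSIONS)
    return conn


def lookup_vulnerable(conn, session_id):
    """The bug class: the request parameter becomes part of the SQL text."""
    sql = "SELECT id_session, data FROM tsessions_php WHERE id_session = '%s'" % session_id
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, session_id):
    """Parameter binding: the value is sent separately, so quotes inside it are data."""
    sql = "SELECT id_session, data FROM tsessions_php WHERE id_session = ?"
    return conn.execute(sql, (session_id,)).fetchall()


def lookup_hardened(conn, session_id):
    """Binding plus an allow-list on the format, so junk never reaches the database."""
    if not SESSION_ID_RE.fullmatch(session_id):
        return []
    return lookup_fixed(conn, session_id)


if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(conn, probe))   # every session row
    print("fixed:     ", lookup_fixed(conn, probe))        # nothing
    print("hardened:  ", lookup_hardened(conn, "9f1c2a"))  # daniel's row only
```

The dump the writeup obtains is exactly what the first function hands out to any unauthenticated caller: once the table of serialized sessions is readable, the cookie of whoever is logged in is too, which is why session ids belong behind a bound parameter and why sessions of privileged users should be short-lived.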

EXPLOITATION

I created this script in order to retrieve the administrator's cookie, upload a PHP file where we can inject commands, and thus have a reverse shell.



PRIVESC

After enumerating the SUID files, we find pandora_backup, which has these permissions. We recover it on our host to decompile it with the ghidra tool.


This program launches the tar command to create an archive of the Pandora FMS. The problem is that it uses a relative path instead of an absolute path (/usr/bin/tar). We can exploit this with writable PATH abuse: link
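The root cause above is a privileged program that lets the caller's PATH decide which "tar" runs. The following added helper (not code from the writeup or from Pandora FMS) shows the checks a reviewer or a hardened wrapper would apply: flag commands that name a program without an absolute path, flag PATH entries an unprivileged user controls, and build a fixed argv and environment before running anything. The trusted directory list and the sample commands and PATH values are assumptions made for the example.

```python
import os
import shlex
import subprocess

# Assumed set of directories a privileged program may run helpers from.
TRUSTED_PREFIXES = ("/usr/sbin/", "/usr/bin/", "/sbin/", "/bin/")


def audit_command(cmd):
    """Findings for a command string as a privileged program would hand it to system()."""
    argv = shlex.split(cmd)
    if not argv:
        return ["empty command"]
    prog = argv[0]
    findings = []
    if not os.path.isabs(prog):
        findings.append(f"'{prog}' is looked up through PATH; a caller-controlled PATH can redirect it")
    elif not prog.startswith(TRUSTED_PREFIXES):
        findings.append(f"'{prog}' is outside the trusted system directories")
    return findings


def path_risks(path_value, writable_dirs):
    """Entries of a PATH string that an unprivileged user could use to plant a lookalike binary.

    writable_dirs: set of directories known to be writable by that user (constructed input here;
    on a real host you would stat each entry).
    """
    risks = []
    for entry in path_value.split(":"):
        if entry in ("", "."):
            risks.append((entry or "<empty>", "relative entry, resolves to the current directory"))
        elif not os.path.isabs(entry):
            risks.append((entry, "relative entry"))
        elif entry in writable_dirs:
            risks.append((entry, "writable by the invoking user"))
    return risks


def hardened_environment():
    """Minimal environment for a privileged helper: fixed PATH, nothing inherited from the caller."""
    return {"PATH": "/usr/sbin:/usr/bin:/sbin:/bin", "LANG": "C"}


def hardened_argv(cmd):
    """Split the command and insist on an absolute, trusted program path; raise otherwise."""
    argv = shlex.split(cmd)
    if not argv or not os.path.isabs(argv[0]) or not argv[0].startswith(TRUSTED_PREFIXES):
        raise ValueError(f"refusing to run {argv[:1]!r}: program must be an absolute trusted path")
    return argv


def run_trusted(cmd):
    """Run the command with a fixed program path, no shell and a clean environment."""
    return subprocess.run(hardened_argv(cmd), env=hardened_environment(), check=False)


if __name__ == "__main__":
    # Constructed examples of the two invocation styles.
    for cmd in ("tar -cvf /tmp/backup.tar /var/www/pandora",
                "/usr/bin/tar -cvf /tmp/backup.tar /var/www/pandora"):
        print(cmd, "->", audit_command(cmd) or "ok")
    print(path_risks("/tmp:/usr/bin:.:/bin", {"/tmp"}))
```

The same rule applies regardless of language: a SUID or root-run program should exec an absolute path with a sanitised environment (the C equivalent is execve on /usr/bin/tar with a fixed envp, not system("tar ...")), and the PATH check is worth running against any service account whose PATH contains a directory it can write.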


In order for it to work correctly, I added my public SSH key in the ssh folder of matt, which I created. This allows me to connect over SSH instead of the reverse shell and to have a more stable shell.
