In this post, I would like to share a walkthrough of the Pandora machine from Hack The Box.

This machine is rated Easy on Hack The Box.

What will you gain from the Pandora machine?

For the user flag, you will need snmpwalk for further enumeration, followed by a SQL injection to reach the admin dashboard.

For the root flag, you need SSH access as matt and then abuse a SUID file to obtain a root shell.

Information Gathering on Pandora Machine

Once the VPN connection is up (the configuration file is downloaded from Hack The Box), we can start information gathering on the machine by running nmap -sC -sV -p- <IP Address> -PN

Pandora machine

Let’s open the website interface.

Sadly, there’s nothing we can use by browsing the website. Let’s enumerate further with the Gobuster tool.

SNMPWalk enumeration on pandora

Gobuster turns up nothing useful either, so let’s move on to a UDP port scan.

The UDP scan shows port 161 open, which is the SNMP service.

Based on my experience as a pentester, snmpwalk is the tool to enumerate SNMP further.

** snmpwalk should be available in Kali Linux by default. If it is missing, install it with sudo apt-get install snmp **

Oh wow! We spot a username and password in the SNMP output.

We can try to access the machine via SSH.

Port Forwarding on the pandora machine

Voila! However, even with SSH access we cannot read the user flag.

Let’s check which ports are listening locally by running the netstat -an command.

As a result, we can set up port forwarding for the local port 80.

Pandora website interface

With the port forward in place, we can reach a second web interface.

The default credentials found on the internet do not work for logging in.

Let’s do some research on the Pandora FMS product.

The research leads us to a website that is useful for the next step.

After reading it, we can try to access the PHP file /include/chart_generator.php, which only returns an error stating “Access is not granted”.

We can run sqlmap to get a better understanding of the vulnerability described on that website.

Therefore, we retrieve a session ID by running the sqlmap command.


At last, we obtain session IDs for the Daniel and matt usernames.

Let’s copy the session ID found in the previous step into the URL of the web interface, like so:

http://127.0.0.1/pandora_console/include/chart_generator.php?session_id=<session id>

A dashboard appears, but sadly there is nothing useful in it.

Therefore, we need another session ID that gives us full use of the Pandora website.

As we already know, the Pandora website is vulnerable to SQL injection.

The SQL injection that can be abused looks like this:

http://127.0.0.1:8888/pandora_console/include/chart_generator.php?session_id=' union SELECT 1,2,'id_usuario|s:5:"admin";' as data -- SgGO

The line above is the payload before URL encoding; the encoded form is:

http://127.0.0.1:8888/pandora_console/include/chart_generator.php?session_id=%27%20union%20SELECT%201,2,%27id_usuario|s:5:%22admin%22;%27%20as%20data%20--%20SgGO

Voila! After refreshing the URL 127.0.0.1 in the browser, we have access to the Pandora FMS admin dashboard via the SQL injection.
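From the defender’s side, the injection above is easy to spot in web server logs, because a genuine session_id is a short alphanumeric token and the payload is not. The following detector is an added example, not code from the post or from Pandora FMS; the log lines are constructed samples, and the only Pandora-specific assumptions are the chart_generator.php path and the id_usuario serialized-session marker, both of which appear in the payload above.

```python
import re
from urllib.parse import unquote

# Request line of a combined-format access log: captures path plus query string
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# A genuine PHP session id is a short token over [A-Za-z0-9,-]; anything else is suspect
VALID_SESSION_RE = re.compile(r'^[A-Za-z0-9,-]{1,128}$')

def extract_session_id(line):
    """URL-decoded session_id sent to chart_generator.php, or None for other requests."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    path, _, query = m.group(1).partition("?")
    if not path.endswith("/include/chart_generator.php"):
        return None
    for name, _, value in (p.partition("=") for p in query.split("&")):
        if name == "session_id":
            return unquote(value)
    return None

def classify(session_id):
    """Reasons the value looks like the injection this post describes (empty if clean)."""
    reasons = []
    if not VALID_SESSION_RE.match(session_id):
        reasons.append("characters outside the session-id alphabet")
    if re.search(r"union\s+select", session_id, re.IGNORECASE):
        reasons.append("UNION SELECT in session_id")
    if "id_usuario|s:" in session_id:
        reasons.append("forged serialized session data (id_usuario)")
    return reasons

def scan_log(text):
    """List of (line_number, decoded session_id, reasons) for suspicious requests."""
    hits = []
    for n, line in enumerate(text.strip().splitlines(), 1):
        sid = extract_session_id(line)
        reasons = classify(sid) if sid is not None else []
        if reasons:
            hits.append((n, sid, reasons))
    return hits

# Constructed sample log (not from the target): a normal request, the encoded payload, an unrelated page
SAMPLE_LOG = """\
10.10.14.2 - - [01/Jan/2022:10:00:00 +0000] "GET /pandora_console/include/chart_generator.php?session_id=g4p5ao1kr1d2a1cv2a9abcd12345 HTTP/1.1" 200 512
10.10.14.2 - - [01/Jan/2022:10:00:05 +0000] "GET /pandora_console/include/chart_generator.php?session_id=%27%20union%20SELECT%201,2,%27id_usuario|s:5:%22admin%22;%27%20as%20data%20--%20SgGO HTTP/1.1" 200 4096
10.10.14.2 - - [01/Jan/2022:10:00:09 +0000] "GET /pandora_console/index.php HTTP/1.1" 200 2048
"""

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
```

The same alphabet check, applied server-side before session_id ever reaches a query, is the fix: reject the parameter unless it matches VALID_SESSION_RE, and use a prepared statement for the lookup.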

Gaining Privileged Access

While analyzing the source code of the website, I notice that it is built from PHP files. As a result, we should be able to use a PHP reverse shell.

We start an nc listener on our attacking machine to catch the reverse shell.

Under Admin tools, there are a few ways to upload our PHP reverse shell file to the website. I will use File Manager for that purpose.

The screenshot above shows the file directories, such as the images directory.

Let’s upload the file as shown in the screenshot above.

The upload is successful.

We get the reverse shell connection back by browsing to the uploaded file in the website’s directory.

Boom! We have our reverse shell connection.

We now have a shell on the machine with matt’s privileges.

To get an interactive shell, we can run the bash -i command.

We can read the user flag by running the command “cat user.txt”.

Escalating to Root Privileges

To obtain a proper shell on the machine, we should access it via the SSH service.

Obtaining proper SSH access

To access the machine via SSH, we first generate a key pair with ssh-keygen.

We transfer our public key to the machine with the wget command, as in the screenshot above.

We copy id_rsa.pub into the authorized_keys file.

For SSH to accept the key, the file permissions must be set to 600.


Sadly, we still cannot log in as matt via the SSH service.

After talking to my friends and trying multiple approaches on the machine, I managed to solve the issue by changing the HackTheBox VPN from a release VPN to a normal VPN.

Uwu! We have successfully accessed the machine via SSH.

Let’s search for any SUID or otherwise unusual file that we can use to escalate to root. Sadly, there is nothing interesting in the /var/backups directory.

So we explore other directories, looking for any file that seems suspicious.

Finally, we find a file that looks odd, at least to me: a file called pandora_backup, highlighted in red (the colour ls uses for SUID binaries).

Enumerating further with linpeas.sh

Let’s download linpeas.sh to the target machine and make it executable.

Let’s analyze the output while it is still running in the background.

Let’s go through the output for anything readable and useful.

While reading the output carefully, I notice a line that refers to pandora-backup.tar.gz, which might let us abuse the tar command.

I will explain each step shown above.

The pandora_backup binary calls tar to create the archive, which suggests we can create our own file called tar containing a command to be run with root privileges.

We then make our tar file executable.

For the SUID binary to pick up our tar, we must export a PATH that lists our directory first.

After that, we can execute the SUID file (/usr/bin/pandora_backup) to obtain a root shell.
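The root cause of this step is a setuid program that invokes tar by bare name and so trusts the caller’s PATH. The audit below is an added hardening check, not code from the post or from Pandora FMS: it lists root-owned setuid binaries and reports commands they appear to call without an absolute path. SAMPLE_BLOB is a constructed stand-in for such a binary, not the real pandora_backup.

```python
import os
import re
import stat

# Commands a backup helper commonly shells out to; a bare name here means PATH decides what runs
WATCHED = {"tar", "gzip", "cp", "mv", "rm", "mysqldump", "sh", "bash"}
# Printable runs of 4+ bytes, i.e. what `strings` would print
STRINGS_RE = re.compile(rb"[\x20-\x7e]{4,}")

def find_unqualified_commands(blob, watched=WATCHED):
    """Return (command, full_string) pairs where a watched command is invoked without a path."""
    hits = []
    for raw in STRINGS_RE.findall(blob):
        text = raw.decode("ascii")
        # Each shell segment (split on ; | &) starts with the program that will be executed
        for segment in re.split(r"[;|&]+", text):
            words = segment.split()
            if words and words[0] in watched:
                hits.append((words[0], text))
    return hits

def setuid_binaries(directory):
    """Regular files in `directory` with the setuid bit set and owned by root."""
    found = []
    for entry in os.scandir(directory):
        try:
            st = entry.stat(follow_symlinks=False)
        except OSError:
            continue
        if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and st.st_uid == 0:
            found.append(entry.path)
    return found

def audit(directories=("/usr/bin", "/usr/local/bin")):
    """Map each root-setuid binary to the bare command names its strings reveal."""
    report = {}
    for d in directories:
        for path in setuid_binaries(d) if os.path.isdir(d) else []:
            try:
                with open(path, "rb") as fh:
                    hits = find_unqualified_commands(fh.read())
            except OSError:
                continue
            if hits:
                report[path] = sorted({cmd for cmd, _ in hits})
    return report

# Constructed stand-in (not the real pandora_backup): first call names tar bare, second uses a full path
SAMPLE_BLOB = (b"\x7fELF\x00\x00tar -cvf /root/pandora-backup.tar.gz /etc/pandora\x00"
               b"/bin/chmod 600 /root/pandora-backup.tar.gz\x00")
if __name__ == "__main__":
    print(find_unqualified_commands(SAMPLE_BLOB), audit())
```

A flagged binary should call its helpers by absolute path or set PATH itself before executing anything; a shell command built from a bare name runs whatever the caller’s PATH finds first.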

Pandora Root flag

We can read the root flag by running the “cat root.txt” command.

-THE END-

Happy Learning Guys!

Extra Information

The hash in /etc/shadow can be used to unlock and read the official write-up on Hack The Box.
