# Pandora HTB

## Enumeration

nmap results (TCP scan, then UDP scan):

```
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
```

```
PORT    STATE SERVICE
161/udp open  snmp
```

There is a website on port 80:

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-c1d140566ac36859a34e0a0da7ce53b7d8cfd896%2F9457ccc4fcad46b3ef953f9e2c878b6c.png?alt=media)

Gobuster found some directories, but none of them were useful.

Enumerating SNMP with snmpwalk: `snmpwalk -c public -v2c 10.10.11.136`

Credentials found in the snmpwalk output:

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-a88f2612395991e14dcb55df80b003fb7e44700e%2F2cf415ddb15dda623626fd3573b667ad.png?alt=media)

`daniel : HotelBabylon23`

## Exploitation

Logging in over ssh as daniel, there is one more user, matt, in the home directory.

Checking the Apache vhosts in `/etc/apache2/sites-available`, there is a pandora.conf:

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-6e984941e564b113b0ad092bc0915eb80fa2efef%2F6fb80239754c882b332e5c13e1a070a8.png?alt=media)

That port is bound to localhost only, so port forwarding is needed. Either reconnect with the forward, or type the `~C` escape sequence in the existing ssh session to open its command line and add the forward as an additional argument:

`ssh daniel@10.10.11.136 -L 8000:127.0.0.1:80`

Visiting 127.0.0.1:8000:

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-3a96026e16b6a187cdae5b778da8c2e0de3403da%2F28e7844ceb216305d69d2ad75df86921.png?alt=media)

Using this [exploit](https://github.com/shyam0904a/Pandora_v7.0NG.742_exploit_unauthenticated/tree/master) and uploading the pentestmonkey [php reverse shell](https://github.com/pentestmonkey/php-reverse-shell) gives a shell. Running linpeas:

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-f065670a2b0b261a9bb3d2be055410a4e20586d7%2F0d5f6bc3dd1f3d9b9b9da6d91e032c19.png?alt=media)

Now analysing the file pandora\_backup located at /usr/bin/pandora\_backup:

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-1314a05cd67db66a70feffa4b1b5e3ec4baa0d10%2F6d050742a93f467fc5562f5a6d41ac6e.png?alt=media)

Decompiling it in Ghidra we can see:

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-f53da8c5865e54f0faa200f71fa2707710a154b1%2F0dae855f17d3bdd40d2359f3c8e21029.png?alt=media)

Now doing a PATH hijack:

```
# create a script called "tar" that simply runs /bin/bash
echo /bin/bash > tar
chmod +x tar
# prepend /home/matt so this "tar" is found before the real one
export PATH=/home/matt:$PATH
```

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-be335d6becca7a1e928a064a2b9c7203383828f1%2Fba81078df96261572b00b38fc67bba6f.png?alt=media)
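The hijack works only because the binary calls `tar` by bare name and lets PATH decide which one runs. As an added defender-side check, not part of the original writeup, the following Python script audits setuid/setgid binaries for embedded strings that invoke common tools without an absolute path. `COMMON_TOOLS` is an assumed list and the `SAMPLE` blob is constructed for illustration.

```python
import os
import re
import stat

# Tools a privileged helper typically shells out to (assumed list).
COMMON_TOOLS = {"tar", "gzip", "zip", "cp", "mv", "rm", "cat", "find", "chmod",
                "chown", "sh", "bash", "mysqldump", "mysql", "python", "perl"}
# Runs of >=4 printable ASCII bytes, the same thing strings(1) prints.
_PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")
# A word at the start of a string or right after a shell separator is a
# command name resolved through PATH rather than from a fixed location.
_BARE_CMD = re.compile(r"(?:^|[;&|`(]\s*)([A-Za-z][\w.+-]*)(?=\s|$)")

def relative_commands(blob: bytes) -> list[tuple[str, str]]:
    """Return (tool, string) pairs where a known tool is invoked without a path."""
    hits = []
    for m in _PRINTABLE.finditer(blob):
        s = m.group().decode("ascii")
        for cmd in _BARE_CMD.finditer(s):
            if cmd.group(1) in COMMON_TOOLS:
                hits.append((cmd.group(1), s))
    return hits

def is_suid_or_sgid(path: str) -> bool:
    try:
        st = os.stat(path, follow_symlinks=False)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & (stat.S_ISUID | stat.S_ISGID))

def audit(roots: list[str]) -> dict[str, list[tuple[str, str]]]:
    # Map every readable setuid/setgid file under the given directories to its findings.
    report = {}
    for root in roots:
        for dirpath, _, names in os.walk(root):
            for name in names:
                full = os.path.join(dirpath, name)
                if not is_suid_or_sgid(full):
                    continue
                try:
                    with open(full, "rb") as f:
                        hits = relative_commands(f.read())
                except OSError:  # e.g. mode 4711 binaries are not readable
                    continue
                if hits:
                    report[full] = hits
    return report

# Constructed sample blob: one PATH-dependent tar call and one absolute one.
SAMPLE = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9
          + b"tar -cvf /root/backup.tar /var/www/*.php\x00"
          + b"/usr/bin/tar -cvf /root/backup.tar /var/www/*.php\x00")
```

Run `audit(["/usr/bin", "/usr/local/bin", "/usr/sbin"])` as root on a host to list the privileged binaries worth reviewing; a hit is a candidate for review, not proof, since the string may never reach `system()`.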

This doesn't work due to an error with sudo:

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-71b7d53bef993a6b94fb31f156887955ac7d9d03%2Fb16bf8752ebe98e920ee1204b92ebd44.png?alt=media)

It doesn't run from this shell, so get an ssh shell as matt instead. To get an ssh shell as matt:

* Generate a key pair with `ssh-keygen`
* Drop the public key into `/home/matt/.ssh/authorized_keys`
* Give the directory and file appropriate permissions:

```
chmod 700 /home/matt/.ssh
chmod 600 /home/matt/.ssh/authorized_keys
```

* Log in with the private key: `ssh -i id_ed25519 matt@10.10.11.136`

Now `sudo -l` works over ssh:

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-29e2a0f3fad3f7595c767ce7ef18cb69162829ca%2F3bba022f24f9bc5648054235e729b843.png?alt=media)

Now running pandora\_backup we get root:

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-8ac3874aadd271f0f029882f3386e34d15070dae%2Fb9794c793cce227eb25dfb814fbcff68.png?alt=media)

## Beyond Root

To trace the web shell's process ancestry we did `echo $$` first to get the current PID, then worked back from it through the parent PIDs in `ps -ef`.

SUID binaries failed to run because of the pandora.conf vhost in apache2:

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-ab1b8ef2118b3f21fa3b2575a7d1dba3ce5da3b8%2F6070d5e7a81781f39c11d37bd381cb66.png?alt=media)

It runs as user matt and group matt. The /etc/apache2/mods-enabled directory shows the modules that are enabled, and mpm-itk is among them (typically the items in the \*-enabled directories are symbolic links to items in the \*-available directories):
