Pandora
Enumeration
Ports and Services
Software Installed:
- Pandora FMS v7.0NG.742_FIX_PERL2020
Nmap Scan Results:
Homepage:
OneSixtyOne Scan:
Initial Foothold
Snmp-Check:
SSH as daniel
Seems the web server is hosting an internal page.
/etc/apache2/sites-enabled/pandora.conf
Pandora_Console
Impersonated admin with SQL injection.
https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained
URL:
http://localhost/pandora_console/include/chart_generator.php?session_id=%27%20union%20SELECT%201,2,%27id_usuario|s:5:%22admin%22;%27%20as%20data%20--%20SgGO
Uploaded a webshell and executed it
User.txt Proof Screenshot
Privilege Escalation
Setuid binaries appear to be blocked while logged in as matt through the nc shell, because the apache
user is blocked:
Created an SSH key and logged in over SSH as matt:
SETUID bit set on file /usr/bin/pandora_backup
It uses tar to back up files
Appears tar is invoked by name and resolved through PATH rather than an absolute path
Echoed /bin/bash into a new file called /tmp/tar
Added /tmp to PATH and re-executed pandora_backup
Logged in as root
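The root cause above is a setuid program resolving tar through the caller's PATH. As an added example (not code from Pandora FMS or from this write-up), a hardened helper in C that flags caller-controlled PATH entries and runs tar by absolute path with a fixed environment. TAR_BIN, SAFE_PATH and first_unsafe_path_entry are assumed names, and the tar arguments are a stand-in.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define TAR_BIN   "/usr/bin/tar"                   /* assumed location of tar */
#define SAFE_PATH "/usr/sbin:/usr/bin:/sbin:/bin"  /* assumed trusted directories */

/* Index of the first PATH entry an unprivileged caller can control, or -1.
 * Unsafe: empty entry (means cwd), relative entry, world-writable directory. */
int first_unsafe_path_entry(const char *path)
{
    char entry[4096];
    struct stat st;
    int idx = 0;

    for (const char *p = path; ; idx++) {
        size_t len = strcspn(p, ":");
        if (len == 0 || p[0] != '/' || len >= sizeof entry)
            return idx;                  /* empty, relative, or oversized */
        memcpy(entry, p, len);
        entry[len] = '\0';
        if (stat(entry, &st) == 0 && S_ISDIR(st.st_mode) && (st.st_mode & S_IWOTH))
            return idx;                  /* world-writable, typically /tmp */
        if (p[len] == '\0')
            return -1;                   /* every entry checked */
        p += len + 1;
    }
}

int main(void)
{
    const char *inherited = getenv("PATH");
    char *const argv[] = { "tar", "--version", NULL };  /* stand-in arguments */
    char *const envp[] = { "PATH=" SAFE_PATH, NULL };   /* nothing inherited */

    if (inherited && first_unsafe_path_entry(inherited) >= 0)
        fprintf(stderr, "caller-controlled PATH entry present; inherited PATH ignored\n");
    execve(TAR_BIN, argv, envp);  /* absolute path, so no PATH search happens */
    perror("execve");
    return 1;
}
```

The same check can be run over the PATH that cron jobs, systemd units or sudoers `secure_path` hand to privileged programs.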
Machine is also susceptible to CVE-2021-4034
https://github.com/joeammond/CVE-2021-4034/blob/main/CVE-2021-4034.py
RootScreenshot Here: