Virtual Host
PEAS initially picked up the presence of the virtual host. I will confirm it and get to the bottom of it.
daniel@pandora:/var/www$ grep -v '^#' /etc/apache2/sites-enabled/pandora.conf
<virtualhost localhost:80>
ServerAdmin admin@panda.htb
ServerName pandora.panda.htb
DocumentRoot /var/www/pandora
AssignUserID matt matt
<Directory /var/www/pandora>
AllowOverride All
</Directory>
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined
</VirtualHost>
According to the Apache configuration file at /etc/apache2/sites-enabled/pandora.conf:
- The virtual host is pandora.panda.htb
- It’s hosted over localhost:80
- The web root is located at the /var/www/pandora directory
- The matt user is assigned for the running process
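The same reading of the vhost can be automated when reviewing a host's Apache configuration. The following is an added example, not part of the original notes: a small parser that extracts the bind address and key directives from `<VirtualHost>` blocks and flags the three properties noted above. `SAMPLE_CONF`, `parse_vhosts` and `audit` are names made up for this sketch, and the sample text is constructed from the vhost printed above.

```python
import re

# Constructed sample: mirrors the vhost printed above (log directives omitted).
SAMPLE_CONF = """\
<VirtualHost localhost:80>
  ServerAdmin admin@panda.htb
  ServerName pandora.panda.htb
  DocumentRoot /var/www/pandora
  AssignUserID matt matt
  <Directory /var/www/pandora>
    AllowOverride All
  </Directory>
</VirtualHost>
"""

LOOPBACK = {"localhost", "127.0.0.1", "[::1]"}

def parse_vhosts(text):
    """Return one dict per <VirtualHost> block: bind addresses plus directives.
    Directives inside nested sections (<Directory> ...) are flattened into the vhost."""
    vhosts, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            cur = {"bind": opened.group(1).split(), "directives": {}}
        elif cur is not None and re.match(r"</VirtualHost>", line, re.I):
            vhosts.append(cur)
            cur = None
        elif cur is not None and not line.startswith("<"):
            key, _, value = line.partition(" ")
            cur["directives"].setdefault(key.lower(), []).append(value.strip())
    return vhosts

def audit(vhost):
    """Flag settings worth a reviewer's attention on a multi-user host."""
    d, notes = vhost["directives"], []
    hosts = {b.rsplit(":", 1)[0].lower() for b in vhost["bind"]}
    if hosts <= LOOPBACK:
        notes.append("loopback-only: still reachable by local users and SSH port forwards")
    if "assignuserid" in d:  # mpm-itk directive: per-vhost uid/gid
        user = d["assignuserid"][0].split()[0]
        notes.append(f"runs as '{user}': the web app holds this account's privileges")
    if any(v.lower() == "all" for v in d.get("allowoverride", [])):
        notes.append("AllowOverride All: .htaccess files can change server behaviour")
    return notes
```

Running `audit(parse_vhosts(SAMPLE_CONF)[0])` returns all three notes, while a vhost bound to `*:80` without those directives returns none.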
pandora.panda.htb
daniel@pandora:/var/www/pandora$ ll
total 16
drwxr-xr-x 3 matt matt 4096 Dec 7 2021 ./
drwxr-xr-x 4 root root 4096 Dec 7 2021 ../
-rw-r--r-- 1 matt matt 63 Jun 11 2021 index.html
drwxr-xr-x 16 matt matt 4096 Dec 7 2021 pandora_console/
daniel@pandora:/var/www/pandora$ cat index.html
<meta HTTP-EQUIV="REFRESH" content="0; url=/pandora_console/">
The web root directory has a single static HTML file, which redirects to the pandora_console directory.
daniel@pandora:/var/www/pandora$ cd pandora_console/ ; ll
total 1596
drwxr-xr-x 16 matt matt 4096 Dec 7 2021 ./
drwxr-xr-x 3 matt matt 4096 Dec 7 2021 ../
-rw-r--r-- 1 matt matt 3746 Jan 3 2020 ajax.php
drwxr-xr-x 6 matt matt 4096 Dec 7 2021 attachment/
-rw-r--r-- 1 matt matt 1175 Jun 17 2021 audit.log
-rw-r--r-- 1 matt matt 534 Jan 3 2020 AUTHORS
-rw-r--r-- 1 matt matt 585 Jan 3 2020 composer.json
-rw-r--r-- 1 matt matt 16003 Jan 3 2020 composer.lock
-rw-r--r-- 1 matt matt 14875 May 17 2019 COPYING
-rw-r--r-- 1 matt matt 506 Jan 3 2020 DB_Dockerfile
drwxr-xr-x 2 matt matt 4096 Dec 7 2021 DEBIAN/
-rw-r--r-- 1 matt matt 3366 Jan 3 2020 docker_entrypoint.sh
-rw-r--r-- 1 matt matt 1263 Jan 3 2020 Dockerfile
drwxr-xr-x 11 matt matt 4096 Dec 7 2021 extensions/
drwxr-xr-x 4 matt matt 4096 Dec 7 2021 extras/
drwxr-xr-x 2 matt matt 4096 Dec 7 2021 fonts/
drwxr-xr-x 5 matt matt 4096 Dec 7 2021 general/
drwxr-xr-x 20 matt matt 4096 Dec 7 2021 godmode/
drwxr-xr-x 21 matt matt 36864 Dec 7 2021 images/
drwxr-xr-x 21 matt matt 4096 Dec 7 2021 include/
-rw-r--r-- 1 matt matt 52704 Dec 2 2021 index.php
-rw-r--r-- 1 matt matt 42398 Jan 3 2020 install.done
drwxr-xr-x 5 matt matt 4096 Dec 7 2021 mobile/
drwxr-xr-x 15 matt matt 4096 Dec 7 2021 operation/
-rw-r--r-- 1 matt matt 1302 Apr 20 07:54 pandora_console.log
-rw-r--r-- 1 matt matt 234 May 17 2019 pandora_console_logrotate_centos
-rw-r--r-- 1 matt matt 171 May 17 2019 pandora_console_logrotate_suse
-rw-r--r-- 1 matt matt 222 May 17 2019 pandora_console_logrotate_ubuntu
-rw-r--r-- 1 matt matt 4883 May 17 2019 pandora_console_upgrade
-rw-r--r-- 1 matt matt 1168598 Jan 3 2020 pandoradb_data.sql
-rw-r--r-- 1 matt matt 160283 Jan 3 2020 pandoradb.sql
-rw-r--r-- 1 matt matt 476 Jan 3 2020 pandora_websocket_engine.service
drwxr-xr-x 3 matt matt 4096 Dec 7 2021 tests/
drwxr-xr-x 2 matt matt 4096 Dec 7 2021 tools/
drwxr-xr-x 11 matt matt 4096 Dec 7 2021 vendor/
-rw-r--r-- 1 matt matt 4856 Jan 3 2020 ws.php
I guess that this is where the web application is.
Pandora FMS
daniel@pandora:/var/www/pandora/pandora_console$ cat composer.json
{
"name": "pandorafms/console",
"description": "Pandora Flexible Monitoring System ",
"authors": [
{
"name": "Artica",
"email": "info@artica.es"
}
],
daniel@pandora:/var/www/pandora/pandora_console$ grep 'version*' install.done
* @version 1.0.0
* as published by the Free Software Foundation for version 2.
$version = '7.0NG.742_FIX_PERL2020';
$banner = "v$version Build $build";
If you want to upgrade from Pandora FMS 4.x to 5.0 version, please use the migration tool inside /extras directory in this setup.
$res += check_variable(phpversion(), '7.0', 'PHP version >= 7.0', 1);
Checking some files revealed that it’s Pandora FMS (Flexible Monitoring System).
The version seems to be 7.0NG.742_FIX_PERL2020.
Pandora FMS (Pandora Flexible Monitoring System) is software for monitoring computer networks. Pandora FMS allows the visual monitoring of the status and performance of several parameters from different operating systems, servers, applications and hardware systems such as firewalls, proxies, databases, web servers or routers.
In order to access the web application from my browser, the socket needs to be tunneled.
Vulnerability
While the Pandora FMS 742 console has so many vulnerabilities, the 4 critical vulnerabilities above are the attack vectors that I can take, as some of those don’t require authentication.
SSH Tunneling
┌──(kali㉿kali)-[~/archive/htb/labs/pandora]
└─$ ssh -L 127.0.0.1:8008:localhost:80 daniel@$IP -N -f
The authenticity of host '10.10.11.136 (10.10.11.136)' can't be established.
ED25519 key fingerprint is SHA256:yDtxiXxKzUipXy+nLREcsfpv/fRomqveZjm6PXq9+BY.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:108: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.136' (ED25519) to the list of known hosts.
daniel@10.10.11.136's password: HotelBabylon23
Since SSH is available, I will just use that to tunnel the internal socket to Kali’s 127.0.0.1:8008.
I should now be able to access the web application remotely from Kali’s 127.0.0.1:8008.
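The tunnel works because the SSH daemon permits TCP forwarding for this account, so binding a service to loopback does not isolate it from anyone holding SSH credentials. The following added example (not part of the original notes) checks an effective sshd configuration, in the `keyword value` format printed by `sshd -T` (optionally `sshd -T -C user=...` to evaluate Match blocks), for whether a local forward to a given destination would be permitted. The function names and the sample text are constructed for this sketch.

```python
# Constructed sample: excerpt in the format printed by `sshd -T`.
SAMPLE_SSHD_T = """\
port 22
allowtcpforwarding yes
permitopen any
gatewayports no
"""

def effective(text):
    """Parse `keyword value` lines; the first occurrence of a keyword wins."""
    cfg = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key:
            cfg.setdefault(key.lower(), value.strip())
    return cfg

def local_forward_allowed(cfg, host, port):
    """True if a client may open a forwarded connection to host:port.
    Defaults follow sshd_config(5): AllowTcpForwarding yes, PermitOpen any."""
    mode = cfg.get("allowtcpforwarding", "yes").lower()
    if mode not in ("yes", "all", "local"):
        return False  # "no" or "remote" blocks local (-L) forwards
    permit = cfg.get("permitopen", "any").split()
    if "any" in permit:
        return True
    if "none" in permit:
        return False
    # PermitOpen entries are literal host:port pairs; '*' may stand for either part.
    wanted = {f"{host}:{port}", f"{host}:*", f"*:{port}", "*:*"}
    return any(entry in wanted for entry in permit)
```

With the sample above, `local_forward_allowed(effective(SAMPLE_SSHD_T), "localhost", 80)` is true; setting `AllowTcpForwarding no` for the account, or restricting `PermitOpen` to the destinations it actually needs, makes it false.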
Browsing to the web root, I get redirected to the login page at the /pandora_console/index.php file.
Since I have already identified the vulnerabilities for this particular instance, I will start by [[pandora_cve-2021-32099#cve-2021-32099|bypassing the authentication]].