Pandora – HackTheBox Writeup

So, first let's run our nmap scan to find out which services are running on the Pandora machine.

Enumeration

nmap -sC -sV -p- {machine ip} -oN pandorascan.txt

The scan reveals that ports 22 and 80 are open. So I went to the browser to check out the website, but there was nothing very interesting there; after that I also tried dirbuster but did not find any useful directories.

The only useful thing on the website was the Panda.htb domain name, which I added to the /etc/hosts file. After trying many things I finally tried a UDP port scan, but as UDP scans are very slow I used the --min-rate=1000 flag.

SNMP is the only UDP port that is open.

SNMP Enumeration

SNMP (Simple Network Management Protocol) is a protocol used to monitor and manage different devices on a network.

nmap 10.10.11.136 -sU --min-rate=1000 -p 161 --script=snmp-brute

Scrolling through the output, we found a username: daniel.


After that I used an nmap script to brute-force default SNMP passwords.

After that I found a valid password for daniel, so I used it to log in to the Pandora machine over SSH.

Post Exploitation

I did not find any user.txt file in daniel's home directory, so I checked and found there was another user, Matt, who had access to user.txt. After some enumeration I found two interesting folders, /var/www/html and /var/www/pandora; the html one was the site visible to us, but the pandora one was new.

So we have to set up a port forward to open pandora_console in our browser.

ssh -L 80:127.0.0.1:80 [email protected]

Now we are able to open http://127.0.0.1/pandora_console


After a little Burp and source-code inspection I found the version of Pandora FMS:

pandora fms v7.0 ng.742_fix_perl2020

So I searched Google for an exploit and found that this version is vulnerable to an unauthenticated SQL injection. After reading about the vulnerability I found that http://127.0.0.1/pandora_console/include/chart_generator.php?session_id= was the vulnerable parameter, so I ran sqlmap against it.
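From the defender's side, the same endpoint is easy to watch for. As an added example (not part of the original writeup), here is a small Python detector that scans Apache access-log lines for requests to chart_generator.php whose session_id parameter is not a well-formed PHP session id, or which carry a sqlmap user agent. The combined log format, the session-id character set and the sample lines are assumptions constructed for the example.

```python
"""Flag suspicious requests to Pandora FMS chart_generator.php in Apache access logs."""
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log format (assumed; adjust if the server logs differently).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A PHP session id is plain alphanumerics (plus ',' and '-' for some hash settings).
SESSION_ID_RE = re.compile(r"^[A-Za-z0-9,-]{1,128}$")
# Characters and keywords that never belong in a session id.
SQL_TOKENS = re.compile(r"(?i)\b(union|select|sleep|benchmark|or|and)\b|['\"()=;]|--|/\*")

def inspect(line: str):
    """Return a reason string if the line looks like SQLi against chart_generator.php, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line; skip rather than guess
    url = urlsplit(m["path"])
    if not url.path.endswith("/pandora_console/include/chart_generator.php"):
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    sid = params.get("session_id", [""])[0]
    if "sqlmap" in m["ua"].lower():
        return f"{m['ip']}: sqlmap user-agent on chart_generator.php"
    if sid and not SESSION_ID_RE.match(sid):
        token = SQL_TOKENS.search(sid)
        detail = f"SQL token {token.group(0)!r}" if token else "unexpected characters"
        return f"{m['ip']}: malformed session_id ({detail})"
    return None

def scan(lines):
    """Run inspect() over an iterable of log lines and keep the hits."""
    return [hit for hit in (inspect(line) for line in lines) if hit]

# Constructed sample log lines (not captured from a real host).
SAMPLE_LOG = [
    '10.10.14.5 - - [01/Jan/2022:10:00:01 +0000] "GET /pandora_console/include/chart_generator.php?session_id=g4e01qdgk36mfdh90hvcc54umq HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [01/Jan/2022:10:00:02 +0000] "GET /pandora_console/include/chart_generator.php?session_id=x%27%20OR%201%3D1--%20- HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [01/Jan/2022:10:00:03 +0000] "GET /pandora_console/include/chart_generator.php?session_id=abc HTTP/1.1" 200 512 "-" "sqlmap/1.6"',
    '10.10.14.9 - - [01/Jan/2022:10:00:04 +0000] "GET /pandora_console/index.php?sec=view HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Feed it `tail -f` output or the full access log to get one line per suspicious request; a legitimate Pandora FMS session id will never trip the malformed-id check.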



So we can now directly use these session cookies to log in as matt. Yes, I am able to see matt's dashboard now.


Now, using the guide at https://www.coresecurity.com/core-labs/advisories/pandora-fms-community-multiple-vulnerabilities, I tried to spawn a shell using the events feature of the CMS.

So I captured the request for Events > View events using Burp.


Now let's remove the useless part of the request and put in the code for spawning a reverse shell.

Don't forget to URL-encode the shell command, and set up a listener:
nc -nlvp 9090

Now we finally got our reverse shell. Just go to matt's home directory and cat user.txt to get the user flag of the Pandora machine.

Now I checked for SUID files for privilege escalation.


We see a pandora_backup file, which is very interesting. I downloaded the file and saw that it was calling the tar program, so we added a temp directory to PATH and created a file named tar there which spawns a shell as the superuser.


Conclusion

So, thank you guys for reading my Pandora HackTheBox writeup; Pandora was a fun box to solve. Happy hacking, friends :)
