So, first let's run our nmap scan to find out which services are running on the Pandora machine.
Enumeration
nmap -sC -sV -p- {machine ip} -oN pandorascan.txt
The scan reveals that ports 22 and 80 are open. So I went to the browser to check out the website, but there was nothing very interesting there; after that I also tried dirbuster but did not find any useful directories.
With the --min-rate=1000 flag, SNMP is the only port that is open.
SNMP Enumeration
SNMP (Simple Network Management Protocol) is a protocol used to monitor different devices on the network.
nmap 10.10.11.136 -sU --min-rate=1000 -p 161 --script=snmp-brute
Scrolling through the output, we found a username, daniel.
After that I used an nmap script to brute-force the default SNMP passwords.
After that I found a valid password for daniel, so I used that password to log in over SSH to the Pandora machine.
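The foothold here came from SNMP answering to a default community string. The check below is an added example (my code, not the author's or the box's): it audits the community directives of a net-snmp `snmpd.conf` for default strings, write access and unrestricted sources. The two config texts are constructed for the demonstration; the weak one is modelled on a stock distribution default.

```python
"""Audit a net-snmp snmpd.conf for weak SNMPv1/v2c community configuration.

Added example; WEAK_CONF and HARDENED_CONF are constructed, not taken from the box.
"""

# Community strings that brute-force wordlists try first.
DEFAULT_COMMUNITIES = {"public", "private", "manager", "admin", "cisco", "snmp", "community"}

# net-snmp directives that define a community:
#   rocommunity  <community> [source] [OID | -V view]
#   rwcommunity  <community> [source] [OID | -V view]
#   com2sec      <secname> <source> <community>
# Values are (index of community token, index of source token).
COMMUNITY_DIRECTIVES = {
    "rocommunity": (1, 2),
    "rwcommunity": (1, 2),
    "rocommunity6": (1, 2),
    "rwcommunity6": (1, 2),
    "com2sec": (3, 2),
}

UNRESTRICTED_SOURCES = {"default", "0.0.0.0/0", "::/0"}


def audit_snmpd_conf(text):
    """Return a list of (line_number, finding, detail) tuples; empty means no issue found."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        tokens = line.split()
        directive = tokens[0].lower()
        if directive not in COMMUNITY_DIRECTIVES:
            continue
        cidx, sidx = COMMUNITY_DIRECTIVES[directive]
        if len(tokens) <= cidx:
            findings.append((lineno, "malformed", line))
            continue
        community = tokens[cidx]
        source = tokens[sidx] if len(tokens) > sidx else "default"  # net-snmp default when omitted
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append((lineno, "default-community", community))
        elif len(community) < 12:
            findings.append((lineno, "short-community", community))
        if source in UNRESTRICTED_SOURCES:
            findings.append((lineno, "unrestricted-source", directive))
        if directive.startswith("rw"):
            findings.append((lineno, "write-access", community))
    return findings


def is_hardened(text):
    return not audit_snmpd_conf(text)


# Constructed: what a stock config frequently looks like (community "public", any source).
WEAK_CONF = """# constructed example, modelled on a distribution default
rocommunity public default -V systemonly
rocommunity6 public default -V systemonly
rwcommunity private 127.0.0.1
com2sec monitoring 10.0.0.0/8 Xk9-long-random-string
"""

# Constructed: a long random read-only community, limited to the monitoring network.
HARDENED_CONF = """# constructed hardened example
rocommunity tCk7pQ2vL9xZr4mW 10.0.0.0/8 -V systemonly
"""

if __name__ == "__main__":
    for lineno, kind, detail in audit_snmpd_conf(WEAK_CONF):
        print(f"line {lineno}: {kind}: {detail}")
    print("hardened config clean:", is_hardened(HARDENED_CONF))
```

Running it on the weak config flags the `public`/`private` strings, the `default` (any source) entries and the `rwcommunity` line; the hardened config produces no findings. A v3 deployment with authentication and privacy is the better end state, but this catches the configuration that the brute-force in the write-up depends on.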
Post Exploitation
I did not find any user.txt file in daniel's home directory, so I checked and found there was another user, matt, who had access to user.txt. After some enumeration I found two interesting folders, /var/www/html and /var/www/pandora: the html one was the site visible to us, but the pandora one was new.
So we have to port forward to open pandora_console in our browser.
ssh -L 80:127.0.0.1:80 daniel@10.10.11.136
Now we are able to open http://127.0.0.1/pandora_console.
After a little Burp and source code inspection I found the version of PandoraFMS:
pandora fms v7.0 ng.742_fix_perl2020
So I searched on Google for an exploit and found that it is vulnerable to unauthenticated SQL injection. After reading about the vulnerability I found that http://127.0.0.1/pandora_console/include/chart_generator.php?session_id= was vulnerable to SQL injection, so I ran sqlmap.
So we can now directly use these session cookies to log in as matt. Yes, I am able to see matt's dashboard now.
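The session_id lookup above is the textbook shape of this bug class: a user-controlled identifier concatenated into a query against the session table, reachable before any login. The following is an added example (mine, not PandoraFMS code) that reproduces the pattern against a stand-in sqlite3 sessions table and shows the parameterised form plus an input allow-list that would have rejected the request outright. Table, column and row values are constructed.

```python
"""Vulnerable vs. hardened session lookup, added example (not PandoraFMS code)."""
import re
import sqlite3

# Session ids in this stand-in are expected to be 8-64 alphanumeric/hyphen characters (constructed rule).
SESSION_ID_RE = re.compile(r"^[A-Za-z0-9-]{8,64}$")


def make_db():
    """Constructed sessions table with two logged-in users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (id_session TEXT PRIMARY KEY, user TEXT)")
    conn.executemany(
        "INSERT INTO sessions VALUES (?, ?)",
        [("sess-daniel-1", "daniel"), ("sess-matt-9", "matt")],
    )
    return conn


def lookup_session_vulnerable(conn, session_id):
    """String concatenation: the caller's input becomes part of the SQL grammar."""
    sql = f"SELECT user FROM sessions WHERE id_session = '{session_id}'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_session_safe(conn, session_id):
    """Placeholder binding: the driver sends the value separately, quotes stay literal."""
    sql = "SELECT user FROM sessions WHERE id_session = ?"
    return sorted(row[0] for row in conn.execute(sql, (session_id,)))


def lookup_session_hardened(conn, session_id):
    """Defence in depth: reject anything that is not shaped like a session id before querying."""
    if not SESSION_ID_RE.match(session_id):
        raise ValueError("session_id rejected by allow-list")
    return lookup_session_safe(conn, session_id)


def demo():
    conn = make_db()
    tautology = "' OR '1'='1"  # generic test input; returns every row from the vulnerable query
    results = {
        "vulnerable": lookup_session_vulnerable(conn, tautology),
        "safe": lookup_session_safe(conn, tautology),
        "real_id": lookup_session_safe(conn, "sess-matt-9"),
    }
    try:
        lookup_session_hardened(conn, tautology)
        results["hardened_rejected"] = False
    except ValueError:
        results["hardened_rejected"] = True
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The vulnerable lookup returns every session row for the tautology, which is exactly why an unauthenticated caller can end up holding another user's session; the parameterised query returns nothing for the same input and the allow-list rejects it before the database is reached. On the detection side, a session id parameter carrying quotes or SQL keywords in the web server access log is a cheap, high-signal alert for this endpoint.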
Now, using the guide https://www.coresecurity.com/core-labs/advisories/pandora-fms-community-multiple-vulnerabilities, I tried to spawn a shell using the event feature of the CMS.
So I captured the request for Events > View events using Burp.
Now let's remove the useless part of the request and put in the code for spawning a reverse shell.
nc -nlvp 9090
Now we finally got our reverse shell. Just go to matt's home directory and cat user.txt to get the user flag of the Pandora machine.
Now I checked for SUID file permissions for privilege escalation.
We see a pandora_backup file, which is very interesting. I downloaded the file and saw that it was using the tar application, so we added a temp directory to PATH and made a file named tar there which spawns a shell as superuser.
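The root cause of that escalation is a setuid program invoking `tar` by bare name, so whatever directory is first in the caller's PATH wins. Below is an added example (mine, not the box's pandora_backup) of two checks a defender can run: enumerate setuid/setgid files outside an expected allow-list, and scan a binary's printable strings for commands called without an absolute path. The ELF-like byte blob and the allow-list are constructed for the demonstration.

```python
"""SUID inventory and relative-command check, added example (not the box's binary)."""
import os
import re
import stat
import tempfile

# Constructed, partial allow-list of setuid binaries a baseline might expect.
KNOWN_SUID = {"/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/newgrp"}

# Commands that, if invoked by bare name from a setuid program, are hijackable via PATH.
SHELL_COMMANDS = {"tar", "cp", "mv", "rm", "chmod", "chown", "cat", "sh", "bash", "gzip", "find"}

PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")  # same idea as strings(1): runs of 4+ printable bytes


def find_suid(root):
    """Return every regular file under root with the setuid or setgid bit set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(path)
    return sorted(hits)


def unexpected_suid(root, allowlist=KNOWN_SUID):
    """Setuid files that are not on the baseline; a new pandora_backup would show up here."""
    return [p for p in find_suid(root) if p not in allowlist]


def relative_command_strings(blob):
    """Printable strings whose first word is a well-known command given without a path."""
    found = []
    for m in PRINTABLE.finditer(blob):
        text = m.group().decode("ascii")
        words = text.split()
        if words and words[0] in SHELL_COMMANDS:
            found.append(text)
    return found


# Constructed stand-in for a compiled binary: one hijackable call, one absolute-path call.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"tar -czf /var/tmp/backup.tgz /var/www/site\x00"   # bare "tar": PATH decides what runs
    + b"/usr/bin/tar -tf archive.tar\x00"                   # absolute path: not hijackable via PATH
    + b"setuid\x00setgid\x00"
)


def demo_suid_scan():
    """Create a temp tree with one setuid file and return what the scanner reports."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "pandora_backup")
        with open(path, "wb") as f:
            f.write(SAMPLE_BLOB)
        os.chmod(path, 0o4755)  # owner may set setuid on a file they own
        return unexpected_suid(tmp)


if __name__ == "__main__":
    print("unexpected setuid files:", demo_suid_scan())
    print("relative command strings:", relative_command_strings(SAMPLE_BLOB))
```

On a real host, run `unexpected_suid("/")` against a baseline captured at build time and alert on any new entry; the strings check is a coarse heuristic, but a setuid helper that calls `tar` without a path (or without resetting PATH to a fixed value first) is exactly the pattern that should fail review.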
Conclusion
So, thank you guys for reading my Pandora HackTheBox writeup; Pandora was a fun box to solve. Happy hacking, friends :)
Nice post!