In this post, I would like to share a walkthrough of the Pandora machine from Hack The Box.
This machine is rated Easy on Hack The Box.
What will you gain from the Pandora machine?
For the user flag, you will need snmpwalk for further enumeration, followed by an SQL injection attack to reach the admin dashboard.
As for the root flag, you need to access the machine as matt via SSH and then abuse one SUID file to obtain a root shell.
Information Gathering on Pandora Machine
Once the VPN connection (its configuration file is downloaded from Hack The Box) is up, we can start information gathering on the machine by running the command nmap -sC -sV -p- <IP Address> -PN
Let’s open the website interface.
Sadly, there is nothing useful to find by browsing the website. As a result, let’s enumerate further with the Gobuster tool.
SNMPWalk enumeration on Pandora
There is still nothing to work with, so let’s enumerate further with a UDP port scan.
We notice that UDP port 161 is open, which is the SNMP service.
From my experience as a pentester, the snmpwalk tool can be used to enumerate SNMP a little further.
** snmpwalk should be available in Kali Linux by default. If not, it can be installed manually by running the following command (sudo apt-get install snmp) **
Oh wow! We managed to spot a username and password.
We can try to access the machine via SSH.
Port Forwarding on the Pandora machine
Voila! However, we cannot read the user flag even though we can access the machine via SSH.
Let’s check which ports are listening locally by running the netstat -an command.
As a result, we can proceed with port forwarding of port 80.
Pandora website interface
Finally, we can reach another website interface through the port forward.
The default credentials found on the internet cannot be used to log in.
Let’s do some research on the Pandora FMS product.
We find one website that is useful for the next step.
After reading that information, we try to access the PHP file /include/chart_generator.php, which only returns an error stating “Access is not granted”.
We run sqlmap to get a better understanding of the vulnerability explained on that website.
Therefore, we retrieve a session ID with the command used by sqlmap.
At last, we obtain session IDs for the users daniel and matt.
Let’s copy the session ID we found into the URL of the website interface, for example:
http://127.0.0.1/pandora_console/include/chart_generator.php?session_id=<session id>
A dashboard appears, but sadly there is nothing useful in it.
Therefore, we need another session ID that gives us full use of the Pandora website.
As we already know, the Pandora website is vulnerable to SQL injection.
The SQL injection that can be abused looks like this:
http://127.0.0.1:8888/pandora_console/include/chart_generator.php?session_id=' union SELECT 1,2,'id_usuario|s:5:"admin";' as data -- SgGO
The URL above shows the payload before URL encoding; the encoded form is:
http://127.0.0.1:8888/pandora_console/include/chart_generator.php?session_id=%27%20union%20SELECT%201,2,%27id_usuario|s:5:%22admin%22;%27%20as%20data%20--%20SgGO
Voila! After refreshing the URL at 127.0.0.1, we have access to the Pandora FMS admin dashboard through the SQL injection.
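As an added example (not the page’s or Pandora FMS’s own code), the pattern behind this injection and its fix, using an in-memory SQLite table as a stand-in for Pandora’s MySQL session table; the table and column names are assumptions. The same session_id is passed once into a string-built query and once into a parameterised one.

```python
import re
import sqlite3

# Toy stand-in for Pandora's session table, built in memory with SQLite instead of
# MySQL (constructed for this example; the column names are assumptions, not Pandora's schema).
SESSION_ROWS = [("a1b2c3d4", 1700000000, 'id_usuario|s:6:"daniel";')]

# The page's payload, before URL encoding.
PAYLOAD = "' union SELECT 1,2,'id_usuario|s:5:\"admin\";' as data -- SgGO"

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tsessions_php (id_session TEXT, last_active INTEGER, data TEXT)")
    con.executemany("INSERT INTO tsessions_php VALUES (?, ?, ?)", SESSION_ROWS)
    return con

def lookup_vulnerable(con, session_id):
    # session_id is spliced into the SQL text, so a quote closes the literal and a
    # UNION lets the caller supply the 'data' column that the application then trusts.
    sql = ("SELECT id_session, last_active, data FROM tsessions_php "
           f"WHERE id_session = '{session_id}'")
    row = con.execute(sql).fetchone()
    return row[2] if row else None

def lookup_fixed(con, session_id):
    # Parameterised query: the same input is compared as one opaque string value.
    sql = "SELECT id_session, last_active, data FROM tsessions_php WHERE id_session = ?"
    row = con.execute(sql, (session_id,)).fetchone()
    return row[2] if row else None

def session_user(data):
    # Pull the user out of a PHP session-serialisation fragment: id_usuario|s:<len>:"<user>";
    m = re.match(r'id_usuario\|s:(\d+):"([^"]*)";', data or "")
    if not m or len(m.group(2)) != int(m.group(1)):
        return None
    return m.group(2)

if __name__ == "__main__":
    con = make_db()
    print("vulnerable, payload ->", session_user(lookup_vulnerable(con, PAYLOAD)))  # admin
    print("fixed, payload      ->", session_user(lookup_fixed(con, PAYLOAD)))       # None
```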
Gaining Privileged Access
While analyzing the source code of the website, I notice that it is built from PHP files. As a result, we should be able to use a PHP reverse shell.
We start an nc listener so that we can catch the reverse shell on our attacking machine.
Under Admin tools, there are a few ways to upload our PHP reverse shell file to the website. However, I will use File Manager for that purpose.
The screenshot above shows the file directory, including the images directory.
Let’s upload the file as shown in the screenshot above.
The upload was successful.
Therefore, we get the reverse shell connection back by triggering the shell from the website’s directory.
Boom! We have our reverse shell connection.
We have successfully accessed the machine with matt’s privileges.
To get a proper shell, we run the bash -i command.
We can read the user flag by running the command “cat user.txt”.
Escalating to Root Privileges
To obtain a proper shell on the machine, we need to access it via the SSH service.
Obtaining proper SSH access
To access the machine via SSH, we first generate a key pair with ssh-keygen.
We transfer our public key to the machine using the wget command, as in the screenshot above.
We then move id_rsa.pub into a different file, authorized_keys.
For SSH access to work, we need to set the file permissions to 600.
Sadly, we still cannot access the machine as matt via the SSH service.
After talking to my friends and trying multiple approaches on the machine, I managed to solve the issue by changing HackTheBox’s VPN from a release VPN to a normal VPN.
Uwu! We have successfully accessed the machine via the SSH service.
Let’s search for any SUID or otherwise odd file that we can use to escalate to root privileges. Sadly, there is nothing interesting in the /var/backups directory.
As a result, we explore other directories, looking for any file that looks suspicious.
Finally, we find a file that looks odd, at least to me: pandora_backup, which is highlighted in red.
Enumerating further with linpeas.sh
Let’s download linpeas.sh to the victim machine and make it executable.
Let’s analyze the results while it is still running in the background.
Let’s analyze the file for anything readable that I can make sense of.
Reading the file carefully, I notice a line that refers to pandora-backup.tar.gz, which suggests we can abuse the tar call.
I will explain each step shown above.
We found a call to tar inside pandora_backup, which makes us think we can put a command of our own into a file called tar so that it runs with root privileges.
Next, we make our tar file executable.
For the SUID binary to pick up our file, we need to export a PATH that puts our directory first.
After that, we execute the SUID file (/usr/bin/pandora_backup) to obtain a root shell.
We can read the root flag by running the “cat root.txt” command.
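As an added example from the defender’s side (not from the page or from Pandora FMS), a small audit that finds SUID binaries which invoke commands such as tar by bare name and so resolve them through the caller’s PATH, which is the weakness abused above; the watched command list and the sample byte strings are constructed assumptions.

```python
import os
import re
import stat

# External tools a backup helper is likely to shell out to (constructed list; extend as needed).
WATCHED = {"tar", "gzip", "cp", "mv", "rm", "find", "mysqldump", "rsync"}

# Constructed byte strings standing in for a helper's .rodata; not taken from a real binary.
SAMPLE_VULN = b"\x7fELF\x00\x00tar -cvf /tmp/pandora-backup.tar.gz /var/www/pandora\x00done\x00"
SAMPLE_SAFE = b"\x7fELF\x00\x00/usr/bin/tar -cvf /tmp/pandora-backup.tar.gz /var/www/pandora\x00"

def printable_strings(data, min_len=4):
    """Roughly what `strings` prints: runs of printable ASCII at least min_len bytes long."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def relative_invocations(data):
    """Watched commands that begin an embedded string as a bare word (no absolute path).
    That is what system("tar ...") leaves behind, and a bare name resolves via the
    caller's PATH. Expect some false positives: this yields a short list to review."""
    hits = set()
    for s in printable_strings(data):
        words = s.split()
        if words and words[0] in WATCHED:
            hits.add(words[0])
    return sorted(hits)

def scan_suid(root="/", owner_uid=0):
    """Report regular SUID files under root owned by owner_uid that call a watched
    command by bare name. Unreadable paths are skipped."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not (stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID
                        and st.st_uid == owner_uid):
                    continue
                with open(path, "rb") as f:
                    hits = relative_invocations(f.read())
            except OSError:
                continue
            if hits:
                findings[path] = hits
    return findings

if __name__ == "__main__":
    print("sample vulnerable:", relative_invocations(SAMPLE_VULN))  # ['tar']
    print("sample fixed:     ", relative_invocations(SAMPLE_SAFE))  # []
    print(scan_suid("/usr"))  # any SUID-root helper under /usr calling a watched tool by bare name
```

The fix on the binary side is to call tools by absolute path and to set a fixed PATH (or clear the environment) before spawning anything from a SUID program.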
-THE END-
Happy Learning Guys!
Extra Information
We can use /etc/shadow to unlock and read the write-up.