Pandora from Hack the Box, created by TheCyberGeek and dmw0ng, is an Easy Linux-based machine. It starts with Port 161 open; using snmp-check you're able to find a password for the daniel user. Once on the box you use SSH to port-forward a locally running version of Pandora FMS. You use CVE-2021-32099 and the built-in File Manager to upload a PHP web-shell which escalates to matt. Finally you use pandora_backup running as root to escalate to the root user and finish the box.
I began this box by setting an $ip variable to the current box IP. Next I ran a quick RustScan on the box to grab open ports and sent the output to xsltproc to convert it to HTML for easier reading:
Reviewing the results I can see only two ports open. While nmap is finishing I navigate over to
Website showing Panda.HTB and Play.HTB.
I noticed both play/panda being mentioned throughout the site so I add both of them to my host file:
Next I used GoBuster to kick off VHOST/sub-domain scans and a secondary nmap scan comes back with a hit:
Escalation to Daniel
I could see that Port 161 was open to SNMP so I ran snmp-check to see if I could pull any further information:
A lot of information came back which included a username/password. I tried the username and password on SSH and logged into the box:
Once on the box I looked around the /var/www directory and saw pandora_console and some .sql files. As I have python available and SSH, I set up a local http.server to retrieve the database files for review:
Downloading the .SQL files to attempt to find a foothold.
Reviewing the files I could see the following:
I added the hash to a file and ran it with
I then did the same thing as above with Port 80 to hit it via my localhost:
I tried the default credentials of admin/pandora which I cracked previously and it didn't work. Next I tried daniel's creds but was told I could only use the Pandora FMS Dashboard via port-forward.
Showing the daniel user can only use the API.
I kicked off sqlmap and after a few attempts, I was able to get data back from sqlmap. I pulled the tpassword_history table in an attempt to log in, which was unsuccessful:
Next, I found the following blog, Sonarsource – Pandora FMS 742, which highlighted CVE-2021-32099. I tried the URL:
Using CVE-2021-32099 to access the Pandora FMS Dashboard.
Escalation to Matt
Going to just pandora_console afterwards logged us in. Once on the Dashboard I navigated around until I found a File manager:
Using the File Manager to upload a PHP web-shell by WSO.
I uploaded a PHP web-shell (WSO 4.2.5) and found it within the images directory. I looked around the environment using the built-in console to find
Using the WSO web-shell I can see pandora_backup running as root.
I wanted a more stable shell to find out what pandora_backup was doing so I upgraded my shell by creating an SSH key as the active user:
Creating an SSH key to login as the matt user.
⚠ Attack Machine
Once logged in I checked pandora_backup and could see it was creating a backup:
Running cat on the program I could see that tar was being executed and it was creating a backup as root. I could also see the PATH was not fully defined:
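The pattern observed here, a root-run program that executes tar while its PATH is not fully defined, is something you can audit for on your own hosts. The following is an added example, not code from the original post: it scans a binary's printable strings for command lines that start a common utility by bare name; the tool list and the sample bytes are constructed assumptions, not the contents of pandora_backup.

```python
import re

# Assumed list of utilities that maintenance helpers often shell out to.
COMMON_TOOLS = {"tar", "cp", "mv", "rm", "gzip", "zip", "chmod", "chown", "cat"}

def printable_strings(blob: bytes, min_len: int = 4):
    """Yield runs of printable ASCII from a binary, like strings(1)."""
    for match in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield match.group().decode("ascii")

def relative_commands(blob: bytes):
    """Return (tool, string) pairs for command lines that start a tool by bare name."""
    findings = []
    for text in printable_strings(blob):
        # One string may chain several commands; look at each segment.
        for segment in re.split(r"[;&|]+", text):
            tokens = segment.split()
            if len(tokens) < 2:
                continue  # a lone word is more likely a symbol name than a command
            if "/" not in tokens[0] and tokens[0] in COMMON_TOOLS:
                findings.append((tokens[0], text))
    return findings

# Constructed sample bytes standing in for a privileged backup helper.
SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00\x00\x00"
    b"Backup started\x00"
    b"tar -czf /backups/site.tar.gz /srv/app/*\x00"   # resolved through PATH
    b"/usr/bin/gzip -9 /backups/db.sql\x00"           # absolute path, not flagged
    b"chown\x00"                                      # lone symbol name, not flagged
    b"Backup failed!\x00"
)

if __name__ == "__main__":
    for tool, line in relative_commands(SAMPLE):
        print(f"relative call to {tool!r}: {line}")
```

A finding means the helper resolves that tool through whatever PATH it inherits; the fix belongs in the privileged program, which should call the utility by absolute path and set its own environment before executing anything.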