Open in app

Sign in

Write

Sign in

HackTheBox : Pandora

0liverFlow
11 min readFeb 1, 2025

--

Pandora is a Linux machine that covers a various interesting techniques. Initial foothold is obtained by enumerating the SNMP service, which reveals cleartext credentials for user daniel. Host enumeration reveals Pandora FMS running on an internal port, which can be accessed through port forwarding. Lateral movement to another user called matt is achieved by chaining SQL injection; RCE vulnerabilities in the PandoraFMS service. Privilege escalation to user root is performed by exploiting a SUID binary for PATH variable injection.

Reconnaissance

Nmap

TCP full scan
UDP top 50 ports scan

SSH -TCP/22

In this section, we wil check for ssh vulnerabilities using ssh-audit :

Auditing SSH

HTTP — TCP/80

First and foremost, let’s take a quick glance at the website using our browser :

Main web page

I found nothing really interesting on this webpage. We may need to perform further enumeration to see if we can get more information.

Technology profiling

Website technologies enumeration

From the output above, we can see that the target seems to run wordpress. Let’s check it out !

Checking if the website is running Wordpress

As shown above, the target is not running wordpress. Hence, let’s try to crawl the website to see if we can find some interesting information.

Crawling

In this section, I am going to use ReconSpider :

Crawling results

This also led me nowhere. I got the same result when I performed a directory and vhost fuzzing using ffuf

Directory fuzzing

Vhost fuzzing

Well, let’s move with SNMP enumeration with the hope to find something.
SNMP can sometimes reveal a lot of data, including device names, IP addresses, software versions, and uptime statistics if misconfigured.

SNMP — UDP/161

Simple Network Management Protocol (SNMP) is a protocol that facilitates the management and monitoring of networked devices, such as routers, switches, servers, and printers.
It is used to manage network devices and modify their information to change device behavior. The current version of SNMP is SNMPv3.

Prior that we had SNMPv1 and SNMPv2c. Feel free to check this blog post for more information.

First thing I generally do is to check if there is any use of default community strings such as public or private .

You can see community strings as passwords that are used to determine whether the requested information can be viewed or not.

To check that, I am gonna use a tool called snmpwalk which extracts detailed information from SNMP-enabled devices using OIDs (Object Identifiers).

Running snmpwalk

Here is a quick breakdown of the command :

  • -v2c : used to specify the SNMP version
  • -c : used to specify the community string (here public)

As you can see, it seems that we found some credentials. Let’s see if we can authenticate to the target using ssh.

Initial Access

In this section, we will try to authenticate to the target system using the credentials obtained when enumerating the SNMP protocol :

SSH authentication succeeded

First and foremost, let’s generate a pair of ssh keys, then add our public key to the target’s authorized_keys file using ssh-copy-id :

We can use ssh-copy-id only if we already know the target user’s password.

If that is not the case (e.g : after getting a reverse shell via an RCE) we should add our public key manually by editing the target authorized_keys file.

SSH Public key authentication succeeded

Note : Only the public key is copied to the server. The private key should never be copied to another machine.

That said, let’s now enumerate the compromised account :

Enumerating the working directory
Enumerating users with a shell
Enumerating SUID/SGID binaries

As you can see, we found a binary /usr/bin/pandora_backup with SUID bit set. Nevertheless, we don’t have the permissions to execute it.

Hence, let’s check what we can see in the web configuration files. Checking the website configuration files should be one of the first things we should do after compromising a target that runs a web server. Indeed, we may sometimes find database credentials that could help us move laterally or access other internal websites not available from the outside using port forwarding. Let’s start by taking a look at the web root directory /var/www :

Interesting ! We have two directories. This made me think that there was probably another website running on the target. To confirm that, I took a look at the /etc/apache2/sites-enabled directory :

Let’s check the configuration files :

000-default config file

This is the configuration file of the public facing website that we enumerated above.

pandora config file

Awesome ! As you can see, there is indeed a website running locally on the target server with /var/www/pandora as a document root. To access this website, we will use port forwarding. Nevertheless, let’s take a quick look at the services running on the machine :

Enumerating the listening ports on the target system

There is a database running locally. Let’s see if we can access it using the default credentials :

MySQL authentication failed

Port Forwarding

In this section, we are going to use SSH local port forwarding to get access to the target’s internal web server :

SSH local port forwarding

After that, we should normally access the internal website from our attacker machine on port 8081 :

At the bottom of the page, you can see a version :

Pandora FMS’ version
Technology profiling

Pandora FMS is an open source monitoring application that monitors networks, applications, servers, web, and other specific data sources such as logs, WMI or SNMTP traps.

Well, let’s try see if we can find default credentials for pandora FMS :

Pandora FMS’ default credentials

Interesting ! Nevertheless, none of these credentials worked for me.

Therefore, I searched for exploits related to the version identified earlier :

Vulnerability research

As you can see, Pandora FMS version v7.0NG.742 is vulnerable to an authenticated remote code execution. That’s great but unfortunately we cannot use it because we have no valid credentials. Let’s see if we can find an unauthenticated exploit related to the running version :

Unauthenticated exploit found

Fantastic ! We found an unauthenticated exploit related to our version of Pandora FMS. Let’s download the exploit :

Downloading the python exploit

This exploit takes advantage of a SQL injection vulnerability affecting the get parameter session_id of the chart_generator.php webpage as you can see in the code :

session_id parameter to SQLi

After exploiting the SQLi, it takes advantage of a RCE vulnerability to allow us to execute commands on the target system.
Let’s now run the exploit against the target :

SQLi + RCE
user.txt flag

Lateral Movement (Daniel -> Matt)

As you already know it guys, we cannot do anything really interesting with the terminal above. Therefore, we will need to switch to a more stable terminal. One way to do that consists of adding manually our generated public key (id_rsa.pub) to matt’s .ssh/authorized_keys file. However, let’s first of all create a .ssh folder see that it doesn’t exist :

Creating /home/matt/.ssh

Once done, let’s url-encode the special characters (e.g : the + character) of our public key see that we’re sending a GET request to the server. To do that, we can use cyberchef :

Url-encode the public key content

We can then add the url-encoded public key to matt’s .ssh/authorized_keys file using the following command :

Adding the url-encoded public to matt’s .ssh/authorized_keys

Let’s check if our public key was successfully added :

Fantastic ! Our public key was successfully added. Let’s now try to authenticate as matt using ssh :

Wonderful ! We’ve been able to successfully authenticate to matt’s account using ssh.

From here, we will try to escalate our privileges to root.

Privilege Escalation

If you remember well, we found in the initial access section this SUID binary : /usr/bin/pandora_backup that was only executable by root and matt. Let’s take a look at it :

I tried to execute the binary to see what it does and it seems that it performs a backup of the files in /var/www/pandora.

Trying to execute pandora_backup binary

Well, let’s try to perform a static analysis of the binary using the strings command :

See that strings is not installed on the target machine, we will need to transfer the binary on our local machine. One way to do that is to base64 encode the binary content, then copy it to a file on our local system after :

Encode the binary in base64

Once the binary encoded, we can decode it and paste into a file on our local system. Here is the command that I used to do that :

echo '<BASE64_ENCODED_BINARY>' | base64 -d > pandora_backup.sh

After that, I checked if the two files had the same hash to make sure that the binary was the same :

As you can see, the binaries are similar.

Let’s now use the strings command to retrieve the printable characters from the binary :

Retrieving the binary’s printable characters using strings

Haha, the binary is vulnerable to path injection. Indeed, it’s executing the tar command without specifying the absolute path. We can then leverage that to get a shell as root. Here are the following steps to exploit this vulnerability :

1/ Create the following file named tar :

Note : It’s important to create your file in a directory where you have write permissions. Here, I directly used matt’s home directory see that I am authenticated as matt. You could also use /tmp or /dev/shm for instance.

2/ Give the execution permission to the tar file :

3/ Once done, let’s add the directory where we created our tar file to the beginning of the PATH environment variable :

4/ Finally, we can exploit the path injection by executing the vulnerable binary :

Hoorah \0/ , we got a shell as root.

Let’s retrieve the root flag. Shall we ?

root.txt flag

Key Techniques Used

Here are the following techniques we used to solve this box :

  • SNMP enumeration with snmpwalk
  • Internal reconnaissance (enumeration of web configuration files)
  • Port forwarding to access internal website not available from the outside
  • Move laterally after exploiting a vulnerable version of Pandora FMS
  • Escalate our privileges after exploiting a path injection vulnerability.

Lessons Learned

1/ To get our initial access, we exploited a SNMP server that was using a default community string. This allowed us to retrieve sensitive information such as daniel’s credentials. Then, using these credentials, we have been able to authenticate to his account. To fix that, we recommend to change the default community strings and use complex values.

2/ To authenticate as matt, we exploited a vulnerable and outdated version of Pandora FMS using a public exploit that we found on GitHub. To remediate that, we recommend to update always your software. Refer here for more information.

3/ To escalate our privileges, we exploited a binary that was vulnerable to path injection. Furthermore, the binary has the suid bit set, which allowed us to get a shell as root. To fix that vulnerability, we recommend you to use the absolute path when calling programs in your binary in addition to apply the least privilege principle.

Wrap Up

That’s it guys. Congrats on having made it so far 👏

I hope you enjoyed the writeup.

If so, do not forget to click on the little clap icon below and subscribe to my newsletter to keep up with my latest articles !

Resources

https://www.sonarsource.com/blog/pandora-fms-742-critical-code-vulnerabilities-explained/
https://pandorafms.com/community/knowledge-base/what-are-the-pandora-fms-default-credentials/
https://github.com/shyam0904a/Pandora_v7.0NG.742_exploit_unauthenticatedhttps://www.exploit-db.com/exploits/50961
https://github.com/pandorafms/pandorafms
https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/

Contact

GitHub : https://github.com/0liverFlow

Hackthebox
Pandora
Snmp
Path Injection
Oscp Preparation

--

--

0liverFlow
0liverFlow

Written by 0liverFlow

144 Followers
3 Following

Pentester | Enjoy breaking and building stuffs

No responses yet

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams