Pandora writeup by evyatar9

Read my writeup for the Pandora machine:


User 1: By scanning UDP ports, we found port 161, which is the SNMP service. By running snmp-check, we found a running process that contains the credentials of the daniel user.

User 2: By enumerating, we found another web page called pandora_console. We found that the file chart_generator.php is vulnerable to SQLi. Using that, we got the credentials of the matt user for pandora_console. Using CVE-2020-13851, we get a reverse shell as the matt user.

Root: By enumerating, we found the binary /usr/bin/pandora_backup with SUID permission, which runs the tar command. By changing the PATH, we create a custom tar command which lets us get a shell as the root user.
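
The Root step works because a privileged binary resolves `tar` through the caller's PATH. The following is an added example, not code from the writeup or from pandora_backup (whose source the post does not show), of how a privileged helper can avoid that dependence; `path_is_untrusted`, `run_fixed` and `SAFE_ENV` are hypothetical names chosen for the illustration.

```c
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Environment handed to the child: fixed, nothing inherited from the caller. */
static char *const SAFE_ENV[] = { "PATH=/usr/bin:/bin", "LC_ALL=C", NULL };

/* Return 1 if any entry of a PATH string is unsafe for a privileged program:
 * empty or relative (resolves against the cwd), missing, not a directory,
 * not owned by root, or writable by group/other. Return 0 if all pass. */
int path_is_untrusted(const char *path)
{
    char buf[4096];
    struct stat st;
    if (path == NULL || strlen(path) >= sizeof buf)
        return 1;
    strcpy(buf, path);
    for (char *p = buf;;) {
        char *colon = strchr(p, ':');
        if (colon)
            *colon = '\0';
        if (p[0] != '/' || stat(p, &st) != 0 || !S_ISDIR(st.st_mode) ||
            st.st_uid != 0 || (st.st_mode & (S_IWGRP | S_IWOTH)))
            return 1;
        if (!colon)
            return 0;
        p = colon + 1;
    }
}

/* Run a helper by absolute path with SAFE_ENV. Returns the child's exit
 * status, or -1 if the path is not absolute or the child could not be run. */
int run_fixed(const char *abs_path, char *const argv[])
{
    int status;
    if (abs_path == NULL || abs_path[0] != '/')
        return -1;                 /* refuse anything needing a PATH search */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(abs_path, argv, SAFE_ENV);  /* no shell, no PATH lookup */
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

A helper written this way would call `run_fixed("/usr/bin/tar", argv)` instead of passing a bare `tar` to a shell, so the caller's PATH no longer decides which program runs with elevated privileges.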