Read my writeup of the Pandora machine:
TL;DR
User 1: By scanning for UDP ports we found port 161, which is the SNMP service. By running snmp-check we found a running process which contains the credentials of the daniel user.
User 2: By enumerating we found another web page called pandora_console. We found that the file chart_generator.php is vulnerable to SQLi. Using that we got the credentials of the matt user for pandora_console. Using CVE-2020-13851 we get a reverse shell as the matt user.
Root: By enumerating we found the binary /usr/bin/pandora_backup with SUID permission, which runs the tar command. By changing the PATH we create a custom tar command which lets us get a shell as the root user.
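The root step depends on a privileged binary resolving tar through the caller's PATH. As an added example (not code from this writeup or from Pandora FMS), here is one way a privileged helper can start tar so that PATH has no influence: an absolute program path, execve() instead of a shell, and a fixed environment. The function names and the archive and source paths are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Fixed environment for the child: nothing is inherited from the caller. */
static char *const SAFE_ENV[] = { "PATH=/usr/bin:/bin", "LANG=C", NULL };

/* Accept only an absolute program path with no ".." component. */
int is_safe_program(const char *path) {
    if (path == NULL || path[0] != '/') return 0;
    if (strstr(path, "/../") != NULL) return 0;
    size_t n = strlen(path);
    if (n >= 3 && strcmp(path + n - 3, "/..") == 0) return 0;
    return 1;
}

/* Run argv[0] with execve(): no shell, no PATH search, fixed environment.
   Returns the child's exit status, or -1 on refusal or failure. */
int run_fixed(char *const argv[]) {
    if (!is_safe_program(argv[0])) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(argv[0], argv, SAFE_ENV);
        _exit(127);                       /* exec itself failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed arguments: archive and source paths are placeholders. */
    char *const args[] = { "/usr/bin/tar", "-czf", "/tmp/example-backup.tar.gz",
                           "-C", "/etc", "hostname", NULL };
    int rc = run_fixed(args);
    printf("tar exit status: %d\n", rc);
    return rc == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

A helper that does not need root for the whole run should also drop privileges before the exec; that is outside what this block shows.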