In this post, I would like to share a walkthrough of the Pikatwoo Machine from Hack the Box.


This room is rated as an Insane machine on Hack the Box.

What will you gain from the Pikatwoo machine?


For the user flag, you will need to find an Android application file that provides some useful information. I will retrieve the token for the user and try to change the user's password. We can verify the password change by authenticating as the user with the new password. We are then required to find the password for the users, which is hidden in a different Docker environment.


As for the root flag, you need to take advantage of a Kerberos vulnerability, which leads to obtaining a root shell.

Information Gathering on Pikatwoo Machine


Once we have started the VPN connection, which requires a download from Hack the Box, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

┌─[darknite@parrot]─[~/Document/htb/Pikatwoo]
└──╼ $nmap -sC -sV 10.10.11.199 -oA inital 
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-16 03:32 EDT
WARNING: Service 10.10.11.199:5000 had already soft-matched rtsp, but now soft-matched sip; ignoring second value
Nmap scan report for 10.10.11.199
Host is up (0.16s latency).
Not shown: 995 closed tcp ports (conn-refused)
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 f3:92:2d:fd:84:22:d7:8d:f6:b0:9e:78:8e:b9:3b:e7 (RSA)
|   256 01:e4:3e:c0:66:43:df:25:af:8a:71:b8:39:06:df:9f (ECDSA)
|_  256 4f:ec:39:76:4e:71:94:71:be:fa:7f:fa:a6:a8:16:74 (ED25519)
80/tcp   open  http     nginx 1.18.0
|_http-title: Pikaboo
|_http-cors: HEAD GET POST PUT DELETE PATCH
|_http-server-header: nginx/1.18.0
443/tcp  open  ssl/http nginx 1.18.0
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
| ssl-cert: Subject: commonName=api.pokatmon-app.htb/organizationName=Pokatmon Ltd/stateOrProvinceName=United Kingdom/countryName=UK
| Not valid before: 2021-12-29T20:33:08
|_Not valid after:  3021-05-01T20:33:08
| tls-nextprotoneg: 
|_  http/1.1
| tls-alpn: 
|_  http/1.1
|_http-server-header: APISIX/2.10.1
|_ssl-date: TLS randomness does not represent time
5000/tcp open  rtsp
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 404 NOT FOUND
|     Content-Type: text/html; charset=utf-8
|     Vary: X-Auth-Token
|     x-openstack-request-id: req-b0dcf3a3-5085-4287-99f3-703ff0b0174a
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|     <title>404 Not Found</title>
|     <h1>Not Found</h1>
|     <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
|   GetRequest: 
|     HTTP/1.0 300 MULTIPLE CHOICES
|     Content-Type: application/json
|     Location: http://pikatwoo.pokatmon.htb:5000/v3/
|     Vary: X-Auth-Token
|     x-openstack-request-id: req-ee2ad3a7-bde4-45a2-bead-207076ce7f4b
|     {"versions": {"values": [{"id": "v3.14", "status": "stable", "updated": "2020-04-07T00:00:00Z", "links": [{"rel": "self", "href": "http://pikatwoo.pokatmon.htb:5000/v3/"}], "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}]}]}}
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     Content-Type: text/html; charset=utf-8
|     Allow: OPTIONS, GET, HEAD
|     Vary: X-Auth-Token
|     x-openstack-request-id: req-a7429be6-2670-4fa5-874b-a99ce58ad338
|   RTSPRequest: 
|     RTSP/1.0 200 OK
|     Content-Type: text/html; charset=utf-8
|     Allow: OPTIONS, GET, HEAD
|     Vary: X-Auth-Token
|     x-openstack-request-id: req-6fc5ca86-4cb4-45b2-84ab-2e988e723745
|   SIPOptions: 
|_    SIP/2.0 200 OK
|_rtsp-methods: ERROR: Script execution failed (use -d to debug)
8080/tcp open  http     nginx 1.18.0
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: nginx/1.18.0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.55 seconds
┌─[darknite@parrot]─[~/Document/htb/Pikatwoo]
└──╼ $
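
Nmap labels port 5000 as rtsp, but the headers and JSON body it captured point to an OpenStack identity API. The script below is an added example, not part of the original walkthrough: it classifies such a response from its headers and body. The helper name classify_response and the sample response, rebuilt from the scan output above, are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: the GetRequest response nmap printed for port 5000.
SAMPLE = (
    "HTTP/1.0 300 MULTIPLE CHOICES\r\n"
    "Content-Type: application/json\r\n"
    "Location: http://pikatwoo.pokatmon.htb:5000/v3/\r\n"
    "Vary: X-Auth-Token\r\n"
    "x-openstack-request-id: req-ee2ad3a7-bde4-45a2-bead-207076ce7f4b\r\n\r\n"
    '{"versions": {"values": [{"id": "v3.14", "status": "stable", '
    '"updated": "2020-04-07T00:00:00Z", "links": [{"rel": "self", '
    '"href": "http://pikatwoo.pokatmon.htb:5000/v3/"}], "media-types": '
    '[{"base": "application/json", '
    '"type": "application/vnd.openstack.identity-v3+json"}]}]}}'
)

def classify_response(raw):
    """Identify an OpenStack API from one raw response (hypothetical helper)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    try:
        values = json.loads(body)["versions"]["values"]
    except (ValueError, KeyError, TypeError):    # empty or non-JSON body
        values = []
    if not isinstance(values, list):
        values = []
    values = [v for v in values if isinstance(v, dict)]
    media = [m.get("type", "") for v in values for m in v.get("media-types", [])]
    urls = [headers.get("location", "")]
    urls += [l.get("href", "") for v in values for l in v.get("links", [])]
    if any("openstack.identity" in t for t in media):
        service = "openstack-keystone"           # identity media type seen
    elif "x-openstack-request-id" in headers:
        service = "openstack-api"                # OpenStack, service unknown
    else:
        service = "unknown"
    return {
        "service": service,
        "versions": [(v.get("id"), v.get("status")) for v in values],
        "hostnames": sorted({urlsplit(u).hostname for u in urls} - {None}),
    }

if __name__ == "__main__":
    print(classify_response(SAMPLE))
```

On the sample it reports openstack-keystone, version v3.14 (stable) and the hostname pikatwoo.pokatmon.htb, which is what an exposure review would record for this port in place of nmap's rtsp guess.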

Let’s access the website interface.


However, it just looks like an ordinary website interface.


Let’s execute gobuster and check for interesting directories. Sadly, a lot of directories return status 401.


Alternatively, we can use the ffuf tool, which provides us with one directory.

Enumerate with Android Application


Browsing the website provides us with some information that there’s an Android application that we can download onto our attacker’s machine


Therefore, let’s download the APK file onto our machine.


As usual, we are required to decode the APK file using apktool.


Those files look common for any Android application.


As a pentester, we are required to analyze the source code whenever it’s available


Even though we managed to obtain the private key, sadly, it doesn’t work at all for us.


We can change the password and authenticate the user’s credentials


At last, we managed to execute Local File Inclusion.


Before we execute the Python script, we should create a file that contains the reverse shell command


Let’s send our malicious command via Burp Suite, but it doesn’t work at all.


It shouldn’t take a lot of time if the script has been coded properly.


It looks like a docker environment to me


We should execute a Kerberos script, which gives us a lot of information that we can use in a later stage.


In the screenshot above, we managed to see an Admin Key and a Viewer Key. Aside from that, we also noticed that the application is using APISIX.


We should execute the command above to get a reverse shell connection


We also managed to obtain a new docker environment


Boom! We have successfully obtained credentials for andrew.


We can read the user flag by typing the “cat user.txt” command

Escalate to Root Privileges Access


As usual, we should look for the SUID binary by running the “sudo -l” command.


We managed to see that bash has still not been given the SUID permission.


Therefore, let’s execute the kubectl command above so that we can create a pod of sysctl-set


Sadly, it doesn’t work at first.


After a while, I managed to retrieve the SUID binary.


We can read the root flag by typing the “cat root.txt” command