In this post, I would like to share a walkthrough of the Pilgrimage Machine from Hack the Box


This room will be considered an Easy machine on Hack the Box

What will you gain from the Pilgrimage machine?


For the user flag, you will need to abuse a website that reduces the image size. We managed to find an exposed Git Repo by using Gobuster. After analyzing the git repo, we managed to find an Image Magick version which led to a file read vulnerability. I will use the vulnerability on CVE-2022-44268 to retrieve a plaintext password which we pull from the /var/db/pilgrimage file.


As for the root flag, you only need to find a process monitor which is located at /usr/sbin/malwarescan.sh file which the script will run a binwalk. As a result, we use the vulnerability in CVE-2022-4510 in binwalk to get the root shell

Information Gathering on Pilgrimage Machine


Once we have started the VPN connection which requires a download from Hackthebox, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

┌─[darknite@parrot]─[~/Documents/htb/Pilgrimage]
└──╼ $ nmap -sC -sV 10.10.11.219 -oA initial 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-18 00:17 EDT
Nmap scan report for pilgrimage.htb (10.10.11.219)
Host is up (0.020s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 20be60d295f628c1b7e9e81706f168f3 (RSA)
|   256 0eb6a6a8c99b4173746e70180d5fe0af (ECDSA)
|_  256 d14e293c708669b4d72cc80b486e9804 (ED25519)
80/tcp open  http    nginx 1.18.0
| http-git: 
|   10.10.11.219:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: Pilgrimage image shrinking service initial commit. # Please ...
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-title: Pilgrimage - Shrink Your Images
|_http-server-header: nginx/1.18.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.47 seconds
┌─[darknite@parrot]─[~/Documents/htb/Pilgrimage]
└──╼ $ 


Let’s access the website interface


However, we managed to upload an image on the web application


Therefore, let’s use git-dumper to download the git folder from the web application.


As a result, the file that we obtained looks like something as shown above.


We have sighted the version of the magick such as 7.1.0-49


Inside the file named index.php, we managed to notice some vulnerability


Let’s download the exploit from GitHub


Let’s use the Python script to get the /etc/passwd from the machine which the malicious file will be saved in png format


We are required to upload the malicious file where it will shrink by the application itself.


At last, we are provided with a different link to the file that has been shrunk.


It’s just an image that means nothing at this point. However, let’s download the png file into our attacker’s machine and renamed it as result.png


The content looks gibberish to me at this point.


We managed to retrieve a file that had been encoded in hex format


After analyzing using the cyberchef, we successfully decode it with plain text which we can read.


Finally, we have two usernames that we can take advantage of later on.


While analyzing the file that we had downloaded previously, we managed to sight a new path which /var/db/pilgrimage


We should re-run the same process as before.


From the cyber chef analysis, we managed to find a credential that we can use to access the machine via SSH service.

Escalate to Root Privileges Access


As usual, we should be getting some binary with the command “sudo -l” but sadly we didn’t manage to obtain anything from there.


Therefore, let’s start linpeas.sh script to obtain any useful information on the machine


After a while, we managed to notice that there was a file called malwarescan.sh which stored in /usr/sbin directory


However, we don’t have any permission to execute the binary.


As a result, let’s analyze the source code of the file and we have sighted a new file which is called binwalk


We managed to run the binary of “binwalk” as shown above. At this point, i don’t have any clue about the exploitation that we can use with Binwalk


After doing some research, we managed to find an exploitation such as CVE-2022-4510


Therefore, let’s download the exploit from here and use it to obtain the root shell


We should execute the shell python script as shown above.


Therefore, let’s upload the binwalk_exploit.png to the victim’s machine


Let’s start our listener connection on our attacker’s machine.


After a while, we managed to retrieve the reverse shell connection back to us.


We can read the root flag by typing the “cat root.txt” command

Extra Information