🔎🦶Enumeration/Foothold
Pikaboo is a Hard box from HTB created by pwnmeow and polarbearer. It features a poorly configured web server that is vulnerable to an LFI combined with a log poisoning technique. Once on the box we abuse a cron task, run as root, that executes an exploitable Perl script which extracts data from CSV files.
Before I begin each machine I kick off a full port nmap scan:
Reviewing the results I can see ports 21, 22 and 80 open. Seeing that anonymous login is not available and that the version of vsftpd is 3.0.3, I moved on.
Navigating to port 80 I see a Pokatdex website (which seems to be a Pokemon rip-off). The contact form doesn't work, so I focus on the page with the IDs listed. Highlighting each name I can see an ?id= parameter. Clicking on one also shows "PokeAPI Integration – Coming soon!". Finally, nmap shows every permutation of admin hitting a 401:
Navigating to /admin/ pulls up an error and states:
Port 81 stands out as it is not a default port. What is also weird is that the error page says Apache/2.4.38 while nmap says nginx 1.14.2. A bit of research leads me to the Common Nginx misconfigurations that leave your web server open to attack article. This is really similar to a previous box, HTB – Seal, where you use a similar attack vector on Tomcat. Using that information I replace api with admin in the article's request and try it. I get a hit:
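The misconfiguration behind this hit is the "off-by-slash" pattern from the article: a prefix location without a trailing slash sitting in front of a proxy_pass or alias target that ends in one, so a request for /admin../ still matches the /admin prefix and the ../ is resolved upstream. The lint script below is an added example of mine, not code from the box or the article; the configuration inside it is constructed to show the pattern and is not Pikaboo's real nginx configuration (assumption).

```python
import re

# Constructed nginx snippet showing one vulnerable and one safe location block.
# It is an assumption for illustration, not the configuration found on the box.
VULNERABLE_CONF = """
server {
    listen 80;
    location /admin {
        proxy_pass http://127.0.0.1:81/;
    }
    location /api/ {
        proxy_pass http://127.0.0.1:8080/;
    }
}
"""

# Prefix locations only: an optional modifier (=, ~, ~*, ^~), the path, then the body.
LOCATION_RE = re.compile(r'location\s+(?:(=|~\*?|\^~)\s+)?(\S+)\s*\{([^}]*)\}', re.S)
TARGET_RE = re.compile(r'\b(proxy_pass|alias)\s+(\S+?)\s*;')


def find_off_by_slash(conf):
    """Return (location, directive, target) for every prefix location whose
    path lacks a trailing slash while its proxy_pass/alias target ends in one.
    With 'location /admin { proxy_pass http://127.0.0.1:81/; }' a request for
    /admin../x matches the /admin prefix and is forwarded as /../x."""
    findings = []
    for m in LOCATION_RE.finditer(conf):
        modifier, path, body = m.group(1), m.group(2), m.group(3)
        if modifier:  # exact and regex locations are not plain prefix matches
            continue
        for d in TARGET_RE.finditer(body):
            directive, target = d.group(1), d.group(2)
            if not path.endswith('/') and target.endswith('/'):
                findings.append((path, directive, target))
    return findings


def fixed_location(path, directive, target):
    """Render the hardened block: the location prefix gets its trailing slash,
    so /admin../x no longer matches and stays on the default handler."""
    return f"location {path}/ {{\n    {directive} {target};\n}}"


if __name__ == '__main__':
    for path, directive, target in find_off_by_slash(VULNERABLE_CONF):
        print(f"off-by-slash: location {path} -> {directive} {target}")
        print("suggested fix:\n" + fixed_location(path, directive, target))
```

The check deliberately ignores exact (=) and regex locations, which do not use the prefix matching that makes the pattern exploitable; a real deployment would run it over every include rather than a single file.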

Using the LFI to display some server information.
Seeing /admin_staging at the top of the list I begin there. I hit an Unable to Connect error as the link resolves to my local host, so I edit my hosts file:
After getting to the dashboard I notice it is a free dashboard theme and nothing is really 'live'. I also notice at the top that there is a ?page= parameter. Blanking the parameter gives me an empty page:

Blank page showing with an empty parameter.
Next I take an LFI wordlist from PayloadsAllTheThings and run it through ffuf. I then use the -fw flag to filter out false-positive results:
Reviewing the results I can see the log file of the vsftpd service mentioned earlier in the nmap output. I can also see a user pwnmeow:

pwnmeow user coming up in the log.
Using the same link as above (in the screenshot) we can now use the LFI alongside some log poisoning to get a shell. I log into the FTP server and poison the log file with a PHP execution command, then load it through the page parameter:
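The detection side of the log poisoning step above, as an added example that is not part of the original write-up: vsftpd writes the supplied username into its log on every login attempt, so a scan of that log for markup that has no business in a username (PHP open tags above all) catches the poisoning, and the same pass flags bursts of failed logins from one client. The log lines are constructed for the example, and the line layout is assumed to be the default vsftpd.log format.

```python
import re
from collections import Counter

# Constructed vsftpd.log excerpt for the example, not the real log from the box.
SAMPLE_LOG = """\
Tue Jul 20 12:00:01 2021 [pid 1423] CONNECT: Client "10.10.14.2"
Tue Jul 20 12:00:03 2021 [pid 1422] [pwnmeow] OK LOGIN: Client "10.10.14.2"
Tue Jul 20 12:01:10 2021 [pid 1430] [<?php echo 1; ?>] FAIL LOGIN: Client "10.10.14.2"
Tue Jul 20 12:01:12 2021 [pid 1431] [anonymous] FAIL LOGIN: Client "10.10.14.2"
Tue Jul 20 12:02:00 2021 [pid 1440] [pwnmeow] OK LOGIN: Client "10.10.10.9"
"""

# Default vsftpd.log layout: the bracketed username follows the pid field.
LOGIN_RE = re.compile(
    r'\[pid \d+\] \[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<client>[^"]+)"'
)
# Markup that should never appear in an FTP username. If a file-inclusion bug
# elsewhere pulls the log into a PHP page, these are what get executed.
SUSPICIOUS = re.compile(r'<\?|<script|\$\{|`')


def scan_vsftpd_log(text, fail_threshold=2):
    """Return findings as (line number, kind, client, detail) tuples.
    Line number 0 marks an aggregate finding rather than a single line."""
    findings = []
    failures = Counter()
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOGIN_RE.search(line)
        if not m:
            continue  # CONNECT, transfer and other non-login lines
        user, result, client = m.group('user'), m.group('result'), m.group('client')
        if SUSPICIOUS.search(user):
            findings.append((lineno, 'poisoned-username', client, user))
        if result == 'FAIL':
            failures[client] += 1
    for client, n in failures.items():
        if n >= fail_threshold:
            findings.append((0, 'failed-login-burst', client, f'{n} failures'))
    return findings


if __name__ == '__main__':
    for lineno, kind, client, detail in scan_vsftpd_log(SAMPLE_LOG):
        print(f'line {lineno}: {kind} from {client}: {detail!r}')
```

The real fix is on the web side: a page parameter that is included verbatim should be replaced by an allowlist lookup of known page names, so that no log file, /proc entry or session file is ever reachable through it; the log scan is the compensating control that tells you when someone has tried.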
🔝Escalation
I then navigate to the page above and get a shell. I upgrade my shell and continue enumeration.
I grab the user flag from the pwnmeow directory (which is weird, as I was www-data and expected a little more effort...) and continue my enumeration.
I go into the tmp directory and upload LinPEAS to the box. I run LinPEAS and review the results:
After running LinPEAS I notice two things that stand out. First, the pokeapi that was mentioned previously on the website as 'Coming Soon':
Second, under /etc/cron.weekly I could see root running a file called csvupdate_cron every minute:
Reviewing the pokeapi first, I navigate to the folder and see a config folder with settings.php inside:
Seeing LDAP database variables in the configuration, I validate that LDAP is running on the box and use ldapsearch to pull the whole directory tree:
A useful article I found for LDAP enumeration is @minimalist.ascent. I then decode the base64-encoded value.
I try SSH with it and am unsuccessful. I then realize the ldapsearch output says ftp.pikaboo.htb. Logging into the FTP server is successful, however I am in Pokemon directory hell. I pause and move on to the second part of the LinPEAS scan:
Reviewing the script, it is a simple wrapper that calls a secondary script, csvupdate. Loading that script shows:
Reviewing the code I can see that the argument passed to open in the script above has not been correctly sanitized for user input. More information regarding this can be found HERE.
I grab a reverse shell from PenTestMonkey and change it to include .csv at the end and the pipe at the start. I use the python3 version as my tty earlier worked without issue.
When the csvupdate script tries to read this CSV file, the pipe at the start makes Perl's open treat the file name as a command to run, which triggers the reverse shell:
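The root cause and the fix, shown in an added example of mine rather than the box's csvupdate script: Perl's two-argument open, open(FH, $name), interprets the name it is given, so a name beginning with a pipe is executed instead of read. The Perl fix is the three-argument form, open(my $fh, '<', $name), together with an allowlist on what a file name may look like. Python's open never interprets the name, so the script below models only the allowlist and symlink checks that the cron job was missing; the directory and its files are constructed in a temporary location for the example.

```python
import csv
import os
import re
import tempfile

# Allowlist for importable files: a plain name, safe characters only, forced
# .csv suffix. Leading pipes, redirection characters, spaces and path
# separators cannot match, which is what the vulnerable cron script lacked.
SAFE_NAME = re.compile(r'^[A-Za-z0-9_-]{1,64}\.csv$')


def is_safe_csv_name(name):
    """True only for names that match the allowlist exactly."""
    return bool(SAFE_NAME.fullmatch(name))


def import_csv_dir(directory):
    """Count rows in every acceptable CSV in the directory.
    Returns (accepted names, rejected names, total rows read)."""
    accepted, rejected, rows = [], [], 0
    for name in sorted(os.listdir(directory)):
        if not is_safe_csv_name(name):
            rejected.append(name)
            continue
        path = os.path.join(directory, name)
        # Refuse symlinks and non-regular files: a writable drop directory must
        # not become a way to read arbitrary files as the privileged user.
        if os.path.islink(path) or not os.path.isfile(path):
            rejected.append(name)
            continue
        with open(path, newline='') as fh:  # explicit read of a validated name
            rows += sum(1 for _ in csv.reader(fh))
        accepted.append(name)
    return accepted, rejected, rows


def demo():
    """Constructed drop directory: one good CSV, one name that would have been
    a command under two-argument open, one wrong suffix, one symlink."""
    with tempfile.TemporaryDirectory() as d:
        samples = {
            'pokemon.csv': 'id,name\n1,bulbasaur\n',
            '|evil.csv': 'x\n',
            'notes.txt': 'not a csv\n',
        }
        for name, content in samples.items():
            with open(os.path.join(d, name), 'w') as fh:
                fh.write(content)
        os.symlink(os.path.join(d, 'pokemon.csv'), os.path.join(d, 'link.csv'))
        return import_csv_dir(d)


if __name__ == '__main__':
    accepted, rejected, rows = demo()
    print('accepted:', accepted)
    print('rejected:', rejected)
    print('rows read:', rows)
```

The same two controls apply to the Perl original: validate the name before it reaches open, and use the three-argument form so that even a name that slips through is only ever opened for reading.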
The nc session pops after about 30 seconds or so and I grab the flags: