Pikaboo is a Hard box from HTB created by pwnmeow and polarbearer. It features a poorly configured web server vulnerable to an LFI and log poisoning technique. Once on the box we abuse a cron task running an exploitable Perl script which extracts data from CSVs as root.
Before I begin each machine I kick off a full port nmap scan:
Reviewing the results I can see ports 21, 22 and 80 open. Seeing that anonymous login is not available and the vsftpd version is 3.0.3, I move on.
Navigating to port 80 I see a Pokatdex website (which seems to be a Pokemon rip-off). The contact form doesn't work, so I focus on the page with the IDs listed.
Highlighting each name I can see a ?id= parameter. Clicking on one also shows "PokeAPI Integration – Coming soon!". Finally, nmap shows every permutation of admin hitting a 401:
Navigating to /admin/ pulls up an error that states:
This is really similar to a previous box, HTB – Seal, where you use a similar attack vector on Tomcat. Using that information I replace api with admin and try the above. I get a hit:
Using the LFI to display some server information.
Seeing /admin_staging at the top of the list I begin there. I hit an "Unable to Connect" error as the link points at localhost, so I go in and edit my hosts file:
After getting to the dashboard I notice it's a free dashboard theme and nothing is really "live". I also notice at the top that I have a ?page= parameter. Blanking the parameter gives me an empty page:
Blank page showing with an empty parameter.
Next I took an LFI wordlist from PayloadsAllTheThings and ran it through ffuf. I then used the -fw flag to filter out false positive results:
Reviewing the page I can see the log file of the vsftpd service mentioned earlier in the nmap results. I can also see a user, pwnmeow:
pwnmeow user coming up in the log.
Using the same link as above (in the screenshot) we can now use the LFI alongside some log poisoning to get a shell. I log into the FTP server and poison the log file with a PHP execution command to load a session:
⚠ Attack Machine
⚠ Attack Machine – FTP Name
I then navigate to the page above and get a shell. I upgrade my shell and continue enumeration.
I grab the user flag from the pwnmeow directory (which is weird, as I was www-data and expected a little more effort…) and continue my enumeration.
I go into the tmp directory and upload LinPEAS to the box. I run LinPEAS and review the results:
⚠ Attack Machine
🎯 Victim Machine
After running LinPEAS I noticed two things that stood out. First, the pokeapi directory, which was mentioned previously on the website as "Coming Soon":
Second, under /etc/cron.weekly I could see root running a file called csvupdate_cron every minute:
Reviewing the pokeapi first, I navigate to the folder and see a config folder containing settings.php:
Seeing LDAP database variables in the configuration, I confirm LDAP is running on the box and use ldapsearch to pull the whole directory tree:
A useful article I found for LDAP enumeration is @minimalist.ascent. I then decode the base64 hash.
I try SSH and am unsuccessful. I then realise the ldapsearch output says ftp.pikaboo.htb. Logging into the FTP server is successful, however I am in Pokemon directory hell. I pause and move on to the second part of the LinPEAS scan:
Reviewing the script, it is a simple wrapper calling a secondary script, csvupdate. Loading that script shows:
Reviewing the code I can see that the open call in the script above does not correctly sanitise user input: Perl's two-argument open treats a filename that begins with a pipe as a command to run rather than a file to read. More information regarding this can be found HERE.
I grab a reverse shell from PenTestMonkey and change it to include .csv at the end and the pipe at the start. I used the python3 version as my tty earlier worked without issue.
When the csvupdate script above tries to read this CSV file, the pipe at the start will trigger the reverse shell:
⚠ Attack Machine
⚠ Attack Machine – Tab2
The nc session pops after about 30 seconds or so and I grab the flags:
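As an added example (not part of the original writeup), here is the defender's side of the two weaknesses used above: a check over constructed vsftpd log lines for the PHP tag that a log-poisoning login leaves in the username field, and a check over CSV file names for the pipe and mode prefixes that Perl's two-argument open() would misinterpret (the fix in the script itself is the three-argument form, open(my $fh, '<', $path)). The log lines, file names and client IP are constructed, not taken from the box.

```python
import re

# Constructed sample vsftpd.log lines (not taken from the box); line 3 carries a PHP
# tag in the FTP username, which is what a log-poisoning attempt leaves behind.
SAMPLE_VSFTPD_LOG = """\
Tue Aug 10 10:01:12 2021 [pid 1234] CONNECT: Client "10.10.14.5"
Tue Aug 10 10:01:15 2021 [pid 1233] [pwnmeow] OK LOGIN: Client "10.10.14.5"
Tue Aug 10 10:02:40 2021 [pid 1240] [<?php echo 1; ?>] FAILED LOGIN: Client "10.10.14.5"
"""

# vsftpd writes the supplied username verbatim between square brackets on LOGIN lines.
LOGIN_RE = re.compile(
    r'\[pid \d+\] \[(?P<user>.*?)\] (?P<status>OK|FAILED) LOGIN: Client "(?P<client>[^"]+)"'
)
# Any PHP open tag (<?php, <?=, or the short <?) inside a username is a poisoning indicator.
PHP_TAG_RE = re.compile(r"<\?(php|=)?", re.IGNORECASE)


def find_poisoned_logins(log_text):
    """Return (line_no, client_ip, username) for LOGIN lines whose username holds a PHP tag."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = LOGIN_RE.search(line)
        if m and PHP_TAG_RE.search(m.group("user")):
            hits.append((line_no, m.group("client"), m.group("user")))
    return hits


def unsafe_for_two_arg_open(name):
    """True if Perl's two-argument open() would treat this name as something other than
    a plain path: '|cmd' or 'cmd|' opens a pipe, a leading '<', '>' or '+' is a mode
    prefix, '-' alone means STDIN, and leading/trailing whitespace is silently trimmed."""
    stripped = name.strip()
    return (
        stripped != name
        or stripped == "-"
        or stripped.startswith(("|", "<", ">", "+"))
        or stripped.endswith("|")
    )


def audit_csv_names(names):
    """From a directory listing, return the .csv names a two-argument open() would misread."""
    return [n for n in names if n.lower().endswith(".csv") and unsafe_for_two_arg_open(n)]
```

Running find_poisoned_logins over the real vsftpd.log on a schedule, and audit_csv_names over the cron job's input directory before it runs, gives early warning of both techniques without changing the application.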