Pikaboo Write-up by evyatar9

Read my write-up for the Pikaboo machine:

User: Browsing to http://pikaboo.htb/admin returns 401 Unauthorized. Using gobuster we find another page, http://pikaboo.htb/admin/server-status, which also returns 401 Unauthorized. Using path traversal through a misconfigured NGINX alias we bypass the authorization by browsing to http://pikaboo.htb/admin…/server-status. The server-status page reveals another page, http://pikaboo.htb/admin/admin_staging, which we reach the same way at http://pikaboo.htb/admin…/admin_staging. That page has an LFI in its page parameter: we read /var/log/vsftpd.log via http://10.10.10.249/admin…/admin_staging/index.php?page=/var/log/vsftpd.log, poison the log file so the LFI executes our payload, and get a shell as www-data.
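The misconfiguration class behind the admin…/ trick, as an added illustration (this is not the box's actual configuration, which the write-up does not reproduce; the directory and location names are assumed):

```nginx
# Vulnerable: the location prefix has no trailing slash while the alias does.
# nginx matches "/admin" as a prefix of "/admin../server-status" and replaces
# only the matched prefix with the alias, so the request resolves to
#   /var/www/html/admin/../server-status  ->  /var/www/html/server-status
# i.e. a file outside the directory the alias was meant to expose.
location /admin {
    alias /var/www/html/admin/;
}

# Fixed: give the location prefix the same trailing slash as the alias. A URI
# such as "/admin../server-status" no longer matches this location at all, so
# nothing outside /var/www/html/admin/ can be reached through it.
location /admin/ {
    alias /var/www/html/admin/;
}
```

A quick check for this bug is to request `/admin../` followed by a file name known to exist in the parent directory (for example `curl -i http://target/admin../index.html`) and compare the response with `/admin/index.html`; any location whose prefix lacks the trailing slash that its alias has should be treated as traversable.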

Root: Reading /opt/pokeapi/config/settings.py reveals FTP credentials. In /usr/local/bin we find two interesting files, csvupdate and csvupdate_cron. Abusing Perl open() for command execution gives us a shell as root.
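Why a Perl open() can execute commands, as an added example (my own code, not the csvupdate script from the box, whose contents this write-up does not show; the function names and the idea of an attacker-controlled file name are assumptions):

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Vulnerable pattern: two-argument open() lets the *data* choose the mode.
# If $path is "id|", Perl runs `id` and reads its stdout; if it is "|cmd",
# Perl runs cmd and writes to its stdin. A file name an attacker controls
# (for example in a directory they can write to) is therefore a command,
# and it runs with the privileges of whoever runs the script (root, if cron).
sub read_csv_insecure {
    my ($path) = @_;
    open(my $fh, $path) or die "cannot open $path: $!";
    my @lines = <$fh>;
    close($fh);
    return @lines;
}

# Fixed pattern: three-argument open() with an explicit mode. "id|" is now
# just a file name that does not exist, and the open fails safely.
sub read_csv_secure {
    my ($path) = @_;
    open(my $fh, '<', $path) or die "cannot open $path: $!";
    my @lines = <$fh>;
    close($fh);
    return @lines;
}

# Demonstration: the same string, two very different outcomes.
my $malicious = "id|";    # what an attacker names the "CSV" file

print "insecure: ", read_csv_insecure($malicious);   # prints uid=... : `id` ran

my @out = eval { read_csv_secure($malicious) };
print "secure:   ", (@out ? @out : "open refused: $@");
```

Audit check: grep the scripts for `open(` calls with only two arguments whose second argument is a variable (or any string an outsider influences); replacing each with the three-argument form, or with sysopen, removes the pipe interpretation entirely. Input validation on the file name is not a substitute, because the pipe syntax also accepts leading and trailing whitespace and other mode characters.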