Introduction
Today I will go through the easy-level HTB machine Pilgrimage 🙂
![](http://techyrick.com/wp-content/uploads/2023/06/Pilgrimage-1024x775.png)
Nmap
As usual, two ports are open: 22 and 80.
![](http://techyrick.com/wp-content/uploads/2023/06/image-38.png)
Add pilgrimage.htb to /etc/hosts.
Enumeration
Git-Dumper
While using dirb I found a .git directory that returned Forbidden, so I decided to use git-dumper to pull the repository and analyze the source code.
![](http://techyrick.com/wp-content/uploads/2023/06/image-39.png)
Here is the link to the git-dumper tool: https://github.com/arthaud/git-dumper
This dumps the whole .git repository from the website 🙂
![](http://techyrick.com/wp-content/uploads/2023/06/image-40.png)
While analyzing the files I found two interesting things:
![](http://techyrick.com/wp-content/uploads/2023/06/image-42.png)
The location of the DB
and the ImageMagick version
![](http://techyrick.com/wp-content/uploads/2023/06/image-43.png)
Web
There is a simple web interface with file upload, login and register.
![](http://techyrick.com/wp-content/uploads/2023/06/image-44-1024x398.png)
After analyzing, I found that there is a CVE for this ImageMagick version.
https://github.com/kljunowsky/CVE-2022-44268
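CVE-2022-44268 works by planting a PNG text chunk with the keyword "profile" whose value is a filename; when a vulnerable ImageMagick processes the image, it reads that file and embeds its contents hex-encoded in a "Raw profile type" text chunk of the output. An upload handler or image pipeline can flag both markers before handing files to ImageMagick. The following is an added example (not code from the post or the exploit repo); the PNG builder, the 1x1 sample images and the chunk keywords in the test data are constructed for the demonstration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_chunks(data: bytes):
    """Yield (type, payload) for every chunk, checking signature, lengths and CRCs."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            raise ValueError(f"truncated chunk at offset {pos}")
        payload = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC on chunk {ctype!r} at offset {pos}")
        yield ctype, payload
        pos += 12 + length
        if ctype == b"IEND":
            break

def suspicious_text_chunks(data: bytes):
    """Return (keyword, value) for tEXt/zTXt chunks matching the CVE-2022-44268 pattern:
    'profile' marks a poisoned input, 'Raw profile type ...' marks exfiltrated output."""
    hits = []
    for ctype, payload in png_chunks(data):
        if ctype not in (b"tEXt", b"zTXt"):
            continue
        keyword, _, rest = payload.partition(b"\x00")
        if ctype == b"zTXt":
            rest = zlib.decompress(rest[1:])  # first byte is the compression method
        kw = keyword.decode("latin-1")
        if kw == "profile" or kw.startswith("Raw profile type"):
            hits.append((kw, rest.decode("latin-1", "replace")))
    return hits

def make_chunk(ctype: bytes, payload: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, payload, CRC over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def build_png(text_chunks=()) -> bytes:
    """Constructed 1x1 RGB PNG with optional tEXt chunks, used as sample input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one black pixel
    png = PNG_SIG + make_chunk(b"IHDR", ihdr)
    for kw, val in text_chunks:
        png += make_chunk(b"tEXt", kw.encode() + b"\x00" + val.encode())
    return png + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b"")
```

A clean image returns an empty list; any non-empty result is a reason to reject the upload rather than pass it to ImageMagick.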
Foothold
Clone the repo and run the exploit:
python3 CVE-2022-44268.py --image imagetopoison.png --file-to-read /etc/passwd --output poisoned.png
And it worked perfectly fine.
Now upload the poisoned image.
Image uploaded successfully. Now copy the uploaded image URL.
![](http://techyrick.com/wp-content/uploads/2023/06/image-45.png)
![](http://techyrick.com/wp-content/uploads/2023/06/image-46.png)
Finally it worked. Now we have to read /var/db/pilgrimage, the database path we found in the source code.
We have to make some changes to the script.
![](http://techyrick.com/wp-content/uploads/2023/06/image-47.png)
You will get output like this:
![](http://techyrick.com/wp-content/uploads/2023/06/image-48.png)
Just put it in a file.
![](http://techyrick.com/wp-content/uploads/2023/06/image-49.png)
After that, convert the hex dump back to binary:
cat dump.sql | xxd -r -p - > sqlite.dump
Now analyze it with the sqlite3 command line.
![](http://techyrick.com/wp-content/uploads/2023/06/image-50.png)
You will get the SSH password for emily.
User
![](http://techyrick.com/wp-content/uploads/2023/06/image-51.png)
SSH Pass
emily:abigchonkyboi123
Root
After running pspy I found:
![](http://techyrick.com/wp-content/uploads/2023/06/image-52.png)
![](http://techyrick.com/wp-content/uploads/2023/06/image-53-1024x266.png)
After analyzing the .sh script I checked the binwalk version.
![](http://techyrick.com/wp-content/uploads/2023/06/image-54.png)
And it was vulnerable to CVE-2022-4510.
https://www.exploit-db.com/exploits/51249
![](http://techyrick.com/wp-content/uploads/2023/06/image-56.png)
After this you will get binwalk_exploit.png. Copy it to the /var/www/pilgrimage.htb/shrunk directory.
And don’t forget to start a listener 🙂
And boom, you will get a shell as root.
![](http://techyrick.com/wp-content/uploads/2023/06/image-57.png)
This was a very easy machine.
Hope you enjoyed the writeup.
Conclusion
Overall this is a good machine. I would rate it 5/10 compared to other easy-level machines.
Jai Shree Krishna ❤️