Pikaboo is a Hard Linux machine where only FTP, SSH, and Web services are exposed. The website, hosted on Apache, is a pokatmon collection page. Common misconfigurations in the NGINX proxy server allow a path traversal attack. Exploiting this, it is possible to gain access to the administration panel, where a page vulnerable to LFI gives the opportunity to perform FTP log poisoning and gain a foothold on the system. Basic enumeration locates a cron job in which a Perl script runs periodically with root privileges. Further enumeration of the system also yields valid LDAP credentials. Using them to enumerate the local LDAP service reveals the credentials for user pwnmeow. These can be used to log in to the FTP server, where it is possible to create and upload malicious files that exploit a Perl function vulnerability in the script in order to execute code and get a reverse shell as root.