Machine Synopsis

PikaTwoo is an insane difficulty Linux machine that features an assortment of vulnerabilities and misconfigurations. By enumerating the ports and endpoints on the machine, a downloadable `Android` app can be found that is susceptible to a Man-in-the-Middle (MITM) attack by reversing and modifying some of the bytecode of the `Flutter` app, bypassing the certificate pinning protection mechanism. Interception of the app's requests reveals an API subdomain that is protected by the `ModSecurity` Web Application Firewall (WAF), whose ruleset can be bypassed by abusing trailing pathname information. One of the API's endpoints is vulnerable to Local File Inclusion (LFI), which can then be leveraged into Remote Code Execution (RCE) by using `Nginx`-generated temporary files, resulting in a foothold inside a `Kubernetes` pod. Leaking the pod's namespace's secrets reveals an `APISIX` admin key, which, in conjunction with a vulnerable version of the service, results in RCE and subsequently a shell on the `APISIX` pod. From there, SSH credentials for the machine's main user can be uncovered. Finally, a vulnerable `minikube` version leads to escalated privileges through a slight variation of the `cr8escape` vulnerability, forfeiting `root` access to the machine.