Writeup Pilgrimage - Hack The Box

Writeup Pilgrimage - Hack The Box
HTB Pilgrimage card

This writeup will detail the exploration and exploitation of the "Pilgrimage" Hack The Box machine. This machine presents an intriguing journey through various stages of penetration testing, involving web application vulnerabilities, image manipulation, and database exploitation. In this writeup, we will delve into the step-by-step process of dissecting the machine, from initial reconnaissance to obtaining user privileges.

Machine information

Machine: Pilgrimage
IP Address:
OS Type: Linux

Initial Reconnaissance

Upon conducting a scan using Nmap, the following open ports were identified:

  • Port 22: SSH
  • Port 80: HTTP

Attempting to access the web page at automatically redirects to http://pilgrimage.htb. To resolve the domain name, the /etc/hosts file is modified:

echo " pilgrimage.htb" | sudo tee -a /etc/hosts

Upon reloading the webpage, its content becomes visible.

Exploiting File Upload Vulnerability

The webpage provides an option to upload files. The goal is to exploit this feature by injecting PHP code into an image.

The Burp Suite is used for this purpose.

If you require guidance on installing Burp Suite, you can find a installation guide in the following article.
Install Burp Suite in Manjaro
In this guide, I’ll walk you through the process of installing Burp Suite 2023.8.1-1 on Manjaro. I’ve found Burp Suite to be a fantastic tool for spotting and addressing potential vulnerabilities in web apps. I’ll break down the installation steps in a way that’s easy to follow. Whether

A helpful guide for file upload vulnerabilities can be found at:

How to Exploit File Upload Vulnerabilities (and How to Fix Them!) | we45 Blogs
File upload vulnerabilities arise when a server allows users to upload files without validating their names, size, types, content etc. In this article, we will learn common attack vectors that can be used to exploit improper file upload functionality and bypass common defense mechanisms.

After trying various approaches including uploading a PHP file with a .png extension and modifying image files using exifTool, it is determined that these methods are not effective.

Exploring Hidden Folders and Files

To explore hidden folders and documents on the webpage, gobuster is utilized to perform directory brute-forcing:

gobuster dir -u http://pilgrimage.htb -w /home/albert/Documents/utils/gobuster-wordlist/filenames.txt

The output reveals the presence of a .git folder. This allows the possibility of cloning the project using git-dumper:

git-dumper http://pilgrimage.htb/.git/ git

This provides access to the source code, specifically the index.php file responsible for uploading images using ImageMagick.

Exploiting ImageMagick

Since the image upload functionality uses ImageMagick, an attempt is made to find an exploit.

GitHub - duc-nt/CVE-2022-44268-ImageMagick-Arbitrary-File-Read-PoC: CVE-2022-44268 ImageMagick Arbitrary File Read - Payload Generator
CVE-2022-44268 ImageMagick Arbitrary File Read - Payload Generator - GitHub - duc-nt/CVE-2022-44268-ImageMagick-Arbitrary-File-Read-PoC: CVE-2022-44268 ImageMagick Arbitrary File Read - Payload Gen…

The approach involves crafting a specially crafted PNG image using pngcrush and then manipulating the image to execute arbitrary commands on the server.

Commands are injected into the PNG image using pngcrush:

pngcrush -text a "profile" "/etc/hosts" image.png

After uploading the manipulated PNG (pngout.png) and downloading it, the following command can be executed to analyze the output:

identify -verbose 689242645632.png 

The output should be copied and converted to a string format using CyberChef.

User Enumeration

Inspecting /etc/passwd using the previous method doesn't provide valid output since trying to get the /home/emily/user.txt doesn't work.

A different approach is needed. By examining the source code, the dashboard.php file reveals the use of a SQLite database located at /var/db/pilgrimage.

To obtain the database file:

pngcrush -text a "profile" "/var/db/pilgrimage" image.png

Obtaining Credentials

By accessing the SQLite database, the password for the user "emily" can be retrieved:

User flag

Using Emily's credentials, SSH into the machine:

ssh [email protected]

Navigate to the user's directory and retrieve the user flag:

cat user.txt


The Pilgrimage machine involved exploiting a file upload vulnerability, investigating hidden files using gobuster, exploiting ImageMagick to execute commands, analyzing SQLite databases, and finally obtaining user credentials to access the machine and retrieve the user flag. This step-by-step process demonstrated a variety of techniques and tools used in a penetration testing scenario.