PikaTwoo is an exceptionally challenging machine on Hack The Box, described as an “absolute monster of an insane box” by Sheeraz. The journey through PikaTwoo involves a series of complex steps, starting with exploiting a vulnerability in OpenStack’s Keystone to leak a username. The attacker then discovers an Android application in OpenStack Swift object storage. This application, built with Flutter and obfuscated, poses significant difficulties in reverse engineering.
The process includes setting up an emulator to intercept application traffic, utilizing Frida to bypass certificate pinning, and uncovering an SQL injection vulnerability in the application’s API. This leads to the leakage of an email address. The attacker further exploits a vulnerability in the APISIX uri-block WAF to access private documents and reset the password for the leaked email, achieving authenticated access.
The challenge escalates by exploiting a vulnerability in the ModSecurity Core Rule Set to bypass the WAF, leading to local file inclusion in the API. The attacker then leverages nginx temporary files to obtain a reverse shell in the API pod, leaks an APISIX secret from Kubernetes secrets, and uses it with another vulnerability to gain execution in the APISIX pod. Finally, credentials found in a config file allow SSH access into the host, where the Cr8Escape vulnerability is abused to achieve root execution.
This machine is notable for its breadth, requiring knowledge across a wide range of technologies and vulnerabilities, from mobile application security and API exploitation to cloud services and container escape techniques.