HackTheBox - Pilgrimage
![](/htb/machines/retired/pilgrimage/Bkrni3VOh.png)
Initial Enumeration
# Nmap 7.93 scan initiated Sun Jun 25 00:32:44 2023 as: nmap -sC -sV -oN nmap/pilgrimage 10.129.67.64
Web
Visiting the site
![](/htb/machines/retired/pilgrimage/SySvA34Oh.png)
We also see it is a PHP page, so let's enumerate PHP in the background
![](/htb/machines/retired/pilgrimage/SyguCnEO3.png)
![](/htb/machines/retired/pilgrimage/BySABEH_h.png)
![](/htb/machines/retired/pilgrimage/SyOTSVruh.png)
https://github.com/duc-nt/CVE-2022-44268-ImageMagick-Arbitrary-File-Read-PoC
![](/htb/machines/retired/pilgrimage/SkOhPErd2.png)
![](/htb/machines/retired/pilgrimage/B1b1u4HO2.png)
![](/htb/machines/retired/pilgrimage/Bk4aPNSO2.png)
![](/htb/machines/retired/pilgrimage/r14KtEHuh.png)
emily|abigchonkyboi123
sshpass -p 'abigchonkyboi123' ssh emily@pilgrimage.htb
User
![](/htb/machines/retired/pilgrimage/S1s2tESu2.png)
![](/htb/machines/retired/pilgrimage/BkPucNB_2.png)
Privilege Escalation
![](/htb/machines/retired/pilgrimage/BJVC2Nrd2.png)
![](/htb/machines/retired/pilgrimage/B1Cv0NSuh.png)
https://www.exploit-db.com/exploits/51249
![](/htb/machines/retired/pilgrimage/Hk6s1BHO2.png)
![](/htb/machines/retired/pilgrimage/S1B61HBO3.png)