Photomomb is an easy-rated Linux machine from HackTheBox, created by slartibartfast. In the current post, my IP is 10.10.14.56, and the target IP is 10.129.228.60
Recon
The first steps are about getting basic information about the target, by using nmap and searching information from the website.
$nmap-sCV-p22,80,3306010.129.167.56-oNTargetStartingNmap7.92 ( https://nmap.org ) at 2023-06-08 11:19 Pacific SA Standard TimeNmapscanreportfor10.129.228.60Hostisup (0.18s latency).PORTSTATESERVICEVERSION22/tcpopensshOpenSSH8.2p1Ubuntu4ubuntu0.5 (Ubuntu Linux; protocol2.0)|ssh-hostkey:|3072e2:24:73:bb:fb:df:5c:b5:20:b6:68:76:74:8a:b5:8d (RSA)|25604:e3:ac:6e:18:4e:1b:7e:ff:ac:4f:e3:9d:d2:1b:ae (ECDSA)|_25620:e0:5d:8c:ba:71:f0:8c:3a:18:19:f2:40:11:d2:9e (ED25519)80/tcpopenhttpnginx1.18.0 (Ubuntu)|_http-title:Didnotfollowredirecttohttp://photobomb.htb/|_http-server-header:nginx/1.18.0 (Ubuntu)ServiceInfo:OS:Linux; CPE:cpe:/o:linux:linux_kernelServicedetectionperformed.Pleasereportanyincorrectresultsathttps://nmap.org/submit/.Nmapdone:1IPaddress (1 hostup) scanned in 14.27 seconds
If you search for "OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 launchpad", you can find the specific machine type, in this case the result was: "Ubuntu Focal". It could be useful to find an vulnerability for a certain version.
Information that we have now: It's a website (port 80) that use nginx/1.18.0,
Because of the following message "Did not follow redirect to http://photobomb.htb/" we have to add the IP to /etc/hosts/
let's intercept with Burpsuite the download process.
Here we can find 3 parameters, maybe it's using a command from a shell, to test if it's vulnerable to a Command Injection you can simply add ;sleep+5 at the end.
At it fails at photo, but works at filetype.
Here we can test if it's possible to the target to connect with our machine, using netcat.