Photobomb

#Linux #Enumeration #Command-Injection #SUDO-Exploit #Path-Hijacking

Photobomb is an easy-rated Linux machine from HackTheBox, created by slartibartfast. In this post, my IP is 10.10.14.56 and the target IP is 10.129.228.60.

Recon

The first steps are about gathering basic information about the target, using nmap and whatever the website itself reveals.

Local Terminal
$ ping -c 1 10.129.228.60

Pinging 10.129.228.60 with 32 bytes of data:
Reply from 10.129.228.60: bytes=32 time=197ms TTL=63
Reply from 10.129.228.60: bytes=32 time=194ms TTL=63
Reply from 10.129.228.60: bytes=32 time=197ms TTL=63
Reply from 10.129.228.60: bytes=32 time=185ms TTL=63

Ping statistics for 10.129.228.60:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 185ms, Maximum = 197ms, Average = 193ms

By the TTL (63, which is the Linux default of 64 minus one hop), we can assume it is a Linux machine.

Local Terminal
$ nmap -p- --open -sS --min-rate 5000 -vvv -n 10.129.228.60 -oN Ports

Nmap scan report for 10.129.228.60
Host is up, received echo-reply ttl 63 (0.23s latency).
Scanned at 2023-06-08 11:19:12 Pacific SA Standard Time for 17s
Not shown: 65436 closed tcp ports (reset), 97 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63

Read data files from: C:\Program Files (x86)\Nmap
Nmap done: 1 IP address (1 host up) scanned in 17.16 seconds
           Raw packets sent: 80781 (3.554MB) | Rcvd: 78472 (3.139MB)

If you search for "OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 launchpad", you can find the specific distribution release; in this case the result was "Ubuntu Focal". This can be useful for finding a vulnerability affecting that specific version.

What we know so far: there is a website on port 80 served by nginx/1.18.0.

Because of the message "Did not follow redirect to http://photobomb.htb/", we have to map that hostname to the IP in /etc/hosts.

Nothing unusual.

  • Browser > http://photobomb.htb/

In the page source (view-source), there is an interesting JavaScript URL.
The URL embeds possible credentials using the http://user:pass@host structure: pH0t0:b0Mb!

After logging in, you can see that there are a lot of images. Download one with the "downloader" below and analyze it with exiftool.

Nothing here.

Reverse Shell [wizard]

Let's intercept the download process with Burp Suite.

Here we can find three parameters. The backend may be passing them to a shell command; to test whether it is vulnerable to command injection, you can simply append ;sleep+5 to the end of a parameter value.

It fails in the photo parameter, but works in filetype.

The response took 5 seconds to arrive, so the injection works.

Here we can test whether the target is able to connect back to our machine, using netcat.

Request content, with the previous payload

And your local terminal now has a shell as [www-data].

Alternative

But what if the target machine doesn't have netcat installed? First, you can test the connection by using curl against an http.server listener on your machine.

If the http.server receives a request, you can do the following to connect:

  1. Create a file with vi index.html

  2. Open an http.server

  3. Send a request with the following payload

Privilege Escalation

Once inside the machine, upgrade to a full interactive bash TTY before anything else.

There is a custom script allowed through sudo; let's see what's inside with cat /opt/cleanup.sh

In Linux, [ is itself a command; you can check with which [ whether a binary for it exists.

Here, that command and find are called by bare name rather than by absolute path, which means we can manipulate PATH so that a different command is executed in their place.

Now we change the PATH used to resolve the command; remember that, thanks to the SETENV tag, sudo lets us pass our own environment to the script.
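From the defender's side, the two conditions combined above (a sudo rule carrying SETENV, and a script that resolves commands through PATH) are easy to check for. The following is an added Python audit example, not code from the original writeup; the sudoers rule, the script contents and the function names are constructed stand-ins rather than the machine's real /opt/cleanup.sh, and the fix it points at is to use absolute paths and drop the SETENV tag.

```python
import re
import shlex

# Constructed stand-ins (not the machine's real files): a rule with the SETENV
# tag and a script that invokes "[" and "find" by bare name, so the shell
# resolves them through whatever PATH the caller passes in.
SAMPLE_SUDOERS = "alice ALL=(root) SETENV: NOPASSWD: /opt/cleanup.sh"
SAMPLE_SCRIPT = """#!/bin/bash
cd /var/www/html
if [ -s app.log ] && ! [ -L app.log ]; then
  /bin/cat app.log > app.log.old
fi
find . -name '*.tmp' -exec /bin/rm -f {} \\;
"""
# Words the shell handles itself; they are never looked up in PATH.
SHELL_WORDS = {"if", "then", "else", "elif", "fi", "for", "while", "until", "do",
               "done", "case", "esac", "cd", "exit", "export", "set", "shift",
               "return", ".", "source", "!", "{", "}", "[[", "]]"}
# Control operators separating simple commands (an escaped ";" does not).
SPLIT_RE = re.compile(r"\|\||&&|(?<!\\);|\||&")

def setenv_allowed(sudoers_line: str) -> bool:
    """True if the rule carries the SETENV tag, letting the caller supply PATH."""
    return re.search(r"(?<!NO)SETENV:", sudoers_line) is not None

def relative_commands(script: str) -> list:
    """(line number, command) for each command invoked by bare name.
    Simplification: $(...) substitutions are not descended into."""
    found = []
    for lineno, raw in enumerate(script.splitlines(), start=1):
        code = raw.split("#", 1)[0]            # drops comments and the shebang
        for segment in SPLIT_RE.split(code):
            try:
                words = shlex.split(segment)
            except ValueError:                 # unbalanced quotes: skip it
                continue
            while words and words[0] in SHELL_WORDS:   # "if [ ..." -> "["
                words = words[1:]
            if not words or "=" in words[0]:   # empty, or VAR=value prefix
                continue
            if not words[0].startswith("/") and (lineno, words[0]) not in found:
                found.append((lineno, words[0]))
    return found

def audit(sudoers_line: str, script: str) -> dict:
    """PATH hijacking needs both: SETENV on the rule and a bare-name call."""
    rel = relative_commands(script)
    setenv = setenv_allowed(sudoers_line)
    return {"setenv": setenv, "relative_commands": rel,
            "path_hijackable": setenv and bool(rel)}
```

Running audit(SAMPLE_SUDOERS, SAMPLE_SCRIPT) flags line 3 ("[") and line 6 ("find") and reports the combination as hijackable; rewriting those calls as /usr/bin/[ and /usr/bin/find, or removing SETENV from the rule, clears the finding.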
