Photobomb HTB Walkthrough
Introduction
An easy-rated machine, and one of my first on HTB that was recently retired. This box was pwned before I started using MarkText and adding screenshots to my markdown notes, so I've only captured STDOUT here, and the entire write-up is boring plain text. Sorry.
As always, I use Parrot OS Security Edition in a VirtualBox VM, with the OpenVPN client to connect to the HackTheBox VPN.
Enumeration
Nmap with -sC and -sV shows 22 (ssh) and 80 (http) open. Navigating to http://10.10.11.182/ redirects to http://photobomb.htb. After adding this domain to /etc/hosts, we see a landing page for the Photobomb franchise, with a link to http://photobomb.htb/printer, which presents a basic auth dialog.
Again, no screenshots, so you will need to use your imagination or just trust me.
Let’s start up gobuster in the background while poking around:
This only returns a favicon and /printer plus /printers, both of which require a user/pass, but if I run gobuster with the /usr/share/dirb/wordlists/big.txt wordlist, I notice:
Manually checking some of the above:
So maybe I should look at WEBrick vulnerabilities, but I should quickly look at the rest of the site before going deep into a rabbit hole and never returning.
I found the following JavaScript file, http://photobomb.htb/photobomb.js, which is requested when visiting the home page. I basically just leave the Firefox developer tools open and see what interesting-looking requests are made, but intercepting via Burp Suite and looking at the Site map is also a good option here, especially as the number of files, directories and general structure of the site become larger and more complex. Burp Suite will build up a better picture of what the site looks like over time as you navigate around, fire off requests, etc.
Anyway, the javascript file in question contains:
Confirmed I am able to log in to http://pH0t0:b0Mb!@photobomb.htb/printer, which gives me a gallery of JPEG thumbnails along with a big red DOWNLOAD PHOTO TO PRINT button, and a drop-down to select the file format.
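The credential leak above is the kind of thing a pre-deployment check can catch before a pentester does. As an added example (not code from this post or from the Photobomb site), the following Ruby scans front-end source for URLs that carry a user:password in their userinfo and reports them with the password redacted. The SAMPLE_JS text and the USER/PASS/example.test values are constructed placeholders, not the contents of photobomb.js.

```ruby
require 'uri'

# Constructed sample of a front-end script that embeds basic-auth credentials in
# a URL, the pattern this walkthrough found in photobomb.js. The values are
# placeholders, not the file's real contents.
SAMPLE_JS = <<~JS
  function init() {
    const hint = "If you have forgotten your credentials: "
      + "http://USER:PASS@example.test/printer"; // constructed placeholder
    console.log("https://cdn.example.test/app.js"); // no userinfo: not a finding
  }
JS

# Matches scheme://user:password@host... (a URL whose userinfo contains a ':').
URL_WITH_USERINFO = %r{\b[a-z][a-z0-9+.-]*://[^\s"'/@]+:[^\s"'/@]+@[^\s"']+}i

# Returns one finding per credential-bearing URL, with the password redacted so
# the report itself does not spread the secret any further.
def find_embedded_credentials(text)
  text.scan(URL_WITH_USERINFO).map do |raw|
    uri = URI.parse(raw)
    {
      host: uri.host,
      user: uri.user,
      path: uri.path,
      redacted: raw.sub(/:[^:@]+@/, ':***@')
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  find_embedded_credentials(SAMPLE_JS).each do |f|
    puts "credential in URL: #{f[:redacted]} (user=#{f[:user]}, host=#{f[:host]})"
  end
end
```

Run it over every .js and .html file the web server serves (or over the build output in CI); a hit is a finding regardless of whether the endpoint behind it is reachable, because the file is public by definition.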
Burp Suite captures the following when intercepting POST requests to download an image in a selected file format via the UI:
After logging in, I can also hit the /printers endpoint I found earlier, which indicates it’s a Sinatra app:
Foothold
I initially tried to use commix for command injection, but it kept erroring out. I then tried command injection into the photo param without any success. But then I was able to confirm command injection by sending the following payload to /printer:
So, we basically escape the file type with a semicolon (;); no need for quotes, double quotes, etc.
I confirmed the endpoint appeared to become unresponsive for ~15 seconds, as expected. I had issues with typical bash reverse shells, and assumed injecting into the file type was working because the application maybe (?) shells out to bash to run ImageMagick or similar in order to convert the image format on the fly. I was, however, able to use a URL-encoded Ruby shell from revshells.com:
When injected, by setting Burp Suite to automagically HTML encode my payload, we end up sending the following in the body of the POST request:
I confirmed I now had a reverse shell:
So I have the user flag, taken from wizard’s account!
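The foothold above rests on a request parameter that, by the author's own hypothesis, is handed to a shell. As an added illustration (not code from this post or from the Photobomb application, whose source is not shown here), the following Ruby reconstructs that pattern next to a hardened handler. The command string, the allowlist of formats, the photo-name rule, the /tmp output path and the handle_printer_post stand-in for a Sinatra route are all assumptions made for the example.

```ruby
require 'shellwords'

# Allowlist of formats the converter is permitted to produce (assumed values).
ALLOWED_FILETYPES = %w[jpg png].freeze
# Photo names come from the gallery; a strict pattern rejects path tricks and
# shell metacharacters (assumed policy, not the app's real rule).
PHOTO_NAME = /\A[\w-]+\.jpg\z/

# Vulnerable pattern (hypothetical reconstruction): interpolating request params
# into one string that a shell parses means a ';' in filetype ends the convert
# command and whatever follows runs as a second command.
def build_command_unsafe(photo, filetype)
  "convert #{photo} /tmp/out.#{filetype}"
end

# Hardened: validate both params against allowlists, then return an argv array.
# Passing the array to system(*argv) or Open3.capture2(*argv) bypasses the shell,
# so metacharacters in the values are never interpreted.
def build_command_safe(photo, filetype)
  raise ArgumentError, "unsupported filetype" unless ALLOWED_FILETYPES.include?(filetype)
  raise ArgumentError, "bad photo name" unless photo.is_a?(String) && photo.match?(PHOTO_NAME)
  ["convert", photo, "/tmp/out.#{filetype}"]
end

# Fallback if a shell string is unavoidable: escape every value, so a ';' reaches
# convert as a literal character rather than as a command separator.
def build_command_escaped(photo, filetype)
  "convert #{Shellwords.escape(photo)} /tmp/out.#{Shellwords.escape(filetype)}"
end

# Stand-in for the Sinatra POST handler: returns [status, body] without executing
# anything, so both variants can be compared offline.
def handle_printer_post(params, hardened: true)
  cmd = if hardened
          build_command_safe(params["photo"], params["filetype"])
        else
          build_command_unsafe(params["photo"], params["filetype"])
        end
  [200, cmd]
rescue ArgumentError => e
  [400, e.message]
end

# Rough count of the separate commands a POSIX shell would see in a command
# string (splits on ; && || and |, ignoring quoting).
def shell_command_count(cmd_string)
  cmd_string.split(/\s*(?:;|&&|\|\|?)\s*/).reject(&:empty?).size
end

if __FILE__ == $PROGRAM_NAME
  tainted = { "photo" => "a.jpg", "filetype" => "jpg;sleep 15" }
  puts "unsafe:    #{handle_printer_post(tainted, hardened: false).inspect}"
  puts "hardened:  #{handle_printer_post(tainted).inspect}"
  puts "escaped:   #{build_command_escaped("a.jpg", "jpg;sleep 15")}"
end
```

The allowlist is the real fix: the escaped variant stops the injection but still lets a user pick any output extension, which is a different class of surprise for the converter.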
Privilege Escalation
Now on to privilege escalation. First, let’s try the low hanging fruit:
So we can run /opt/cleanup.sh. Looking at this script:
The commands are absolute paths except for find. I tried copying /bin/bash to /tmp/find, and running the script while preserving my environment with the -E flag, which disables the env_reset option:
So, when the shell attempts to run find, it would check the /tmp directory first and execute my copy of bash instead.
However, this wasn't working. After a few minutes of digging through the sudo man page I noticed that env_reset in the sudo -l output resets the PATH, but also that SETENV is enabled. So, I was able to pick up my fake find executable with a plain old:
So the /opt/cleanup.sh script runs as root, and locates the find command in /tmp, which is actually a copy of bash, giving us a root shell.
Machine completed!
https://www.hackthebox.com/achievement/machine/329250/500
Conclusion
Quite straightforward with basic web enumeration: a JavaScript file with hardcoded basic auth creds, leading into a basic web app that displays a photo gallery. Looking at web requests, we can see a param for filetype in the form data which we can inject into, after failing to inject into filename.
I struggled to get a basic bash reverse shell working, but knowing the app is a Ruby-based Sinatra app, we can inject a Ruby reverse shell that calls out to sh and pipes the output to a TCP socket in order to gain a foothold.
From here, we can take advantage of a script we can run as sudo by clobbering the expected find executable's location in PATH. While env_reset is enabled, which causes commands to be executed with a minimal environment, the SETENV option is set, which allows us to prefix a directory to PATH. This directory is searched first, finding and executing our renamed bash command as find, giving us a root shell.
Looking forward to posting the next one!