En este momento estás viendo Photobomb – Writeup
Nevuer Cybersecurity & Hacking

Photobomb – Writeup

  • Autor de la entrada:
  • Categoría de la entrada:Writeups
  • Comentarios de la entrada:Sin comentarios

Port scanning:

Shell
Shell

Scanning of services and versions:

Shell

Adding the IP and Host to the /etc/hosts file:

Shell

1 – Check the main website:

Accessing to http://photobomb.htb we can see the following web site:

Analyzing the web content we can see a link under the text “Click Here” which shows us a login panel:

2 – Check the source code:

Inside the source code there is a linked javascript file called photobomb.js:

The javascript code has the following content, in which we can see an authentication link containing the access credentials:

User: pH0t0

Password: b0Mb!

We can access directly using the complete link: http://pH0t0:b0Mb!@photobomb.htb/printer

After accessing, the web redirects us to the following download utility

Intercepting the download request with Burpsuite we obtain its content:

Download request intercepted with Burpsuite

We will check which of all the parameters is vulnerable to remote command execution (RCE). In this case the vulnerable parameter is filetype.

We try to check it by executing a ping to our machine:

Shell

To receive the response we must keep listening for ICMP traces with the command tcpdump:

Shell
tcpdump command

After sending the request with Burpsuite we receive the ICMP trace.

We also run a reverse shell with netcat (nc) and mkfifo to gain remote access to the machine:

Shell

We perform a TTY treatment to work more comfortably:

  1. script /dev/null -c bash
  2. Ctrl + Z
  3. stty raw -echo; fg
  4. reset xterm

At this point we can read the user flag.

PRIVILEGE ESCALATION

We check the privileges of the wizard user with the command: sudo -l

The wizard user can run the cleanup.sh script as the root user without providing a password, its contents are as follows:

This scripts contains calls to diferent system command (cat, truncate and find).

As you can see, the cat and truncate commands are called differently from the find command in the source code.

The /bin/cat/ is an Absolute call and the find is a Relative call:

The use of Relative calls makes the script have to look for the command in the system variable PATH, to find its path, this is a problem if an external user has the ability to modify the contents of the PATH. This generates the attack called Path Hijacking.

To make a Path Hijacking to the find function, we will follow the following steps:

  1. Create an evil file with named the same as the command (find)
Shell
  1. Assign execution permissions to our find file:
Shell

The SETENV variable, allows us to modify environment variables temporarily, as the PATH is an environment variable, we can modify it directly in the sudo call as follows:

Shell

At this point the script will have executed our malicious find file.

Executing Bash with -p param to run it in privilege mode:

Shell

Finally, we got root access.

Deja una respuesta