HackTheBox

Writeups for the Hack The Box machines

https://www.hackthebox.com/machines/Photobomb


Enumeration

The initial scan showed 2 open ports, 22 & 80:

Found photobomb.htb from the scan & added it to the host configuration file.

Checked for vhosts, but didn’t find anything!


Gobuster returned 401 for all of its results:


ffuf returned the same result as well:


Checked the page source & found the photobomb.js file included in it:

The photobomb.js file contains this user:password structure:

Tried those credentials over SSH, but no luck 😕

- http://pH0t0:b0Mb!@photobomb.htb/printer
- pH0t0:b0Mb!@photobomb.htb


When I checked the page hosted on http://photobomb.htb, I found this page:

The credentials gathered from photobomb.js led to this page:

Now, after moving onto the page, I can access all of the pages for which I previously got the 401 response during enumeration.

- /printers:


All of the subdomains found returned the same HTML source page.


Initial access

Fired up Burp & checked the responses in it. While going through the requests, I checked the download option on the page & it seems like the ‘file-type’ parameter is vulnerable to command injection.

Injected the python3 payload from pentestmonkey after URL-encoding it & received the connection back on my host. (pwned!🙂)


And got the user flag in the ‘wizard’ user’s folder.



Privilege escalation

Now we can check the sudo permissions using ‘sudo -l’:


We have one cleanup script which we can run with sudo. While checking that script, I found out that it’s running the find command without an absolute path.


We can abuse that by creating our own find file in the ‘/tmp’ directory & changing the execution path to point at it.

- echo '/bin/bash' > find
- chmod +x find

Then, after creating the file, we can change the execution path for that cleanup script:

- sudo PATH=$PWD:$PATH /opt/cleanup.sh

Then we run that script with the sudo privilege we already have:

- sudo /opt/cleanup.sh

After running this script we get a root shell immediately. (pwned!🙂)

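As an added example (not part of the original writeup), here is a small shell audit that flags the pattern abused above, a sudo-run script calling find by bare name without pinning PATH, beside a hardened version of such a script. Both scripts are constructed for illustration and are not the box's real /opt/cleanup.sh.

```shell
#!/bin/sh
# Added example, not from the original writeup: audit a script that is run
# via sudo for the weakness described above, a command invoked by bare name
# so that the caller's PATH decides which binary actually runs.
# Both scripts below are constructed for illustration; the real
# /opt/cleanup.sh is not reproduced.

WEAK_SCRIPT=$(mktemp)
cat > "$WEAK_SCRIPT" <<'EOF'
#!/bin/bash
cd /srv/app/logs
find . -name '*.log' -mtime +7 -delete
EOF

HARDENED_SCRIPT=$(mktemp)
cat > "$HARDENED_SCRIPT" <<'EOF'
#!/bin/bash
# Pin PATH first so the caller's environment cannot steer command lookup,
# then call the binary by absolute path anyway (belt and braces).
PATH=/usr/sbin:/usr/bin:/sbin:/bin
export PATH
cd /srv/app/logs || exit 1
/usr/bin/find . -name '*.log' -mtime +7 -delete
EOF
trap 'rm -f "$WEAK_SCRIPT" "$HARDENED_SCRIPT"' EXIT

# Returns 0 if the script pins PATH and never calls find by bare name,
# 1 otherwise, printing each finding to stderr.
audit_sudo_script() {
    script=$1
    status=0
    if ! grep -Eq '^[[:space:]]*(export[[:space:]]+)?PATH=' "$script"; then
        echo "$script: PATH is not pinned inside the script" >&2
        status=1
    fi
    # bare 'find' at line start or after a command separator, i.e. not
    # preceded by a '/' that would make it an absolute path
    if grep -Eq '(^|[[:space:];&|(`])[[:space:]]*find([[:space:]]|$)' "$script"; then
        echo "$script: find is invoked without an absolute path" >&2
        status=1
    fi
    return "$status"
}

audit_sudo_script "$WEAK_SCRIPT" || echo "weak script: flagged, as expected"
audit_sudo_script "$HARDENED_SCRIPT" && echo "hardened script: passes"
```

Pinning PATH inside the script (or calling binaries by absolute path) means the caller's PATH, however it is passed in, no longer decides which find runs.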