Hackthebox - PhotoBomb

Author: slartibartfast

Initial Enumeration

Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-12 11:23 IST
Nmap scan report for photobomb.htb (10.129.227.64)
Host is up (0.22s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e2:24:73:bb:fb:df:5c:b5:20:b6:68:76:74:8a:b5:8d (RSA)
| 256 04:e3:ac:6e:18:4e:1b:7e:ff:ac:4f:e3:9d:d2:1b:ae (ECDSA)
|_ 256 20:e0:5d:8c:ba:71:f0:8c:3a:18:19:f2:40:11:d2:9e (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Photobomb
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.69 seconds

Web

Checking the page we see

Opening the page, we see a basic cred page.

Checking the calls, we see a photobomb.js

Command Injection on filetype;

Using Bash Reverse Shell

Privilege Escalation

Checking sudo -l

Checking the script

Let's make /home/wizard/photobomb/log/photobomb.log.old a symlink to /etc/crontab

Then create a /tmp/rev.sh

and put the cron entry in photobomb.log with echo '* * * * * root /tmp/rev.sh&' > photobomb.log

Running sudo /opt/cleanup.sh will then update the crontab
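
A hardened log rotation for the weakness used above, as an added example that is not code from this write-up or from the box. The page does not show /opt/cleanup.sh, so the redirect-based rotation below is an assumed pattern, and the function names and temporary files are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example: works only on constructed files in a temp directory.

# Assumed pattern for a root-run rotation: the redirect opens the destination
# with open(2), which follows a symlink planted at the .old name.
rotate_following_symlinks() {
    local log="$1"
    cat -- "$log" > "$log.old"
    : > "$log"
}

# Hardened form: accept only a regular-file source, stage the copy in a fresh
# temp file, then rename(2) it over the destination. rename replaces the
# destination name itself, so a symlink there is discarded, not followed.
rotate_without_following() {
    local log="$1" tmp
    [ -f "$log" ] && [ ! -L "$log" ] || return 1
    [ ! -d "$log.old" ] || return 1   # a directory (or symlink to one) would make mv move into it
    tmp="$(mktemp "$(dirname "$log")/.rotate.XXXXXX")" || return 1
    cat -- "$log" > "$tmp" && mv -f -- "$tmp" "$log.old" || { rm -f -- "$tmp"; return 1; }
    : > "$log"
}

# Constructed demo: "protected" stands in for a sensitive root-owned file and
# app.log.old is a symlink to it. Prints the protected file's content afterwards.
demo() {
    local rotate="$1" dir result
    dir="$(mktemp -d)" || return 1
    printf 'original\n' > "$dir/protected"
    printf 'log line\n' > "$dir/app.log"
    ln -s "$dir/protected" "$dir/app.log.old"
    "$rotate" "$dir/app.log"
    result="$(cat "$dir/protected")"
    rm -rf -- "$dir"
    printf '%s\n' "$result"
}

demo rotate_following_symlinks   # protected file now holds the log content
demo rotate_without_following    # protected file is unchanged
```

The checks before the rename are still check-then-use, so they narrow the window but do not close it while the directory is writable by another user. The durable fix is to keep root-run scripts from writing inside user-writable directories, or to drop to the directory owner's privileges before touching the files.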

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/photobomb/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.