Beri Contraster

Photobomb - HackTheBox Walkthrough



Linux . Easy

Created by slartibartfast

Released on 08 Oct 2022


Welcome, reader. Today we'll hack Photobomb from HackTheBox, an easy Linux machine. Let's start with an Nmap scan.


Nmap Scan


A web server is running on Nginx 1.18.0. Browsing to the web server redirects to photobomb.htb, so let's add it to /etc/hosts and refresh the site.



Nothing on the website is interesting except the "click here!" link, which redirects to a login prompt, but we don't have the credentials yet. The credentials are stored in the welcome pack.


I found an interesting file in the website's page source. It's always a good idea to take a look at the page source.



Let's take a look at the photobomb JavaScript file.



There are plaintext credentials stored in this file that we can use to log in.



Command Injection

After logging in, we are presented with this page, where we can download an image to print. Let's fire up Burp and capture the request. I tried command injection and successfully achieved command execution.



The filetype parameter is vulnerable to command injection. We confirmed it using the sleep command. Let's get a reverse shell.
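The pattern behind the filetype finding and its fix, as an added example (not code from the Photobomb application or from this walkthrough): a request field pasted into a shell string versus an allow-listed field passed as an argv element. The converter stand-in, the function names, the allow-list and the probe value are assumptions made for illustration.

```python
import shlex
import subprocess
import sys

ALLOWED_FILETYPES = {"jpg", "png"}  # assumption: the formats the form offers

# Stand-in for the image converter: it only prints the arguments it received.
CONVERTER = [sys.executable, "-c", "import sys; print(sys.argv[1:])"]

# Constructed probe: a harmless marker appended after a shell separator.
PROBE = "png; echo INJECTED"


def convert_vulnerable(photo: str, filetype: str) -> str:
    """Before: request fields are pasted into a string that /bin/sh parses."""
    cmd = " ".join(shlex.quote(part) for part in CONVERTER)
    cmd += f" {photo} out.{filetype}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_without_shell(photo: str, filetype: str) -> str:
    """Each field is one argv element, so shell metacharacters stay data."""
    argv = CONVERTER + [photo, f"out.{filetype}"]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def convert_hardened(photo: str, filetype: str) -> str:
    """After: reject anything outside the allow-list, then skip the shell."""
    if filetype not in ALLOWED_FILETYPES:
        raise ValueError(f"unsupported filetype: {filetype!r}")
    return run_without_shell(photo, filetype)


if __name__ == "__main__":
    print("shell string :", convert_vulnerable("photo.jpg", PROBE).splitlines())
    print("argv list    :", run_without_shell("photo.jpg", PROBE).strip())
    try:
        convert_hardened("photo.jpg", PROBE)
    except ValueError as err:
        print("allow-list   :", err)
```

The allow-list and the shell-free call are independent layers: either one alone stops the probe, and a real handler should validate the other request fields the same way.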



USER

We can use the following command. Don't forget to fire up the Netcat listener. We can use Ctrl+U to URL-encode our command.




ROOT


We can run /opt/clean.sh as root and set our own PATH variable when we do. Let's take a look at the file contents.



The find command is not called with an absolute path, so we can do path hijacking and execute a malicious file named find. Let's create a file with the name "find" under /tmp.



Let's execute the file.



We are now root.

Thanks for reading. Happy Hacking :)


-- bericontraster
