HTB Linux Easy: Photobomb

Photobomb is an Easy rated Linux machine on HTB.

Nmap


Edit the hosts file and add the photobomb.htb domain.

Initial Foothold

Enumerating HTTP (port 80)

Webpage.

Pressing the click here button redirects to a /printer page that asks for credentials.

The error page reveals that Sinatra is running on the system.

In the photobomb.js file we find credentials: pH0t0:b0Mb!.

After logging into the /printer page we find a page that lets us download images.

Capturing the request with Burp Suite lets us test for RCE: setting a sleep of 5 seconds after the filetype makes the response time longer (6.633 millis instead of 1.633 millis).

Gain shell

URL encode key characters in the payload.

Shell.

Priv Esc

Sudo -l output.

The cleanup.sh script executes /opt/.bashrc.

In .bashrc the enable -n command is used. This command disables a shell builtin (in this case [), which means the shell will search the PATH to find the command instead.

Craft a payload named [ and make it executable (chmod +x).

Become root.
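
The builtin-versus-PATH lookup described above can be checked directly. This is an added example, not code from the original post or the box: it asks a clean bash what `[` resolves to before and after `enable -n [`. The names `resolve_bracket` and `make_demo`, the directory names and the stub files are all constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example: what does `[` resolve to before and after `enable -n [`?
# Directory names and stub files below are constructed for the demo.

BASH_BIN=$(command -v bash)   # absolute path, unaffected by the PATH we test

# Print how a clean bash resolves `[` under a given PATH.
#   $1 = PATH to search
#   $2 = "disabled" to run `enable -n [` first, as the sourced .bashrc does
# Prints "builtin", the file found on PATH, or "not found".
resolve_bracket() {
    local search_path=$1 prelude=""
    if [ "$2" = "disabled" ]; then prelude='enable -n [;'; fi
    # `case` is a keyword, so the inner check itself never depends on `[`.
    PATH=$search_path "$BASH_BIN" --norc --noprofile -c "$prelude"'
        case "$(type -t [)" in
            builtin) echo builtin ;;
            *)       type -P [ || echo "not found" ;;
        esac'
}

# Create two directories that each hold a harmless executable stub named `[`.
make_demo() {
    DEMO=$(mktemp -d)
    mkdir "$DEMO/writable" "$DEMO/trusted"
    for d in writable trusted; do
        printf '#!/bin/sh\nexit 0\n' > "$DEMO/$d/["
        chmod +x "$DEMO/$d/["
    done
}

make_demo
echo "builtin enabled : $(resolve_bracket "$DEMO/writable:$DEMO/trusted" enabled)"
echo "builtin disabled: $(resolve_bracket "$DEMO/writable:$DEMO/trusted" disabled)"
echo "PATH pinned     : $(resolve_bracket "$DEMO/trusted" disabled)"
```

With the builtin disabled, the first PATH entry that holds an executable `[` wins. A script that runs with elevated privileges should therefore pin PATH itself, call the test binary by absolute path, or use the `[[ ]]` keyword, which `enable -n` cannot disable.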

User.txt


Root.txt


You have PWNED


This post is licensed under CC BY 4.0 by the author.