Photobomb

Personal Rating: Medium

Enumeration

sudo nmap -sV <IP>

  • nginx 1.18 serving a web application on port 80 and SSH on port 22 are the open ports

  • There was interesting information in the page source:

<p>To get started, please <a href="/printer" class="creds">click here!</a> (the credentials are in your welcome pack).</p>
<p>If you have any problems with your printer, please call our Technical Support team on 4 4283 77468377.</p>

I continued with some dir fuzzing:

fuzzing:
	/printer
	/printers
	/printerfriendly
	/printer_friendly
	/printer-friendly
	/printer_icon
	/printer-icon
	/printerFriendly
-> All show the same page

When requesting a non-existent page, there is an interesting error:

There is a JS file containing http://pH0t0:b0Mb!@photobomb.htb/printer

You can download files. If you inspect the request with Burp and experiment with different injections, the output differs whenever a value such as ;something is included. So there might be a blind OS command injection.

Blind OS Command Injection

If you inject into the filetype parameter with this payload: jpg;ping+-c+4+10.10.16.4 you can confirm with tcpdump that the command has been executed.
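As an added example (not code from the original writeup or from the target application), here is the input handling that would have closed this injection, plus a small detection helper for captured request bodies. It assumes the download handler builds an ImageMagick convert command from photo, dimensions and filetype fields; the allowlist values and function names are mine.

```python
import re
from urllib.parse import unquote_plus

# Allowlist for the download form's filetype field (assumed set; the real list is not on the page).
ALLOWED_FILETYPES = {"jpg", "png"}
# Dimensions look like 3000x2000; anything else is rejected before it reaches a command.
DIMENSIONS_RE = re.compile(r"[1-9][0-9]{0,3}x[1-9][0-9]{0,3}")
# Shell metacharacters that never belong in an image format or a size.
SHELL_META_RE = re.compile(r"[;&|`$()<>{}\\\n]")


def is_valid_filetype(value: str) -> bool:
    return value in ALLOWED_FILETYPES


def is_valid_dimensions(value: str) -> bool:
    return DIMENSIONS_RE.fullmatch(value) is not None


def build_convert_argv(photo: str, dimensions: str, filetype: str):
    """Return the argv list for the resize, or None if a field fails validation.

    Handing a list to subprocess.run() bypasses the shell entirely, so a value
    like "jpg;ping -c 4 10.10.16.4" could only ever be a (rejected) filename,
    never a second command. Using 'convert' as the resize tool is an assumption.
    """
    if not (is_valid_dimensions(dimensions) and is_valid_filetype(filetype)):
        return None
    return ["convert", photo, "-resize", dimensions, f"resized.{filetype}"]


def parse_form_body(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body; '+' becomes a space."""
    params = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def suspicious_params(body: str) -> list:
    """Names of form fields whose decoded value carries shell metacharacters,
    for flagging injection probes in captured request bodies."""
    return sorted(k for k, v in parse_form_body(body).items() if SHELL_META_RE.search(v))


if __name__ == "__main__":
    # Constructed request body mirroring the probe above (10.10.16.4 is the writeup's listener).
    probe = "photo=sample.jpg&filetype=jpg;ping+-c+4+10.10.16.4&dimensions=3000x2000"
    print(suspicious_params(probe))
    print(build_convert_argv("sample.jpg", "3000x2000", "jpg;ping -c 4 10.10.16.4"))
```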

I tried different reverse shell payloads and none worked. It apparently only works if you use a specific Python reverse shell, URL-encode = and &, and replace spaces with +.

This was the payload that worked in the end:

SUID + SetEnv Script

sudo -l reveals that /opt/cleanup.sh is an SUID binary for which you also have SETENV permissions.

With SETENV you can control the PATH the script runs under. Since the script calls find by its relative name rather than an absolute path, you can create a "find" that contains /bin/bash in the home directory of the user "wizard" and then run the script, making use of the SUID and SETENV permissions:

sudo PATH=/home/wizard:/bin /opt/cleanup.sh