Photobomb

Photobomb is an easy box with a straightforward path to root. In fact, it took only a few minutes to get root; the only hard part was getting RCE, which was not straightforward.

Enumeration

From the Nmap scan result above we can see that only two open ports were discovered on the device. We can also see a redirect to http://photobomb.htb, so we have to add the domain to our hosts file at /etc/hosts.

The URL led to the webpage above, but there isn't much on the page other than a link to http://photobomb.htb/printer, which requests sign-in credentials that we don't have, as seen below. Directory brute-forcing also didn't give us anything useful.

Looking at the source code, I noticed there is a JavaScript file called photobomb.js. It only contains a function called "init" that is supposed to look for the cookie "isPhotoBombTechSupport" and, if the cookie exists, allow the user to log in without providing credentials. The code doesn't seem to work; however, it contains the username and password used to log in to the "/printers" directory.

Once on the printer page, as seen below, we get access to some images and the ability to download them in different formats.

User Flag

I enumerated but found no indication of an exploit: nothing was picked up by exiftool on the downloaded images either, and there was no LFI or SQLi.

I fired up Burp Suite and looked at the download request, where I saw some parameters and started tweaking them. I tried different fuzzing payloads with no luck, then decided to try a code execution exploit. I ran a curl command on the target while running a Python3 server on my device, which worked, so we have server-side code execution.

Now, to get a reverse shell, we need to find a working payload; luckily there is an online tool, revshells, that creates reverse shell payloads for you.

After setting the options and placing the payload where appropriate, we have a reverse shell. As seen below, we are the user wizard.

Privilege Escalation

Getting root was as straightforward as getting user; the first priv-esc method I tried was the jackpot. Using "sudo -l", I was able to see what commands the user wizard can run as root. As seen below, the user can run the cleanup.sh script located locally at /opt/cleanup.sh.

Basically, the script does some log clearing, name truncation and image finding; however, what really matters is that it invokes the cat, truncate and find commands without absolute paths, so we can use any of these commands to escalate our privileges.

To escalate privileges, I simply exploited the cleanup.sh script by creating a simple bash file, naming it find, making it executable, adding its directory to PATH and running the cleanup script.
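As an added defender-side example (not code from the original writeup, and not the box's real /opt/cleanup.sh), here is a small POSIX shell audit that flags the class of weakness abused above: a sudo-allowed script that calls cat, truncate and find by bare name so they resolve through the caller's PATH. The two scripts it writes are constructed stand-ins, one weak and one hardened with a pinned PATH and absolute paths.

```shell
#!/bin/sh
# Audit a sudo-runnable script for commands resolved through PATH.
# Both sample scripts below are constructed for this example.

# Weak stand-in: bare command names, no PATH pinning.
make_sample_script() {
  cat > "$1" <<'EOF'
#!/bin/bash
cd /srv/app/log
cat /dev/null > app.log
truncate -s 0 app.err
find /srv/app/photos -name '*.tmp' -delete
EOF
}

# Hardened stand-in: PATH pinned and every external command absolute.
make_hardened_script() {
  cat > "$1" <<'EOF'
#!/bin/bash
PATH=/usr/bin:/bin
cd /srv/app/log
/usr/bin/cat /dev/null > app.log
/usr/bin/truncate -s 0 app.err
/usr/bin/find /srv/app/photos -name '*.tmp' -delete
EOF
}

# Print the first word of each command line unless it is an absolute
# path, a variable assignment or a shell builtin/keyword we ignore.
bare_commands() {
  grep -v '^#' "$1" | awk '
    NF == 0 { next }
    $1 ~ /^\// { next }
    $1 ~ /^[A-Za-z_][A-Za-z0-9_]*=/ { next }
    $1 == "cd" || $1 == "exit" || $1 == "set" { next }
    { print $1 }' | sort -u
}

# True when the script sets PATH itself, so sudo's caller cannot steer it.
pins_path() {
  grep -q '^PATH=' "$1"
}

# Returns 0 if the script is safe from PATH hijacking, 1 otherwise.
audit_script() {
  bad=$(bare_commands "$1" | tr '\n' ' ' | sed 's/ $//')
  if [ -z "$bad" ] && pins_path "$1"; then
    echo "OK: $1 pins PATH and uses absolute command paths"
    return 0
  fi
  echo "RISK: $1 calls bare commands [$bad]; pin PATH or use absolute paths"
  return 1
}
```

Pairing this with a sudoers rule that does not carry SETENV, so the invoking user's PATH is dropped, closes the same hole from the policy side.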