Hackthebox Photobomb Write-ups

Rohan Kar
4 min readOct 11, 2022


Nmap scan

sudo nmap -p- -sS -n -Pn --min-rate 5000 -vvv --open 10.129.207.40

Let’s run version and service detection on the open ports.
sudo nmap -sCV -p 22,80 10.129.207.40

Using WhatWeb we see that there is a redirection to http://photobom.htb, which means that virtual hosting is in use.

So we add it to /etc/hosts.
10.129.207.40 photobom.htb

We proceed to scan the page and see that nginx 1.18.0 is in use; searching searchsploit for possible exploits turns up nothing.

If we open the platform in our favorite browser we find this page; the interesting thing is that clicking “click here!” redirects us to an authentication panel.

Unfortunately we don’t have valid login credentials, so we’ll look for anything interesting in the platform’s files with the browser inspector.

Something interesting I found: what may be a username and password.

Wow! If the credentials are correct, it redirects us to this panel of images, from which we can download them.

The platform is implemented with Sinatra. Sinatra is a DSL for quickly building Ruby web applications with minimal effort.

If we look for known vulnerabilities we find that it may be vulnerable to an LFI.

But unfortunately that vulnerability was patched in the version the platform is built on 😞

If we take a good look at the requests, we see that there is an Authorization header that we can use to fuzz directories again.

We find that only the /printer route returns a status code of 200, which leads us to expect that this route is where we can find a vulnerability to gain access to the system.

If we intercept the download request we see that it is possible to inject bash code.

Let’s try sending 10 ICMP echo requests to my attacker machine to see if there is any connectivity between the two.
ping -c 10 <ip>

We can URL-encode the payload in the request with Ctrl+U.

We see that there is connectivity between the victim and attacker machines.

So what we’re going to do is create a reverse shell and listen on a port with netcat, using rlwrap, which lets us edit input with the arrow keys.

sudo rlwrap ncat -lvnp 443

Now one way to create a reverse shell is to create an HTML file, since if we use curl and pipe the result into bash (| bash) it is interpreted as a system command.

We can find the user flag in the home directory.

If we use sudo -l we see that LD_PRELOAD can be invoked with sudo, so we will use it to escalate privileges.

  • LD_PRELOAD can be invoked with sudo, so let’s create a simple PE shell to exploit this.

We compile it and upload it to our victim machine.

gcc -fPIC -shared -o shell.so shell.c -nostartfiles

To upload it to our victim machine I will use the same python3 server that we created a while ago.

Give it permissions: chmod 777 shell.so
sudo LD_PRELOAD=/home/wizard/shell.so /opt/cleanup.sh
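From the defender’s side, the root cause here is a sudoers configuration that lets a caller’s loader variables reach a command run as root. The following audit script is an added example, not part of this write-up or the box; it scans sudoers text for `env_keep` entries that preserve LD_PRELOAD-style variables, for `!env_reset`, and for the `SETENV` tag, and the sample sudoers content is constructed for illustration rather than taken from the target.

```python
import re

# Constructed sample sudoers content for this example (not the target's
# real /etc/sudoers). Lines 3 and 5 are the kinds of entries that let a
# user push LD_PRELOAD into a command that sudo runs as root.
SAMPLE_SUDOERS = """\
Defaults        env_reset
Defaults        mail_badpass
Defaults        env_keep += "LD_PRELOAD"
root    ALL=(ALL:ALL) ALL
wizard  ALL=(root) SETENV: NOPASSWD: /opt/cleanup.sh
%admin  ALL=(ALL) ALL
"""

# Variables that change which code a dynamically linked program loads.
# If a root-run command inherits them from the caller, the caller
# controls code executing as root.
LOADER_VARS = ("LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT")


def audit_sudoers(text):
    """Return a list of (line_no, reason) findings for sudoers text."""
    findings = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("Defaults"):
            if re.search(r"\benv_keep\s*\+?=", line):
                kept = [v for v in LOADER_VARS if v in line]
                if kept:
                    findings.append((no, "env_keep preserves " + ", ".join(kept)))
            if re.search(r"[\s,]!env_reset\b", line):
                findings.append((no, "env_reset disabled: caller's environment reaches root"))
            continue
        # User specification: <who> <hosts>=(<runas>) [TAG:]... <commands>
        tags = re.findall(r"\b(SETENV|NOPASSWD|NOEXEC)\s*:", line)
        if "SETENV" in tags:
            note = "SETENV tag lets the caller set any variable, LD_PRELOAD included"
            if "NOPASSWD" in tags:
                note += " (and no password is required)"
            findings.append((no, note))
    return findings


if __name__ == "__main__":
    for no, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {no}: {reason}")
```

The fix is to drop the `SETENV` tag and the `env_keep` entry so that sudo’s default `env_reset` strips the loader variables before running the command.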

Thanks !
