HackTheBox – Photobomb

NMAP Scanning

I added the address to /etc/hosts and opened the web page.

Upon clicking the link it asks for credentials.

As we do not have any credentials I got the page below.

I tried to view the source code and found the photobomb.js file.

After opening that file I got the credentials.

Username: pH0t0

Password: b0Mb!

I logged in using the above credentials.

Upon logging in with the above credentials, we saw that it is an image downloading service.

So we intercepted the request and began testing all 3 parameters. I enabled the http.server and tried to inject a curl command.

For the photo parameter I got the response and it seems that it is not vulnerable.

For the filetype parameter I got the response on our server. So this might be vulnerable.

So I decided to generate a reverse shell command and enabled netcat.

After injecting the above snippet I got the user shell.

I got the user flag.
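The filetype result above means request input was reaching a shell command. A server-side check for the same three parameters, as an added example that is not the target application's code: the function names, the third parameter name `dimensions`, the allowed values, the source path and the `convert` command line are all assumptions.

```python
import re

# Assumed rules: the application's real accepted values are not on the page.
ALLOWED_FILETYPES = {"jpg", "png"}
PHOTO_RE = re.compile(r"[A-Za-z0-9_-]{1,100}\.jpg")
DIMENSIONS_RE = re.compile(r"[1-9][0-9]{0,3}x[1-9][0-9]{0,3}")
SOURCE_DIR = "/srv/photos/source"  # hypothetical location of the originals

# One check per request parameter. fullmatch() is used instead of match()/"$"
# so that a trailing newline or any extra character fails validation.
CHECKS = {
    "photo": lambda v: PHOTO_RE.fullmatch(v) is not None,
    "filetype": lambda v: v in ALLOWED_FILETYPES,
    "dimensions": lambda v: DIMENSIONS_RE.fullmatch(v) is not None,
}


def rejected_fields(params):
    """Return the names of parameters that are missing or fail their check."""
    bad = []
    for name, ok in CHECKS.items():
        value = params.get(name)
        if not isinstance(value, str) or not ok(value):
            bad.append(name)
    return bad


def build_convert_argv(params):
    """Return an argv list for subprocess.run(argv) with no shell involved."""
    bad = rejected_fields(params)
    if bad:
        raise ValueError("rejected parameters: " + ", ".join(bad))
    source = f"{SOURCE_DIR}/{params['photo']}"
    # "png:-" style output pins the format and writes to stdout.
    return ["convert", source, "-resize", params["dimensions"],
            f"{params['filetype']}:-"]


# Constructed sample requests, not captured traffic.
SAMPLES = [
    {"photo": "mountain-1.jpg", "filetype": "png", "dimensions": "300x200"},
    {"photo": "mountain-1.jpg", "filetype": "png;curl 192.0.2.10", "dimensions": "300x200"},
    {"photo": "../../etc/passwd", "filetype": "jpg", "dimensions": "300x200\n"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(rejected_fields(sample) or build_convert_argv(sample))
```

Logging the output of `rejected_fields` for failed requests gives a detection signal for this kind of parameter probing.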

Privilege Escalation

I began with the sudo -l command and checked the cleanup.sh file.

Add /bin/bash to the cd file and give it all permissions.

I also created a find file so that if one failed we would have a backup to get a shell as root.

Now just run that file with sudo permission and set the PATH to the /temp directory.

I got root.

