In this post, I would like to share a walkthrough of the Photobomb Machine from Hack the Box
This room will be considered an Easy machine on Hack the Box
What will you gain from the PhotoBomb machine?
As for the root flag, you need to take advantage of a script that can be executed as root privileges which it can use with the path hijacking method. It will lead us to retrieve a root flag that way
Information Gathering on Photobomb Machine
Once we have started the VPN connection which requires a download from Hackthebox, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -P
Let’s access the website interface
Sadly, the website URL has redirected to a valid domain
Enumerate on the website interface
At last, we managed to access the valid domain, and nothing can be found over here except the link that we can press to analyze the link.
However, we are required to enter the credential to proceed
Oh wow! We managed to retrieve some credentials over here.
As a result, we can access it by key-in the credentials that we found earlier.
Finally, we managed to access the printer directory
Let’s download the picture with the larger size on our attacker’s machine
The response looks something fishy over here
When trying some command injection after the filetype png/jpg, we managed to see an error saying “Failed to generate a copy of <Filename>”
Therefore, let’s insert some reverse shell which I take it from here and try to encode it. After a while, the response didn’t reply at all.
However, the reverse shell connection has come back to us.
We can read the user flag by typing “cat user.txt”
Escalate to Root Privileges Access
We should be enumerated manually by running the “sudo -l” command
The screenshot above shows the code that resides inside the /opt/cleanup.sh file
Let’s create some script that will try to escalate to root privileges access
Once completed with the script, let’s compile it as shown above.
As a result, let’s upload the compiled script into the victim’s machine
Let’s run the command above to obtain a root shell
We can read the root flag by running the “cat root.txt” command