As always the first step for any box is to see what is available to access, running

$ nmap -sC -oA nmap-alltcp
Starting Nmap 7.92 ( ) at 2022-10-13 19:17 AEDT
Nmap scan report for
Host is up (0.011s latency).
Not shown: 998 closed tcp ports (conn-refused)
22/tcp open  ssh
| ssh-hostkey:
|   3072 e2:24:73:bb:fb:df:5c:b5:20:b6:68:76:74:8a:b5:8d (RSA)
|   256 04:e3:ac:6e:18:4e:1b:7e:ff:ac:4f:e3:9d:d2:1b:ae (ECDSA)
|_  256 20:e0:5d:8c:ba:71:f0:8c:3a:18:19:f2:40:11:d2:9e (ED25519)
80/tcp open  http
|_http-title: Did not follow redirect to http://photobomb.htb/

Nmap done: 1 IP address (1 host up) scanned in 1.32 seconds

Not much to see here in the way of services, just a plain http website at http://photobomb.htb/ and ssh access

looking around the website there is a login on /photobomb that requires basic autentication to access taking a look around at the included java script file we find some intersting content.

// Jameson: pre-populate creds for tech support as they keep forgetting them and emailing me

With this we now have the creds and can log into the /printer page this page gives us access to a form that we can use to get a file from the server. this form turns out to be vunerable to injection in the filetype paramter.

Using this knowledge we can inject the command for a reverse shell in to this paramter, using a python 3 reverse shell from we can gain shell access to the server, and with this access read the user flag.


looking for Privesc we see that we can run a single command using sudo with no password /opt/ reading this file we see it runs a number of system commands using relative paths, giving us the oppertunity to use $PATH hijacking to run arbitary code as root

by creating /tmp/find we can use this to read the root flag, to do this we make the file with the following content

cat /root/root.txt

with this in place running sudo PATH=/tmp/:$PATH /opt/ we get the root flag printed to the console for us, resulting in a system own.