Read my write-up for the Photobomb machine:
TL;DR
User: Locate the credentials for the /printer endpoint in the HTML source code. Use command injection on the image download request’s filetype argument to obtain a reverse shell.
Root: Running sudo -l reveals that the script /opt/cleanup.sh can be run as the root user and that environment variables can be altered. Examining the script shows that the find command is not invoked with its full path. Taking advantage of this, we craft our own find command and gain a reverse shell as the root user.
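
From the defender's side, the root step comes down to a privileged script resolving a command through a PATH the caller controls. The following audit helper is an added example, not code from the write-up or the machine: the function names and the sample script are constructed for illustration, and the match is a heuristic that also covers commands launched through find's -exec.

```shell
#!/bin/sh
# Added example: list commands that a root-run script invokes by bare name,
# i.e. commands that are looked up through PATH instead of an absolute path.

# write_sample FILE
# Writes a constructed stand-in for a root-run cleanup script (not the real one).
write_sample() {
    cat > "$1" <<'EOF'
#!/bin/bash
cd /opt/app
# find is mentioned in this comment only
/usr/bin/truncate -s0 log/app.log
find images -type f -name '*.jpg' -exec chown root:root {} \;
[ -d tmp ] && rm -rf tmp/*
EOF
}

# audit_bare_cmds SCRIPT CMD...
# Prints "LINE:CMD" for every line where CMD appears in command position
# (line start, after ; | & ( or a backtick, or after -exec) without a path.
audit_bare_cmds() {
    script=$1
    shift
    for cmd in "$@"; do
        grep -nE "(^|[;|&(\`]|-exec)[[:space:]]*${cmd}([[:space:]]|\$)" "$script" |
            grep -vE '^[0-9]+:[[:space:]]*#' |
            sed "s/^\([0-9]*\):.*/\1:${cmd}/"
    done
}

# Demo on the constructed sample: truncate is path-qualified and is not reported.
tmp=$(mktemp)
write_sample "$tmp"
audit_bare_cmds "$tmp" find rm chown truncate
rm -f "$tmp"
```

Each reported line is fixed by calling the binary by absolute path or by setting a fixed PATH at the top of the script, and the sudo rule should not let the caller alter the environment.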