Late

Introduction

Late is an interesting and yet daunting machine, probably because the approach to getting RCE is not so conventional and requires thinking outside the box. Created by Kavigihan.


First Things First

So, after connecting to the HTB VPN I ran Nmap against the target, and all I got was ports 80 and 22, which indicates a web server is running as well as an SSH service.

From the above image we can see that the web server is Nginx version 1.14.0 and the OS is Ubuntu, but there is no vulnerability here.

I left the Nmap scan below running to cover all TCP ports, in case I had missed one.

nmap -sC -sV -p- 10.10.11.156

Meanwhile, I proceeded to the web page to see what was there.

After a little enumeration and a closer look, I noticed the website is a form of OCR: it allows you to upload an image containing text and converts the image to text.

On the home page there was a link to a second host, images.late.htb. Since this name can't be resolved to an IP address, we have to add an entry for it manually in the hosts file located at /etc/hosts.

Foothold

Clicking the link takes us to a page that allows us to upload an image and convert it to text.

There was no obvious way to exploit the upload feature. I tried the usual techniques:

  • Simply uploading a ".php" file instead of a ".jpg" file.

  • Using a double extension like "image.jpg.php".

  • Intercepting the upload in Burp to change the Content-Type from txt/php to image/jpg.

  • Changing the magic number of the PHP file to that of a JPEG image (FF D8 FF E0).

The above methods failed, so I decided to approach the problem from another angle: what if the application executes code or commands contained in the image text?

Since the app was created with Flask (which renders templates with Jinja), I looked up vulnerabilities that could possibly apply and found that it might be vulnerable to SSTI (Server Side Template Injection). I took a screenshot of the expression below, which simply multiplies two numbers, uploaded it to see whether SSTI was indeed applicable in this case, and...


Voila!

As you can see, the web application is vulnerable to SSTI: the expression was evaluated and the page gave us the product of 6*656.

I found a custom SSTI payload online that allows us to interact with the app:

{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read() }}

The above snippet displays the identity of the user the application runs as: "svc_acc".
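From the defender's side, the root cause here is that the OCR output reached the template engine as a template to compile rather than as data to display. The Python below is an added example, not code from the box or from this write-up: it shows a pre-render check that flags Jinja syntax and runtime-walking names in OCR output (so an attempt like the payload above is logged before anything is rendered), next to the rendering pattern that keeps the text inert. The sample OCR strings and the function names `classify`, `template_syntax_findings` and `render_result` are constructed for the example; `render_template` and `render_template_string` are the real Flask functions the comments refer to.

```python
import html
import re

# Constructed sample OCR outputs: what the upload handler holds after the
# image has been converted to text and before it builds the result page.
SAMPLE_OCR_OUTPUTS = {
    "invoice": "Invoice #1042\nTotal due: 6 * 656 = 3936",
    "canary": "{{ 6*656 }}",
    "probe": "{{ self._TemplateReference__context.cycler.__init__"
             ".__globals__.os.popen('id').read() }}",
    "statement": "{% if user.is_admin %}welcome{% endif %}",
}

# Jinja2 delimiters for expressions, statements and comments.
TEMPLATE_DELIMS = re.compile(r"\{\{.*?\}\}|\{%.*?%\}|\{#.*?#\}", re.DOTALL)
# Attribute walking towards the Python runtime: dunder names and name-mangled
# privates such as _TemplateReference__context. Ordinary document text does
# not contain these; SSTI probes almost always do.
RUNTIME_WALK = re.compile(r"__\w+__|\b_[A-Z]\w*__\w+")


def template_syntax_findings(text):
    """Return (kind, snippet) pairs explaining why text looks like a template."""
    findings = [("delimiter", m.group(0)) for m in TEMPLATE_DELIMS.finditer(text)]
    findings += [("runtime-walk", m.group(0)) for m in RUNTIME_WALK.finditer(text)]
    return findings


def classify(text):
    """'benign', 'suspicious' (template delimiters only) or 'probe'
    (delimiters plus a walk into the runtime, as in the payload above)."""
    kinds = {kind for kind, _ in template_syntax_findings(text)}
    if {"delimiter", "runtime-walk"} <= kinds:
        return "probe"
    if kinds:
        return "suspicious"
    return "benign"


def render_result(ocr_text):
    """The fix: the OCR text is data inserted into a fixed page, never a template.

    In Flask terms this is render_template("result.html", text=ocr_text) with a
    literal {{ text }} in the template file; the vulnerable pattern is
    render_template_string(ocr_text), which compiles the user's text itself.
    Jinja's autoescaping does for {{ text }} what html.escape does here.
    """
    return "<pre>%s</pre>" % html.escape(ocr_text)


def triage_samples():
    """Classify every constructed sample; the same call can feed an alert log."""
    return {name: classify(text) for name, text in SAMPLE_OCR_OUTPUTS.items()}


if __name__ == "__main__":
    for name, verdict in triage_samples().items():
        print(f"{name:10} {verdict:10} {render_result(SAMPLE_OCR_OUTPUTS[name])[:60]}")
```

The check is a detection aid, not the fix: a blocklist on delimiters can always be bypassed by someone who finds a syntax it does not cover, so the safe path is the one `render_result` takes, where nothing the user controls is ever compiled. The canary `{{ 6*656 }}` comes out of `render_result` as the literal string, which is exactly the behaviour the write-up's multiplication test showed to be missing on the box.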

Now we need to get RCE. I swept the internet for a working reverse shell, but none of them popped a shell, so I decided to just dump the SSH key of the user instead.

This gave me the SSH key, which I saved as id_rsa in my ~/.ssh directory and used to log in, and hence RCE.

Now to escalate our privileges. I used a Python HTTP server to upload the awesome linpeas.sh script, and from there we found our way forward.

With LinPEAS we found a 95% PE vector, which is as sure a privilege escalation path as it gets.

The privilege escalation stage wasn't actually straightforward for me, as I struggled with exploiting the script found in /usr/local/sbin.

With the help of pspy, I learned how the script was being executed (as you can see above).

The lsattr command shows the extended attributes of a file, and in this case:

svc_acc@late:/usr/local/sbin$ lsattr ssh-alert.sh

-----a--------e--- ssh-alert.sh

the "a" attribute indicates that we can append to the file.