Donald Ashdown

Hack the Box - Late

Engagement flow

Enumeration

We start off with a standard enumeration phase, which reveals a narrow attack surface. This will almost certainly lead to some form of web exploitation: compared with port 80, port 22 is very rarely exploited directly. SSH is typically an entry point used with compromised credentials and is rarely exploited via a CVE.

Image - Port Scanning results


Before we dive into the website, it is often wise to run an automated enumeration tool, which collects more in-depth information and can take 30-40 minutes to finish. This can greatly assist our engagement by finding hidden directories, version numbers, application information and obscure ports.

A good one is AutoRecon, which is available on GitHub and will be used in this engagement.

Image - autorecon


With AutoRecon gathering information in the background, our efforts are best directed towards reviewing the website. Typically we will identify a web application which, upon further investigation, reveals a function or version that is vulnerable. Browsing to our target, we can see the website is very basic.

Image - Landing page on port 80


Reviewing the website reveals a link that directs us to a photo editing tool.

Image - Photo editor hyperlink


In order to browse to this site we have to add the hostname from the URL to our /etc/hosts file. This makes our machine resolve images.late.htb to the target IP address, since the hosts file is consulted before DNS.

Image - resolving name


With the hostname now resolving to the target, we are presented with the online photo editing tool.

Image - Image convert application


Web App Enumeration

Using Burp Suite, a web application testing tool, we can look further into the site and the application. Intercepting this GET request and inspecting the response shows that the image converter relies on Flask in the backend.

Image - Burpsuite scanner button


We observe that the Flask web application framework is running in the backend. A big reason people use Flask is that it is a Python micro-framework designed to keep things simple.

Image - Flask application reference


Next we have an interactive element on the website. This will most likely be the focus of our efforts. I do want to point out that the application advertises that it is running on Flask, which is displayed in the top right.

Image: Convert image to text



Server side template injection - Testing

With Flask running, there is a strong chance we are dealing with server-side template injection, or SSTI for short. We can test this by following a common methodology found here:

https://medium.com/@nyomanpradipta120/ssti-in-flask-jinja2-20b068fdaeee


By the looks of this website, it offers to turn our image into a text document. This suggests that if we upload an image containing text, the application will parse the image and return its contents as a .txt document.


Although we can assume this is the function, we will still test and play around with the web application. We will do this by creating a text file, taking a screenshot of it and saving the screenshot as a .png. This should result in the app returning a text document containing the characters found in our PNG.


I created the image using the screenshot tool Flameshot, which allowed me to type into a .txt file and snip a screenshot of it. Saving this to a .png file originally didn't work, however when I increased the font size, it worked.

Image - Test payload


We upload this to our image converter and execute the scan image function.

Image - Convert image to text


This results in a file being downloaded that shows our image content in .txt format.

Image - results.txt


With a basic understanding that our web application parses images, extracts the characters and represents them in a .txt file, there is a bit of an assumption or speculation that Flask templates


The way to test this is to pass the most basic SSTI probe, {{7*7}}, as text inside an uploaded image.

Image - SSTI testing


With the use of Burp Suite, we can already see that the web app has parsed our {{7*7}} text out of the image.

Image - Burp request of SSTI test


Uploading and scanning this on the web application produces a results.txt file showing 49, which means the template engine evaluated our expression and we have code execution.

Image - SSTI results.txt
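To make the {{7*7}} result above concrete, here is the template pattern that produces it beside the fixed form. This is an added example, not code from the writeup or from the Late box; it assumes Jinja2 is installed and uses a constructed string standing in for the OCR output.

```python
from jinja2 import Environment, BaseLoader

# Constructed stand-in for the text the OCR step pulls out of an uploaded
# image, with the {{7*7}} probe from the writeup embedded in it.
SAMPLE_OCR_TEXT = "scanned note {{7*7}}"

def render_vulnerable(ocr_text: str) -> str:
    """Concatenates untrusted text into the template SOURCE. Flask's
    render_template_string() behaves the same way, so any {{ ... }} or
    {% ... %} that came out of the image is evaluated by Jinja2: SSTI."""
    env = Environment(loader=BaseLoader())
    return env.from_string("Results:\n" + ocr_text).render()

def render_fixed(ocr_text: str) -> str:
    """Keeps the template source constant and hands the text over as a
    variable, so Jinja2 treats it as data rather than code. If the result
    were rendered into HTML instead of a .txt file, also set autoescape=True."""
    env = Environment(loader=BaseLoader())
    return env.from_string("Results:\n{{ text }}").render(text=ocr_text)

def contains_template_syntax(ocr_text: str) -> bool:
    """Detection hook for logging/alerting: OCR output from a legitimate
    image has no reason to contain Jinja2 delimiters."""
    return any(marker in ocr_text for marker in ("{{", "{%", "{#"))
```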


Server Side Template Injection - Execution

We can reference PayloadsAllTheThings to narrow down and select a payload tailored to the Jinja2 template engine running within Flask. We receive an error about the application's parsing at position 43. Counting from 0, I arrived at the second of the two single quotes, which was quite odd.

Image - Payload testing


Next we will test this by removing the quotes and seeing what happens.

Image - Payload testing



Removing the parentheses allowed it to render, since without them the engine is not trying to evaluate a variable or expression.

Image - Payload testing



We re-append the quotes, upload the image and confirm that the quotes were not the problem.

Image - Payload testing



From here I added the parentheses back, without the additional whitespace, and it worked! We have command execution.

Image - Payload testing



From here we have several options: we can go straight for a reverse shell, either with or without a callback to our listening server, we can enumerate the host with read commands, or we can even attempt to upload a webshell. In this exercise we will view the /etc/passwd file to learn which users are on this machine.

Image - Payload testing



By checking for an SSH key under that user's home directory, we are able to gain access via SSH.

Image - Payload testing


We connect in via SSH for user access.


Privilege escalation

It is par for the course to transfer LinPEAS to help with the internal enumeration process.

Image - Linpeas internal enumeration


The linpeas.sh script is served via a python3 HTTP server on our local host and fetched with the wget command from the compromised host.

Image - Linpeas internal enumeration


As we review the results of LinPEAS, we notice that a script, "ssh-alert.sh", has been flagged.

Image - Linpeas internal enumeration


Reviewing this script reveals that it is designed to alert on a successful SSH connection.

Image - ssh-alert script


We also notice a cron job executed by root.

Image - Cron Job executed by root


Running pspy allows us to learn what is executing on the box and when.

Image - Loading PSPY


We can see that root (UID=0) is executing ssh-alert.sh.

Image - PSPY

We simply append a bash reverse shell to ssh-alert.sh and wait for it to execute, with a listener on the other end.

Image - Appending reverse shell
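The misconfiguration that makes this step work is a root cron job running a script that a low-privileged user can modify. The following check, added here as an example and not part of the writeup or the box, walks system-crontab-style text for script paths and flags any regular file that is not owned by the job's user or is group/other writable; the crontab lines and script files are constructed in a temporary directory.

```python
import os
import stat
import tempfile

SCHEDULE_FIELDS = 5  # minute hour day-of-month month day-of-week

def script_paths(crontab_text: str, has_user_field: bool = True):
    """Yield absolute paths named in a crontab. /etc/crontab and /etc/cron.d
    entries carry a user field after the five schedule fields."""
    skip = SCHEDULE_FIELDS + (1 if has_user_field else 0)
    for line in crontab_text.splitlines():
        fields = line.split()
        # skip blanks, comments and VAR=value lines
        if not fields or fields[0].startswith("#") or "=" in fields[0]:
            continue
        for token in fields[skip:]:
            if token.startswith("/"):
                yield token

def writable_by_others(path: str, owner_uid: int = 0) -> bool:
    """True if a user other than the cron job's owner could modify the
    script: wrong owner, or the group/other write bit is set."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    if not stat.S_ISREG(st.st_mode):  # ignore /dev/null, directories, etc.
        return False
    return st.st_uid != owner_uid or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def find_weak_cron_scripts(crontab_text: str, owner_uid: int = 0):
    return sorted(p for p in set(script_paths(crontab_text)) if writable_by_others(p, owner_uid))

def demo():
    """Constructed scenario: a root entry running a world-writable alert
    script next to one with sane permissions. Files are owned by the
    current user, so owner_uid is set to match and the result is deterministic."""
    d = tempfile.mkdtemp()
    weak = os.path.join(d, "ssh-alert.sh")
    fine = os.path.join(d, "backup.sh")
    for path, mode in ((weak, 0o777), (fine, 0o755)):
        with open(path, "w") as f:
            f.write("#!/bin/bash\n")
        os.chmod(path, mode)
    crontab = (
        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\n"
        "# constructed /etc/crontab-style entries\n"
        f"* * * * * root {weak}\n"
        f"0 2 * * * root {fine} > /dev/null 2>&1\n"
    )
    return find_weak_cron_scripts(crontab, owner_uid=os.getuid()), weak
```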


Image - Root

