Late
Date: 22/05/2022
Difficulty: EASY
CTF: https://app.hackthebox.com/machines/Late
Let’s start sending a ping to the target IP:
We receive the ping back and we can see that the TTL value is 63, so the target machine is Linux.
Let’s scan all TCP ports of the target IP machine and see which ones are open:
It reports 2 open ports: 22 (probably SSH) and 80 (probably HTTP).
Let’s run some basic enumeration scripts to detect the services and the versions that are running on these ports:
Port 22 is running OpenSSH 7.6p1. If we do a quick search of that version on Launchpad:
We can see that the target machine may be running Ubuntu Bionic. We’ll see later if it matches.
Port 80 is running an HTTP service and it appears to be nginx 1.14.0. Let’s launch a whatweb scan against that service:
In the email address, we can see that it is using the domain late.htb, so let’s add it to the /etc/hosts file on our machine:
Now, let’s visit the webpage by IP and by the domain late.htb to see if there is any difference (in this case the page displayed seems to be the same).
Taking a look at the main webpage, I discover a link that redirects us to the subdomain images.late.htb:
Let’s add it to the /etc/hosts file and visit it:
Interesting, it seems to be an online service for converting images to text, built with a tool named Flask. There is a field where we can select a file from our machine and a button that starts the scan process…
Let’s test it with a valid image with text to see what happens:
I have uploaded a PNG file with the text “Hi, I’m Angel LM!” and after clicking on the SCAN IMAGE button the site asks me to download the results… Let’s see what’s inside:
Pretty close to the text!
Let’s investigate Flask. According to Wikipedia, Flask is a micro web framework written in Python that allows creating web apps.
As we saw earlier, this app takes an image, finds the text inside it, and sends us the result as HTML: <p> THE RESULT </p>
Maybe we can inject code as a file, inside the file name, or as text in an image.
Let’s use Burp Suite to intercept a request and see more info:
Apparently it is sending the image data by POST to /scanner.
Let’s try to upload a TXT file to the form.
An “invalid extension” error shows up any time I try to upload a file that doesn’t have an image file extension.
What if I change the extension to .jpg, creating an invalid image?
Mmm… is there some information leakage? Apparently there is a user named svc_acc on the target machine. The files I send to the scanner are being saved in the /home/svc_acc/app/uploads/ folder.
Ok, so there is no way to upload a malicious file. What about injecting the code inside the image? If we create an image of code that could be executed by the framework, we get RCE and maybe we can get a reverse shell afterwards.
I found this interesting article on HackTricks: https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection.
The first step is to find out whether there is a Server Side Template Injection (SSTI) vulnerability.
To do so, I prepared this image:
And received this response from the scan web tool:
Apparently, the string {{7*7}} is being evaluated, so it is vulnerable to SSTI. Nice.
Now, let’s do some more checks to identify the template engine.
Apparently, Flask uses Jinja2 by default, but let’s check it:
Seems to be Jinja2.
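As an added illustration (not the author’s code nor the target app’s), this is the Jinja2 rendering pattern that produces the behaviour seen above, beside its fix: the vulnerable function builds the template source from the OCR text, while the safe one keeps the template constant and passes the text as a variable. The OCR strings and the detection helper are constructed assumptions; Flask’s render_template_string uses this same engine.

```python
"""Flask/Jinja2 SSTI: the vulnerable pattern beside its fix (hypothetical app code)."""
import re

from jinja2 import Environment

# Constructed samples: text an OCR step might return from an uploaded image.
OCR_OUTPUT_BENIGN = "Hi, I'm Angel LM!"
OCR_OUTPUT_PROBE = "{{7*7}}"


def render_vulnerable(ocr_text: str) -> str:
    # BUG: untrusted text is concatenated into the template *source*, so Jinja2
    # parses and evaluates any {{ ... }} / {% ... %} it contains.
    # Flask's render_template_string(f"<p>{ocr_text}</p>") behaves the same way.
    env = Environment()
    return env.from_string(f"<p>{ocr_text}</p>").render()


def render_safe(ocr_text: str) -> str:
    # FIX: the template source is a constant; the untrusted text is supplied as
    # a variable, so it is only ever output (and HTML-escaped), never parsed.
    env = Environment(autoescape=True)
    return env.from_string("<p>{{ text }}</p>").render(text=ocr_text)


# Jinja2 delimiters: expressions, statements and comments.
_TEMPLATE_SYNTAX = re.compile(r"\{\{.*?\}\}|\{%.*?%\}|\{#.*?#\}", re.S)


def looks_like_template_probe(text: str) -> bool:
    # Detection aid: flag OCR output that carries template delimiters so the
    # upload can be logged or alerted on, even once the rendering bug is fixed.
    return _TEMPLATE_SYNTAX.search(text) is not None


if __name__ == "__main__":
    for sample in (OCR_OUTPUT_BENIGN, OCR_OUTPUT_PROBE):
        print("vulnerable:", render_vulnerable(sample))
        print("safe:      ", render_safe(sample))
        print("flagged:   ", looks_like_template_probe(sample))
```

The vulnerable function turns {{7*7}} into 49 exactly as the scanner did; the safe one returns the literal text.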
In the HackTricks article, there are some examples of reading remote files by exploiting Jinja2:
And examples of RCE:
The scanning app doesn’t recognize the text very well and it throws errors every time I try to upload an image with executable code, and it’s hard to know where it failed. To deal with this, I removed the {{ }} from the text and modified the text size over and over until the text I wrote was the same as the text I received.
Monospace 36 with kerning adjustments in some parts.
I tried to launch a reverse shell in multiple ways: bash, python, netcat… but none succeeded, so I’ll do manual enumeration via SSTI, I guess…