Initial nmap scan
# Nmap 7.91 scan initiated Sat Apr 23 22:30:10 2022 as: nmap -sC -sV -p- -v -oN full_tcp.nmap 10.129.164.95
Nmap scan report for 10.129.164.95
Host is up (0.047s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 02:5e:29:0e:a3:af:4e:72:9d:a4:fe:0d:cb:5d:83:07 (RSA)
|   256 41:e1:fe:03:a5:c7:97:c4:d5:16:77:f3:41:0c:e9:fb (ECDSA)
|_  256 28:39:46:98:17:1e:46:1a:1e:a1:ab:3b:9a:57:70:48 (ED25519)
80/tcp open  http    nginx 1.14.0 (Ubuntu)
|_http-favicon: Unknown favicon MD5: 1575FDF0E164C3DB0739CF05D9315BDF
| http-methods:
|_  Supported Methods: GET HEAD
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Late - Best online image tools
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Apr 23 22:31:40 2022 -- 1 IP address (1 host up) scanned in 89.82 seconds
Homepage of web app running on port 80.
The homepage references images.late.htb, so I added that to /etc/hosts and navigated to it in the browser, and voilà, another valid vhost/subdomain.
Flow: upload an image -> the app creates a .txt file containing the text that was in the image.
After some google fu I came across this article, which seems to be doing more or less the same thing and using the same technologies as the web app (Flask + OCR + pytesseract): https://firstname.lastname@example.org/building-a-flask-web-application-to-extract-text-from-images-3f761f4880d9. It shows that the extracted text is rendered through a Flask template. Spidey senses tingle with SSTI. So can we get an SSTI payload in via an image? Let's try.
Upload this picture:
And we have SSTI!
The application sends back a .txt file with the results.
After some noodling I finally got OS shell commands to work. The payload is from https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jinja2; it is context-free, which was necessary since dumping all the loaded classes with the standard SSTI payload was not working.
Now let's try to get a reverse shell.
Voila! RCE thru an image to an optical character recognition system. Who woulda thunk it.
Grab dat ssh private key.
linpeas showed a weird shell script at /usr/local/sbin.
Reading through the shell script, the idea seems to be that it alerts when someone ssh's into the machine (hence the name).
Let's use pspy to monitor whether it is actually being run (ssh-alert.sh).
The script is writable by svc_acc, so theoretically, after adding chmod u+s /bin/bash to the end of the script and then ssh'ing in, you should see that the suid bit is set on /bin/bash.
So then just run /bin/bash -p (-p to keep permissions) and voilà! root.
- Even with new technologies like OCR, injection attacks will remain relevant because of the nature of the attack. Injection attacks by definition occur when you (the developer) pass tainted user data to another interpreter. An interpreter in this context is any other system that cannot differentiate between data and code, a fundamental computer security issue. This is true for databases (SQLi), the OS (command injection), templating engines (SSTI), etc.
- You shouldn’t leave scripts running as root that are writable by other users.
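To make the first takeaway concrete, here is an added example (not the box's code, and not from the Medium article) of the Flask/Jinja2 pattern that produces the SSTI above, next to the fix: the OCR output is a constructed string standing in for what pytesseract would return, and the fix keeps the template fixed and passes the OCR text in as a variable. Requires the jinja2 package.

```python
import re

from jinja2 import Environment

# Constructed stand-in for pytesseract output from an uploaded image. Anything a
# user can get into the image ends up here, so it is tainted data.
OCR_TEXT = "Invoice total: {{ 7 * 7 }}"

# Fixed template: the OCR text is referenced as a variable, never spliced in.
RESULT_TEMPLATE = "<pre>{{ text }}</pre>"

# Jinja delimiters that have no business appearing in a scanned invoice.
TEMPLATE_SYNTAX = re.compile(r"\{\{|\{%|\{#")


def render_vulnerable(ocr_text: str) -> str:
    """Templates the OCR output itself (render_template_string(ocr_text) in Flask).

    Jinja2 parses the string as a template, so {{ ... }} in the image is
    evaluated on the server: the data has become code.
    """
    env = Environment()
    return env.from_string("<pre>" + ocr_text + "</pre>").render()


def render_safe(ocr_text: str) -> str:
    """Renders a fixed template and passes the OCR text as a variable.

    The text is only ever substituted, never parsed; autoescape additionally
    neutralises HTML when the result is shown in a browser.
    """
    env = Environment(autoescape=True)
    return env.from_string(RESULT_TEMPLATE).render(text=ocr_text)


def contains_template_syntax(text: str) -> bool:
    """Cheap detection signal: log or alert when OCR output carries Jinja delimiters."""
    return TEMPLATE_SYNTAX.search(text) is not None


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(OCR_TEXT))  # the expression is evaluated
    print("safe:      ", render_safe(OCR_TEXT))        # the text comes back verbatim
    print("suspicious:", contains_template_syntax(OCR_TEXT))
```

The vulnerable path returns the evaluated expression, while the safe path returns the OCR text unchanged; the same fix applies to any place where user-controlled text is concatenated into a template string.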