HackTheBox Writeup — Late

Faisal Husaini
4 min readSep 6, 2022

--

Hello Guys , I am Faisal Husaini. My username on HTB is “fa1sal” . Also join me on discord.

The IP of this box is 10.10.11.156

Port Scan / Enumeration

nmap -sC -sV -p- -Pn --min-rate=10000 -oN nmap 10.10.11.156

Way to User

Since we found Port 80 Open for Web, I checked the web part running on the machine

Scrolling down below, we found two hostnames, one on the text link and other on the support details, i.e, late.htb and images.late.htb

Adding the two hosts to my hosts files on my local kali

Accessing the images.late.htb host, we get a new webpage containing a file image upload which converts images to text and also looking closely it says that it uses Flask to do it

I am uploading a test image which contains some text to test how the functionality works

After uploading and scanning, the web downloads a text file and contains the text which was on the image, although from the test image which I uploaded had more text but the functionality couldn’t render it all

Since it uses Flask to convert the image to text so it gave me a hint to test for a potential SSTI, so I used an online text to image to create a payload for SSTI on an image

Now uploading the image created to the file upload

It downloads a new file as results.txt like before

From the output we can see that our SSTI payload worked and it got executed

So I created a new payload which will perform a remote code execution by running the id command

Getting the file, we can see our code execution worked successfully as we got the output for id command

Now modifying the payload to get a reverse shell and uploading the image

Checking back the netcat listener, we got the reverse shell successful

Getting the user flag from the home directory of the user

Way to Root

Running linpeas, I found some writeable paths

Also running PSPY, I noticed that the script ssh-alert.sh is running whenever someone connects with ssh

There was a same replica script on the user’s home directory as well, from the code we can see that

Since we had writable permissions over the file and path, I appended my reverse shell code on the bash script

Now using my private ssh keys to connect to the machien through SSH and we can see some weird behaviour

Checking back my netcat listener, I got reverse shell as root

The flag is located at root’s home directory

--

--

Faisal Husaini

Hacker | Red Teamer | Python Coder | Gamer | Reverse Engineering Lover