![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/late.png?w=1024)
Run nmap scan to see which ports are open and which services are running on those ports.
- -sC: run default nmap scripts
- -sV: enumerate service version
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-19-at-11.43.39.png?w=1024)
The result shows that three ports are open.
- Port 22 running SSH
- Port 80 running HTTP
Visit the HTTP service.
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-19-at-11.44.11.png?w=1024)
Check the page source and get the domains.
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-19-at-11.45.17.png?w=1024)
Add the domains into the hosts file.
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-19-at-11.51.03.png?w=1022)
Visit images.late.htb. We see that there is an image-to-text converter. The app parses the text in an uploaded image and returns it together with the metadata.
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-19-at-11.51.22.png?w=1024)
Because the app uses Flask, it might be vulnerable to Server-Side Template Injection (SSTI).
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-19-at-11.52.34.png?w=1024)
To check whether it is vulnerable to SSTI, we create a test payload.
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-19-at-11.55.21.png?w=1024)
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-19-at-11.56.16.png?w=1024)
We get back the following output: the expression has been evaluated and the result is 49.
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-19-at-12.04.30.png?w=876)
We also identified that Jinja2 is used as the template engine and that it is vulnerable to SSTI.
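The root cause above is user-controlled text being spliced into the template source that Jinja2 renders, so an arithmetic probe such as `{{7*7}}` comes back as `49`. As an added defender-side example (written for this post, not code from the target or from Flask/Jinja2), the following Python helper gates user text before it can reach a template, and includes a log-review check that tells an echoed probe apart from an evaluated one. The sample OCR outputs are constructed, and the function names are hypothetical.

```python
"""Pre-render guard for user-controlled text in a Flask/Jinja2 app.

Hypothetical helper written for this post. Text extracted from an uploaded
image must never be concatenated into a template *source* string; it should
be passed as a context variable instead. Any Jinja2 delimiter in that text
is treated as an injection attempt and the request is refused and logged.
"""
import re

# Jinja2 expression, statement and comment delimiters.
_OPEN_DELIM = re.compile(r"\{\{|\{%|\{#")
_FULL_CONSTRUCT = re.compile(r"\{\{.*?\}\}|\{%.*?%\}|\{#.*?#\}", re.DOTALL)
# The arithmetic canary the post uses ({{7*7}}), generalised to any product.
_ARITH_PROBE = re.compile(r"\{\{\s*(\d+)\s*\*\s*(\d+)\s*\}\}")


def find_template_syntax(text: str) -> list[str]:
    """Return every complete Jinja2 construct found in user text."""
    return _FULL_CONSTRUCT.findall(text)


def has_template_syntax(text: str) -> bool:
    """True if any opening delimiter is present, even an unterminated one
    (OCR frequently truncates or mangles the closing braces)."""
    return _OPEN_DELIM.search(text) is not None


def guard_user_text(text: str) -> str:
    """Call this before any render that builds its template from user input.
    Raises on suspicious input so the request is rejected, not rendered."""
    if has_template_syntax(text):
        found = find_template_syntax(text) or text
        raise ValueError(f"template syntax in user input: {found!r}")
    return text


def probe_was_evaluated(sent: str, received: str) -> bool:
    """Log-review helper: given what a client submitted and what the app
    returned, report whether an arithmetic canary came back evaluated.
    {{7*7}} echoed verbatim is harmless; 49 in its place means the engine
    executed attacker-controlled template code."""
    m = _ARITH_PROBE.search(sent)
    if m is None:
        return False
    product = str(int(m.group(1)) * int(m.group(2)))
    return m.group(0) not in received and product in received


# Constructed sample OCR outputs for the example; not taken from the target.
SAMPLES = {
    "benign": "Invoice 2022-06-19 total: 49.00 EUR",
    "canary": "{{7*7}}",
    "statement": "{% for x in y %}x{% endfor %}",
    "truncated": "hello {{ 7*7",
}


def scan_samples(samples: dict[str, str] = SAMPLES) -> dict[str, bool]:
    """Map each sample name to whether the guard would reject it."""
    return {name: has_template_syntax(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, flagged in scan_samples().items():
        print(f"{name:10} -> {'REJECT' if flagged else 'ok'}")
    print("canary evaluated:", probe_was_evaluated("{{7*7}}", "49"))
```

The guard is deliberately strict: a benign document that happens to contain `{{` is rejected rather than rendered, because the real fix is structural (pass the text as a template variable), and the regex exists only to catch code paths that still build template strings by hand.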
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-19-at-12.05.15.png?w=1024)
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-19-at-12.07.19.png?w=1024)
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-19-at-12.07.54.png?w=1024)
We get a hold of the /etc/passwd file.
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-19-at-12.08.26.png?w=1024)
Identify the users.
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-19-at-12.09.46.png?w=1024)
We create a new payload that reads files belonging to the user svc_acc.
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-19-at-12.10.03.png?w=1024)
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-19-at-12.10.49.png?w=1024)
Get the private key.
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-19-at-12.11.16.png?w=1024)
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-19-at-12.11.45.png?w=991)
SSH in as user svc_acc.
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-19-at-12.12.34.png?w=1024)
We successfully obtain the user flag.
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-19-at-12.12.51.png?w=936)
PRIVILEGE ESCALATION
Time to escalate our privileges. To do so, we download the linpeas.sh script to enumerate the box.
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-19-at-12.13.44.png?w=1024)
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-19-at-12.14.52.png?w=1024)
One file stands out. Let’s review it.
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-19-at-12.28.45.png?w=1024)
It runs every time an SSH connection is established.
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-19-at-12.29.15.png?w=1024)
We look at the permissions of the file; they do not allow us to write to it.
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-19-at-12.29.45.png?w=1024)
Check the file attributes by using lsattr to find out more.
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-19-at-12.30.28.png?w=1024)
Even though we are not able to overwrite the file, we are able to append to it (the file carries the append-only attribute). So we create a new file containing a reverse shell payload and append its contents to the file.
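The lesson for defenders is that `chattr +a` is not a substitute for correct ownership and mode: append-only blocks truncation and rewriting, but a shell interpreter executes whatever gets appended. As an added example (written for this post, not from the box or from linpeas), the following Python audit parses `lsattr` output, pairs it with file ownership, and flags append-only scripts that privileged hooks execute while a non-root user can still append to them. The sample `lsattr` lines, the paths and the owner map are constructed; `ROOT_EXECUTED` is an assumption standing in for the list of scripts an administrator knows run as root.

```python
"""Audit helper: append-only scripts that privileged code executes.

Hypothetical code written for this post. Parses `lsattr` output (format:
`<flag string> <path>`, one line per file) and cross-checks it against a
set of paths that run as root, e.g. hooks fired on every SSH login.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AttrEntry:
    flags: str
    path: str

    @property
    def append_only(self) -> bool:
        return "a" in self.flags

    @property
    def immutable(self) -> bool:
        return "i" in self.flags


def parse_lsattr(output: str) -> list[AttrEntry]:
    """Parse `lsattr` text. Error lines (prefixed 'lsattr:') are skipped."""
    entries = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("lsattr:"):
            continue
        flags, _, path = line.partition(" ")
        entries.append(AttrEntry(flags, path.strip()))
    return entries


def audit(entries: list[AttrEntry], root_executed: set[str],
          owner_of: dict[str, str]) -> list[str]:
    """Return paths that root executes, that are append-only but not
    immutable, and that are owned by a non-root user. Each one is a place
    where a low-privilege user can add commands that root will run."""
    findings = []
    for e in entries:
        if (e.path in root_executed and e.append_only and not e.immutable
                and owner_of.get(e.path, "root") != "root"):
            findings.append(e.path)
    return findings


def remediation(path: str) -> list[str]:
    """Commands that close the hole: drop append-only, hand the file to
    root with a non-writable mode, then make it immutable."""
    return [f"chattr -a {path}", f"chown root:root {path}",
            f"chmod 0755 {path}", f"chattr +i {path}"]


# Constructed sample data; paths and owners are placeholders, not the box's.
SAMPLE_LSATTR = """\
-----a--------e------- /usr/local/sbin/ssh-login-hook.sh
-----a--------e------- /usr/local/sbin/motd-update.sh
----i---------e------- /etc/ssh/sshd_config
lsattr: Operation not supported While reading flags on /proc/1/status
"""
ROOT_EXECUTED = {"/usr/local/sbin/ssh-login-hook.sh",
                 "/usr/local/sbin/motd-update.sh"}
OWNER_OF = {"/usr/local/sbin/ssh-login-hook.sh": "svc_acc",
            "/usr/local/sbin/motd-update.sh": "root",
            "/etc/ssh/sshd_config": "root"}


def run_sample_audit() -> list[str]:
    """Run the audit over the constructed sample and return the findings."""
    return audit(parse_lsattr(SAMPLE_LSATTR), ROOT_EXECUTED, OWNER_OF)


if __name__ == "__main__":
    for path in run_sample_audit():
        print(f"FINDING: {path} is append-only and root runs it")
        for cmd in remediation(path):
            print("   ", cmd)
```

In practice the `lsattr` text comes from `lsattr -R` over the directories that hold login hooks, and the owner map from `stat`; the check deliberately ignores root-owned append-only files, since those cannot be appended to by an unprivileged user.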
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-19-at-12.49.51.png?w=1024)
Our netcat listener is waiting on port 9898.
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-19-at-13.02.55.png?w=1024)
Let’s SSH into the box again in order to trigger the execution of the SSH alert file by root.
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-19-at-12.49.58.png?w=1002)
We get a reverse shell back.
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-19-at-12.50.31.png?w=888)
We successfully get the root flag.
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-19-at-12.50.44.png?w=738)
Thank you for your time.