Hack The Box - Late Walkthrough.
Today, we are going to look at one of the easy machines from Hack The Box’s platform. When approaching machines like this, where we have no information about it (sort of a black box pentesting), it is best to use your notekeeping skills & write down any information that might be useful in the future exploitation.
Let’s start off by first connecting to the HTB OpenVPN and verifying that we can ping the machine. I like to always add the IP address of the machine to my environment variables and then use it in my active scanning.
Time for initial scanning. I always like to quickly scan through all the open ports.
Once I know the open ports, I will scan them thoroughly. I like using the -A flag with nmap, as it enables OS detection, version detection, script scanning and traceroute. This will give us enough information for further research.
After a thorough scan, we always want to go for the more “juicy” potential weaknesses. We know that SSH is usually not very vulnerable and is not a promising starting point, however this machine is running a website on port 80. We also know that it is running on nginx (v1.14.0) and the operating system is Ubuntu.
Let’s now have a further look at the website and try to find potential vulnerabilities. Usually what I will do in this case is start Burp Suite and crawl the website, then go through all the findings to find potential vulnerabilities. I would also fire up gobuster and try to find any directories that might be of interest. However, in this case, navigating through the website and looking through the source code, we can see a link:
Obviously, navigating to this link will give us a “page not found”. This is because it is a sub-domain of the website, and there is no DNS entry for it. To access it, we have to edit our hosts file in Kali, like so:
This has to be done with root privileges, as a normal user cannot edit this file. For a more detailed explanation, please refer to the below link:
hosts File Format for TCP/IP.
Now it is time to navigate to the webpage.
Okay, first things first. This webpage already has a vulnerability — information disclosure. We know that this image-to-text converter uses Flask. Before we explore any vulnerabilities, we want to know how this works, what kind of files it accepts, the different filters that we have to go through and the potential ways to use this image-to-text converter to either expose sensitive information or get a shell on the server.
Let’s download a normal picture with text and see the output that we will get. I use the below picture (png format).
I want to upload it and see what the website will do for me. The website processes the picture and returns a results.txt file with the below output:
This straight away has to ring a bell in your head. This Flask application processes the text in the image and returns it inside an HTML paragraph. Well, if you have some programming knowledge of Python (Django and Flask), then you will know that we can embed Python-like expressions within HTML templates using double curly braces. This is similar to JSX in React, where you can use JavaScript inside HTML with single curly braces.
Let’s see if what we actually think is true, and create an image of our own. I will open LibreOffice Writer and write {{7*7}}. In Kali we can use the pre-installed “screenshot” application to take a screenshot of the text and save it. Once we upload the image, if the application is vulnerable it should return a results.txt containing 49; however, it does not.
We get back the following output:
It looks like the first curly braces have been read by the application as an “L” and the last ones as a “5”: the OCR step mangled the payload before it ever reached the template engine. Let’s play with the styling in LibreOffice Writer and make the text bigger and more clearly readable. I use the “Fira Code” font (as the text looks clearly readable) with a font size of 36pt.
We upload again, and voila:
Since the web application evaluates template expressions that we control, we will need to do some research into this vulnerability and find out how we can use it to our advantage. If you have been in the penetration testing field for some time, you will know that this vulnerability is called SSTI (Server-Side Template Injection). A server-side template injection occurs when an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side.
Anyway, knowing what the vulnerability is and the fact that it exists doesn’t mean by itself that we can just magically exploit the server. A “one size fits all” approach will not be sufficient.
Deep-diving further into HackTricks, we come across some quite useful information. There are a few SSTI examples for Mako, Jinja2 and Tornado (these are templating engines used in Python applications). We should know that Jinja2 is the most common templating engine used in Flask applications. This is why I will try the tricks for arbitrary command execution in the Jinja2 templating engine.
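To make clear why the {{7*7}} probe returned 49, here is an added example (not code from the post or from the Late machine) that reproduces the vulnerable pattern in Jinja2, the engine Flask uses, beside the corrected version. It assumes the jinja2 package is installed and uses a constructed string in place of the real OCR output; Flask’s render_template_string behaves the same way as the from_string call used here.

```python
# Added example, not the original application's code. Assumes jinja2 is installed.
from jinja2 import Environment

env = Environment(autoescape=True)

# Constructed sample inputs standing in for what the image-to-text step extracted.
OCR_TEXT_BENIGN = "Hello from the image"
OCR_TEXT_PROBE = "{{7*7}}"          # the probe used in the walkthrough


def render_vulnerable(ocr_text: str) -> str:
    """The SSTI pattern: the OCR output is spliced into the template *source*,
    so any template syntax in the image is parsed and evaluated by Jinja2."""
    template_src = "<p>" + ocr_text + "</p>"
    return env.from_string(template_src).render()


def render_fixed(ocr_text: str) -> str:
    """The fix: the template stays static and the OCR output is passed in as a
    context variable, so Jinja2 treats it as data (and autoescape HTML-escapes it)."""
    template_src = "<p>{{ text }}</p>"
    return env.from_string(template_src).render(text=ocr_text)


def probe_evaluated(render) -> bool:
    """Regression check for the converter's own test suite: feed the {{7*7}}
    probe and report whether the engine evaluated it (returns 49) instead of
    displaying it verbatim."""
    return "49" in render(OCR_TEXT_PROBE)


if __name__ == "__main__":
    for text in (OCR_TEXT_BENIGN, OCR_TEXT_PROBE):
        print("vulnerable:", render_vulnerable(text))
        print("fixed:     ", render_fixed(text))
    print("vulnerable evaluates probe:", probe_evaluated(render_vulnerable))
    print("fixed evaluates probe:     ", probe_evaluated(render_fixed))
```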
We have the following options:
Dump all used classes, dump all config variables, read a remote file, write into a remote file, remote code execution, exploit the SSTI by calling subprocess.Popen, and more.
To exploit the SSTI by calling subprocess.Popen, there is a very good video by John Hammond, who walks you through finding the subprocess class and using it for remote code execution to gain access to the server.
If you do not know what subprocesses are in Python, refer to the documentation: