
# Late

## Recon

### nmap scan

```
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 02:5e:29:0e:a3:af:4e:72:9d:a4:fe:0d:cb:5d:83:07 (RSA)
|   256 41:e1:fe:03:a5:c7:97:c4:d5:16:77:f3:41:0c:e9:fb (ECDSA)
|   256 28:39:46:98:17:1e:46:1a:1e:a1:ab:3b:9a:57:70:48 (ED25519)
80/tcp open  http    syn-ack ttl 63 nginx 1.14.0 (Ubuntu)
|_http-favicon: Unknown favicon MD5: 1575FDF0E164C3DB0739CF05D9315BDF
|_http-title: Late - Best online image tools
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-server-header: nginx/1.14.0 (Ubuntu)
```

### Manual Analysis

- email → support@late.htb
- added images.late.htb and late.htb to /etc/hosts
- designed by “kavi.gihan”
- I used WhatWeb to identify what services the web application is using and got:

```
root@Offsec:~/Desktop/machine# whatweb http://late.htb
http://late.htb [200 OK] Bootstrap[3.0.0], Country[RESERVED][ZZ], Email[#,support@late.htb], Google-API[ajax/libs/jquery/1.10.2/jquery.min.js], HTML5, HTTPServer[Ubuntu Linux][nginx/1.14.0 (Ubuntu)], IP[10.10.11.156], JQuery[1.10.2], Meta-Author[Sergey Pozhilov (GetTemplate.com)], Script, Title[Late - Best online image tools], nginx[1.14.0]

root@Offsec:~/Desktop/machine# whatweb http://images.late.htb
http://images.late.htb [200 OK] Bootstrap, Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][nginx/1.14.0 (Ubuntu)], IP[10.10.11.156], JQuery[3.4.1], Script[text/javascript], Title[Image Reader], X-UA-Compatible[ie=edge], nginx[1.14.0]
```

#### I visited “images.late.htb”

![](/files/L27utiLZi7vAcMdG07TJ)

#### It looks like we can upload images on the site. I uploaded a simple image first, and some malicious ones also, but this is not the vulnerability I was thinking of. I researched online and found <https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection>; this type of vulnerability is called SSTI (Server Side Template Injection). From here I used this screenshot to upload to the server.

![](/files/aDFTqLFXDFhnUDXk6kSv)

And boom!! Magic, we got our maths calculated.

![](/files/9ovuEZBrCd7NEzdSrAxf)

And after turning off the intercept from burp and moving to the webpage we will be awarded with a “results.txt” file.

![](/files/TRQP4wJfr1dN6UQ7YMb8)

which contains the same data that we get from Repeater.

![](/files/sL9EJZpA9coqOhmFZFEq)

So, this is the time to move forward with this attack.

Now I used this :thumbsup:

![](/files/jPBOwSDc4brkc8xxetp0)

to see if we can read the content of the passwd file, and we succeeded.

```
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
svc_acc:x:1000:1000:Service Account:/home/svc_acc:/bin/bash
rtkit:x:111:114:RealtimeKit,,,:/proc:/usr/sbin/nologin
usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
avahi:x:113:116:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
cups-pk-helper:x:114:117:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
saned:x:115:119::/var/lib/saned:/usr/sbin/nologin
colord:x:116:120:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
pulse:x:117:121:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
geoclue:x:118:123::/var/lib/geoclue:/usr/sbin/nologin
smmta:x:119:124:Mail Transfer Agent,,,:/var/lib/sendmail:/usr/sbin/nologin
smmsp:x:120:125:Mail Submission Program,,,:/var/lib/sendmail:/usr/sbin/nologin

```

After this I thought: can we get any private SSH keys to get an initial foothold on the machine?

and used this :thumbsup::thumbsup:

![](/files/kMccjBIb2C5vEpx95pfq)

and got:

```
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAqe5XWFKVqleCyfzPo4HsfRR8uF/P/3Tn+fiAUHhnGvBBAyrM
HiP3S/DnqdIH2uqTXdPk4eGdXynzMnFRzbYb+cBa+R8T/nTa3PSuR9tkiqhXTaEO
bgjRSynr2NuDWPQhX8OmhAKdJhZfErZUcbxiuncrKnoClZLQ6ZZDaNTtTUwpUaMi
-----------------Sorry I can't Show The Whole Key-----------------------
-----END RSA PRIVATE KEY-----
```

![](/files/QevaRMvkWzA0xJIWyWL8)

### Now time to Escalate Our Privs:

I used LinPEAS after a hard manual try and got:

![](/files/PIldgbVuSgEWFM7HOWzW)

This is a script which is owned by root.

After looking at the script content I found that this script runs every time anyone logs in through SSH.

![](/files/6vLIBwKmIIMepJeOD4L6)

That is good news for us, so let's write something malicious to it. I tried to overwrite it but failed, but I was able to append data to it, so...

![](/files/pc9PC2Hj769LjM2Zdc2p)

After this, I logged in to the machine from another terminal.

And let's move to the /tmp directory to see if we got success or not.

Ohh Yaahhh!!! BOOoom #------Bling Bling-------- We are successful!!!

![](/files/BfhoOWUlw7mLdYTY25h9)

The dash file is here, so it's time to become the almighty “ROOT”.

![](/files/accODF0aGB5I85Fyivxq)
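The privilege escalation above depends on a script that runs with elevated privileges at every SSH login while a non-root account can still add lines to it. The following audit is an added example, not part of the original write-up: `audit_login_hook` is a hypothetical helper name, it assumes GNU `stat` and (optionally) `lsattr`, and the append-only attribute check is an assumption about one possible reason overwriting failed while appending worked, which the page does not state.

```shell
#!/usr/bin/env bash
# audit_login_hook PATH [TRUSTED_UID]
# Returns 0 when only TRUSTED_UID (default 0, root) can change PATH, 1 when
# another account could modify or replace it, 2 on a bad argument.
audit_login_hook() {
    local path=$1 trusted=${2:-0} rc=0 dir uid mode attrs
    [ -f "$path" ] || { echo "not a regular file: $path" >&2; return 2; }
    dir=$(dirname -- "$path")

    # Owner and octal mode of the script itself (GNU stat).
    uid=$(stat -c '%u' -- "$path")
    mode=$(stat -c '%a' -- "$path")
    if [ "$uid" != "$trusted" ]; then
        echo "FAIL: $path is owned by uid $uid, not $trusted"; rc=1
    fi
    # 022 = group-write | other-write permission bits.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL: $path mode $mode is group- or world-writable"; rc=1
    fi

    # A writable parent directory lets the script be replaced outright.
    uid=$(stat -c '%u' -- "$dir")
    mode=$(stat -c '%a' -- "$dir")
    if [ "$uid" != "$trusted" ] || [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL: directory $dir (uid $uid, mode $mode) allows replacing it"; rc=1
    fi

    # Append-only (chattr +a) blocks overwriting but still permits '>>', so it
    # does not protect a file that another account is allowed to write to.
    if command -v lsattr >/dev/null 2>&1; then
        attrs=$(lsattr -d -- "$path" 2>/dev/null | cut -d' ' -f1)
        case $attrs in
            *a*) echo "NOTE: $path is append-only; new lines can still be added" ;;
        esac
    fi
    [ "$rc" -eq 0 ] && echo "OK: only uid $trusted can modify $path"
    return "$rc"
}

# Constructed demo: a world-writable hook in a temporary directory.
demo_dir=$(mktemp -d)
printf '#!/bin/sh\necho "login"\n' > "$demo_dir/login-hook.sh"
chmod 766 "$demo_dir/login-hook.sh"
audit_login_hook "$demo_dir/login-hook.sh" "$(id -u)" || true
rm -rf "$demo_dir"
```

On a real host, call it without the second argument against every script referenced by login-time hooks, so that anything not owned by root or writable by others is reported.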
