Return to forum
HTB Late [Discussion]
by - Thursday, January 1, 1970 at 12:00 AM
BreachForums User
VIP
Posts: 213
Threads: 0
Joined: N/A
Reputation: 56

#1
April 23, 2022 at 6:58 PM
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 02:5e:29:0e:a3:af:4e:72:9d:a4:fe:0d:cb:5d:83:07 (RSA)
|   256 41:e1:fe:03:a5:c7:97:c4:d5:16:77:f3:41:0c:e9:fb (ECDSA)
|_  256 28:39:46:98:17:1e:46:1a:1e:a1:ab:3b:9a:57:70:48 (ED25519)
80/tcp open  http    nginx 1.14.0 (Ubuntu)
|_http-title: Late - Best online image tools
|_http-server-header: nginx/1.14.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Reply
BreachForums User
VIP
Posts: 213
Threads: 0
Joined: N/A
Reputation: 56

#2
April 23, 2022 at 7:20 PM
http://images.late.htb/ looks interesting.
Reply
Member
Member
Posts: 42
Threads: 0
Joined: N/A
Reputation: 1

#3
April 24, 2022 at 1:38 AM
upload an image with text, look at how the output is in

... create an image with "{{7*7}}" to test for SSTI and be pleasantly delighted at the output of 49...
Reply
Elite User
Elite
Posts: 166
Threads: 0
Joined: N/A
Reputation: 5

#4
April 24, 2022 at 1:39 AM
its imagemagick ? idk i think i have to put some code in jpeg i see when i upload a jpeg image its return a txt with a html code idk.[hr][quote="qwerty173" pid="37165" dateline="1650764303"]upload an image with text, look at how the output is in

... create an image with "{{7*7}}" to test for SSTI and be pleasantly delighted at the output of 49...[/quote]Nice will try now... thanks :D
Reply
Member
Member
Posts: 27
Threads: 0
Joined: N/A
Reputation: 0

#5
April 24, 2022 at 2:54 AM
i am stuck at image upload part any nudges
Reply
BreachForums User
VIP
Posts: 213
Threads: 0
Joined: N/A
Reputation: 56

#6
April 24, 2022 at 10:25 AM
(April 24, 2022, 02:54 AM)Polypopy Wrote: i am stuck at image upload part any nudges


SSTI.
When you upload an image which reads {{7*7}} then the result will be 49.
Reply
Member
Member
Posts: 5
Threads: 0
Joined: N/A
Reputation: 0

#7
April 24, 2022 at 2:54 PM
root id_rsa ::

-----BEGIN RSA PRIVATE KEY-----
MIIEoQIBAAKCAQEAuDUCfyBofVqk+Qilst0xDnhScDu+kSmXHYBcL1iwxajW5SWp
oGqD39nBh/AzQYcQk4t5xIV8eUlda0zD1pjfPYAOHt9efDSxWaJQ91P5L+qlsCii
efP8M0zlWgN8nzII9MSrRSU7I7iVYaYLawl82JhnoTSt1CoexSDT0T23DPOr2KC/
8XBlIFgZN/pyri0qtG3n3r1lRBQFj1eDMwd2AeeOL+AQUz7b7v5xqErTNvRjC2Yf
xqmIEaqgvTWsxZL2oCJbv9pJ3+ApGaxLJyZgvXMI39ubndiatITMiGbwE61kMV+D
r8d8LKpHBRBTKOzo9VV8dHFhN9KYAFKbAatpKwIDAQABAoIBAGnHdxGNiLNDVCz1
vEFEJ6GJkr2EcWBmo7J7PXSq14gJ9q1LvWazA9uN7kajtqtQZkJz+47QoLP9Xzn4
sRUQYFGusW0lE9r7X0R7o0cD37qWYmMQUoz5gL/szl+sVOoOD3qPXVKtmJJgsteK
RFBI+HpgulGmMJP/RAArY7dqWy2B3XniUWZY+IjOdHYBQSNFbc6kYrwDcpYn1rHt
fwq55t7nyXho25paTbmwRBhBwNA4fK/Kzkbct4bvx1GRxdctqa4NbvoPVTNJ0tnY
7kFn4V6rBV8LiZP9tI5eLWNh+yid7Sca2TgUqQdfcFePD6GnW9qydgTs32fAwbsL
nqNHH1ECgYEA73dBhgBnvvkSDRUBjJV94q+jeE+7oh2WOOCcMAtu4vQ6Z6ZA1im6
c0bETk3FyNTtrIq+NxqqXvDz15u5IferwPT5jYyi6/5g2wfmrt0K9qYmCk0g/TFJ
ab6Zbz57eVzjZnZLSsaCyPsJqRGMAb+kPmszhseeXp82cwLmH0BBfCcCgYEAxO0D
IJPrqjyA/O/f95okskHqW0/kstPQCMazsxf4qtQ4G0j/UTbE054T+nRJvnEJd+68
MWsmXechRKASK8FZcVBJMPlJB9qetCXanZDnthHUOZ4ASMyWGUY5GnqdiD8WWyI+
WpqQ3YEaXhj2C507yS1RsZnr1iUvt+ic6xqimV0CgYBbJnfIfAsBhGk8lYxbaOPc
D6MXvrHbSYvO5qBNIWz58qDwpzXyzztrebprW+s3QOWfUciJzRqgvPL0VRApP88e
yaDcInY5gkB33xAN65GqxR+huC4gckxRdf2NfKkfTx43+Ds8oUdTHUtWEZnLaJkq
MUARw5YiylO9f5L8vkau7QJ/BuxOL9cDcfiukDXeqdXBdILculkUsTTBG43gw2sU
Uu0jC9KFJ1XFlar5CNUNwqQ2sQCznQknUCXQBZmbCe7CNjmcWRxqdNw6uBqclO2D
N+Nokp37ZJPMsxbE6ylkYGXXY1zQ1F6auS7Qvn4iKEZe07PEK3o90El+Y/jJi3pk
PQKBgQC0AIdrkyGdIiPSHJHmiOpGyE85Hl8McQZoTwAlacTm9HYiQycQoraFwAmK
yHYDDSiJznWLqU58gdLybuTU4eWkWd/NaPOSrrUpHdIWTS8+nWJiu1BPowKaGMdP
9WnDQAEXbK24DiX2WGioLX11x3Qn/W+Y9ZCrYYC1mKjOAbIJsQ==
-----END RSA PRIVATE KEY-----

====================================================================

svc_acc id_rsa

-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAqe5XWFKVqleCyfzPo4HsfRR8uF/P/3Tn+fiAUHhnGvBBAyrM
HiP3S/DnqdIH2uqTXdPk4eGdXynzMnFRzbYb+cBa+R8T/nTa3PSuR9tkiqhXTaEO
bgjRSynr2NuDWPQhX8OmhAKdJhZfErZUcbxiuncrKnoClZLQ6ZZDaNTtTUwpUaMi
/mtaHzLID1KTl+dUFsLQYmdRUA639xkz1YvDF5ObIDoeHgOU7rZV4TqA6s6gI7W7
d137M3Oi2WTWRBzcWTAMwfSJ2cEttvS/AnE/B2Eelj1shYUZuPyIoLhSMicGnhB7
7IKpZeQ+MgksRcHJ5fJ2hvTu/T3yL9tggf9DsQIDAQABAoIBAHCBinbBhrGW6tLM
fLSmimptq/1uAgoB3qxTaLDeZnUhaAmuxiGWcl5nCxoWInlAIX1XkwwyEb01yvw0
ppJp5a+/OPwDJXus5lKv9MtCaBidR9/vp9wWHmuDP9D91MKKL6Z1pMN175GN8jgz
W0lKDpuh1oRy708UOxjMEalQgCRSGkJYDpM4pJkk/c7aHYw6GQKhoN1en/7I50IZ
uFB4CzS1bgAglNb7Y1bCJ913F5oWs0dvN5ezQ28gy92pGfNIJrk3cxO33SD9CCwC
T9KJxoUhuoCuMs00PxtJMymaHvOkDYSXOyHHHPSlIJl2ZezXZMFswHhnWGuNe9IH
Ql49ezkCgYEA0OTVbOT/EivAuu+QPaLvC0N8GEtn7uOPu9j1HjAvuOhom6K4troi
WEBJ3pvIsrUlLd9J3cY7ciRxnbanN/Qt9rHDu9Mc+W5DQAQGPWFxk4bM7Zxnb7Ng
Hr4+hcK+SYNn5fCX5qjmzE6c/5+sbQ20jhl20kxVT26MvoAB9+I1ku8CgYEA0EA7
t4UB/PaoU0+kz1dNDEyNamSe5mXh/Hc/mX9cj5cQFABN9lBTcmfZ5R6I0ifXpZuq
0xEKNYA3HS5qvOI3dHj6O4JZBDUzCgZFmlI5fslxLtl57WnlwSCGHLdP/knKxHIE
uJBIk0KSZBeT8F7IfUukZjCYO0y4HtDP3DUqE18CgYBgI5EeRt4lrMFMx4io9V3y
3yIzxDCXP2AdYiKdvCuafEv4pRFB97RqzVux+hyKMthjnkpOqTcetysbHL8k/1pQ
GUwuG2FQYrDMu41rnnc5IGccTElGnVV1kLURtqkBCFs+9lXSsJVYHi4fb4tZvV8F
ry6CZuM0ZXqdCijdvtxNPQKBgQC7F1oPEAGvP/INltncJPRlfkj2MpvHJfUXGhMb
Vh7UKcUaEwP3rEar270YaIxHMeA9OlMH+KERW7UoFFF0jE+B5kX5PKu4agsGkIfr
kr9wto1mp58wuhjdntid59qH+8edIUo4ffeVxRM7tSsFokHAvzpdTH8Xl1864CI+
Fc1NRQKBgQDNiTT446GIijU7XiJEwhOec2m4ykdnrSVb45Y6HKD9VS6vGeOF1oAL
K6+2ZlpmytN3RiR9UDJ4kjMjhJAiC7RBetZOor6CBKg20XA1oXS7o1eOdyc/jSk0
kxruFUgLHh7nEx/5/0r8gmcoCvFn98wvUPSNrgDJ25mnwYI0zzDrEw==
-----END RSA PRIVATE KEY-----

================================================================

/etc/shadow ::

root:$6$a6J2kmTW$cHVk8PYFcAiRyUOA38Cs1Eatrz48yp395Cmi7Fxszl/aqQooB.6qFmhMG1LYuHJpGvvaE1cxubWIdIc1znRJi.:19089:0:99999:7:::
svc_acc:$6$/WRA.GuP$fusYGh.OucHDQzn5.9XdFMO6hcVw7ayD1B9/MVrxKFyv0PDd51.3JUA9qgQMU1Mnvlfjw9xSDb98B1xMwdtZH.:19008:0:99999:7:::

.
Reply
BreachForums User
MVP
Posts: 2
Threads: 0
Joined: N/A
Reputation: 5

#8
April 25, 2022 at 9:07 AM
(April 24, 2022, 02:54 AM)Polypopy Wrote: i am stuck at image upload part any nudges


You can SSTI, just put the text on the image. Take care of the font you use, it does have an impact.

If you want to understand better I recommend: https://medium.com/@nyomanpradipta120/ssti-in-flask-jinja2-20b068fdaeee for RCE
Reply
BreachForums User
VIP
Posts: 213
Threads: 0
Joined: N/A
Reputation: 56

#9
April 25, 2022 at 9:27 AM
(April 25, 2022, 09:07 AM)ghent Wrote:
(April 24, 2022, 02:54 AM)Polypopy Wrote: i am stuck at image upload part any nudges


You can SSTI, just put the text on the image. Take care of the font you use, it does have an impact.

If you want to understand better I recommend: https://medium.com/@nyomanpradipta120/ssti-in-flask-jinja2-20b068fdaeee for RCE


Yes, getting the font right is tricky. I ended up installing LibreOffice and trying out various monospaced fonts.
Reply
Member
Member
Posts: 40
Threads: 0
Joined: N/A
Reputation: 1

#10
April 25, 2022 at 2:40 PM
(April 25, 2022, 09:27 AM)Exa Wrote:
(April 25, 2022, 09:07 AM)ghent Wrote:
(April 24, 2022, 02:54 AM)Polypopy Wrote: i am stuck at image upload part any nudges


You can SSTI, just put the text on the image. Take care of the font you use, it does have an impact.

If you want to understand better I recommend: https://medium.com/@nyomanpradipta120/ssti-in-flask-jinja2-20b068fdaeee for RCE


Yes, getting the font right is tricky. I ended up installing LibreOffice and trying out various monospaced fonts.


Yea, figuring out which font type works best for hours. In my opinion, the best is 'Lucida Console'.  :D
Reply


 Users viewing this thread: HTB Late [Discussion]: No users currently viewing.