In this post, I would like to share a walkthrough of the Late Machine from Hack the Box
This room will be considered an Easy machine on Hack The box
What will you gain from the Late machine?
For the user flag, you will need to abuse the flask application using a common attack which is the SSTI method
As for the root flag, you need to abuse the ssh file to get root ssh shell.
Information Gathering on Late Machine
Once we have started the VPN connection which requires a download from Hackthebox, we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN
Let’s access the website interface
There’s nothing that we can see on the website interface.
As a result, let’s enumerate the website using gobuster
From the gobuster result, we didn’t find anything interesting. Therefore, let’s analyze more on the website interface in case we miss anything useful
I have noticed that there’s a link that we can click, and it directs us to a subdomain of the website
It will look something like the screenshot above
Flask Vulnerability
The first thing that came to my mind when see flask is SSTI attack method where i found the payload here
Let’s convert the ssti attack into text format and take a screenshot on our machine
It worked!
Let’s throw an SSTI payload that will read the file inside the machine
At last, we got the SSTI worked for us
Therefore, let’s change the payload and include the curl command so that it can retrieve the shell file on our machine
The shell file will look something as shown above
From the looking of it, it works!
Finally, we got a reverse shell connection back to us.
We can read the user flag by executing the command “cat user.txt”
Getting SSH private key
In order to get a proper connection on the machine, let’s retrieve the ssh private key
We can download easier by using pwncat tool
We are required to give permission to the id_rsa file
At last, we can access the machine using the ssh service.
Escalate to Root Privileges Access on Late Machine
We can run ps aux to see any interesting proceed that has been running in the background. Luckily for us, we managed to see a certain file been run as root such as /usr/local/sbin/ssh-alert.sh
Let’s execute the command above to get root access via the ssh service
Let’s access via ssh service again and surprise, we managed to get bash system
We need to execute the command bash -p to become a root user
We can read the root flag by executing the command “cat /root/root.txt”
Extra Information
