Hackthebox - Late

Web

From the website we get a link to https://images.lazy.htb

images.lazy.htb

Intresting in the looks like it is running on flask

PS: https://medium.com/@amanzishan.az/building-a-flask-web-application-to-extract-text-from-images-3f761f4880d9

So I tried Template Injection payload as an image

And I got the payload working and executed

Created a command injection image as

Create a revershell payload with

https://reverse-shell.sh/10.10.14.139:9001

svc_account

Enumerating we see root is running some sendmail

Checking the extra attributes lsattr we see we have append permission

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/late/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.