THM Love Connect
Reconnaissance:
We enumerate with nmap
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
ssh-hostkey:
256 87:2b:70:dc:79:dc:14:01:67:14:6c:11:31:20:c2:47 (ECDSA)
|_ 256 5e:1f:6e:a9:aa:eb:8e:e8:73:29:ad:63:dc:b3:d6:e3 (ED25519)
5000/tcp open http Werkzeug httpd 3.1.5 (Python 3.10.12)
|_http-title: LoveConnect - Speed Chatter
|_http-server-header: Werkzeug/3.1.5 Python/3.10.12
http-methods:
|_ Supported Methods: HEAD OPTIONS GET
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We find a chat box no AI and we can upload a photo
We could probably upload a malicious jpg
The src for our previous image is stored in
<img src=“/uploads/profile_e37c798a-e07f-40bb-b903-4227fb614efc.png” class=“profile-pic” alt=“Profile Picture” onerror=“this.src=‘data:image/svg+xml,%3Csvg xmlns=%22http://www.w3.org/2000/svg%22 width=%22150%22height=%22150%22%3E%3Ccircle cx=%2275%22 cy=%2275%22 r=%2275%22 fill=%22%23f48fb1%22/%3E%3Ctext x=%2250%25%22y=%2250%25%22 text-anchor=%22middle%22 dy=%22.3em%22 fill=%22white%22 font-size=%2250%22%3E❤️%3C/text%3E%3C/svg%3E’”>
Exploitation:
We tried a bunch of python rev shells and it wouldn’t work
We tried a bash rev shell and we get a shell
Next we cat the flag.txt
THM{R3v3rs3_Sh3ll_L0v3_C0nn3ct10ns}
Notes:
Letting user upload arbitrary photos opens us to a full system compromise. All that is needed here is to take a Reverse shell from GTFObins and save it as a photo format and voilà.