~/ Home Projects Tools Link
Writeups
hackthebox/
  • 2million
  • Facts
  • Checkpoint
  • Enigma
  • Nimbus
  • Reactor
  • tryhackme/
  • Wonderland
  • Highschool
  • Ignite
  • JokerCTF
  • Lazy Admin
  • Lightroom
  • Lookup
  • Love Connect
  • Love note
  • Pyrat
  • Startup
  • Tryheartme
  • Valenfind
  • Valley
  • When hearts collide
  • THM Love Connect


    Reconnaissance:

    We enumerate with nmap

    PORT STATE SERVICE VERSION

    22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)

    ssh-hostkey:
      256 87:2b:70:dc:79:dc:14:01:67:14:6c:11:31:20:c2:47 (ECDSA)

    |_ 256 5e:1f:6e:a9:aa:eb:8e:e8:73:29:ad:63:dc:b3:d6:e3 (ED25519)

    5000/tcp open http Werkzeug httpd 3.1.5 (Python 3.10.12)

    |_http-title: LoveConnect - Speed Chatter

    |_http-server-header: Werkzeug/3.1.5 Python/3.10.12

    http-methods:

    |_ Supported Methods: HEAD OPTIONS GET

    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    We find a chat box no AI and we can upload a photo

    We could probably upload a malicious jpg

    The src for our previous image is stored in

    <img src=“/uploads/profile_e37c798a-e07f-40bb-b903-4227fb614efc.png” class=“profile-pic” alt=“Profile Picture” onerror=“this.src=‘data:image/svg+xml,%3Csvg xmlns=%22http://www.w3.org/2000/svg%22 width=%22150%22height=%22150%22%3E%3Ccircle cx=%2275%22 cy=%2275%22 r=%2275%22 fill=%22%23f48fb1%22/%3E%3Ctext x=%2250%25%22y=%2250%25%22 text-anchor=%22middle%22 dy=%22.3em%22 fill=%22white%22 font-size=%2250%22%3E❤️%3C/text%3E%3C/svg%3E’”>


    Exploitation:

    We tried a bunch of python rev shells and it wouldn’t work

    We tried a bash rev shell and we get a shell

    Next we cat the flag.txt

    THM{R3v3rs3_Sh3ll_L0v3_C0nn3ct10ns}


    Notes:

    Letting user upload arbitrary photos opens us to a full system compromise. All that is needed here is to take a Reverse shell from GTFObins and save it as a photo format and voilà.


    Tools: