Official IClean Discussion

system · April 6, 2024, 3:00pm

Official discussion thread for IClean. Please do not post any spoilers or big hints.

lazytitan33 · April 6, 2024, 8:06pm

Roll up your sleeves and clean house on iClean! Ratings and reviews will help me get better and come back with trickier challenges.

cromiphi · April 7, 2024, 10:48am

Just rooted.
Not too difficult, Google will help you every step of the way.

FoxFromTheBox · April 7, 2024, 2:00pm

Just rooted.

User hint: First of all think about client-side web vulnerabilities.
Root hint: Do something with attachments.

xenx · April 8, 2024, 6:12am

Found a way to gain access but still unable to exploit it. Im trying to figure out how to obtain the shell. I tried several things on that attack vector.

theLast3.14PIDigits · April 8, 2024, 9:19am

Just rooted, I want to share a little nudge: for user to get revshell when you have found the s*** vulnerability be careful with encoding see some hexamples on google
For root just read what you cannot read.

saveTheCapyb · April 8, 2024, 3:16pm

After you generate one invoice you cant change the details for any other invoices you create after that, even if you enter new details… It only works if you reset the box… Is this a bug or is this supposed to be like this ?

samushi · April 8, 2024, 7:36pm

Spent a lot of time trying to troubleshoot “Match and replace” function in burp to add a header to every request and then found out I wasn’t seeing the proper response for the page because it wasn’t in fullscreen so there’s a tip I guess.

Great machine, I’m stupid.

nightwing001 · April 9, 2024, 4:38am

Stuck for most of the day today. If I may ask, does this have a subdomain? I can never get the subdomain right with the htb boxes.

theLast3.14PIDigits · April 9, 2024, 9:38am

dont enumerate, just try to understand the mechanism of how the app works, you already have almost anything you need

xenx · April 9, 2024, 10:12am

Finally pwned! @samushi gave a good tip. I wasted a lot of time testing and enumerating a lot of things.

You have to enumerate everything on this machine.

Learnt new cool things

Dedsec007 · April 9, 2024, 5:14pm

Does anyone have any hint to suggest for user?
I spent more time in enumeration but nothing useful found

shashank · April 9, 2024, 5:38pm

It can be a bug, but it’s should not come in your way to exploiting it

shashank · April 9, 2024, 5:40pm

Hint - Check if you see your reflection!

Dedsec007 · April 9, 2024, 6:27pm

I have reflection but the c***** value could not appear

Dedsec007 · April 10, 2024, 4:22pm

eugenethreat · April 11, 2024, 6:12am

Rooted - fun box! Feel myself getting better and better, thanks htb.

foothold - check all the inputs.
user - enumerate the application - think about best practices.
root - think about what you have and what you can do with it..

shashank · April 11, 2024, 3:09pm

Congratsss

SawyerOne · April 11, 2024, 9:07pm

I have been trying alot of different payloads, I would get reflection but no cookie. Any advice?

FoxFromTheBox · April 12, 2024, 9:37am

Try IMG payload with “onerror”