HackTheBox - Clicker
Published 26 Jun 2024
00:00 - Introduction
01:02 - Start of nmap and discovering NFS, which is hosting source code to the webserver
05:50 - Showing off the NFSClient Golang binary by Mubix, does not work here because NFS is Read-only
07:40 - Viewing the website for the first time, so we have an idea of what source code we are looking at
09:00 - Looking at the source code, Snyk doesn't give us anything
11:45 - Looking at database queries and finding a Mass Assignment Vulnerability
13:30 - Discovering we need to assign ourselves to Admin
14:45 - Using a line break to bypass the check against the Key, allowing us to pass in the Role
17:48 - Showing another way to set our Role To Admin through SQL Injection in the Value
21:52 - Viewing the Administration page, discovering how the export function works
25:00 - We can place PHP code in the NICKNAME of our user; the export function then writes it to a .php file, which executes
30:12 - Running LinPEAS, discovering a SetUID Binary (execute_query)
36:00 - Examining execute_query in Ghidra, discovering a File Disclosure Vulnerability
42:00 - Grabbing the SSH Key for Jack
44:27 - Jack can sudo run /opt/monitor.sh and set the environment. We can use LD_PRELOAD to hijack dynamically linked binaries.
50:15 - Showing the intended way by setting a proxy for curl, allowing us to change the data the server sends and trigger an XXE
If I remember correctly (I did this box a few weeks back), the reason why you can't read the file at 41:00 is that the buffer for the command is fairly small. So the path you are giving is truncated, which results in an error. It works for /etc/passwd and ./ssh/id_rsa because the full paths are small enough for this vuln.
That’s awesome, I bypassed the role filter by using &/**/role=Admin
nice upload ippsec we love ya
Love these videos!!
Very good video, thank you ❤
You should've picked Mercy, Ipp
🎉🎉🎉
What do you use for screen recording?
I missed the filter bypass! I thought I could just change the admin's password in save game since it allows you to modify any field in players, but that didn't work.
The role param is useless for a normal user. I'm curious whether it is passed as an intended param when the admin authenticates.
Push!
First
Can you go into more detail about what you meant regarding private temp in systemd at 39:41?
Services run under systemd generally have a jailed temp folder. So Apache's /tmp/ is different from MySQL's /tmp/
Is this OSCP level?
Not quite, this is easier than some of the mediums currently active this season which I would say are OSCP level
I got root in a third way, with PERL5OPT and PERL5DB. You put -d in OPT and with DB you can then run arbitrary perl code.
This is what happens when you don't use the line unsetenv("LD_PRELOAD");:
bash: syntax error near unexpected token `)'
root@clicker:/tmp# pwd
/tmp
root@clicker:/tmp# free -h
bash: fork: retry: Resource temporarily unavailable
bash: fork: retry: Resource temporarily unavailable
bash: fork: retry: Resource temporarily unavailable
bash: fork: retry: Resource temporarily unavailable
bash: fork: Resource temporarily unavailable
root@clicker:/tmp#
root@clicker:/tmp# free -h
bash: fork: retry: Resource temporarily unavailable
bash: fork: retry: Resource temporarily unavailable