HackTheBox - Clicker

If I remembrer correctly (I did this box a few weeks back), the reason why you can't read the file at 41:00 is that the buffer for the command is fairly small. So the path your are giving is trunckated which result in an error. It works for /etc/passwd and ./ssh/id_rsa because the full path are small enough for this vuln.

nice upload ippsec we love ya

Very good video, thank you ❤

That’s awesome, I bypassed the role filter by using &/**/role=Admin

Love these videos!!

I missed the filter bypass! I though I could just change the admin's password in save game since it allows you to modify any field in players but that didn't work.

Can you go into more detail about what you meant regarding private temp in systemd at 39:41?

What do you use for screen recording?

role param is useless for normal user i'm curious is it passes as intended param when admin authenticates

love youuu

You should've picked Mercy, Ipp

🎉🎉🎉

Is this OSCP level?

Push!

First

I got root in a third way, with PERL5OPT and PERL5DB. You put -d in OPT and with DB you can then run arbitrary perl code.

This is what happens when you don't use the line unsetenv("LD_PRELOAD");:
bash: syntax error near unexpected token `)'
root@clicker:/tmp# pwd
/tmp
root@clicker:/tmp# free -h
bash: fork: retry: Resource temporarily unavailable
bash: fork: retry: Resource temporarily unavailable
bash: fork: retry: Resource temporarily unavailable
bash: fork: retry: Resource temporarily unavailable
bash: fork: Resource temporarily unavailable
root@clicker:/tmp#
root@clicker:/tmp# free -h
bash: fork: retry: Resource temporarily unavailable
bash: fork: retry: Resource temporarily unavailable