# Clicker

```
┌──(kali㉿kali)-[~/Desktop]
└─$ nc -zvn 10.10.11.232 1-65535
(UNKNOWN) [10.10.11.232] 53863 (?) open
(UNKNOWN) [10.10.11.232] 51483 (?) open
(UNKNOWN) [10.10.11.232] 33521 (?) open
(UNKNOWN) [10.10.11.232] 33501 (?) open
(UNKNOWN) [10.10.11.232] 33347 (?) open
(UNKNOWN) [10.10.11.232] 2049 (nfs) open
(UNKNOWN) [10.10.11.232] 111 (sunrpc) open
(UNKNOWN) [10.10.11.232] 80 (http) open
(UNKNOWN) [10.10.11.232] 22 (ssh) open

┌──(root㉿kali)-[/home/kali/Desktop]
└─# nmap -sV -sC -T5 -p22,80,111,2049,33347,33501,33521,51483,53863 10.10.11.232
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-29 02:16 EDT
Nmap scan report for clicker.htb (10.10.11.232)
Host is up (0.12s latency).

PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 89:d7:39:34:58:a0:ea:a1:db:c1:3d:14:ec:5d:5a:92 (ECDSA)
|_  256 b4:da:8d:af:65:9c:bb:f0:71:d5:13:50:ed:d8:11:30 (ED25519)
80/tcp    open  http     Apache httpd 2.4.52 ((Ubuntu))
|_http-server-header: Apache/2.4.52 (Ubuntu)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-title: Clicker - The Game
111/tcp   open  rpcbind  2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      33501/tcp   mountd
|   100005  1,2,3      38615/tcp6  mountd
|   100005  1,2,3      42541/udp6  mountd
|   100005  1,2,3      46653/udp   mountd
|   100021  1,3,4      33521/tcp   nlockmgr
|   100021  1,3,4      35481/udp6  nlockmgr
|   100021  1,3,4      44637/tcp6  nlockmgr
|   100021  1,3,4      49853/udp   nlockmgr
|   100024  1          37455/tcp6  status
|   100024  1          37786/udp   status
|   100024  1          51483/tcp   status
|   100024  1          55158/udp6  status
|   100227  3           2049/tcp   nfs_acl
|_  100227  3           2049/tcp6  nfs_acl
2049/tcp  open  nfs_acl  3 (RPC #100227)
33347/tcp open  mountd   1-3 (RPC #100005)
33501/tcp open  mountd   1-3 (RPC #100005)
33521/tcp open  nlockmgr 1-4 (RPC #100021)
51483/tcp open  status   1 (RPC #100024)
53863/tcp open  mountd   1-3 (RPC #100005)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Trying to register the username admin reports that it already exists, so register the user admin1:admin1.

![](https://hackmd.io/_uploads/rk9WC_jGp.png)
![](https://hackmd.io/_uploads/r1hTAuoM6.png)
![](https://hackmd.io/_uploads/SJ1JkYszp.png)
![](https://hackmd.io/_uploads/SyUz1YiGa.png)
![](https://hackmd.io/_uploads/rJ5optsfT.png)
![](https://hackmd.io/_uploads/Bk0hTFof6.png)
![](https://hackmd.io/_uploads/HJ7ATKjMp.png)

The request carries a role parameter; intercept it and URL-encode role=0.

![](https://hackmd.io/_uploads/rJbZQ9jfT.png)
![](https://hackmd.io/_uploads/BJiAHqoMT.png)

It looks like role needs to be set to Admin; CRLF injection also works.

![](https://hackmd.io/_uploads/r1v539sM6.png)

Once the change succeeds, logging in again shows an Administration menu.

![](https://hackmd.io/_uploads/Hy_9lssfa.png)
![](https://hackmd.io/_uploads/SkY2xioMT.png)
![](https://hackmd.io/_uploads/BkZebsjGa.png)

Changing the parameter lets you export a .php file.

![](https://hackmd.io/_uploads/Bye4ICsza.png)

Put PHP code in the nickname and change the extension to php; the `file_put_contents` call then writes the nickname into the exported file.

![](https://hackmd.io/_uploads/BJ8UsRsfT.png)
![](https://hackmd.io/_uploads/BkcZi0ofa.png)

You need to appear in the Top players list.

![](https://hackmd.io/_uploads/SkIvUJnGa.png)
![](https://hackmd.io/_uploads/Byg_8y3zT.png)
![](https://hackmd.io/_uploads/S119Uknzp.png)

Reverse shell: https://www.revshells.com/

![](https://hackmd.io/_uploads/HJK0PJnMp.png)
![](https://hackmd.io/_uploads/HJfJdknfa.png)

Stabilize the shell:

```
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
ctrl + z
stty raw -echo; fg
```

![](https://hackmd.io/_uploads/r1HB_y3za.png)

Once inside, the .php file does indeed contain the one-line webshell.

![](https://hackmd.io/_uploads/Hks3Oknfa.png)

Privilege escalation -> 豆子

![](https://hackmd.io/_uploads/rJ8ksynzT.png)
![](https://hackmd.io/_uploads/SJRZC1nzp.png)

SCP does not work, so start http.server and download the file for analysis.

![](https://hackmd.io/_uploads/BkRmA12Ga.png)

Load it into IDA:

![](https://hackmd.io/_uploads/ryc4SznMT.png)
![](https://hackmd.io/_uploads/HkdWJghM6.png)

Binary Ninja -> analysis result:

![](https://hackmd.io/_uploads/ryD8rZhM6.png)

The current path is /home/jack/queries/; read jack's id_rsa.

![](https://hackmd.io/_uploads/SJFg9d3zp.png)

Privilege escalation:

![](https://hackmd.io/_uploads/rkpGi_nzT.png)
![](https://hackmd.io/_uploads/r1_h2YnMa.png)
![](https://hackmd.io/_uploads/SyuiTKhfa.png)

"perl_startup" privilege escalation; CVE-2016-1531 runs a script as root by configuring the environment when Perl is run.
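The web foothold above came from an export handler that let the client pick the file extension and wrote the nickname verbatim with `file_put_contents`. The following is an added example, not the Clicker application's code: a reconstruction of that handler's shape next to a hardened version, with function and parameter names (`$players`, `$extension`, `$exportDir`) assumed for illustration.

```php
<?php
// Added example (not the Clicker app's code); function and parameter names are assumed.

// Vulnerable shape: the extension comes straight from the request and the nickname is
// written verbatim, so extension=php plus PHP tags in a nickname yields an executable file.
function export_vulnerable(array $players, string $extension, string $dir): string
{
    $path = rtrim($dir, '/') . '/' . bin2hex(random_bytes(8)) . '.' . $extension;
    $body = '';
    foreach ($players as $p) {
        $body .= $p['nickname'] . ' ' . $p['clicks'] . "\n";
    }
    file_put_contents($path, $body);
    return $path;
}

// Hardened shape: allow-list the format, keep the server in control of the file name,
// neutralise markup in user-controlled fields and write outside the web root.
function export_hardened(array $players, string $extension, string $exportDir): string
{
    if (!in_array($extension, ['txt', 'json', 'html'], true)) {
        throw new InvalidArgumentException('unsupported export format');
    }
    $rows = [];
    foreach ($players as $p) {
        $rows[] = [
            // htmlspecialchars turns "<?php" into "&lt;?php", which PHP never executes
            'nickname' => htmlspecialchars((string) $p['nickname'], ENT_QUOTES | ENT_HTML5, 'UTF-8'),
            'clicks'   => (int) $p['clicks'],
        ];
    }
    if ($extension === 'json') {
        $body = json_encode($rows, JSON_THROW_ON_ERROR);
    } else {
        $body = '';
        foreach ($rows as $r) {
            $body .= $r['nickname'] . ' ' . $r['clicks'] . "\n";
        }
    }
    // $exportDir is expected to sit outside DocumentRoot, so a misnamed file cannot be
    // requested through Apache; the random name stops guessing.
    $path = rtrim($exportDir, '/') . '/' . bin2hex(random_bytes(8)) . '.' . $extension;
    file_put_contents($path, $body, LOCK_EX);
    return $path;
}

// Constructed sample input (not from the box): a nickname carrying PHP tags.
$players = [['nickname' => '<?php echo "tag"; ?>', 'clicks' => 42]];
$out = export_hardened($players, 'txt', sys_get_temp_dir());
echo file_get_contents($out), PHP_EOL;   // tags are written entity-encoded, not as PHP
```

Passing `'php'` as the extension to `export_hardened` throws instead of writing, which is the check the original handler lacked.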