Скачать или смотреть Clicker | Hack the Box | Malayalam | Walkthrough | HTB | Ethical hacking

Clicker is a Medium Linux box featuring a Web Application hosting a clicking game. Enumerating the box, an attacker is able to mount a public NFS share and retrieve the source code of the application, revealing an endpoint susceptible to SQL Injection. Exploiting this vulnerability, an
attacker can elevate the privileges of their account and change the username to include malicious PHP code. Accessing the admin panel, an export feature is abused to create a PHP file including the modified username, leading to arbitrary code execution on the machine as www-data .
Enumeration reveals an SUID binary that can access files under the home folder of the user jack . By performing a path traversal attack on the binary, the attacker is able to get the SSH key of jack , who is allowed to run a monitoring script with arbitrary environment variables with sudo . The monitoring script expects a response to a curl request in XML format. The attacker, by setting the http_proxy variable, is able to intercept and alter the response to the script, in order to include an XXE payload to read the SSH key of the root user. Finally, the attacker is able to use the SSH key and get access as the root user on the remote machine.


Link for Hack the box
https://affiliate.hackthebox.com/29ic...

Disclaimer :

All video’s and tutorials are for informational and educational purposes only. The tutorials and videos provided there is only for those who are interested to learn about Cyber security, Penetration Testing and malware analysis. Hacking tutorials is against misuse of the information and we strongly suggest against it.

All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.

1. Information provided on this Channel are for educational purposes only. This channel is no way responsible for any misuse of the information.
2. This Channel is all about ethical hacking.
3. This Channel is totally meant for providing information on “Computer Security”, “Computer Programming” and other related computer tricks and tweaks topics and is no way related towards the terms “CRACKING” or “HACKING” (Unethical).
4. I’ll include few blogs which may contain the information related to ‘Hacking Password’ or ‘Hacking email accounts’ or similar terms. You shall not misuse the information the information to gain unauthorised access. Also be aware, performing hack attempts without permission on computers that you do not own is illegal.
5. I’ll not be responsible for any direct or indirect damage caused due to the usage of the information provided on this site.
6. I reserve the right to modify the Disclaimer at any time without notice.


#parrotos
#kalilinux
#cybersecurity
#ethicalhackingmalayalam
#cybersecuritymalayalam
#ssrf
#sqlinjection
#suid