HackTheBox - Clicker

00:00 - Introduction 01:02 - Start of nmap and discovering NFS, which is hosting source code to the webserver 05:50 - Showing off the NFSClient Golang binary by Mubix, does not work here because NFS is Read-only 07:40 - Viewing the website for the first time, so we have an idea of what source code we are looking at 09:00 - Looking at the source code, Snyk doesn’t give us anything 11:45 - Looking at database queries and finding a Mass Assignment Vulnerability 13:30 - Discovering we need to assign ourselves to Admin 14:45 - Using a line break, to bypass the check against the Key, allowing us to pass in the Role 17:48 - Showing another way to set our Role To Admin through SQL Injection in the Value 21:52 - Viewing the Administration page, discovering how the export function works 25:00 - We can place PHP Code in NICKNAME for our user, which then the export function writes to a php file which then executes 30:12 - Running LinPEAS, discovering a SetUID Binary (execute_query)