
Trick, HackTheBox Walk-Through

In this post we walk through the steps for hacking the HackTheBox machine “Trick”. The machine is UNIX based and is rated “easy” by HTB users. We think a step-by-step solution of this machine is useful for pen-testers, so let’s start…

NMAP

The Nmap results are shown below. Four ports are open: 22 (SSH), 25 (SMTP), 53 (DNS) and 80 (HTTP).

  • 22/TCP open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
  • 25/TCP open smtp Postfix smtpd
  • 53/TCP open domain (DNS)
  • 80/TCP open http nginx 1.14.2

ENUMERATION

So we have four services: SSH, SMTP, DNS and HTTP. Nothing on the web service stands out at first, but since port 53 is open we can use dig to attempt a zone transfer (AXFR) and recover hostnames.

DNS – Enumeration

We add the discovered hostnames to /etc/hosts.

Navigating to the web page, we find an admin login form. After capturing the login POST request with Burp Suite, we use that request for an SQL injection attack.

Now we have a password but no username. Trying it with “admin” does not work, and brute-forcing with hydra does not work either. So we try fuzzing vhosts with ffuf.

We find a “marketing” vhost and add it to /etc/hosts as well. After adding it, we visit the new page:

I visited the page and looked through its source code, but found nothing. After clicking the links on the page, I noticed that “services.html” takes a “page=” parameter, so I tried an LFI attack using the “lfitester” tool, which you can find via a Google search.

The tool reports two working LFI payloads. We can also use ffuf to find payloads that return HTTP status 200 from the web page.

So the LFI works. First, try it in the browser and read the usernames from /etc/passwd:

We get a username. Trying it together with the password from the SQL injection on the admin login page didn’t work either. I then tried retrieving Michael’s SSH key through the LFI, and that was successful.
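The LFI above exists because the value of “page=” is used directly as a file path. The following Python is an added example, not code from the original post or from the box: it shows the unsafe resolution pattern beside a hardened resolver, plus a small check a defender can run over web-server access log lines to spot the same traversal attempts. The pages directory, the allowlist and the nginx log lines are constructed assumptions.

```python
import os
import re
from pathlib import Path
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Hypothetical document root of the marketing vhost (constructed value).
PAGES_DIR = Path("/var/www/marketing/pages")

# Bare names that services.html is allowed to include (constructed allowlist).
ALLOWED_PAGES = {"home", "about", "services", "contact"}


def vulnerable_resolve(page_param: str, pages_dir: Path = PAGES_DIR) -> str:
    """The pattern behind the LFI: the parameter is glued onto the document
    root with no validation, so "../" components walk out of it."""
    return os.path.normpath(os.path.join(str(pages_dir), page_param))


def resolve_page(page_param: str, pages_dir: Path = PAGES_DIR) -> Optional[Path]:
    """Hardened replacement: returns the file to include, or None if rejected.

    Two independent controls:
      1. the value must be one of a small set of bare page names, and
      2. the canonical path must still sit under pages_dir (defence in depth,
         so a later widening of the allowlist cannot reintroduce traversal).
    """
    if page_param not in ALLOWED_PAGES:
        return None
    base = pages_dir.resolve(strict=False)
    candidate = (base / f"{page_param}.html").resolve(strict=False)
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate


REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def find_traversal_attempts(log_lines: List[str]) -> List[Tuple[int, str]]:
    """Detection side: return (line number, decoded page value) for every
    request whose page parameter is not an allowlisted name. parse_qs
    percent-decodes the value, so %2e%2e%2f encodings are caught as well."""
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        for value in parse_qs(query, keep_blank_values=True).get("page", []):
            if value not in ALLOWED_PAGES:
                hits.append((lineno, value))
    return hits


# Constructed nginx access-log lines (192.0.2.x is the documentation range).
SAMPLE_ACCESS_LOG = [
    '192.0.2.10 - - [10/Jul/2022:12:00:01 +0000] "GET /services.html?page=about HTTP/1.1" 200 1024',
    '192.0.2.10 - - [10/Jul/2022:12:00:02 +0000] "GET /services.html?page=../../../../etc/passwd HTTP/1.1" 200 2310',
    '192.0.2.10 - - [10/Jul/2022:12:00:03 +0000] "GET /services.html?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 2310',
]

if __name__ == "__main__":
    print("naive   :", vulnerable_resolve("../../../../etc/passwd"))
    print("hardened:", resolve_page("../../../../etc/passwd"), resolve_page("services"))
    for lineno, value in find_traversal_attempts(SAMPLE_ACCESS_LOG):
        print(f"line {lineno}: suspicious page value {value!r}")
```

The allowlist is the real fix; the canonical-path check only backs it up. The log check deliberately flags every non-allowlisted value rather than searching for “../”, so encoded or otherwise disguised variants do not slip past it.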

With this key we can connect to the machine over SSH. After logging in we read “user.txt” and run the “id” and “sudo -l” commands; the results are shown in the image below.

The user is a member of the “security” group and can restart the fail2ban service as root without a password, which gives us a path to vertical privilege escalation. After some searching I found a page about “Privilege Escalation with fail2ban nopasswd”:

“https://systemweakness.com/privilege-escalation-with-fail2ban-nopasswd-d3a6ee69db49”

PRIVILEGE ESCALATION

You can escalate your privileges if you find a misconfigured Fail2ban on the server. Run the following command: “find /etc -writable -ls 2>/dev/null”

This lists the directories under /etc that we can write to; what we need is write access to /etc/fail2ban/action.d. We found the fail2ban configuration file, but we cannot modify it. As seen earlier, Michael belongs to the security group, so he has delete, create and write rights in that directory. So I wrote a bash script to make this action automatic and easier.

The bash script first removes the “iptables-multiport.conf” file and replaces it with a configuration prepared for the reverse shell, then restarts fail2ban. By default, when a user is banned, the action in “iptables-multiport.conf” is executed.

So we start a Netcat listener, run the bash script, and, to get banned so that “iptables-multiport.conf” fires, brute-force the SSH login with hydra; this gives us a reverse shell as root.
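From the defender’s side, the root cause is a fail2ban action directory that a non-root group can write to, paired with a passwordless sudo rule that lets the same group restart the service; either alone is survivable, together they hand out root. The following Python audit is an added example, not part of the original post: it walks a fail2ban configuration tree, flags anything writable by group or others or not owned by the expected account, and cross-checks sudoers lines for a passwordless restart. The temporary fixture it builds and the sample sudoers line are constructed stand-ins, not the box’s actual files.

```python
import os
import re
import stat
import tempfile
from pathlib import Path
from typing import List, Tuple

# Permission bits that let the group or everyone else write to a path.
NON_OWNER_WRITE = stat.S_IWGRP | stat.S_IWOTH

# Passwordless sudo rule that restarts fail2ban. Constructed pattern; the
# box's real sudoers entry is only described in prose on the page.
FAIL2BAN_RESTART_RE = re.compile(
    r"NOPASSWD:.*\bfail2ban\b.*\brestart\b|NOPASSWD:.*\brestart\b.*\bfail2ban\b"
)


def check_path(path: Path, expected_owner: int) -> List[Tuple[str, str]]:
    """Findings for one path: symlink, non-owner write bits, unexpected owner."""
    st = os.lstat(path)
    findings = []
    if stat.S_ISLNK(st.st_mode):
        findings.append((str(path), "symlink inside configuration tree"))
        return findings
    if st.st_mode & NON_OWNER_WRITE:
        findings.append((str(path), f"writable by group/others ({stat.filemode(st.st_mode)})"))
    if st.st_uid != expected_owner:
        findings.append((str(path), f"owned by uid {st.st_uid}, expected {expected_owner}"))
    return findings


def audit_config_tree(root: Path, expected_owner: int = 0) -> List[Tuple[str, str]]:
    """Walk a fail2ban configuration tree and collect permission findings.

    action.d/ matters most: its files define the commands fail2ban runs as
    root when a ban fires, so write access to it is write access to root's
    command line. Every directory and file in the tree is checked once.
    """
    findings = check_path(root, expected_owner)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            findings.extend(check_path(Path(dirpath) / name, expected_owner))
    return sorted(findings)


def sudo_allows_fail2ban_restart(sudoers_lines: List[str]) -> bool:
    """True if any non-comment sudoers line grants a passwordless fail2ban restart."""
    return any(FAIL2BAN_RESTART_RE.search(line)
               for line in sudoers_lines if not line.lstrip().startswith("#"))


def escalation_possible(findings: List[Tuple[str, str]], sudoers_lines: List[str]) -> bool:
    """The page's scenario: writable action.d plus a passwordless restart."""
    writable_action_d = any("action.d" in path and reason.startswith("writable")
                            for path, reason in findings)
    return writable_action_d and sudo_allows_fail2ban_restart(sudoers_lines)


def build_fixture() -> Path:
    """Constructed fail2ban tree: one group-writable directory and one file."""
    root = Path(tempfile.mkdtemp(prefix="fail2ban-audit-"))
    (root / "jail.local").write_text("[sshd]\nenabled = true\n")
    os.chmod(root / "jail.local", 0o644)
    action_d = root / "action.d"
    action_d.mkdir()
    os.chmod(action_d, 0o775)  # group can create, delete and replace actions
    (action_d / "iptables-multiport.conf").write_text("[Definition]\n# stand-in content\n")
    os.chmod(action_d / "iptables-multiport.conf", 0o644)
    (action_d / "custom.conf").write_text("[Definition]\n")
    os.chmod(action_d / "custom.conf", 0o664)
    return root


# Constructed sudoers lines standing in for the rule described on the page.
SAMPLE_SUDOERS = [
    "# User privilege specification",
    "root    ALL=(ALL:ALL) ALL",
    "%security ALL=(root) NOPASSWD: /etc/init.d/fail2ban restart",
]


def run_demo() -> Tuple[List[Tuple[str, str]], bool]:
    root = build_fixture()
    # The fixture is owned by whoever runs this, so that uid is the expected
    # owner here; on a real host keep the default of 0 (root).
    findings = audit_config_tree(root, expected_owner=os.getuid())
    return findings, escalation_possible(findings, SAMPLE_SUDOERS)


if __name__ == "__main__":
    found, possible = run_demo()
    for path, reason in found:
        print(f"{reason}: {path}")
    print("escalation possible:", possible)
```

On a real host, run `audit_config_tree(Path("/etc/fail2ban"))` with the default owner of 0; the mitigation is to make the tree root-owned and mode 0755/0644 throughout, and to drop any sudo rule that lets a non-root group restart the daemon. Restarting fail2ban is harmless only when the configuration it loads cannot be changed by the same account.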

Omer Faruk Kerman