top of page
BlueDolphin

Hack the Box - Trick

Enumeration


Summary

This machine initially required subdomain enumeration which opened the door for a new attack surface that was exploited with SQL injection using SQL Map. This provided user credentials from the user database which allowed for a login on the target web application. Further subdomain enumeration lead to a new web site and attack surface where we took advantage of directory traversal tailored to bypass a web application firewall.


This allowed for the extraction of a SSH key which was used to gain user level access to the Host. Performing initial enumeration uncovered the fail2ban application that had a group permissions that gave us folder access to the actions.d folder. This is an important folder called by fail2ban when taking restrictive action against an offender. We were able to modify a script that would fire when a user was unbanned and this allowed for RCE to root.


Tools used
  • WFUZZ

  • SQLMAP

  • Burpsuite

  • inpeas

  • Auto recon

  • Fail2ban

  • dig

  • whatweb

Processes/Techniques
  • Sub domain enumeration

  • SQL injection automation

  • Request proxying

  • Internal enumeration automation

  • External enumeration automation

  • Permissions abuse

  • DNS zone transfer


Enumeration

Starting off with Autorecon we notice five ports, TCP 22,25,53,80 and UPD 53.

We receive a DNS recon error when enumerating port 53 over UDP as we did not have the domain name. This again triggered on port 53 over TCP.


Auto Recon

Image - Autorecon


Basic Nmap Scan

Running our standard nmap scan reveals 4 ports.

Image - nmap results


Port 25 - SMTP enumeration login credentials found at 10.129.34.40:25/vrfy

Image - SMTP enumeration results


Port 53 - DNS recon

Image - Directory discovery


Port 80 - directory busting

Image - Directory discovery results


Port 80 - What web

└─$ cat tcp_80_http_whatweb.txt 
WhatWeb report for http://10.129.34.40:80
Status    : 200 OK
Title     : Coming Soon - Start Bootstrap Theme
IP        : 10.129.34.40
Country   : RESERVED, ZZ

Summary   : Bootstrap, HTML5, HTTPServer[nginx/1.14.2], nginx[1.14.2], Script

Detected Plugins:
[ Bootstrap ]
        Bootstrap is an open source toolkit for developing with
        HTML, CSS, and JS.

        Website     : https://getbootstrap.com/

[ HTML5 ]
        HTML version 5, detected by the doctype declaration


[ HTTPServer ]
        HTTP server header string. This plugin also attempts to
        identify the operating system from the server header.

        String       : nginx/1.14.2 (from server string)

[ Script ]
        This plugin detects instances of script HTML elements and
        returns the script language/type.


[ nginx ]
        Nginx (Engine-X) is a free, open-source, high-performance
        HTTP server and reverse proxy, as well as an IMAP/POP3
        proxy server.

        Version      : 1.14.2
        Website     : http://nginx.net/

HTTP Headers:
        HTTP/1.1 200 OK
        Server: nginx/1.14.2
        Date: Tue, 11 Oct 2022 23:00:36 GMT
        Content-Type: text/html
        Last-Modified: Wed, 23 Mar 2022 16:34:04 GMT
        Transfer-Encoding: chunked
        Connection: close
        ETag: W/"623b4bfc-1568"
        Content-Encoding: gzip

Re-Enumerate

We add trick.htb to our /etc/hosts folder and re-run auto recon.

Image - etc/hosts file


Reviewing the new results from Auto recon that have resulted from the DNS enumeration utilizing the DIG tool, across the FQDN name, yielded different results. We notice 2 new subdomains,.


preprod-payroll.trick.htb

root.trick.htb


Image - DNS DIG results


Web Enumeration

The website is totally empty and nothing stands out as a point of interest beyond an email address form, which offered nothing upon initial enumeration.

Image - Website landing page


Browsing to the root.tick.htb FQDN shows the same landing page and attack surface.

Image - root.trick.htb over http


We browse to the preprod-payroll.trick.htb FQDN and receive a new landing page with a new attack surface to enumerate. Trying default credentials lead nowhere, so I pivoted to SQLmap for further enumeration.

Image - preprod-payroll.trick.htb


SQLMAP

SQLmap has a fantastic function, where you can capture a web request and feed this to SQLMap. We were able to use burpsuite to intercept the login POST request, and save this locally feeding it to SQLMap. SQLMap was able to identify that the POST parameter for the login function was indeed vulnerable to SQL injection.

Image - SQLMap


From here we are able to pivot are initial SQLMap enumeration after learning the target is vulnerable to injection and hosts the mysql database management system. We change our function of SQLMap to reveal the specific database tables hosted on our target with the below command, The results reveal that our target is running 2 tables, an information_schema table which is standard by default, as well as a payroll_db table.


sqlmap -r request --dbms mysql --dbs
  • -r - calls a requests file with the URL and target parameter

  • --dbms - specifies a database management system

  • --dbs - calls the database enumeration function

Image - SQLMap



From here we are able to again pivot and target the specific tables within the payroll_db database. The results provide us with a dozen tables that we can start to dive in to with the intent to find sensitive information to help us establish a foothold on the target.


sqlmap -r request --dbms mysql -D payroll_db --tables
  • -r - calls a requests file with the URL and target parameter

  • --dbms - specifies a database management system

  • -D - Specifies a known database

  • --tables - calls the table enumeration function

Image - SQLMap


After enumerating the dozen tales, we find in the last table labled "users" there are credentials for a user.

sqlmap -r request --dbms mysql -D payroll_db -T users --dump
  • -r - calls a requests file with the URL and target parameter

  • --dbms - specifies a database management system

  • -D - Specifies a known database

  • -T - Specifies a known table


Image - Credentials found SuperGucciRainbowCake | Enemigosss


Initial foothold

We are able to login to the proprod webpage with those credentials found from our SQLMap enumeration of the users table in the payroll_db database.

Image - webapp login page


Web App Authenticated Enumeration

After looking around the web application it appears there is nothing clearly vulnerable. Pivoting into sub domain enumeration reveals there is a "marketing" subdomain.


wfuzz -c -w /usr/share/spiderfoot/spiderfoot/dicts/subdomains-10000.txt -u http://10.129.144.30 -H 'Host: preprod-FUZZ.trick.htb'

Image - Domain fuzzing


Browsing to preprod-marketing.trick.htb reveals a new landing web page.

Image - preprod-marketing.trick.htb



Inspecting the source code of the page reveals php queries from the index.php page. This is a potential target for directory traversal or command injection.

Image - page source code


Attempting to conduct directory traversal and command injection does not initially work. However when we take our directory traversal attempts to another layer by using payloads found on "all things payloads" we can use strings that are designed to bypass web application firewalls. Our desired payload is ..././ which tricks the WAF. The reason for this, the WAF looks for malicious patterns which are identified as ../ a natural part of a directory traversal. However, the vulnerability is in that the WAF removes the ../ pattern so when we pass the payload, the WAF removes the ..././ the characters highlighted in green leaving only the ../ characters behind which are passed to the backend.

Image - payload all things


Our target payload is successful in bypassing the WAF and we are able to confirm this be outputting the contents of the /etc/passwd file.

Image - contents of /etc/passwd


Looking around on the target host we eventually find in user Michaels directory, a ssh/id_rsa key.

Image - .ssh/id_rsa


From here we copy the RSA key and the formatting is off. So we leverage the curl command to download it in proper format. From here we

Image - Access as user Michael over SSH


Root

We start off our path to obtain elevated privileges with the linpeas script as usual.

Image - Linpeas results showing /etc/fail2ban/action.d


Reviewing our sudo permissions we learn that the user can run /etc/init.d/fail2bain restart as root.

Image - sudo permissions


Reviewing the fail2ban directory provides the additional files including our jail.conf file. This file stores standard configuration information for the fial2ban service. Reviewing the file permissions shows something out of place. This is the action.d folder which appears to have the root/security permission.


Image - fail2bain sub directory permissions


Reviewing the group permissions for Michael reveals that he is apart of the security group. From here we start to put the whole picture together.

Image - security groups for Michael


The jail config shows our ban actions for excessive connections.

image - jail.conf


The iptables-multiport.conf describes the actions for banning IP's that violate the connection rules. We can see at the bottom, we have something interesting.



image - iptables-multiport.conf


Lets attempt to fail a connection several times with pspy running.


image - pspy


We see this response upon failure

image - pspy


We can see our command executed, so let's target the flag as our shell is not working. We had to add out command to the actionban and actionunban,

image - pspy


Observed multiport running


image - pspy


It seems like we have to call /bin/bash


image - pspy


Finally I tired changing permissions on /bin/bash with

chmod +s /bin/bash


This then set the SUID permission on bash and we had access as root.



325 views0 comments

Recent Posts

See All

Comments


bottom of page