Trick

Trick is a tricky Linux machine; the name was a good choice, as I fell into a deep rabbit hole and wasted a lot of time getting my bearings. Privilege escalation was also time-based, so I had to be quick or it wouldn't work. It's an interesting box and I'm sure you'll find it fun too.

Enumeration

With Nmap we found four open ports

port 22 SSH

port 25 SMTP (mail)

port 53 DNS

port 80 HTTP

There are no known vulnerabilities in the versions of the running services, so we have to enumerate further.

A reverse DNS lookup with nslookup gives us the domain name trick.htb, which we add to the /etc/hosts file.

Heading to the website hosted at that domain, there is nothing to see, just a single page with dead links, typical.

And so, our enumeration continues.

...Wait a sec, we have a DNS port open, so why not try a zone transfer with dig?

A zone transfer (AXFR) is the process of copying the contents of the zone file from a primary DNS server to a secondary DNS server. If the server allows it from any client, it hands over every record in the zone. Read more here

The zone transfer is possible and reveals a subdomain, preprod-payroll.trick.htb, and that, ladies and gentlemen, is the rabbit hole that took hours off my existence LOL.

The rabbit hole is actually an admin login page, and I had to try different methods to get the admin username and password.

To save us time I'll just post screenshots of the rabbit hole and continue on the right track.

And that is the long sad journey of the rabbit hole. I thought I could exploit the XSS to retrieve data or get RCE, but not a chance.

Now back on the right track: the subdomain we found earlier was "preprod-payroll", so why not try fuzzing for more? Who knows what other preprod stuff these guys have.

Lo and behold, with the ffuf fuzzer there is another subdomain, preprod-marketing.trick.htb. Note the ffuf syntax.

Adding the subdomain to our hosts file and opening the address in our browser, we find this...

Clicking on the navigation buttons below the image, you'll notice the HTML file name parameter as seen below. This parameter is vulnerable to LFI (local file inclusion), and that is what we are going to attack.

Using a simple LFI payload as seen below, we were able to exploit the vulnerability, read /etc/passwd, and ultimately grab the SSH private key of the user michael.

Wondering how to tell which entries in /etc/passwd are real, interactive users? Look for a home directory under /home and a login shell such as /bin/bash at the end of the line; service accounts usually have /usr/sbin/nologin or /bin/false instead.

User

Exploiting the same LFI, we navigate to the user's private SSH key and grab it. Copy the key and save it under any name, but remember to restrict the file permissions to 600 with "chmod 600 filename", otherwise ssh will refuse to use it.

In my own case I saved the file as id_rsa_mike, and with the key I was able to log in to michael's account via SSH and grab the user flag.

Privilege Escalation

Privilege escalation is pretty straightforward but tricky. With sudo -l we can see that we can restart the fail2ban service as root without entering a password. fail2ban is a program that watches logs for repeated invalid logins and, after a configurable number of attempts, blocks the originating IP with a firewall rule for a configurable period of time.

We upload pspy to the victim machine to spy on running processes and scripts, and as seen below, a number of things are observed:

  • fail2ban files are being deleted from the /etc/fail2ban/* directory

  • A bash script located at /root/f2b.sh, which we can guess repopulates the deleted files

  • A chown command that changes the owner and group of the directory /etc/fail2ban/action.d to root and security respectively after it has been repopulated

Note that we are also a member of the security group.


Using Google, we found a fail2ban exploit posted on Medium.

So, how does the exploit work?

A fail2ban action file named iptables-multiport.conf, located in /etc/fail2ban/action.d, contains the commands that are run to ban an IP after several invalid login attempts (actionban) and to lift the ban afterwards (actionunban).

To exploit this, we create a copy of this file in a location where it won't be deleted and add our command to the actionban and actionunban variables. Since fail2ban runs as root, whatever is in those variables is executed as root the moment a ban is triggered.
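From the defender's side, the same mechanism makes the action files worth auditing. The following is an added example (not part of the writeup and not fail2ban's own tooling) that parses an action file and flags any chained command in the action hooks that is not a firewall call; the allowlist is an assumption tuned to the iptables-multiport action, and both sample configs are constructed.

```python
"""Integrity check for fail2ban action files (added example, not from the writeup).

fail2ban runs as root, so whatever sits in actionban/actionunban executes as
root every time a ban fires. This flags hooks that run anything but the firewall."""
import configparser
import re
import shlex

# First tokens a stock iptables-multiport action is expected to run.
# Assumption: tuned to this action type; nftables or route actions need their own.
ALLOWED = {"<iptables>", "iptables", "ip6tables", "grep"}
ACTION_KEYS = ("actionstart", "actionstop", "actioncheck", "actionban", "actionunban")


def parse_action_file(text):
    """Parse the INI-style action file; <tags> are literal, so disable %-interpolation."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def suspicious_actions(text):
    """Return (key, command) pairs for every chained command not in ALLOWED."""
    cp = parse_action_file(text)
    findings = []
    if not cp.has_section("Definition"):
        return findings
    for key in ACTION_KEYS:
        for line in cp.get("Definition", key, fallback="").splitlines():
            # Split on '|', ';', '&&' and '||' so a command appended after a
            # legitimate iptables call is inspected on its own.
            for seg in re.split(r"\|\||&&|[|;]", line):
                tokens = shlex.split(seg)
                if tokens and tokens[0] not in ALLOWED:
                    findings.append((key, seg.strip()))
    return findings


# Constructed samples: a benign action and one with an extra command
# appended as a continuation line of the unban hook.
CLEAN = """[Definition]
actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \\t]'
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
"""
TAMPERED = CLEAN + "    chmod u+s /bin/bash\n"

if __name__ == "__main__":
    for key, cmd in suspicious_actions(TAMPERED):
        print(f"{key}: unexpected command -> {cmd}")
```

Run it against each file in /etc/fail2ban/action.d (and diff the directory's ownership and mode against a known-good baseline) to catch a swapped action file before a ban ever fires.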

Now we create a payload that sets the SUID bit on /bin/bash. What is SUID? SUID (Set owner User ID upon execution) is a special type of file permission given to a file. Normally in Linux/Unix, when a program runs it inherits the access permissions of the logged-in user. With SUID set, the program runs with the permissions of the file's owner rather than those of the user who runs it. See here.

In order to trigger the IP ban, we'll use hydra to send invalid SSH logins to the machine.

First I removed the current iptables-multiport.conf file and replaced it with the copy that contains the payload; then I restarted the service and simultaneously started hydra to trigger an IP ban. This is the time-based part: the restart and the ban have to happen before the cleanup script overwrites the modified file.

If you recall, the payload grants us permission to run /bin/bash with the privileges of its owner, root, via SUID. To confirm the exploit worked, run ls -l on the binary and note the colour change as well as the "s" in the file permissions.

Just run /bin/bash -p and we are root.


Hope you enjoyed rooting this box as I did.