# TAKEAWAYS

- ALWAYS try simple SQLi, e.g., `username' or 1=1-- -` OR `password' or 1=1-- -`
- Copy the HTTP POST request to a file and use `sqlmap -r request.txt`
  - Once we note an SQLi vector and the DBMS type, let's restart the scan to find our privs
  - Then try to read files

```bash
sqlmap -r request.txt --dbms=mysql --technique=BEU --risk=3 --level=5 --privileges --batch
sqlmap -r request.txt --dbms=mysql --technique=BEU --risk=3 --level=5 --file-read=/etc/passwd --batch
```

- Try different fuzzing techniques, each with short and medium wordlists, i.e., directory, page, subdomain, vhost
- ALWAYS look to leak the webserver config file and the source of PHP files
  - These provide tremendous context, other enum leads, and filtering indicators
- Resist the impulse to brute force until either (A) we have a valid username/password or (B) we are at a dead end
- When we see DNS on a non-DC, think zone transfer
- When we see SMTP, think `smtp-user-enum` and sending an email to `/var/spool/mail/account` with a malicious payload (e.g., webshell for LFI)
- LFI is more useful when the URL includes the extension
  - Otherwise the webserver may be appending an extension to all requests, which may limit our LFI capabilities
- For improved presentation of `nmap` scans in the report, use the below

```bash
nmap -p<comma_separated_list> -sCV -oA nmap-detailed TARGET
xsltproc input.xml -o output.html
```

---

# Discover Ports & Services

- `nmap` scan - light ![[images/Pasted image 20260311204628.png]]
- `nmap` scan - detailed ![[images/Pasted image 20260311205059.png]]

# Port 80: Webserver

- nginx 1.14.2
- visit website ![[images/Pasted image 20260311204820.png]]
- page source ![[images/Pasted image 20260311205317.png]]
  - some indications of `bootstrap` version 5.1.3
  - no useful vulns from a Google search
- `nginx` version vulns ![[images/Pasted image 20260311213406.png]]
- `whatweb` scan ![[images/Pasted image 20260311205409.png]]
- `nikto` scan ![[images/Pasted image 20260311205804.png]]
- directory fuzzing
  - raft-medium ![[images/Pasted image 20260311210035.png]]
  - 2.3-medium ![[images/Pasted image 20260311210435.png]]
- getting nowhere fast
- it's odd that port 53 is open on a non-DC, let's look at that

# Port 53: DNS

- even though we are not sure of the domain name yet, add `trick.htb` to `/etc/hosts` and test
- that works
- try to grab the A record for `trick.htb` ![[images/Pasted image 20260311211610.png]]
- try to grab ANY records for `trick.htb` ![[images/Pasted image 20260312181527.png]]
- try to perform a zone transfer for `trick.htb` ![[images/Pasted image 20260311211622.png]]
- we have a leak of `preprod-payroll.trick.htb`
- run `dnsenum`

```bash
dnsenum --enum trick.htb -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -r
```

![[images/Pasted image 20260312194002.png]]

- visit `preprod-payroll.trick.htb`
- we have what looks like an admin login ![[images/Pasted image 20260311211802.png]]
- `whatweb` scan ![[images/Pasted image 20260312195019.png]]
- `nikto` scan ![[images/Pasted image 20260312195242.png]]
- we don't have usernames yet
- let's wait to brute this

# Renewed Webserver Enum

- after noticing `preprod-payroll.trick.htb` from the DNS zone transfer, let's do some more subdomain fuzzing on `FUZZ.trick.htb`
  - subdomains-top1million-5000 ![[images/Pasted image 20260311212402.png]]
  - subdomains-top1million-20000 ![[images/Pasted image 20260311212603.png]]
- try again with `preprod-FUZZ.trick.htb`
  - subdomains-top1million-20000 ![[images/Pasted image 20260312180026.png]]
- try vhost fuzzing against `preprod-FUZZ.trick.htb`
  - subdomains-top1million-20000 ![[images/Pasted image 20260312205229.png]]
  - new domain > `preprod-marketing.trick.htb` ![[images/Pasted image 20260312205323.png]]
- try with `preprod-payroll.trick.htb/FUZZ`
  - 2.3-medium ![[images/Pasted image 20260312180720.png]]
- try with `preprod-payroll.trick.htb/FUZZ.php`
  - 2.3-medium ![[images/Pasted image 20260312180824.png]]
- try with `preprod-payroll.trick.htb/FUZZ.txt`
  - 2.3-medium
- visit `http://preprod-payroll.trick.htb/users.php` ![[images/Pasted image 20260312180935.png]]
- visit `http://preprod-payroll.trick.htb/employee.php` ![[images/Pasted image 20260312180917.png]]
- visit `root.trick.htb` ![[images/Pasted image 20260312180005.png]]
  - looks the same as `trick.htb`

# Port 25: SMTP

- connect with `telnet` ![[images/Pasted image 20260311212741.png]]
- try `smtp-user-enum` ![[images/Pasted image 20260311213106.png]]
- try a few VRFY attempts ![[images/Pasted image 20260311213126.png]]
- try the msf `smtp_enum` module
  - set options ![[images/Pasted image 20260312181633.png]]
  - run ![[images/Pasted image 20260312182408.png]]
- try `smtp-user-enum` with the newly created `jsmith_username.txt`
  - RCPT ![[images/Pasted image 20260312183125.png]]
  - VRFY ![[images/Pasted image 20260312183147.png]]
- try `smtp-user-enum` with `Enemigosss` ![[images/Pasted image 20260312194442.png]]

---

# Foothold > `preprod-payroll`

## Bruteforce attempts

- Based on the above enum we have some leads for usernames to use on `preprod-payroll.trick.htb/login.php`
- We have one employee name, John C. Smith, and the username `Enemigosss`
- Try a random login ![[images/Pasted image 20260312181950.png]]
- try simple command injection > `;`, `&`, and `|` don't work ![[images/Pasted image 20260312182200.png]]
- Create a username list for John C Smith with `username-anarchy` ![[images/Pasted image 20260312182905.png]]
- Try brute forcing with `hydra` - nothing

```bash
sudo hydra preprod-payroll.trick.htb http-form-post "/login.php:username=^USER^&password=^PASS^:incorrect" -L jsmith_usernames.txt -P 2023-200_most_used_passwords.txt -V -f
sudo hydra preprod-payroll.trick.htb http-form-post "/login.php:username=^USER^&password=^PASS^:incorrect" -l Enemigosss -P 2023-200_most_used_passwords.txt -V -f
```

## SQLi

- username = `test' or 1=1-- -` and password = `test` brings us to the `Recruitment Management System` ![[images/Pasted image 20260313193222.png]]
- clearly there is an SQLi vuln
- Let's try to automate with `sqlmap`
- copy the POST request from `burp` into a text file ![[images/Pasted image 20260313193322.png]]

```txt
POST /ajax.php?action=login HTTP/1.1
Host: preprod-payroll.trick.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 41
Origin: http://preprod-payroll.trick.htb
Connection: keep-alive
Referer: http://preprod-payroll.trick.htb/login.php
Cookie: PHPSESSID=tnkkbcnlmje660jfj957phk3sj
Priority: u=0

username=test'+or+1%3D1--+-&password=test
```

- run `sqlmap` - potential time-based blind vuln

```bash
sqlmap -r http.txt
```

![[images/Pasted image 20260312202048.png]]

- backend is MySQL 5.0.12 (MariaDB fork)
- 11 tables in `payroll_db`
- check back later in `~/.local/share/sqlmap/output/preprod-payroll.trick.htb/dump`
- we have a password for `Enemigosss` ![[images/Pasted image 20260312205555.png]]
- This time-based blind is too slow
- Enumerate current db and user info with `--technique=BEU --risk=3 --level=5` ![[images/Pasted image 20260313193608.png]]
- Enumerate tables in `payroll_db` ![[images/Pasted image 20260313194423.png]]
- Dump the `users` table ![[images/Pasted image 20260313194511.png]]
- Attempt to read `/etc/nginx/sites-enabled/default` ![[images/Pasted image 20260313193832.png]]
  - Output is HEX but the file was saved in plaintext to `/home/jacob/.local/share/sqlmap/output/preprod-payroll.trick.htb/files/_etc_nginx_sites-enabled_default`
  - Here we see `preprod-payroll` in `/var/www/payroll` and `preprod-marketing` in `/var/www/market`
- Let's look at `/var/www/market/index.php` ![[images/Pasted image 20260313194123.png]]
  - Here we see that `../` is replaced with a null character without recursion
- Note

---

# Foothold > `preprod-marketing`

- `whatweb` scan ![[images/Pasted image 20260312210034.png]]
- try a test submission against `contact.html` ![[images/Pasted image 20260312205852.png]]
  - 405 error
- we have some names on `about.html` ![[images/Pasted image 20260312210112.png]]
- also notice that we are simply grabbing a new page using the `page` parameter
  - this could be a file inclusion vector
- send to repeater and change to a POST request for ease of manipulation
  - getting a 200 response but no leakage ![[images/Pasted image 20260312210500.png]]
- change back to a GET request > BINGO! ![[images/Pasted image 20260312211209.png]]
- I see a user `michael` with a bash login shell
- let's take a stab in the dark and try to read his `id_rsa` > BOOM! ![[images/Pasted image 20260312211516.png]]
- crap, the key is password protected ![[images/Pasted image 20260312211826.png]]
- after running in verbose mode, I see that we are falling back to password authentication and the key is not password protected
  - some issue with formatting the key when copy+pasting from `burp` maybe?
- instead run a `curl` command and pipe to a file

```bash
curl 'http://preprod-marketing.trick.htb/index.php?page=....//....//....//....//....//....//home/michael/.ssh/id_rsa' > id_rsa
```

---

# Privesc

- Initial internal enum ![[images/Pasted image 20260313194814.png]] ![[images/Pasted image 20260313195030.png]]
- We can restart `fail2ban` with `sudo`, which is a DoS protection mechanism for logins
- Let's google how to abuse this service
- We need to find the associated config file and see if we can write to it ![[images/Pasted image 20260313195340.png]]
  - Confirmed, since we are in the `security` group, which is a non-standard group
- Lots of config files in `/etc/fail2ban/action.d`
- Modify the `actionban` directive within `iptables-multiport.conf` to allow us to open a root shell ![[images/Pasted image 20260313195703.png]]
- Since we have `nc` on the box, let's copy `iptables-multiport.conf` to michael's home directory and include the following ![[images/Pasted image 20260313200148.png]]
- Now let's open a listener, overwrite the current config file with our modified version, restart the service, and get ourselves banned
  - Listener ![[images/Pasted image 20260313200242.png]]
  - Overwrite ![[images/Pasted image 20260313200540.png]]
  - Restart `fail2ban` using `init.d` ![[images/Pasted image 20260313200611.png]]
  - Get banned with `hydra` ![[images/Pasted image 20260313200829.png]]
- We have a shell as root! ![[images/Pasted image 20260313200844.png]]
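The privesc above hinges on `/etc/fail2ban/action.d/iptables-multiport.conf` being writable by the non-standard `security` group. As an added example (not code from the writeup or from fail2ban), this Python audit flags files under a fail2ban config tree that anyone other than the trusted owner could modify; `demo()` runs it over a constructed sample tree, whose file names and modes are assumptions.

```python
import os
import shutil
import stat
import tempfile

# Added example, not code from the original writeup or from fail2ban itself.
# Audits a fail2ban-style config tree for entries that a non-root user or
# group could modify. The root-owned service executes what action.d files
# say when a ban fires, so a group-writable iptables-multiport.conf is the
# exact condition the writeup exploited through the `security` group.

def is_risky(mode, uid, trusted_uid=0):
    """True if not owned by trusted_uid, or if group/other may write.
    Deliberately conservative: any group-write bit is reported."""
    return uid != trusted_uid or bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def risky_files(root, trusted_uid=0):
    """Relative paths under root that fail is_risky(); symlinks are skipped.
    Directories are checked too, since a writable directory lets a user
    replace the files inside it. Call with root="/etc/fail2ban" on a host."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if is_risky(st.st_mode, st.st_uid, trusted_uid):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def demo():
    """Constructed sample tree (not the real box); returns the flagged paths."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "action.d"), mode=0o755)
    samples = [("jail.local", 0o644),
               ("action.d/iptables-multiport.conf", 0o664),  # group-writable
               ("action.d/nftables-multiport.conf", 0o644)]
    for rel, mode in samples:
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("# constructed sample\n")
        os.chmod(path, mode)
    try:
        # Not running as root here, so our own uid stands in as trusted owner.
        return risky_files(root, trusted_uid=os.getuid())
    finally:
        shutil.rmtree(root)
```

On a real host, `risky_files("/etc/fail2ban")` with the default `trusted_uid=0` lists exactly the files a `security`-style group could tamper with.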
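Returning to the `page` parameter filter noted in `/var/www/market/index.php` earlier: this added Python example (not code from the writeup or the target application) models a single-pass removal of `../`, an approximation of the behaviour the writeup describes, beside a canonicalizing check that confines the resolved path to the web root; `WEB_ROOT` comes from the leaked nginx config, and the sample page name is an assumption.

```python
import os

# Added example, not code from the original writeup or the target application.
# Models the include filter the writeup found in /var/www/market/index.php
# (a single, non-recursive replacement of "../", approximated here as removal)
# beside a hardened check that canonicalizes the path and confines it to the
# web root instead of trying to strip dangerous substrings.

WEB_ROOT = "/var/www/market"  # from the nginx config leaked via sqlmap

def weak_filter(page):
    """Single-pass strip of '../', as the writeup describes.

    The replacement is not repeated, so '....//' loses one '../' and the
    leftover characters collapse back into '../': the filter is ineffective.
    """
    return page.replace("../", "")

def safe_page_path(page, base=WEB_ROOT):
    """Resolve `page` beneath `base` and return the absolute path, or None
    when it escapes `base` (via '..', an absolute path or a symlink) or names
    the root itself. Nothing is stripped, so there is no sequence to smuggle:
    the check runs on the fully canonicalized result.
    """
    base = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base, page))
    if target == base or os.path.commonpath([base, target]) != base:
        return None
    return target

if __name__ == "__main__":
    # Traversal string from the writeup's curl command, after the weak filter.
    collapsed = weak_filter("....//....//home/michael/.ssh/id_rsa")
    print("weak filter leaves  :", collapsed)
    print("hardened check gives:", safe_page_path(collapsed))
    print("legitimate page     :", safe_page_path("about.html"))
```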