Trick
Enumeration
Ports and Services
Software Installed:
Nmap Scan Results:
Gobuster preprod-payroll.trick.htb:
preprod-marketing.trick.htb
Port 80
URL: http://10.129.110.66
URL: http://preprod-payroll.trick.htb/login.php
URL: http://preprod-marketing.trick.htb/index.php?page=home.html
The main page has some hidden URLs:
WFUZZ on /index.php?page=
Visited /index.php?page=users
URL: http://preprod-payroll.trick.htb/manage_user.php?id=password
Port 53
CMD: dig -x 10.129.110.66 @10.129.110.66
Reverse Lookup
Zone transfer
Initial Foothold
The third domain, preprod-marketing.trick.htb, has an LFI in the page parameter. The ....// form survives a filter that strips ../ once:
http://preprod-marketing.trick.htb/index.php?page=....//....//....//....//etc/passwd
/home/michael/.ssh/id_rsa:
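The include above works because the application strips `../` in a single pass and then joins what is left onto its template directory. The following is an added example (not code from the write-up or from the box) that puts a minimal model of that flawed resolver next to a hardened one: the hardened version never tries to sanitise the string; it only accepts a plain file name with an allowed extension and checks the fully resolved path against the base directory. The base directory `/srv/www/pages` is an assumed value.

```python
import os

# Assumed location of the page templates; not a path from the box.
PAGES_DIR = "/srv/www/pages"
ALLOWED_SUFFIXES = (".html",)


def naive_strip_traversal(page: str) -> str:
    """The kind of filter that fails: one non-recursive removal of '../'.
    After one pass, '....//' collapses to '../' again."""
    return page.replace("../", "")


def vulnerable_resolve(page: str, base_dir: str = PAGES_DIR) -> str:
    """Model of the flawed pattern: filter, then join, then normalise.
    Returns the path the server would open."""
    cleaned = naive_strip_traversal(page)
    return os.path.normpath(os.path.join(base_dir, cleaned))


def hardened_resolve(page: str, base_dir: str = PAGES_DIR):
    """Allowlist-style resolver. Returns the absolute path of the page if it is
    a bare file name with an allowed extension that resolves inside base_dir,
    otherwise None. No attempt is made to 'clean' the input."""
    if not page or "\x00" in page:
        return None
    # Only flat names are served: no separators, no absolute paths.
    if "/" in page or "\\" in page:
        return None
    if not page.endswith(ALLOWED_SUFFIXES):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, page))
    # Containment is checked on the resolved path, so a symlink planted inside
    # the directory cannot point the include elsewhere either.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    payload = "....//....//....//....//etc/passwd"  # the form seen in the write-up
    print("after naive filter :", naive_strip_traversal(payload))
    print("vulnerable resolves:", vulnerable_resolve(payload))
    print("hardened resolves  :", hardened_resolve(payload))
    print("hardened home.html :", hardened_resolve("home.html"))
```

The vulnerable resolver lands on `/etc/passwd` for the payload; the hardened one returns `None` for it and only serves names such as `home.html`. The practical rule it encodes: do not filter traversal sequences, resolve the path and test containment, and keep the accepted input shape as narrow as the feature allows.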
User.txt Proof Screenshot
User.txt Contents
Privilege Escalation
https://youssef-ichioui.medium.com/abusing-fail2ban-misconfiguration-to-escalate-privileges-on-linux-826ad0cdafb7
Michael is a member of the security group.
The security group has read/write access to the /etc/fail2ban/action.d/ folder.
This step involves timing, and there is no shortcut.
Deleted the original /etc/fail2ban/action.d/iptables-multiport.conf, replaced it with my own version in which the ban action is a nc shell, and restarted the service.
There is a root cron script that apparently deletes all of the fail2ban configs every minute or so.
Gave my replacement config +r permissions.
CMD:
rm -rf /etc/fail2ban/action.d/iptables-multiport.conf && cp /home/michael/.tmp/iptables-multipleport.conf /etc/fail2ban/action.d/iptables-multiport.conf && sudo /etc/init.d/fail2ban restart
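The root cause here is ownership and mode bits on a configuration tree that a root daemon reads and executes from. The following is an added audit script (not part of the write-up or of fail2ban) that walks a fail2ban configuration tree, reports every directory or file a non-root account could change, and applies the remediation of stripping group/other write bits. The demo builds a constructed tree under a temporary directory that mirrors the write-up's situation (`action.d` and `iptables-multiport.conf` group-writable) instead of touching `/etc/fail2ban`; the filenames and contents in it are placeholders.

```python
import os
import stat
import tempfile

# Real location on a Debian-style host; the demo below uses a temp dir instead.
FAIL2BAN_DIR = "/etc/fail2ban"


def audit_fail2ban_tree(root=FAIL2BAN_DIR, expected_uid=0):
    """Return a sorted list of (path, reason) for every entry under root that
    a non-root user could modify: wrong owner, group/world write bit, symlink."""
    findings = []

    def check(path):
        st = os.lstat(path)
        if st.st_uid != expected_uid:
            findings.append((path, "owner uid %d != %d" % (st.st_uid, expected_uid)))
        if st.st_mode & stat.S_IWGRP:
            findings.append((path, "group-writable"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((path, "world-writable"))
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "symlink in config tree"))

    check(root)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            check(os.path.join(dirpath, name))
    return sorted(findings)


def harden_tree(root=FAIL2BAN_DIR):
    """Remediation: clear group and other write bits on every entry under root.
    Ownership is left alone (chown needs root and is a deliberate admin step)."""
    def strip_write(path):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            return
        perm = stat.S_IMODE(st.st_mode) & ~(stat.S_IWGRP | stat.S_IWOTH)
        os.chmod(path, perm)

    strip_write(root)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            strip_write(os.path.join(dirpath, name))


def build_demo_tree():
    """Constructed tree: action.d is group-writable and one action file is
    group-writable, the other has the root-style 0644 mode."""
    base = tempfile.mkdtemp(prefix="fail2ban-audit-")
    action_d = os.path.join(base, "action.d")
    os.mkdir(action_d)
    good = os.path.join(action_d, "iptables-allports.conf")
    bad = os.path.join(action_d, "iptables-multiport.conf")
    for path in (good, bad):
        with open(path, "w") as fh:
            fh.write("[Definition]\nactionban = # constructed placeholder\n")
    os.chmod(base, 0o755)
    os.chmod(action_d, 0o775)
    os.chmod(good, 0o644)
    os.chmod(bad, 0o664)
    return base


def demo():
    """Audit the constructed tree, harden it, audit again.
    Ownership is compared against the current user so that only the mode
    problems show up here; on a real host expected_uid stays 0."""
    base = build_demo_tree()
    me = os.getuid()
    before = [(os.path.relpath(p, base), r) for p, r in audit_fail2ban_tree(base, me)]
    harden_tree(base)
    after = [(os.path.relpath(p, base), r) for p, r in audit_fail2ban_tree(base, me)]
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after :", after)
```

Mode bits are only part of the story: the write-up's access may equally have been granted through a POSIX ACL, which `os.lstat` does not see, so pair this with `getfacl -R /etc/fail2ban` (or `find /etc/fail2ban -perm /022` for a quick mode-only sweep). A periodic restore job like the cron script on this box narrows the window but does not close it; the fix is that nothing the daemon executes as root is writable by a non-root group.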
After a few attempts I got a root shell:
Found ssh private key in root’s folder