bikupothen1615

#Trick


SCANNING


Initial Recon:

An nmap scan showed ports 22, 25, 53 and 80 open. Since port 80 was open we browsed to it and found the default web page. It did not give us much, so, with port 53 also open, we tried a DNS zone transfer.

The zone transfer revealed another host name, “preprod-payroll.trick.htb”.

Port 80 on that host gave us a login page. Going through its JavaScript we found a function that acts on the value returned for every login attempt, so using Burp we intercepted that response and changed the status code from 302 to 200, which got us inside.

Looking through the employee list we found a table with some default data and an id parameter. Checking it in Burp showed that id carries the value 9, so we ran sqlmap against that request.

sqlmap reported a privilege named FILE. After a little research we learned that the FILE privilege allows reading files on the server. Using it we read /etc/passwd and found our user, michael. With the same method we read another server file and found a further host name, “pre-prod-marketing.trick.htb”.









FOOTHOLD


We captured the request in Burp, tried an LFI, and were able to read /etc/passwd.

Using the LFI we then read the id_rsa file and went for an SSH connection.

With the SSH key and the open SSH port we logged in as Michael and got our first flag.



PRIVILEGE ESCALATION


Running sudo -l showed that our user can run fail2ban as root without a password, and that is our key to privilege escalation. While reading about fail2ban I found a Medium post about exploiting fail2ban to gain root access; we followed the same method.

Under /etc/fail2ban there is a file named ip-tables-multiport.conf. We copied that script into a new file named ip-tables.multiport.local, which also contains our netcat payload. After saving the file we ran sudo /etc/init.d/fail2ban restart, brute-forced SSH so that fail2ban would fire the ban action, and opened our netcat listener.

We got a hit on our listener as ROOT!!!

PWNED!!!!
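As an added defender-side check, not part of the original writeup, the following POSIX shell functions audit a fail2ban configuration tree for the condition this escalation depends on: action files or directories that a user other than the service owner can modify, and .local files that silently override the packaged .conf definitions. The directory and owner arguments are assumptions of this example; on a live host you would point it at /etc/fail2ban.

```shell
#!/bin/sh
# Added example (not from the writeup): audit a fail2ban config tree.
# fail2ban runs its action definitions as root, so a writable action file,
# or a writable directory where a NAME.local override can be dropped, lets
# a local user run arbitrary commands as root the next time a ban fires.

# audit_fail2ban_tree DIR [OWNER]
#   Prints every file or directory under DIR that is not owned by OWNER
#   (default root), or is writable by group or others. Returns 1 if
#   anything was printed, 0 if the tree is clean, 2 if DIR does not exist.
audit_fail2ban_tree() {
    dir="$1"
    owner="${2:-root}"
    if [ ! -d "$dir" ]; then
        echo "audit_fail2ban_tree: $dir is not a directory" >&2
        return 2
    fi
    # -perm -0002: writable by others; -perm -0020: writable by group
    hits=$(find "$dir" \( -type f -o -type d \) \
        \( ! -user "$owner" -o -perm -0002 -o -perm -0020 \) \
        -print 2>/dev/null)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# audit_fail2ban_count DIR [OWNER]
#   Number of offending paths, convenient for scripts and tests.
audit_fail2ban_count() {
    audit_fail2ban_tree "$1" "$2" | wc -l | tr -d ' '
}

# list_fail2ban_overrides DIR
#   fail2ban reads NAME.conf and then NAME.local, and the .local wins, so
#   every .local file is a local modification worth reviewing.
list_fail2ban_overrides() {
    find "$1" -type f -name '*.local' 2>/dev/null | sort
}
```

Running audit_fail2ban_tree /etc/fail2ban from a cron job or a configuration-management check, and reviewing the output of list_fail2ban_overrides after any package update, catches an injected .local action long before a ban event executes it.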

