Nmap scan:
We can add the trick.htb domain to /etc/hosts as per usual HTB practice.
The remaining ports yielded nothing of interest, and port 80 was just a corporate website with nothing to interact with. However, attempting a DNS zone transfer revealed another domain:
The preprod-payroll subdomain was new, and I headed there.
The page revealed some kind of application used to manage employee salary tracking.
Initially, I assumed there would be some kind of public exploit for this Employee Record system, and I found quite a few.
However, none of the exploits worked here, and I was stuck.
The whole payroll application was a rabbit hole, and I could not make anything work. As such, I started fuzzing subdomains again, but found nothing.
I then tried fuzzing with the preprod- prefix, and found a new domain:
The new page contained a load of filler content, and when clicking through the different tabs, a page parameter appears in the URL.
We can test this for a simple directory traversal exploit. The standard ../../../ did not work, but ....//....//....// worked instead.
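The ....// trick above is what a single-pass filter that strips ../ once falls to. As an added illustration that is not part of the original writeup, the snippet below reproduces that naive filter, shows the hardened alternative (normalise the joined path, then require it to stay under the web root), and adds a log-review heuristic; the web root and the page-parameter handling are assumed, not taken from the box.

```python
import posixpath
from typing import Optional

# Assumed document root for the "page" include; not taken from the machine.
WEB_ROOT = "/var/www/html"


def naive_sanitize(page: str) -> str:
    """Single-pass filter of the kind implied by the writeup: every '../' is
    removed once. Removing the inner '../' from '....//' leaves a fresh '../',
    so the sequence collapses back into a traversal after the filter ran."""
    return page.replace("../", "")


def resolve_naive(page: str) -> str:
    """Path the vulnerable include would open: strip, join, then let path
    normalisation collapse whatever '..' components survived."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, naive_sanitize(page)))


def resolve_safe(page: str) -> Optional[str]:
    """Hardened include: normalise the joined path first, then reject anything
    that does not remain beneath WEB_ROOT. No string stripping is involved, so
    there is no filter for an ordering trick to defeat. In a real application
    resolve symlinks with os.path.realpath before the prefix check."""
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, page))
    if candidate != WEB_ROOT and not candidate.startswith(WEB_ROOT + "/"):
        return None
    return candidate


def is_traversal_attempt(page: str) -> bool:
    """Log-review heuristic: flag a value if normalisation would leave WEB_ROOT,
    or if any path component consists of dots only ('..', '....'), which no
    legitimate page name uses. Catches the ....// variant even though it never
    actually escapes the root once the filter is gone."""
    if resolve_safe(page) is None:
        return True
    return any(part and set(part) == {"."} for part in page.split("/"))


if __name__ == "__main__":
    # Constructed sample values for the page parameter.
    for p in ("../../../etc/passwd", "....//....//....//etc/passwd", "about.html"):
        print(f"{p!r:34} naive -> {resolve_naive(p)}  safe -> {resolve_safe(p)}")
```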
With this, I attempted to read the private SSH key of the user michael.
Afterwards, we can simply SSH in as michael using this key.
When enumerating the user's permissions, we can see that he is a member of the security group.
Additionally, we are allowed to run fail2ban restart as root using sudo.
Fail2ban is a service that blocks an IP address after many failed connection attempts. The relevant configuration file is /etc/fail2ban/action.d/iptables-multiport.conf. Upon detecting a bannable action, the action script defined there is run to block the IP address.
On this machine we have permission to edit the configuration files for this service. As such, we can change the action that runs on a ban to spawn a reverse shell or create a SUID binary once we get 'banned'. We can force the modified action to execute by using hydra to brute force SSH many times.
This repo made it easy to exploit:
Rooted.