Hackthebox — Trick Walkthrough

Atalay Samet Ergen
7 min read · Oct 29, 2022

Run an nmap scan to see which ports are open and which services are running on them.

  • -sC: run default nmap scripts
  • -sV: detect service versions

The scan result shows the following open ports:

  • Port 22 running SSH
  • Port 25 running SMTP
  • Port 53 running DNS
  • Port 80 running HTTP

Let’s first visit the HTTP service.

We did some basic enumeration on the web service but did not find anything useful.

Run an ffuf scan.

Nothing interesting came out of the scan.

Since a DNS service is running, let's first add the domain to the hosts file so we can enumerate it.

We use the dig tool for DNS enumeration.

The dig output with the "any" query type reveals a subdomain. Take note of it so we can add it to our hosts file.

We also got another one: preprod-payroll.trick.htb.

Add them to the file.

First visit root.trick.htb. However, it shows us the same page.

The other subdomain we found gives us a login panel.

Use some SQL injection payloads. The one below worked well!

We logged in as Administrator.

We pick a user and click the Action button.

There is the password of the user Enemigosss. We need to unmask it.

After inspecting the page, we can see the password in clear text.

We tried to SSH with the credentials we got, but it failed every time. That means we need to enumerate more.

So far we have preprod-payroll.trick.htb, which suggests that the prod-payroll and payroll subdomains might exist as well. Makes sense, right?

Add them to the file.

We visit both pages, but neither works.

Time to get some help from wfuzz.

Add a filter in order to get clean results.

Nah, nothing interesting.

How about fuzzing FUZZ-payroll.trick.htb? Let's do it!

Well, the output only reveals something we already knew.

We use wfuzz with two different conditions at the same time.

PS: Note that the wordlist has been changed.

We did not get anything.

We know that enumeration is the key. Let's use another wordlist.

We did not get anything, again.

There is one more thing to try. How about fuzzing preprod-FUZZ.trick.htb? Let's try it!

Yes! We got something.

Add it to the file.

Visit the page.

The page shows the organisation, and we have a password that might belong to someone here.

We create a user wordlist and start a password spraying attack.

Interesting. The password does not seem to belong to anyone.

That means we need to dig in more.

Run a directory scan on both.

PHP is running on the web server, so we create another scan.

The scans did not give us any interesting directory.

Let’s try local file inclusion methods on the URL.

The first try is interesting.

We identified an LFI vulnerability in the web application.

User michael might have access to the server via SSH.

Let's find out whether there is a key.

We successfully retrieved the SSH key of user michael.

Copy and paste the key into a file called id_rsa, give it the right permissions, and try SSHing.

Voila! We are in as user michael.

We successfully capture the first flag.

The command below reveals that michael has the privilege to restart the fail2ban service as root without a password.

A useful post on abusing the Fail2ban service for privilege escalation. We will be referencing this post to escalate our privileges.

View /etc/fail2ban/jail.conf. We can see the default maximum number of retries before a ban occurs, which means 6 failed attempts are needed for the ban to trigger.

Prepare the reverse shell payload.

Netcat is listening on port 9999.

We need to add our reverse shell payload to the iptables-multiport configuration. However, only root has write permission on it.

This is the key point: note the file permissions on the action.d directory.

Since michael is in the security group, we can move and overwrite files in that directory.

Another command reveals that the security group has write permission on the action.d directory.

First, move the original iptables-multiport.conf to iptables-multiport.conf.bak, then create a new copy with the cp command. Because the new file is created by our user, we have write permission on it.

Add our reverse shell payload into the file.

We use hydra to generate failed logins and get ourselves banned.

By the way, the file contains the following passwords.

After a short time we successfully get our reverse shell back as root and capture the root flag.
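As a defender-side counterpart to the privilege escalation chain above, here is an audit script I added; it is not part of the walkthrough or of the Fail2ban project. It checks the two preconditions the chain relies on (a sudoers rule that lets fail2ban be restarted as root without a password, and an action.d directory writable by a non-root group or user) and offers a minimal hardening step. The default paths are the standard Debian locations; the function names, the owner/file parameters, the sample sudoers line and the sample directory tree in the usage section are my own assumptions and constructed test data.

```shell
#!/bin/sh
# Added example (not from the walkthrough): audit the preconditions of the
# Fail2ban action.d privilege escalation described above.

# Return 0 if no entry under the action.d directory is group- or world-writable
# and every entry is owned by the expected owner (root by default); return 1
# if a weak entry is found, 2 if the directory does not exist.
actiond_is_hardened() {
    dir="${1:-/etc/fail2ban/action.d}"     # assumed default location
    owner="${2:-root}"                     # override only for testing
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    # -perm -020: group write bit set; -perm -002: world write bit set
    weak=$(find "$dir" \( -perm -020 -o -perm -002 -o ! -user "$owner" \) -print)
    if [ -n "$weak" ]; then
        printf 'WARN: writable or not owned by %s:\n%s\n' "$owner" "$weak" >&2
        return 1
    fi
    return 0
}

# Remove group/world write bits; hand ownership back to root when run as root.
# This closes the "move the file and recreate it" trick used in the box.
harden_actiond() {
    dir="${1:-/etc/fail2ban/action.d}"
    chmod -R go-w "$dir"
    if [ "$(id -u)" -eq 0 ]; then
        chown -R root:root "$dir"
    fi
}

# Return 0 if a sudoers-style file grants a NOPASSWD rule mentioning fail2ban
# (comment lines are ignored), 1 if not, 2 if the file is unreadable.
# Remember that /etc/sudoers.d/* must be checked as well on a real host.
sudoers_grants_nopasswd_fail2ban() {
    file="${1:-/etc/sudoers}"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    grep -Ev '^[[:space:]]*#' "$file" | grep -Eq 'NOPASSWD:.*fail2ban'
}

# Run both checks against the live host and report a summary.
audit_host() {
    status=0
    if ! actiond_is_hardened; then
        echo "FAIL: action.d permissions allow a non-root user to replace actions"
        status=1
    fi
    if sudoers_grants_nopasswd_fail2ban; then
        echo "FAIL: sudoers lets someone restart fail2ban as root without a password"
        status=1
    fi
    for f in /etc/sudoers.d/*; do
        [ -f "$f" ] || continue
        if sudoers_grants_nopasswd_fail2ban "$f"; then
            echo "FAIL: $f grants NOPASSWD fail2ban"
            status=1
        fi
    done
    [ "$status" -eq 0 ] && echo "OK: no Fail2ban privesc preconditions found"
    return "$status"
}

# Run the live audit only when explicitly requested, so sourcing the file
# for the individual checks has no side effects.
if [ "${FAIL2BAN_AUDIT_RUN:-0}" = 1 ]; then
    audit_host
fi
```

Run `FAIL2BAN_AUDIT_RUN=1 sh audit.sh` as root to check a real host; the two check functions can also be pointed at a copied directory or file for offline review. The combination that matters is the conjunction: a NOPASSWD restart rule is only dangerous when the action files it reloads can be altered by the same user, which is exactly what the group-writable action.d directory provided here.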

Thank you for your time.

Originally published at http://atalaysblog.wordpress.com on October 29, 2022.
