In this post, I would like to share a walkthrough of the Trick Machine from Hack the Box

This room will be considered an Easy machine on Hack The Box

What will you gain from the Trick machine?

For the user flag, you will need to exploit SQL Injection that allows bypassing some authentication which we can read files from the system. We can also obtain an SSH key by taking advantage LFI attack

As for the root flag, you need to abuse fail2ban

Information Gathering on Trick Machine

Once we have started the VPN connection which requires a download from Hackthebox, we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

Let’s access the website interface

Nothing that we can look into the website itself

The website still didn’t show anything that can be used even though we add the host on the /etc/hosts

Let’s enumerate the website directory by using gobuster

We didn’t manage to see any directory that had been analyzed into

At this moment, I’ve stuck and cannot see any method for further escalation.

Let’s try to gather information by using the command above. However, we can sight two new subdomains

  • root.trick.htb
  • preprod-payroll.trick.htb

When accessing the website URL Address, we have been redirected to a login page. Sadly, we dont have any credentials that we can use over here.

Let’s try to enumerate it by using sqlmap. Therefore, let’s incept the packet using burpsuite and save it as login.req

There are two databases when i try to run the sqlmap command

As a result, let’s enumerate more on the payroll_db and found the tables as shown above

We have to retrieve the credentials that we can use later.

Let’s execute the command such as sqlmap -r login.req –file-read=/var/www/market/index.php

Finally, we managed to see the source code of the file

We also can obtain the information by using the curl command such as show above

Therefore, let’s grab the ssh private key using this method

This is weird! By default, we should be able to login into the machine via ssh service

My mistake! I mistype the username of the machine

We can read the user flag by typing the “cat user.txt” command

Escalate to Root Privileges Access

As usual, we need to find the binary SUID file to proceed to the next step.

Let’s see what file is been stored in the /etc/fail2ban/action.d directory

After a while, all the files inside the action.d went missing.

Let’s do some research on the fail2ban escalation method

We found some articles on the escalation method

Let’s execute the command above.

Next, we need to brute-force the ssh session by using hydra

After a while, we managed to get /bin/bash assigned to the SUID Binary

We can read the root flag by typing the “cat /root/root.txt” command

Extra Information

Leave a Reply

Your email address will not be published. Required fields are marked *