Trick writeup by evyatar9

Read my writeup of the Trick machine on:


User: By enumerating DNS using dig, we found the trick.htb and preprod-payroll.trick.htb sub-domains. According to the subdomain pattern, we found another subdomain, preprod-marketing.trick.htb, with a page that is vulnerable to LFI. Using that, we read the SSH private key of the michael user.

Root: By running sudo -l, we can see that we can restart the fail2ban service. We can also see that we are in the security group and can edit the /etc/fail2ban/action.d directory. Using that, we edit the actionban and actionunban in the file iptables-multiport.conf, trigger fail2ban by running a brute force against SSH, and get the root SSH private key.
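
A defender-side check for the misconfiguration in the Root step, added here as an example and not part of the original writeup: fail2ban runs its action commands as root, so any path under /etc/fail2ban that a non-root user can modify is a privilege boundary problem. The function name `audit_f2b` and the finding labels are made up for this example.

```shell
#!/bin/sh
# Added example: audit a fail2ban config tree for paths a non-root user
# could modify. audit_f2b and its labels are hypothetical names.
#
# usage: audit_f2b [DIR] [EXPECTED_OWNER_UID]
#   DIR defaults to /etc/fail2ban, owner defaults to 0 (root).
# Prints one finding per line; returns 1 if anything was found, else 0.
audit_f2b() {
    _dir=${1:-/etc/fail2ban}
    _owner=${2:-0}
    _findings=$(
        # A group- or world-writable directory lets its members delete and
        # recreate files inside it, even when the files are read-only.
        find "$_dir" -type d \( -perm -020 -o -perm -002 \) |
            sed 's/^/writable-dir /'
        # Config files that can be edited in place.
        find "$_dir" -type f \( -perm -020 -o -perm -002 \) |
            sed 's/^/writable-file /'
        # Anything not owned by the expected account.
        find "$_dir" ! -user "$_owner" |
            sed 's/^/foreign-owner /'
    )
    [ -z "$_findings" ] && return 0
    printf '%s\n' "$_findings"
    return 1
}
```

Run `audit_f2b /etc/fail2ban` as part of host hardening checks, and review sudoers entries that let unprivileged users restart the service alongside any finding.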