# Sau

## Enumeration

nmap:

```
22/tcp    open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7
80/tcp    filtered http
8338/tcp  filtered unknown
55555/tcp open     unknown
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     Allow: GET, OPTIONS
```

**Webpage1:**

<figure><img src="https://746814813-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fe1HXVppEt3OHWIFqtAXT%2Fuploads%2FixoNGiYca7wiHhzhQZza%2Fimage.png?alt=media&#x26;token=12e200a6-1b7f-4a64-9183-af47e047a1bb" alt=""><figcaption></figcaption></figure>

```
http://10.10.11.224:55555/web
nen1g1c
eWqHShIl5K4-X5-ML75QVaxMSzL7Mm9K6mtWca5AkMgD
```

You can create a basket and get a token. The service then logs every request sent to the basket path you created.

<figure><img src="https://746814813-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fe1HXVppEt3OHWIFqtAXT%2Fuploads%2FunHxHNeol6QSAJBcRx7E%2Fimage.png?alt=media&#x26;token=8a5d6f74-4071-4f13-8fa9-31801a36f57f" alt=""><figcaption></figcaption></figure>

## SSRF in Basket

This Basket service has a flaw that lets a basket forward incoming requests to other pages on the local host, i.e. an SSRF.

Since there are two firewalled local ports, I will try to use this PoC to get to them:

{% embed url="https://github.com/entr0pie/CVE-2023-27163" %}

```
./CVE-2023-27163.sh http://10.10.11.224:55555/ http://10.10.11.224:80/
```

Alright, let's see:

<figure><img src="https://746814813-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fe1HXVppEt3OHWIFqtAXT%2Fuploads%2Fj6LcQ6zjjtEA4zgl26r8%2Fimage.png?alt=media&#x26;token=28b11584-5e48-4535-b881-c099b5eeb6e1" alt=""><figcaption></figcaption></figure>

<figure><img src="https://746814813-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fe1HXVppEt3OHWIFqtAXT%2Fuploads%2F3F7mWGQVn5D4nBHN96Nv%2Fimage.png?alt=media&#x26;token=cd75b66f-3154-45c6-a406-82270d4eb234" alt=""><figcaption></figcaption></figure>

Doing the same for port 8228 shows the same page. It seems broken, but it revealed Maltrail as the backend service.
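A server-side check of the kind that would have closed this forwarding hole, added here as an example (my code, not request-baskets' or the PoC's): it validates a basket forward URL by resolving the host and rejecting anything that lands on loopback, private, link-local or IPv4-mapped addresses. The `CONSTRUCTED_HOSTS` table and `offline_resolver` are constructed so the demo runs without DNS; real use passes `dns_resolver`.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges a basket must never forward to: loopback (where this box's filtered
# services sit), RFC 1918, link-local (cloud metadata), unspecified, IPv6 kin.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]
ALLOWED_SCHEMES = {"http", "https"}

# Constructed host table so the demo runs offline; real use passes dns_resolver.
CONSTRUCTED_HOSTS = {"localhost": ["127.0.0.1", "::1"],
                     "example.com": ["93.184.216.34"]}

def offline_resolver(host):
    return CONSTRUCTED_HOSTS.get(host.lower(), [])

def dns_resolver(host):
    # Every A/AAAA record counts: one private answer among public ones fails it.
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []

def is_blocked_address(addr):
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is loopback in an IPv6 coat
    return any(ip in net for net in BLOCKED_NETWORKS)

def validate_forward_url(url, resolver=dns_resolver):
    """Return (ok, reason); ok only if scheme is HTTP(S) and no address is blocked."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname or ""  # brackets already stripped from IPv6 literals
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP: no lookup
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        return False, f"host {host!r} does not resolve"
    for addr in addrs:
        if is_blocked_address(addr):
            return False, f"{host} resolves to blocked address {addr}"
    # The forwarder must connect to one of `addrs`, not re-resolve (DNS rebinding).
    return True, "ok"
```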

## Maltrail RCE

The page seems to be vulnerable to an RCE, for which there is a PoC here: <https://github.com/spookier/Maltrail-v0.53-Exploit>

The vulnerability is an OS command injection in the username parameter of the login endpoint.

Although the page seems broken, the vulnerable directory exists.

<figure><img src="https://746814813-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fe1HXVppEt3OHWIFqtAXT%2Fuploads%2Fp3ZSfmpM8EtGUVIEdS65%2Fimage.png?alt=media&#x26;token=480e8f0d-994b-4cae-a0ee-5e8ff8d1f99d" alt=""><figcaption></figcaption></figure>

The PoC worked immediately.

<figure><img src="https://746814813-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fe1HXVppEt3OHWIFqtAXT%2Fuploads%2F2jJbIX1TY4RqfeTd8yqC%2Fimage.png?alt=media&#x26;token=942e41ab-cfe7-4423-b4ec-282284287518" alt=""><figcaption></figcaption></figure>

I could extract the SSH private key for the puma user, which is generally great for persistence.

## Privilege Escalation

I generated an SSH key, but a password is still required. There are no other users on the box, and the user is not a member of any interesting groups.

`sudo -l` reveals that the user can run one command with sudo without a password:

`sudo /usr/bin/systemctl status trail.service`

This might be the way:

{% embed url="https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/sudo/sudo-systemctl-privilege-escalation/" %}

I cannot edit the trail service: `-rwxr-xr-x 1 root root 461 Apr 15 2023 trail.service`

It was even easier than that: I could run the status command and just execute `!sh` in the pager to get a root shell.
