# Sau

## Enumeration

nmap:

```
22/tcp    open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7
80/tcp    filtered http
8338/tcp  filtered unknown
55555/tcp open     unknown
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     Allow: GET, OPTIONS
```

**Webpage1:**

<figure><img src="/files/UufwgLMFJeLcpkJauM7T" alt=""><figcaption></figcaption></figure>

```
http://10.10.11.224:55555/web
nen1g1c
eWqHShIl5K4-X5-ML75QVaxMSzL7Mm9K6mtWca5AkMgD
```

You can create a basket and get a token. The service then logs every request sent to the basket path you created.

<figure><img src="/files/xN1Z0OcPsVEUGsVvVuxA" alt=""><figcaption></figcaption></figure>

## SSRF in Basket

This basket service appears to have an SSRF issue: a basket can be configured to forward incoming requests to another URL, including local ones, so the service proxies traffic to ports that are not reachable from outside.

Since there are two filtered local ports, I will try to use this PoC to get to them:

{% embed url="https://github.com/entr0pie/CVE-2023-27163" %}

```
./CVE-2023-27163.sh http://10.10.11.224:55555/ http://10.10.11.224:80/
```

Alright, let's see.

<figure><img src="/files/6tzwY2yN87RIB1jm7foD" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/3UF61dNkuXX3W4thi93x" alt=""><figcaption></figcaption></figure>

Doing the same for port 8338 shows the same page. It renders broken, but it reveals Maltrail as the backend service.
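As an added, defender-side illustration of the forwarding problem described above (this is not request-baskets' or the PoC's own code): a validator that refuses a user-supplied forward URL whose destination resolves to loopback, private or otherwise internal addresses, which is exactly what lets a basket reach the filtered local ports. The name-to-address table is constructed so the check runs offline; a real deployment would use `resolve_all()`.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed host table for the offline demo (8.8.8.8 stands in for any public address).
DEMO_HOSTS = {"localhost": ["127.0.0.1"], "example.test": ["8.8.8.8"],
              "rebind.test": ["8.8.8.8", "127.0.0.1"]}  # one public and one loopback answer

def demo_resolver(host):
    if host not in DEMO_HOSTS:
        raise OSError(f"no such host: {host}")
    return [ipaddress.ip_address(a) for a in DEMO_HOSTS[host]]

def resolve_all(host):
    """Resolve host to every address it maps to (A and AAAA records)."""
    return [ipaddress.ip_address(i[4][0]) for i in socket.getaddrinfo(host, None)]

def is_internal(ip):
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip.is_multicast or ip.is_reserved)

def check_forward_url(raw, resolver=resolve_all):
    """Return (ok, reason) for a user-supplied forward URL."""
    try:
        parts = urlsplit(raw)
    except ValueError as exc:
        return False, f"unparseable url: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IPv4 or bracketed IPv6
    except ValueError:
        try:
            addrs = resolver(host)  # every answer must be external, not just the first
        except (OSError, ValueError) as exc:
            return False, f"cannot resolve {host!r}: {exc}"
    for ip in addrs:
        if is_internal(ip):
            return False, f"destination {ip} is internal"
    return True, "ok"
```

Checking every resolved address rather than only the first also refuses a name that answers with a public address alongside a loopback one.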

## Maltrail RCE

This Maltrail version appears to be vulnerable to an RCE, for which there is a PoC here: <https://github.com/spookier/Maltrail-v0.53-Exploit>

The vulnerability is an OS command injection in the `username` parameter of the login endpoint.

Although the page seems broken, the vulnerable directory exists.

<figure><img src="/files/6H7eqDkrLiyj2iOxP3Vn" alt=""><figcaption></figcaption></figure>

The PoC worked immediately.

<figure><img src="/files/UeeywIW2Wb9SHjB3RsRa" alt=""><figcaption></figcaption></figure>

I could extract the SSH private key for the puma user, which is generally great for persistence.

## Privilege Escalation

I generated an SSH key, but a password is still required. There are no other users on the box, and the user is not a member of any interesting groups.

`sudo -l` reveals that the user can run one command via sudo without a password:

`sudo /usr/bin/systemctl status trail.service`

This might be the way:

{% embed url="https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/sudo/sudo-systemctl-privilege-escalation/" %}

I cannot edit the trail service unit file: `-rwxr-xr-x 1 root root 461 Apr 15 2023 trail.service`

It was even easier than that: running the status command and entering `!sh` in the pager it opens gives a root shell, because the pager inherits the root privileges of the sudo'd `systemctl`.

