Sau

Personal Rating: Medium


Last updated 1 year ago

Enumeration

nmap:

22/tcp    open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7
80/tcp    filtered http
8338/tcp  filtered unknown
55555/tcp open     unknown
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     Allow: GET, OPTIONS

Webpage1:

http://10.10.11.224:55555/web
nen1g1c
eWqHShIl5K4-X5-ML75QVaxMSzL7Mm9K6mtWca5AkMgD

You can create a basket and get a token. It then seems to log requests to the directory you created.

SSRF in Basket

This Basket service seems to have an issue that allows forwarding to other local pages.

Since there are two firewalled local ports, I will try to use this PoC to get to them:

Alright, let's see.

Doing the same for port 8228 shows the same page. It seems broken, but it revealed Maltrail as the backend service.

Maltrail RCE

The vulnerability is an OS command injection in the username parameter of the login page.

Although the page seems broken, the vulnerable directory exists.

The PoC worked immediately.

I could extract the SSH private key for the puma user, which is generally great for persistence.

Privilege Escalation

I generated an SSH key, but a password is still required. There are no other users on the box. The user is not part of any interesting groups.

sudo -l reveals that the user can run one command via sudo without a password:

sudo /usr/bin/systemctl status trail.service

This might be the way.

I cannot edit the trail service: -rwxr-xr-x 1 root root 461 Apr 15 2023 trail.service

It was even easier than that: I could run the status command and just execute !sh in the pager to get a root shell.
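As an added defensive example (not part of this writeup), the following Python scans a constructed `ps -eo pid,ppid,user,comm` snapshot for exactly this pattern: a root shell whose parent is a root pager that systemctl started under sudo. All pids, users and process names in the sample are constructed.

```python
# Added example, not from the writeup: flag a root shell spawned from a pager that
# systemctl started under sudo (the "!sh in the pager" escape described above).
PAGERS = {"less", "more", "pager"}
SHELLS = {"sh", "bash", "dash", "zsh"}

def parse_ps(text):
    """Parse `ps -eo pid,ppid,user,comm` output into {pid: (ppid, user, comm)}."""
    procs = {}
    for line in text.strip().splitlines()[1:]:  # first line is the header
        pid, ppid, user, comm = line.split(None, 3)
        procs[int(pid)] = (int(ppid), user, comm)
    return procs

def ancestor_names(procs, pid):
    """Return the comm names walking from pid up to the root of the tree."""
    names, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        ppid, _user, comm = procs[pid]
        names.append(comm)
        pid = ppid
    return names

def find_pager_escapes(procs):
    """Return pids of root shells whose parent is a root pager under sudo + systemctl."""
    hits = []
    for pid, (ppid, user, comm) in sorted(procs.items()):
        if comm not in SHELLS or user != "root" or ppid not in procs:
            continue
        _p_ppid, p_user, p_comm = procs[ppid]
        if p_comm not in PAGERS or p_user != "root":
            continue
        chain = ancestor_names(procs, ppid)
        if "systemctl" in chain and "sudo" in chain:
            hits.append(pid)
    return hits

# Constructed snapshot: pid 1303 is the escape; pid 1401 is a benign user-owned shell.
SAMPLE_PS = """\
  PID  PPID USER     COMMAND
    1     0 root     systemd
 1250     1 puma     bash
 1300  1250 root     sudo
 1301  1300 root     systemctl
 1302  1301 root     less
 1303  1302 root     sh
 1400  1250 puma     less
 1401  1400 puma     sh
"""
```

Pinning the sudoers entry to `systemctl status --no-pager trail.service` removes the pager, and with it this escape.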

./CVE-2023-27163.sh
http://10.10.11.224:55555/
http://10.10.11.224:80/

The page seems to be vulnerable to an RCE, for which there is a PoC here:

https://github.com/spookier/Maltrail-v0.53-Exploit

References:

GitHub - entr0pie/CVE-2023-27163: Proof-of-Concept for Server Side Request Forgery (SSRF) in request-baskets (<= v1.2.1)
Sudo Systemctl Privilege Escalation | Exploit Notes (hideckies)