Sau

Personal Rating: Medium

Enumeration

nmap:

22/tcp    open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7
80/tcp    filtered http
8338/tcp  filtered unknown
55555/tcp open     unknown
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     Allow: GET, OPTIONS

Webpage1:

http://10.10.11.224:55555/web
nen1g1c
eWqHShIl5K4-X5-ML75QVaxMSzL7Mm9K6mtWca5AkMgD

You can create a basket and receive a token. The service then logs every request sent to the basket path you created.

SSRF in Basket

This basket service has a known SSRF issue (CVE-2023-27163) that lets a basket forward requests to other local pages.

Since the two filtered ports are likely only reachable locally, I will try to use this PoC to reach them through the SSRF:

./CVE-2023-27163.sh http://10.10.11.224:55555/ http://10.10.11.224:80/

Alright, let's see.

Doing the same for port 8228 shows the same page. It seems broken, but it revealed Maltrail as the backend service.

Maltrail RCE

The page appears to be vulnerable to an RCE, for which there is a PoC here: https://github.com/spookier/Maltrail-v0.53-Exploit

The vulnerability is an OS command injection in the username parameter of the login endpoint.

Although the page renders broken, the vulnerable login path still exists.

The PoC worked immediately.

I could extract the SSH private key for the puma user, which is generally great for persistence.

Privilege Escalation

I generated an SSH key, but a password is still required. There are no other users on the box, and the user is not a member of any interesting groups.

sudo -l reveals that the user can run one command as root without a password:

sudo /usr/bin/systemctl status trail.service

This might be the way.

I cannot edit the trail service unit file, since it is owned by root and not writable by others:

-rwxr-xr-x 1 root root 461 Apr 15 2023 trail.service

It was even easier than that: the status command opens its output in a pager, and executing !sh from the pager spawns a root shell.
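As a defensive counterpart to the escalation above, here is a small sudoers audit (added here, not part of the original writeup) that flags rules like the one on this box, where the granted command hands control to a pager. The sudoers content is constructed, and the verb list and result field names are my own assumptions.

```python
import re

# Constructed sample sudoers content (not taken from the box). The puma rule mirrors
# the Sau escalation: "systemctl status" under NOPASSWD, without --no-pager.
SAMPLE_SUDOERS = """\
Defaults env_reset
root  ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
puma  ALL=(ALL) NOPASSWD: /usr/bin/systemctl status trail.service
ops   ALL=(ALL) NOPASSWD: /usr/bin/systemctl --no-pager status trail.service
"""

# systemctl verbs whose output goes through a pager ($SYSTEMD_PAGER, default less)
# when stdout is a terminal. less allows shell escapes, and under sudo that shell
# runs as the target user. The verb list is an assumption covering common cases.
PAGED_SYSTEMCTL_VERBS = {"status", "list-units", "list-unit-files", "list-timers"}

RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+\S+?=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)

def find_pager_escapes(sudoers_text: str) -> list[dict]:
    """Return sudo rules whose command opens a pager and so permits a shell escape."""
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):  # a rule may list several commands
            argv = cmd.strip().split()
            if not argv or argv[0] == "ALL":
                continue
            binary = argv[0].rsplit("/", 1)[-1]
            if binary in {"less", "more", "man"}:
                pages = True
            elif binary in {"systemctl", "journalctl"}:
                pages = "--no-pager" not in argv and (
                    binary == "journalctl"
                    or any(v in PAGED_SYSTEMCTL_VERBS for v in argv[1:]))
            else:
                pages = False
            if pages:
                findings.append({
                    "user": m.group("user"), "runas": m.group("runas"),
                    "nopasswd": "NOPASSWD:" in m.group("tags"),
                    "command": " ".join(argv),
                    "fix": "add --no-pager" if binary in {"systemctl", "journalctl"}
                           else "do not expose pager-backed tools via sudo"})
    return findings
```

Note that sudo's default env_reset discards the caller's SYSTEMD_PAGER, so the fix belongs in the rule itself (the --no-pager form shown for the ops user), not in the user's environment.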
