Sau
Personal Rating: Medium
Enumeration
nmap:
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7
80/tcp filtered http
8338/tcp filtered unknown
55555/tcp open unknown
| HTTPOptions:
| HTTP/1.0 200 OK
| Allow: GET, OPTIONS
Webpage1:

http://10.10.11.224:55555/web
nen1g1c
eWqHShIl5K4-X5-ML75QVaxMSzL7Mm9K6mtWca5AkMgD
You can create a basket and get a token. The service then logs every request sent to the path you created.

SSRF in Basket
This basket service has an issue that allows it to forward requests to other, local, pages.
Since there are two firewalled local ports, I will try to use this PoC to reach them:
./CVE-2023-27163.sh http://10.10.11.224:55555/ http://10.10.11.224:80/
Alright, let's see.


Doing the same for port 8228 shows the same page. It looks broken, but it reveals Maltrail as the backend service.
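The forwarding bug above is a textbook SSRF: the service accepts a forward URL and fetches it without checking where it points, so a firewalled port on 127.0.0.1 becomes reachable from outside. As an added defensive example (not code from this page or from the basket project), here is the validation a forwarding feature needs before it proxies anything. The `resolver` parameter is a hypothetical injection point so the check can be exercised offline; everything else is standard library.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def resolve_all(host):
    """Resolve a hostname to every address it maps to (IPv4 and IPv6)."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def is_internal_address(ip_text):
    """True for any address a forward must never reach: loopback,
    private (RFC 1918 / ULA), link-local, unspecified, multicast, reserved.
    IPv4-mapped IPv6 (::ffff:127.0.0.1) is unwrapped so it cannot slip past."""
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip.is_multicast or ip.is_reserved)


def check_forward_url(url, resolver=resolve_all):
    """Return (allowed, reason) for a user-supplied forward target.

    Every resolved address must be public: a name that maps to one public
    and one internal address is rejected, which is what stops the
    "friendly hostname that resolves to 127.0.0.1" trick."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host.lower() == "localhost" or host.lower().endswith(".localhost"):
        return False, "localhost is blocked"
    try:
        # Literal IP in the URL (including bracketed IPv6): check it directly.
        targets = [str(ipaddress.ip_address(host))]
    except ValueError:
        # Otherwise resolve the name and check every address it yields.
        targets = resolver(host)
    if not targets:
        return False, "host does not resolve"
    for target in targets:
        if is_internal_address(target):
            return False, f"resolves to internal address {target}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed examples, not requests seen on the box.
    for candidate in ("http://127.0.0.1:80/", "http://[::1]:8338/",
                      "http://localhost:8338/", "ftp://example.org/"):
        print(candidate, check_forward_url(candidate))
```

Two caveats a practitioner should keep in mind: the check resolves the name once, so the HTTP client that performs the forward must connect to the address that was checked rather than resolving again (otherwise DNS rebinding defeats it), and the same check has to be applied to every redirect the forwarded request follows.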
Maltrail RCE
The page appears to be vulnerable to an RCE, for which there is a PoC here: https://github.com/spookier/Maltrail-v0.53-Exploit
The vulnerability is an OS command injection in the username parameter of the login endpoint.
Although the page looks broken, the vulnerable endpoint exists.
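The root cause of a bug like this is a login handler that builds a shell command string out of the submitted username. As an added example, written here and not taken from Maltrail's code base, this is the shape a hardened handler takes: the username is checked against an allowlist, and the log entry is passed to the system logger as an argv list so no shell ever parses it. The assumption that the handler records failed logins by invoking `logger(1)` is mine, made for illustration.

```python
import re
import subprocess

# Allowlist for account names: letters, digits, a few separators, bounded length.
# Anything else (;, |, `, $, quotes, newlines) is rejected before it goes anywhere.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.@-]{1,64}")


def validate_username(username):
    """Return the username unchanged if it matches the allowlist, else raise."""
    if not isinstance(username, str) or USERNAME_RE.fullmatch(username) is None:
        raise ValueError("username contains characters outside the allowlist")
    return username


def failed_login_argv(username, client_ip):
    """Build the argv used to record a failed login through logger(1).

    Each value is a separate argv element and subprocess is called without
    shell=True, so shell metacharacters in the input are plain data. The
    allowlist check runs first as defence in depth."""
    safe = validate_username(username)
    return ["logger", "-p", "auth.warning", "-t", "login-audit",
            f"failed login for user {safe!r} from {client_ip}"]


def log_failed_login(username, client_ip):
    """Emit the audit line. No shell is involved at any point."""
    subprocess.run(failed_login_argv(username, client_ip), check=False)


if __name__ == "__main__":
    # Constructed inputs, not traffic from the box.
    print(failed_login_argv("admin", "10.10.14.5"))
    try:
        failed_login_argv("admin;id", "10.10.14.5")
    except ValueError as exc:
        print("rejected:", exc)
```

The two measures are independent: the argv form alone already removes the injection, and the allowlist alone would block this payload but not necessarily every future one, so a reviewer should expect to see both.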

The PoC worked immediately.

I could extract the SSH private key for the puma user, which is generally great for persistence.
Privilege Escalation
I generated an SSH key, but a password is still required. There are no other users on the box. The user is not part of any interesting groups.
sudo -l
reveals that the user can run one command via sudo without a password:
sudo /usr/bin/systemctl status trail.service
This might be the way.
I cannot edit the trail service unit file: -rwxr-xr-x 1 root root 461 Apr 15 2023 trail.service
It was even easier than that: I could run the status command and just execute !sh in the pager to get a root shell.
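The escalation works because `systemctl status` hands its output to an interactive pager when run on a terminal, and the pager runs as root. The usual fix is to write the sudoers rule with `--no-pager`, since sudo only permits the exact argument list in the rule. As an added example (mine, not from the page or from any of the tools it names), here is a small audit that scans sudoers text for systemctl rules that invoke a paged verb without `--no-pager`, plus a helper that emits the hardened form of the rule. The sample sudoers content is constructed for the example.

```python
import re

# Constructed sample, not the contents of the box's sudoers file.
SAMPLE_SUDOERS = """\
# User privilege specification
root     ALL=(ALL:ALL) ALL
puma     ALL=NOPASSWD: /usr/bin/systemctl status trail.service
backup   ALL=NOPASSWD: /usr/bin/systemctl --no-pager status backup.service
www-data ALL=NOPASSWD: /usr/bin/systemctl restart nginx.service
"""

# systemctl verbs that page their output on a terminal.
PAGER_VERBS = {"status", "show", "cat", "list-units", "list-unit-files",
               "list-timers", "list-dependencies"}

# user  host=(runas) TAG: cmd, cmd ...   (runas and tags are optional)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)


def find_pager_escape_rules(sudoers_text):
    """Return (user, command) pairs for systemctl rules that let the user run a
    paged verb without --no-pager. Comments and Defaults lines are skipped."""
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        match = RULE_RE.match(line)
        if match is None:
            continue
        for cmd in match.group("cmds").split(","):
            tokens = cmd.split()
            if not tokens or not tokens[0].endswith("systemctl"):
                continue
            # First non-option token after the binary is the verb.
            verb = next((t for t in tokens[1:] if not t.startswith("-")), None)
            if verb in PAGER_VERBS and "--no-pager" not in tokens:
                findings.append((match.group("user"), " ".join(tokens)))
    return findings


def add_no_pager(cmd):
    """Return the command with --no-pager inserted right after the binary."""
    tokens = cmd.split()
    if "--no-pager" in tokens:
        return " ".join(tokens)
    return " ".join([tokens[0], "--no-pager"] + tokens[1:])


if __name__ == "__main__":
    for user, cmd in find_pager_escape_rules(SAMPLE_SUDOERS):
        print(f"{user}: {cmd}  ->  {add_no_pager(cmd)}")
```

Note that the rule must name `--no-pager` explicitly; relying on the caller's environment does not help, because sudo resets the environment by default and the user could set `SYSTEMD_PAGER` themselves if it were kept.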