Sau is an Easy Difficulty Linux machine that features a Request Baskets instance vulnerable to Server-Side Request Forgery (SSRF) via [CVE-2023-27163](https://nvd.nist.gov/vuln/detail/CVE-2023-27163). Leveraging that vulnerability, we reach a Maltrail instance that is vulnerable to unauthenticated OS Command Injection, which gives us a reverse shell on the machine as puma. A sudo misconfiguration is then exploited to gain a root shell.
- Area of Interest: Web Application Injections
- Technology: Request Baskets, Maltrail
- Vulnerabilities: OS Command Injection, Server Side Request Forgery (SSRF)
- Security Tools: Netcat, Nmap
- Languages: Bash
- Techniques: Reconnaissance, SUDO Exploitation
- CVE: CVE-2023-26604, CVE-2023-27163
Task 0 - Deploy machine
🎯 Target IP: 10.129.229.26
Create a directory on the Desktop with the machine's name, and inside this directory, create another directory to store the materials and outputs needed to run the machine, including the scans made with nmap.
Task 1 - Reconnaissance
```bash
su
echo "10.129.229.26 sau.htb" >> /etc/hosts
mkdir -p htb/sau.htb
cd htb/sau.htb
mkdir {nmap,content,exploits,scripts}

# At the end of the room:
# remove the last line (the sau.htb entry) from /etc/hosts
sed -i '$ d' /etc/hosts
```
I prefer to start recon by pinging the target; this checks connectivity and gives a first hint about the OS.
```bash
ping -c 3 sau.htb
```

```text
PING sau.htb (10.129.229.26) 56(84) bytes of data.
64 bytes from sau.htb (10.129.229.26): icmp_seq=1 ttl=63 time=61.0 ms
64 bytes from sau.htb (10.129.229.26): icmp_seq=2 ttl=63 time=59.5 ms
64 bytes from sau.htb (10.129.229.26): icmp_seq=3 ttl=63 time=60.0 ms
```
From these three ICMP replies we see a Time To Live (TTL) of ~64 (63 observed, since each router on the path decrements it by one; TTL is a hop count, not a time). This indicates that the target is most likely a *nix system, while Windows systems usually start with a TTL of 128.
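The reasoning behind that OS guess, as an added example that is not part of the original writeup: the snippet below parses the ping replies shown above, rounds the observed TTL up to the nearest common default, and reports the implied initial TTL and hop count. The table of default TTLs is a heuristic assumption for this example, not a guarantee.

```python
import re

# Common default initial TTLs by OS family. This mapping is a heuristic
# assumption for the example; vendors and admins can change the default.
DEFAULT_TTLS = {64: "Linux/Unix", 128: "Windows", 255: "Network device/Solaris"}

TTL_RE = re.compile(r"\bttl=(\d+)\b")


def infer_from_ttl(observed):
    """Return (os_family, initial_ttl, hops) for an observed TTL value.

    Each router decrements TTL by one, so the initial value is the smallest
    default that is >= the observed value, and the difference is the number
    of hops between us and the target.
    """
    for initial in sorted(DEFAULT_TTLS):
        if observed <= initial:
            return DEFAULT_TTLS[initial], initial, initial - observed
    return "unknown", None, None


def analyse_ping(output):
    """Parse ping replies and return the inference for each reply's TTL."""
    results = []
    for line in output.splitlines():
        m = TTL_RE.search(line)
        if m:
            results.append(infer_from_ttl(int(m.group(1))))
    return results


# Sample input: the ping replies from the scan above in this writeup.
PING_OUTPUT = """\
PING sau.htb (10.129.229.26) 56(84) bytes of data.
64 bytes from sau.htb (10.129.229.26): icmp_seq=1 ttl=63 time=61.0 ms
64 bytes from sau.htb (10.129.229.26): icmp_seq=2 ttl=63 time=59.5 ms
64 bytes from sau.htb (10.129.229.26): icmp_seq=3 ttl=63 time=60.0 ms
"""

if __name__ == "__main__":
    for family, initial, hops in analyse_ping(PING_OUTPUT):
        print(f"{family}: initial TTL {initial}, {hops} hop(s) away")
```

A host that tunes its TTL, or a path longer than 64 hops, breaks this heuristic, so treat the result as a hint to confirm with the nmap scan rather than as a fact.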
1.1 - Which is the highest open TCP port on the target machine?
```text
PORT      STATE    SERVICE REASON
22/tcp    open     ssh     syn-ack ttl 63
80/tcp    filtered http    no-response
8338/tcp  filtered unknown no-response
55555/tcp open     unknown syn-ack ttl 63
```
| Flag | Meaning |
|------|---------|
| -sS | SYN scan |
| -sC | run default scripts |
| -sV | enumerate versions |
| -A | aggressive mode |
| -T4 | run a bit faster |
| -oN | output to file in nmap's normal format |
It looks like there are 2 open TCP ports on the machine (22 and 55555) and 2 filtered TCP ports (80 and 8338).
55555
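Pulling the answer out of the scan file programmatically, as an added example that is not part of the original writeup: the Python below parses the port lines of nmap's normal (-oN) output shown above, groups ports by state and returns the highest open TCP port. It assumes the port-line layout seen in this scan (port/proto, state, service, optional reason).

```python
import re

# Port lines in nmap's normal (-oN) output look like:
#   22/tcp open ssh syn-ack ttl 63
#   80/tcp filtered http no-response
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap_ports(text):
    """Return one dict per port line found in nmap normal output."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # header, banner or script output: not a port line
        port, proto, state, service, reason = m.groups()
        ports.append({"port": int(port), "proto": proto, "state": state,
                      "service": service, "reason": (reason or "").strip()})
    return ports


def ports_by_state(ports, proto="tcp"):
    """Group port numbers by nmap state for one protocol, e.g. {'open': [22, 55555]}."""
    grouped = {}
    for p in ports:
        if p["proto"] == proto:
            grouped.setdefault(p["state"], []).append(p["port"])
    return {state: sorted(nums) for state, nums in grouped.items()}


def highest_open_tcp(ports):
    """Answer the 'highest open TCP port' question; None if nothing is open."""
    open_tcp = ports_by_state(ports).get("open", [])
    return max(open_tcp) if open_tcp else None


# Sample input: the port table from the scan above in this writeup.
NMAP_OUTPUT = """\
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 63
80/tcp filtered http no-response
8338/tcp filtered unknown no-response
55555/tcp open unknown syn-ack ttl 63
"""

if __name__ == "__main__":
    found = parse_nmap_ports(NMAP_OUTPUT)
    print(ports_by_state(found))
    print("highest open TCP port:", highest_open_tcp(found))
```

Keeping open and filtered ports apart matters for the next step: "filtered" means no response at all, usually a firewall, so those services are not reachable directly from our side even though they exist on the host.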
1.2 - What is the name of the open source software that the application on 55555 is "powered by"?
Then, we can proceed to analyze services active on open ports:
2.2 - There is an unauthenticated command injection vulnerability in MailTrail v0.53. What is the relative path targeted by this exploit?
Googling 'MailTrail v0.53' we discover that it is vulnerable to an unauthenticated OS Command Injection (RCE): the username parameter of the login page is not properly sanitized, allowing an attacker to inject OS commands. The public exploit creates a reverse shell payload, encodes it in Base64 to bypass potential protections such as a WAF, IPS or IDS, and delivers it to the target URL with a curl command. The payload is then executed on the target system, establishing a reverse shell connection back to the attacker's specified IP and port.
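From the defender's side, the two details that matter are that the username field reaches a shell unsanitized and that the payload is Base64-encoded precisely to slip past naive pattern matching. The Python below is an added example, not Maltrail's code or the exploit: `inspect_username` is a hypothetical WAF/log-review check that flags shell metacharacters in the raw value and also decodes long Base64 runs to look inside them, and `validate_username` is the allowlist check an application should apply before a form field gets anywhere near a command. The sample values are constructed, not traffic from the machine.

```python
import base64
import re

# Shell metacharacters that have no business in a login name.
SHELL_META = re.compile(r"[;|&`$<>\n\r]")
# Long base64-looking runs; encoded commands tend to show up as one of these.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Words that make decoded text look like a command rather than a random blob.
SHELL_WORDS = re.compile(r"\b(sh|bash|nc|curl|wget|python|perl)\b")
# Allowlist used by the hardened handler (assumed policy for this example).
USERNAME_OK = re.compile(r"[A-Za-z0-9._-]{1,64}")


def decode_b64_runs(value):
    """Yield the text of every base64 run in value that decodes to clean ASCII."""
    for run in B64_RUN.findall(value):
        try:
            text = base64.b64decode(run, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not really base64, or binary: nothing to inspect
        if all(c.isprintable() or c.isspace() for c in text):
            yield text


def inspect_username(value):
    """Return the reasons (possibly none) the value looks like command injection."""
    reasons = []
    if SHELL_META.search(value):
        reasons.append("shell metacharacter in raw value")
    for text in decode_b64_runs(value):
        if SHELL_META.search(text) or SHELL_WORDS.search(text):
            reasons.append(f"base64 run decodes to shell-like text: {text!r}")
    return reasons


def validate_username(value):
    """Hardened input check: accept only allowlisted characters, reject the rest."""
    return USERNAME_OK.fullmatch(value) is not None


# Constructed sample values (not traffic captured from the machine).
SAMPLES = [
    "puma",
    "john.doe-1",
    "admin;id",
    base64.b64encode(b"id; uname -a").decode(),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r}: valid={validate_username(s)} flags={inspect_username(s)}")
```

The allowlist is what actually closes the hole: without metacharacters the shell has nothing to interpret, and a value that must be part of a command should in any case be passed as a separate argument rather than interpolated into a command string. The Base64 decoder belongs on the detection side, where a reviewer wants to see what an encoded request was trying to run rather than just that it was rejected.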