Academy is an easy-rated Linux machine from HackTheBox, created by sau123. In this post my IP is 10.10.14.16 and the target IP is 10.10.11.224.
This machine is quite linear. During reconnaissance you open the website and can see what it is and its version. Some investigation turns up an easily exploitable SSRF (Server-Side Request Forgery) vulnerability, which reveals a second site behind a filtered port; there you again look for a specific exploit to get into the system. Privilege escalation is straightforward, and the steps are part of a generic privilege escalation checklist.
Recon
The first steps are about getting basic information about the target, by using nmap and searching information from the website.
Local Terminal
$ ping -c 1 10.10.11.224
PING 10.10.11.224 (10.10.11.224) 56(84) bytes of data.
64 bytes from 10.10.11.224: icmp_seq=1 ttl=63 time=167 ms
--- 10.10.11.224 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 166.632/166.632/166.632/0.000 ms
The TTL of 63 suggests a Linux machine (default TTL 64, minus one hop).
Local Terminal
$ nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn -oN Ports 10.10.11.224
Nmap scan report for 10.10.11.224
Host is up, received user-set (0.17s latency).
Scanned at 2023-07-17 11:09:07 -04 for 16s
Not shown: 65531 closed ports, 2 filtered ports
Reason: 65531 resets and 2 no-responses
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 62
55555/tcp open unknown syn-ack ttl 62
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 16.01 seconds
Raw packets sent: 77813 (3.424MB) | Rcvd: 77038 (3.082MB)
Local Terminal
$ nmap -sCV -p 22,55555 10.10.11.224 -oN Target
Nmap scan report for 10.10.11.224
Host is up (0.17s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
55555/tcp open unknown
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| X-Content-Type-Options: nosniff
<...>
Neither scan shows anything else relevant, but browsing to "http://10.10.11.224:55555" brings up a request-baskets site, version 1.2.1.
If you search for "request-baskets version 1.2.1 exploit" you will find an SSRF exploit.
The exploit needs a specific basket configuration; follow its instructions.
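The SSRF above works because the basket can be told to forward incoming requests to an arbitrary URL, including services bound to loopback or to the internal network. The defensive counterpart is to validate that forward target before accepting the basket configuration. The following checker is an added example written for this post, not code from request-baskets; the field name forward_url, the blocked ranges, and the sample basket configuration are all assumptions made for illustration.

```python
from __future__ import annotations

import ipaddress
from typing import Callable, Iterable, Optional
from urllib.parse import urlsplit

# Address ranges a forward target must never resolve to (assumed policy for this
# example; a real deployment would add its own internal ranges).
_BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# A resolver maps a hostname to the IP strings it resolves to. It is injected so
# the check can be exercised offline and so a real deployment can pin DNS answers.
Resolver = Callable[[str], Iterable[str]]


def forward_url_problems(url: str, resolver: Optional[Resolver] = None) -> list[str]:
    """Return the reasons a forward URL should be rejected; an empty list means it is acceptable."""
    problems: list[str] = []
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        problems.append(f"scheme {parts.scheme!r} not allowed")
    host = parts.hostname
    if not host:
        problems.append("no host in URL")
        return problems
    if host == "localhost" or host.endswith(".localhost"):
        problems.append("loopback hostname")
    try:
        addrs = [ipaddress.ip_address(host)]          # IP literal, incl. bracketed IPv6
    except ValueError:
        if resolver is None:                           # fail closed: unresolved names are rejected
            problems.append("hostname could not be resolved (no resolver)")
            return problems
        addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        if not addrs:
            problems.append("hostname resolved to no addresses")
    for addr in addrs:
        # IPv4-mapped IPv6 (::ffff:10.0.0.5) must be judged as the IPv4 address it wraps
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        if any(addr in net for net in _BLOCKED_NETWORKS):
            problems.append(f"{addr} is in a blocked internal range")
    return problems


def is_safe_forward_url(url: str, resolver: Optional[Resolver] = None) -> bool:
    return not forward_url_problems(url, resolver)


def check_basket_config(config: dict, resolver: Optional[Resolver] = None) -> list[str]:
    """Validate the (assumed) forward_url key of a basket configuration; no forward target is fine."""
    url = config.get("forward_url")
    return forward_url_problems(url, resolver) if url else []


if __name__ == "__main__":
    # Constructed sample configurations, not taken from any real basket
    samples = [
        {"forward_url": "http://127.0.0.1:80/login"},
        {"forward_url": "https://hooks.example.com/basket"},
        {"forward_url": ""},
    ]
    fake_dns = lambda host: ["93.184.216.34"]
    for cfg in samples:
        print(cfg, "->", check_basket_config(cfg, fake_dns) or "ok")
```

The check fails closed: a hostname that cannot be resolved is rejected rather than passed through, and IPv4-mapped IPv6 literals are unwrapped so they cannot be used to slip past the IPv4 block list.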
Reverse Shell [Puma]
Now open http://10.10.11.224:55555/4wjs085 in your browser. The forwarded site is running Maltrail; searching for it turns up an exploit against its login page, so we need to change the basket configuration and send a POST request with curl.
We need three terminals: one serving the reverse shell with http.server, one listening for the connection, and a third to run the exploit.
Now your third local terminal (C) holds a shell as "puma" on the target; remember to do a TTY upgrade.
Target Terminal [puma]
cat /home/puma/user.txt
Privilege Escalation
Target Terminal [puma]
puma@sau:/opt/maltrail$ id
id
uid=1001(puma) gid=1001(puma) groups=1001(puma)
puma@sau:/opt/maltrail$ sudo -l
sudo -l
Matching Defaults entries for puma on sau:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User puma may run the following commands on sau:
(ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service
systemctl status trail.service runs as root without a password (NOPASSWD); let's see what we can do with it.
Target Terminal [puma]
$ sudo /usr/bin/systemctl status trail.service
$ !sh
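The escalation works because systemctl status hands its output to a pager (less), and the pager runs as root, so the rule should never have been granted in that form. The script below is an added example for this post, not part of any tool on the machine: it parses sudo -l output like the one above, flags rules that spawn a pager or editor under sudo, and suggests the --no-pager form that avoids the pager entirely. The lists of paging subcommands and pager binaries are assumptions made for the example, and the sample output is reproduced from this post.

```python
from __future__ import annotations

import os
import re
import shlex

# systemctl subcommands whose output goes through a pager (assumed list for this example)
PAGING_SUBCOMMANDS = {"status", "show", "cat", "list-units", "list-unit-files", "list-timers", "list-jobs"}
# Binaries that page or open an editor by design; allowing them under sudo is always a finding
PAGER_BINARIES = {"less", "more", "most", "journalctl", "man", "vi", "vim", "nano"}

# One rule line: "(runas) [TAG: ...] /path/command args"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$")


def parse_sudo_l(output: str) -> list[dict]:
    """Extract the rule lines that follow 'may run the following commands' in sudo -l output."""
    rules = []
    in_cmds = False
    for line in output.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_cmds = True
            continue
        if not in_cmds:
            continue
        m = RULE_RE.match(line)
        if m:
            tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
            rules.append({"runas": m.group("runas").strip(), "tags": tags, "cmd": m.group("cmd")})
    return rules


def audit_rule(rule: dict) -> list[str]:
    """Return findings for one rule; an empty list means no pager or editor escape was spotted."""
    findings: list[str] = []
    argv = shlex.split(rule["cmd"])
    if not argv:
        return findings
    binary, args = os.path.basename(argv[0]), argv[1:]
    if binary in PAGER_BINARIES:
        findings.append(f"{binary} pages or edits interactively and can be escaped to a shell as {rule['runas']}")
    elif binary == "systemctl":
        sub = next((a for a in args if not a.startswith("-")), None)
        if sub in PAGING_SUBCOMMANDS and "--no-pager" not in args:
            findings.append(
                f"systemctl {sub} pipes output to less, which can be escaped to a shell as {rule['runas']}; "
                f"allow '{argv[0]} --no-pager {' '.join(args)}' instead")
    if findings and "NOPASSWD" in rule["tags"]:
        findings.append("NOPASSWD: no password is required, so the escape is immediate")
    return findings


def audit_sudo_l(output: str) -> dict[str, list[str]]:
    """Map each flagged command to its findings."""
    return {r["cmd"]: f for r in parse_sudo_l(output) if (f := audit_rule(r))}


# The sudo -l output captured in this post
SAMPLE_SUDO_L = """\
Matching Defaults entries for puma on sau:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User puma may run the following commands on sau:
    (ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service
"""

if __name__ == "__main__":
    for cmd, findings in audit_sudo_l(SAMPLE_SUDO_L).items():
        print(cmd)
        for f in findings:
            print("  -", f)
```

Run against the output from this machine it flags the single rule and proposes /usr/bin/systemctl --no-pager status trail.service; the same rule with --no-pager present produces no finding, which is the form a defender would put in sudoers.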