Sau
#Linux #SSRF #Sudo
Last updated
#Linux #SSRF #Sudo
Last updated
Academy is an easy-rated Linux machine from , created by sau123. In the current post, my IP is 10.10.14.16, and the target IP is 10.10.11.224
This machine is quite linear. After the reconnaissance phase upon entering the website, you can see what it is and its version. After some investigation you find an easily executable SSRF (Server-Side Request Forgery) vulnerability, and then discover a different site within a filtered port, where you once again search for a specific exploit to gain entry into the system. The privilege escalation is straightforward, and the steps are part of a generic privilege escalation search.
The first steps are about getting basic information about the target, by using nmap and searching information from the website.
By the TTL, we can assume that is a Linux Machine.
If you search for "request-baskets version 1.2.1 exploit" you will find an SSRF exploit.
Create and open a basket, remember it's name.
Now we need 3 terminals, one to prepare the http.server with a reverse shell, another one listening, and the third one to execute the exploit.
NOPASSWD to trail.service, let's what we can do with it.
Done!
From both scans there is nothing relevant, but if you go to "" you will find a request-baskets site with version 1.2.1
From the we need and specific configuration, follow the instructions.
Now go with your browser, , it's using Mailtrail, if you search about it, you will find an exploit at the login page, so now we need to change the configuration and send a POST request with curl.
And now your local terminal C is the target "puma", remember to do a