#hackthebox #linux #easy
![[Pasted image 20250806233851.png]]
# Information Gathering - Nmap
A TCP scan against all ports revealed 2 open ports: 22 and 55555
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -Pn -n --open --min-rate 3000 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-07 03:13 UTC
Nmap scan report for 10.10.11.224
Host is up (0.053s latency).
Not shown: 65531 closed tcp ports (reset), 2 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
22/tcp open ssh
55555/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 16.99 seconds
```
Another TCP scan was performed against the open ports to gather more information
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -sCV -p 22,55555
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-07 03:14 UTC
Nmap scan report for 10.10.11.224
Host is up (0.047s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 aa:88:67:d7:13:3d:08:3a:8a:ce:9d:c4:dd:f3:e1:ed (RSA)
| 256 ec:2e:b1:05:87:2a:0c:7d:b1:49:87:64:95:dc:8a:21 (ECDSA)
|_ 256 b3:0c:47:fb:a2:f2:12:cc:ce:0b:58:82:0e:50:43:36 (ED25519)
55555/tcp open http Golang net/http server
| http-title: Request Baskets
|_Requested resource was /web
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| X-Content-Type-Options: nosniff
| Date: Thu, 07 Aug 2025 03:15:09 GMT
| Content-Length: 75
| invalid basket name; the name does not match pattern: ^[\w\d\-_\.]{1,250}$
| GenericLines, Help, LPDString, RTSPRequest, SIPOptions, SSLSessionReq, Socks5:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| 400 Bad Request
| GetRequest:
| HTTP/1.0 302 Found
| Content-Type: text/html; charset=utf-8
| Location: /web
| Date: Thu, 07 Aug 2025 03:14:53 GMT
| Content-Length: 27
| <a href="/web">Found</a>.
| HTTPOptions:
| HTTP/1.0 200 OK
| Allow: GET, OPTIONS
| Date: Thu, 07 Aug 2025 03:14:53 GMT
| Content-Length: 0
| OfficeScan:
| HTTP/1.1 400 Bad Request: missing required Host header
| Content-Type: text/plain; charset=utf-8
| Connection: close
|_ 400 Bad Request: missing required Host header
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port55555-TCP:V=7.95%I=7%D=8/7%Time=68941A2D%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,A2,"HTTP/1\.0\x20302\x20Found\r\nContent-Type:\x20text/html;\x
SF:20charset=utf-8\r\nLocation:\x20/web\r\nDate:\x20Thu,\x2007\x20Aug\x202
SF:025\x2003:14:53\x20GMT\r\nContent-Length:\x2027\r\n\r\n<a\x20href=\"/we
SF:b\">Found</a>\.\n\n")%r(GenericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Req
SF:uest\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x2
SF:0close\r\n\r\n400\x20Bad\x20Request")%r(HTTPOptions,60,"HTTP/1\.0\x2020
SF:0\x20OK\r\nAllow:\x20GET,\x20OPTIONS\r\nDate:\x20Thu,\x2007\x20Aug\x202
SF:025\x2003:14:53\x20GMT\r\nContent-Length:\x200\r\n\r\n")%r(RTSPRequest,
SF:67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\
SF:x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")
SF:%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text
SF:/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20R
SF:equest")%r(SSLSessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nCont
SF:ent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r
SF:\n400\x20Bad\x20Request")%r(FourOhFourRequest,EA,"HTTP/1\.0\x20400\x20B
SF:ad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nX-Con
SF:tent-Type-Options:\x20nosniff\r\nDate:\x20Thu,\x2007\x20Aug\x202025\x20
SF:03:15:09\x20GMT\r\nContent-Length:\x2075\r\n\r\ninvalid\x20basket\x20na
SF:me;\x20the\x20name\x20does\x20not\x20match\x20pattern:\x20\^\[\\w\\d\\-
SF:_\\\.\]{1,250}\$\n")%r(LPDString,67,"HTTP/1\.1\x20400\x20Bad\x20Request
SF:\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20clo
SF:se\r\n\r\n400\x20Bad\x20Request")%r(SIPOptions,67,"HTTP/1\.1\x20400\x20
SF:Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConn
SF:ection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(Socks5,67,"HTTP/1\.1\
SF:x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf
SF:-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(OfficeScan,
SF:A3,"HTTP/1\.1\x20400\x20Bad\x20Request:\x20missing\x20required\x20Host\
SF:x20header\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnectio
SF:n:\x20close\r\n\r\n400\x20Bad\x20Request:\x20missing\x20required\x20Hos
SF:t\x20header");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.90 seconds
```
Finally, a quick UDP scan of the top 10 ports turned up nothing worth following (67/udp is only `open|filtered`, meaning no reply came back at all).
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -sU --top-ports 10
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-07 03:16 UTC
Nmap scan report for 10.10.11.224
Host is up (0.047s latency).
PORT STATE SERVICE
53/udp closed domain
67/udp open|filtered dhcps
123/udp closed ntp
135/udp closed msrpc
137/udp closed netbios-ns
138/udp closed netbios-dgm
161/udp closed snmp
445/udp closed microsoft-ds
631/udp closed ipp
1434/udp closed ms-sql-m
Nmap done: 1 IP address (1 host up) scanned in 4.86 seconds
```
---
# Enumeration
##### HTTP - TCP 55555
The webpage on port 55555 looks like this.
![[Pasted image 20250806221746.png]]
I tried clicking on the `Create` button.
![[Pasted image 20250806221939.png]]
It says the basket was created and gave me a token.
![[Pasted image 20250806221955.png]]
`Open Basket` takes me to this page.
![[Pasted image 20250806222102.png]]
I made a request to the given URL with `curl`, and the details of that request showed up in the basket page.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ curl http://10.10.11.224:55555/8if2pu0
```
![[Pasted image 20250806222209.png]]
I intercepted the basket-creation request with Burp, and the request line showed it is a `POST` to `/api/baskets`.
![[Pasted image 20250806223216.png]]
The footer of the page gives the version, `request-baskets 1.2.1`. Searching for `request-baskets 1.2.1 exploit` shows that this version is vulnerable to server-side request forgery, CVE-2023-27163: the `forward_url` you can set on a basket is fetched by the server itself, with no restriction on where it points.
The PoC I used is [this](https://github.com/entr0pie/CVE-2023-27163?tab=readme-ov-file) GitHub repo.
Put simply, an SSRF lets me make the server issue requests on my behalf, from its own network position. Here I pointed a basket's `forward_url` at a web server on port 80 that is bound to localhost only (from the outside the port scan showed nothing but 22 and 55555), so anything I send to the basket is relayed to that internal service, and with `proxy_response` enabled its reply comes back to me.
![[Pasted image 20250806225237.png]]
Visiting the basket URL `http://10.10.11.224:55555/nnvklr` now returns the internal web page, proxied through the basket.
![[Pasted image 20250806225804.png]]
The footer of that page shows the application and version: `Maltrail v0.53`.
![[Pasted image 20250806225826.png]]
I looked up `Maltrail 0.53 exploit` and found this [PoC](https://github.com/spookier/Maltrail-v0.53-Exploit): Maltrail's `/login` endpoint passes the `username` parameter to a shell unsanitised, so it gives unauthenticated command execution. I ran the PoC with my listener IP and port, and with `http://10.10.11.224:55555/anzwxr` as the target URL, a fresh basket created with the earlier exploit that forwards to the internal Maltrail instance.
Got a shell as `puma`
![[Pasted image 20250806230608.png]]
Found `user.txt` in `/home/puma`
```bash
puma@sau:/home$ cd puma
puma@sau:~$ ls -la
total 32
drwxr-xr-x 4 puma puma 4096 Jun 19 2023 .
drwxr-xr-x 3 root root 4096 Apr 15 2023 ..
lrwxrwxrwx 1 root root 9 Apr 14 2023 .bash_history -> /dev/null
-rw-r--r-- 1 puma puma 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 puma puma 3771 Feb 25 2020 .bashrc
drwx------ 2 puma puma 4096 Apr 15 2023 .cache
drwx------ 3 puma puma 4096 Apr 15 2023 .gnupg
-rw-r--r-- 1 puma puma 807 Feb 25 2020 .profile
lrwxrwxrwx 1 puma puma 9 Apr 15 2023 .viminfo -> /dev/null
lrwxrwxrwx 1 puma puma 9 Apr 15 2023 .wget-hsts -> /dev/null
-rw-r----- 1 root puma 33 Aug 7 03:10 user.txt
puma@sau:~$ cat user.txt
cf1...
```
# Privilege Escalation - shell as `root`
`sudo -l` shows that `puma` can run `systemctl status trail.service` as root without a password. `systemctl status` does not need root at all, so the rule buys nothing and costs a lot: when its output goes to a terminal, `systemctl` pipes it through a pager (`less` by default, unless `--no-pager` is passed or `SYSTEMD_PAGER` is empty), and `less` lets you run shell commands with `!`. Because the pager is started by the root `systemctl` process, that shell is root too.
This is the same pager behaviour you get from `man`: the output is expected to be long, so it is handed to `less` to scroll through.
```bash
puma@sau:~$ sudo -l
Matching Defaults entries for puma on sau:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User puma may run the following commands on sau:
(ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service
```
I ran `sudo systemctl status trail.service` and the output opened in the `less` pager automatically.
![[Pasted image 20250806233204.png]]
When `less` is waiting at its prompt, type `!/bin/bash` (or simply `!sh`) and it drops you into a root shell. One caveat: this works because `less` is started here without `LESSSECURE=1`. systemd 247 and later set it when the effective UID differs from the login session's user (the fix for CVE-2023-26604), which disables `!` and the other shell escapes.
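Since the whole escalation hinges on a sudo rule that lets a pager run as root, here is a small audit script that parses `sudo -l` output and flags such rules. It is an added example, not something from the page or from the box; the sample text is the `sudo -l` output shown above, embedded so it runs offline, and the list of pager-spawning commands is my own assumption and not exhaustive.

```python
import os
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample: the `sudo -l` output from this write-up, embedded so the audit runs offline.
SUDO_L_OUTPUT = """\
Matching Defaults entries for puma on sau:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User puma may run the following commands on sau:
    (ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service
"""

# Commands whose output goes through $PAGER / less when stdout is a terminal.
# Assumption: this list covers the common cases; it is not exhaustive.
PAGER_COMMANDS = {"less", "more", "man", "systemctl", "journalctl", "git"}
SYSTEMCTL_PAGED = {"status", "show", "cat", "list-units", "list-unit-files", "list-timers"}
GIT_PAGED = {"log", "diff", "show", "blame"}

# "(runas) TAG: TAG: command args"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$")


@dataclass
class Rule:
    runas: str        # the "(user : group)" part
    nopasswd: bool
    command: str      # command line exactly as sudoers will match it


def parse_sudo_l(text: str) -> Tuple[Set[str], List[Rule]]:
    """Split `sudo -l` output into the Defaults option names and the command rules."""
    defaults: Set[str] = set()
    rules: List[Rule] = []
    section = None
    for line in text.splitlines():
        if line.startswith("Matching Defaults"):
            section = "defaults"
        elif line.startswith("User ") and "may run" in line:
            section = "rules"
        elif section == "defaults" and line.strip():
            for item in line.strip().rstrip(",").split(","):
                defaults.add(item.strip().split("=", 1)[0])
        elif section == "rules" and line.strip():
            m = RULE_RE.match(line)
            if m:
                rules.append(Rule(m["runas"].strip(), "NOPASSWD:" in m["tags"], m["cmd"]))
    return defaults, rules


def pager_risk(rule: Rule) -> Optional[str]:
    """Reason the rule hands the caller a pager as `runas`, or None if it looks safe."""
    argv = shlex.split(rule.command)
    if not argv:
        return None
    prog, args = os.path.basename(argv[0]), set(argv[1:])
    if prog not in PAGER_COMMANDS:
        return None
    if prog in ("systemctl", "journalctl") and "--no-pager" in args:
        return None
    if prog == "systemctl" and not (args & SYSTEMCTL_PAGED):
        return None  # start/stop/restart and friends print nothing worth paging
    if prog == "git" and not (args & GIT_PAGED):
        return None
    return (f"{prog} pipes its output through a pager (less by default) running as "
            f"{rule.runas}; '!sh' at the less prompt is a shell as that user")


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (command, reason) for every rule in `sudo -l` output that reaches a pager."""
    _, rules = parse_sudo_l(text)
    return [(r.command, reason) for r in rules if (reason := pager_risk(r))]


if __name__ == "__main__":
    for command, reason in audit(SUDO_L_OUTPUT):
        print(f"[!] {command}\n    {reason}")
```

Because sudoers matches the arguments literally, `puma` cannot add `--no-pager` on their own; the fix belongs in the rule itself (`/usr/bin/systemctl status trail.service --no-pager`, typed exactly) or in a root-owned wrapper script that runs `systemctl --no-pager status trail.service` and is the only thing the rule allows.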
![[Pasted image 20250806233640.png]]
Found `root.txt`
```bash
root@sau:~# ls
go root.txt
root@sau:~# cat root.txt
119...
```