008#:HTB - Sau

Sau - Title Image

     Next on my hit list is Sau from Hack The Box. This one mentions we will be abusing a Server-Side Request Forgery (SSRF) vulnerability. Let’s dive right in with an nmap scan.

Sau - nmap

     In addition to ports 22 and 80, we also have 8338 and 55555. nmap reports HTTP on 55555, so I pulled it up in my browser and was greeted with a page about creating baskets. I tested making a couple and then browsed to the new basket URL, which resulted in a log entry being created.

Sau - Site 1

     In the source code for the page I can see that it is powered by DarkLynx’s Request Baskets. Jumping over to their GitHub, I started looking at the Issues tab, where I found one mentioning SSRF and CVE-2023-27163. I ended up trying the POC from this article. To do this, I pulled up Burp Suite to capture a basket creation request before sending it to Repeater. I set up a netcat listener on my machine, sent the payload from Burp Suite, and loaded the basket URL to see whether a connection came back to my listener. This worked, so now I just had to find a way to make it useful.

Sau - Burp 1
Sau - RevShell 1

     I played around a bit here, looked at some other articles, and tried various forms of the payload. One of the articles pointed out that this could be used to reach internal resources, and I recalled there was that HTTP service on port 8338 that we can’t get to from the outside. I re-ran the payload to target this port and then loaded the basket URL to gain access to the internal site!
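The fix for this class of bug is to validate the forwarding target before the basket is created. As an added example (not the post’s or request-baskets’ own code), the function below checks a basket-creation JSON body of the shape request-baskets accepts and refuses any `forward_url` whose host resolves to a loopback, private, link-local or otherwise non-global address, so the proxy cannot be pointed at something like the port 8338 service from this box. The sample bodies are constructed.

```python
import ipaddress
import json
import socket
from urllib.parse import urlparse

def resolve_addresses(host):
    """Return the IP addresses a forward_url host points to (fail closed on error)."""
    try:
        return [ipaddress.ip_address(host)]          # literal such as 127.0.0.1 or ::1
    except ValueError:
        pass
    if host.lower() in ("localhost", "localhost.localdomain"):
        return [ipaddress.ip_address("127.0.0.1")]   # don't rely on /etc/hosts for this one
    try:
        infos = socket.getaddrinfo(host, None)       # also catches "127.1"-style shorthand
    except socket.gaierror:
        return []                                    # unresolvable: treat as not allowed
    return [ipaddress.ip_address(info[4][0]) for info in infos]

def check_basket_config(body):
    """Validate a basket-creation JSON body. Returns (allowed, reason).

    Only forward_url targets on globally routable addresses pass, which blocks
    the loopback / RFC 1918 / link-local targets an SSRF would aim at."""
    try:
        cfg = json.loads(body)
    except json.JSONDecodeError:
        return False, "body is not valid JSON"
    url = cfg.get("forward_url")
    if not url:
        return True, "no forward_url configured"
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "forward_url has no host"
    addrs = resolve_addresses(host)
    if not addrs or not all(a.is_global for a in addrs):
        return False, f"forward_url host {host} is internal or unresolvable"
    return True, "forward_url allowed"

# Constructed sample bodies (POST /api/baskets/<name> payloads); the "external" IP is just a public literal
SAMPLES = {
    "internal_ipv4": '{"forward_url": "http://127.0.0.1:8338/", "proxy_response": true}',
    "internal_ipv6": '{"forward_url": "http://[::1]:8338/", "proxy_response": true}',
    "localhost":     '{"forward_url": "http://localhost:8338/"}',
    "external":      '{"forward_url": "http://93.184.216.34/webhook"}',
    "no_forward":    '{"capacity": 200}',
}
```

Deploying this in front of the basket API (or patching to a fixed request-baskets release) is the mitigation; the same `is_global` test is worth applying on every redirect hop if the proxy follows redirects.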

Sau - Payload 1
Sau - Site 2

     Looking around, we find there isn’t much we can do with this site. There is virtually nothing to interact with besides some external links to Maltrail’s GitHub page. I noted that it is running Maltrail v0.53. Searching Google for vulnerabilities related to it landed me on this exploit, which I wanted to try. I ran the payload against the basket URL we created to reach the internal site on port 8338 and was able to catch a reverse shell! It looks like we are a user named puma.

Sau - Payload 2
Sau - RevShell 2

     Checking puma’s home folder gets us the first flag. I moved to stabilize my shell and then started looking at what I have sudo access to.

Sau - Flag 1
Sau - Sudo

     I took this information to GTFOBins in search of a privilege escalation path. We may be in luck. I tried a few variations of what I saw there but couldn’t get it to work. I decided to just Google what we had sudo rights to and found this article. Further down the page they have the “Spawn Shell in the Pager” section, which says:

“If we can execute systemctl status as root, we can spawn another shell in the pager.”

     I followed the steps, which were simply running the command with sudo and then typing !sh at the pager. This worked to get us root and our final flag.

Sau - Flag 2

[CATZ....HACKS]