Enumeration

Nmap

Initial Nmap scan revealed SSH and port 55555 open.

000 - nmap

Web Enumeration

The target website is request-baskets v1.2.1, which is vulnerable to CVE-2023-27163 (SSRF).

001 - target

Searching through the website revealed a public exploit on GitHub.

002 - SSRF

Exploiting the target website revealed an internal website, which is Maltrail v0.53.

003 - internal website

Exploitation

RCE

The internal website is Maltrail v0.53, which is vulnerable to Remote Code Execution. Some research revealed this post, which includes a PoC.

004 - PoC

Running the exploit got me a reverse shell.

005 - run

006 - user

Privilege Escalation

sudo -l

Initially I did some enumeration to escalate my privileges. The “sudo -l” command revealed I can run systemctl status for trail.service.

007 - sudo l

Luckily there was a GTFOBins page for systemctl. There were 3 ways to exploit systemctl for privilege escalation. Mine was the third one. The status command opens a less pager, so I can simply type !sh to get a root shell.

008 - root
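
A defensive check for the sudo rule described above, as an added example that is not part of the original write-up: it parses "sudo -l" output and flags systemctl rules that can still reach a pager, meaning rules with neither --no-pager in the command nor sudo's NOEXEC tag. The sample output, user name, host name and binary path are constructed assumptions.

```python
import re

# One rule line of `sudo -l` output: "(runas) [TAG: ...] command[, command ...]"
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s+(?P<cmds>.+)$")
TAG = re.compile(r"^([A-Z_]+):\s*")

# Constructed sample; user, host and binary path are assumptions.
SAMPLE = """\
User svc may run the following commands on host:
    (ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service
    (root) NOPASSWD: /usr/bin/systemctl --no-pager status trail.service
    (root) NOEXEC: NOPASSWD: /usr/bin/systemctl status trail.service
    (root) NOPASSWD: /usr/bin/id
"""


def audit(sudo_l_output):
    """Return (runas, command) for systemctl rules that can still spawn a pager."""
    findings = []
    for line in sudo_l_output.splitlines():
        rule = RULE.match(line)
        if not rule:
            continue  # header lines, Defaults entries, blanks
        tags = set()  # sudoers tags carry over to later commands on the line
        # Simplification: assumes no escaped commas inside command arguments.
        for spec in rule.group("cmds").split(","):
            spec = spec.strip()
            while (tag := TAG.match(spec)):
                if tag.group(1) == "EXEC":
                    tags.discard("NOEXEC")  # EXEC cancels an earlier NOEXEC
                else:
                    tags.add(tag.group(1))
                spec = spec[tag.end():]
            argv = spec.split()
            if not argv or not argv[0].endswith("/systemctl"):
                continue
            # NOEXEC stops the command from executing further programs (pager, shell);
            # --no-pager in the rule keeps systemctl from starting less at all.
            if "NOEXEC" in tags or "--no-pager" in argv[1:]:
                continue
            findings.append((rule.group("runas"), spec))
    return findings


if __name__ == "__main__":
    for runas, command in audit(SAMPLE):
        print(f"pager escape possible as ({runas}): {command}")
```

A flagged rule is fixed by adding --no-pager to the command in sudoers or by tagging the rule NOEXEC.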

Pwned

The machine was fully compromised.

009 - pwned

