My Attempt

User.txt

Enumeration

The Nmap scan is shown below.

It is a bit odd to see port 80 in a filtered state. Port 8338 also seems to be hosting a service, but it is not accessible from outside the server. The only port left is 55555. Accessing that port through a web browser shows the following page.

At the bottom of the page it shows that the service hosted on port 55555 is "Request Basket" version 1.2.1. Based on the GitHub repository, this service is used to collect and analyse HTTP requests. It can also be configured to return a custom HTTP response for each request.

By googling "Request Basket 1.2.1", we can see that this version is vulnerable to an SSRF exploit. This allows an attacker to use the server hosting Request Basket as a proxy to reach internal services. On GitHub I found this exploit to be useful in this situation.

Overview of the exploit code

After briefly going through the exploit source code, it seems that Request Basket can be configured to forward requests to a specific IP address, therefore acting as a proxy server. The following screenshot shows the payload that creates the forwarding rule. A curl command then sends the payload to the API endpoint to create a basket with the specified forwarding rule. If the basket is created successfully, an Authorization token is returned; it is used to access the newly created basket by including it in the request header.
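The forwarding rule described above is exactly where the SSRF comes from: whoever can create a basket chooses where the server sends the forwarded request. The following is an added example (not code from this writeup or from the request-baskets project) of the server-side check that would have blocked it: validate the forward URL before accepting the basket configuration and reject loopback, private, link-local and non-HTTP targets. The JSON field names (`forward_url`, `proxy_response`) follow the request-baskets basket configuration as I recall it and are an assumption; the sample rules are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample forwarding rules. Field names are assumed to match the
# request-baskets basket-configuration JSON; the URLs are made up.
SAMPLE_RULES = [
    {"name": "loop4", "forward_url": "http://127.0.0.1:8338/", "proxy_response": True},
    {"name": "loopname", "forward_url": "http://localhost/", "proxy_response": True},
    {"name": "loop6", "forward_url": "http://[::1]:80/", "proxy_response": True},
    {"name": "metadata", "forward_url": "http://169.254.169.254/latest/meta-data/", "proxy_response": True},
    {"name": "rfc1918", "forward_url": "http://10.0.0.5:8080/", "proxy_response": True},
    {"name": "webhook", "forward_url": "https://example.com/webhook", "proxy_response": True},
    {"name": "ftp", "forward_url": "ftp://example.com/", "proxy_response": True},
]

ALLOWED_SCHEMES = {"http", "https"}
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def address_is_public(addr):
    """True only for addresses a forwarded request may legitimately reach."""
    return not (
        addr.is_loopback
        or addr.is_private
        or addr.is_link_local
        or addr.is_multicast
        or addr.is_reserved
        or addr.is_unspecified
    )


def classify_forward_url(url):
    """Return (accepted, reason) for a forward_url supplied by an untrusted user."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # lower-cased, brackets stripped for IPv6 literals
    if not host:
        return False, "no host"
    if host in LOOPBACK_NAMES or host.endswith(".localhost"):
        return False, "loopback hostname"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name. A string check cannot know what it resolves to, so the
        # resolved address must be re-checked with address_is_public() at
        # connect time; otherwise a name pointing at an internal address passes.
        return True, "hostname; re-check resolved address at connect time"
    if not address_is_public(addr):
        return False, f"non-public address {addr}"
    return True, "public address"


def audit_rules(rules):
    """Return (forward_url, reason) for every rule that must be rejected."""
    rejected = []
    for rule in rules:
        ok, reason = classify_forward_url(rule["forward_url"])
        if not ok:
            rejected.append((rule["forward_url"], reason))
    return rejected


if __name__ == "__main__":
    for url, reason in audit_rules(SAMPLE_RULES):
        print(f"REJECT {url}: {reason}")
```

The same classification is also a useful detection rule on the API side: a basket creation whose forward URL fails this check is the event to alert on, since legitimate forwarding targets are external webhooks, not the host's own ports.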

Exploit 1

Recall from the Nmap scan that ports 80 and 8338 seem to be accessible only locally, so the goal here is to use port 55555 as a proxy to reach port 80 or 8338. To use the exploit, simply download the exploit shell script and run the following command.

This should create a basket that allows us to send requests to port 8338 on the same server.

The Authorization token must be included in the request header when sending an HTTP request to the basket endpoint. Here is an example using curl.

To view the web page in a browser, we can use Burp Suite to add the Authorization header to every request we send. While the page rendered through the proxy is a bit ugly (missing images, odd indentation, etc.), the important part is clearly shown at the bottom of the page: the service name and its version.

This seems to be a learning management platform. Again, googling the service with the version specified, we can find another vulnerability for this service. This version of Maltrail suffers from a command injection vulnerability that allows attackers to execute arbitrary commands without authentication. An exploit is available on Exploit-DB.

Overview of the exploit code

The vulnerability is abused by creating a reverse shell payload using python3 that connects back to a user-specified IP address and port. The payload is base64 encoded and included in the curl request to <target_ip>/login.

Exploit 2

However, we will need to modify this exploit before using it. Recall that we are using a proxy basket to access port 8338, which requires an authorization key. To include the authorization key in the exploit, we can simply hardcode the key into the code. Here I decided to add an extra argument and provide the authorization key as the fourth argument. The following screenshot shows the parts that I changed.

Now we can run the exploit as follows. The arguments, in order, are the listener IP address, the listener port, the URL to Maltrail, and the authorization token.

With a listener on our machine, we should get a reverse shell connection running as puma.

The flag can be found under the directory /home/puma.

Root.txt

By running the sudo -l command, we can see that the user puma can run the specified systemctl command using sudo without a password.

By checking on GTFOBins
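A sudo rule that lets a low-privilege user run systemctl without a password is the kind of finding a host audit should surface before an attacker does. The following is an added example (not part of this writeup) of a small auditor that parses `sudo -l` output, splits each entry into run-as user, tags and command, and flags commands whose binary GTFOBins lists as able to escape to a shell under sudo. The `sudo -l` text is a constructed sample, not this machine's real configuration, and the binary list is an illustrative subset.

```python
import os
import re
import shlex

# Constructed sample of `sudo -l` output (illustrative; not the real box config).
SAMPLE_SUDO_L = """\
Matching Defaults entries for puma on host:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User puma may run the following commands on host:
    (ALL : ALL) NOPASSWD: /usr/bin/systemctl status example.service
    (root) NOPASSWD: /usr/bin/less /var/log/syslog, /usr/bin/apt update
    (root) /usr/bin/vim /etc/hosts
"""

# Illustrative subset of binaries GTFOBins documents as escaping to a shell
# (directly or through a pager) when run under sudo.
SHELL_ESCAPE_BINARIES = {"systemctl", "less", "more", "man", "vim", "vi", "find", "awk", "env"}

# "(runas) TAG: TAG: /path/cmd args" as printed by sudo -l.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")


def parse_sudo_l(text):
    """Parse the command section of `sudo -l` output into one dict per command."""
    rules = []
    in_commands = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_commands = True  # everything before this is Defaults noise
            continue
        if not in_commands:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":").upper() for t in m.group("tags").split()}
        # One sudo -l line may carry several comma-separated commands.
        for command in (c.strip() for c in m.group("cmd").split(",") if c.strip()):
            argv = shlex.split(command)
            binary = os.path.basename(argv[0]) if argv else ""
            rules.append({
                "runas": m.group("runas").strip(),
                "nopasswd": "NOPASSWD" in tags,
                "binary": binary,
                "command": command,
                "risky": binary in SHELL_ESCAPE_BINARIES,
            })
    return rules


def risky_rules(text):
    """Rules worth fixing: a shell-escaping binary, worst when NOPASSWD as well."""
    return [r for r in parse_sudo_l(text) if r["risky"]]


if __name__ == "__main__":
    for r in parse_sudo_l(SAMPLE_SUDO_L):
        flag = "RISKY" if r["risky"] else "ok"
        print(f"{flag:5} nopasswd={str(r['nopasswd']):5} runas=({r['runas']}) {r['command']}")
```

Restricting the argument list in sudoers does not help for these binaries: the escape comes from the binary itself (for systemctl status, the pager it spawns), so the fix is to remove the rule or replace it with a wrapper that cannot reach a shell.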
