search

Sau

hashtag
Gaining Access

Nmap scan:

$ nmap -p- --min-rate 4000 10.129.22.88       
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-10 13:15 +08
Nmap scan report for 10.129.22.88
Host is up (0.24s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    filtered http
8338/tcp  filtered unknown
55555/tcp open     unknown

Port 80 is being filtered, while port 55555 is open.

hashtag
Request Baskets SSRF -> Mailtrail RCE

Port 55555 hosted an application that is able to collect and inspect HTTP requests:

We can create one by clicking on create:

Tihs acts similar to a webhook, and is able to retrieve requests sent to that unique URL.

We are able to set the Responses from the website. as well as where the traffic is being forwarded to, just like we can with Webhooks. Setting the Forward URL to our own HTTP server results in requests being sent there from the machine.

Since port 80 was being filtered, we can set it to http://localhost and try setting all the options to True. Afterwards, sending GET requests to our bucket would result in HTML being returned:

At the bottom, we can see that port 80 has Mailtrail v0.53 running, which is vulnerable to an unauthenticated RCE exploit.

Logohuntr - The world’s first bug bounty platform for AI/MLhuntr.devchevron-right

To exploit this, we just need to change the forward URL to http://127.0.0.1/login and send a POST request via curl with a payload like this:

We would get a reverse shell as puma:

hashtag
Privilege Escalation

hashtag
Sudo Systemctl -> Root

The user is able to run a command using sudo:

This is easily exploitable to get a root shell:

Rooted!

PreviousSandwormNextZipping

Last updated