{"id":214,"date":"2025-07-12T18:50:00","date_gmt":"2025-07-12T18:50:00","guid":{"rendered":"https:\/\/thecyberstaff.com\/?p=214"},"modified":"2025-12-28T19:35:41","modified_gmt":"2025-12-28T19:35:41","slug":"sau-hackthebox-lab","status":"publish","type":"post","link":"https:\/\/thecyberstaff.com\/?p=214","title":{"rendered":"Sau- Hackthebox lab"},"content":{"rendered":"\n

I started the assessment with Nmap port scans against all TCP and the top UDP ports.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

On TCP port 55555, I found this service called request-baskets. I found a public exploit with SSRF (Server side request forgery). I started enumerating the exploit and was able to use the web UI of the service to forward it to port 80 to enumerate the service open. I was not able to access port 80 without this flaw so this was helpful to move forward.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

I created a new basket and removed all security possible fording the request to 127.0.0.1:80 to interact with port 80 on the target box.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

I was able to load the web page by loading the basket URL successfully accessing port 80.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Now that I can see the Maltrail version 0.53, I was able to find a public exploit. https:\/\/github.com\/spookier\/Maltrail-v0.53-Exploit<\/a><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I was able to get a shell as the puma user with this exploit<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I ran sudo -l to see if the user has any sudo privileges.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Enumerating further, I found the version of systemd has a local privilege escalation vulnerability. https:\/\/ubuntu.com\/security\/CVE-2023-26604<\/a><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I found that I was able to run the “sudo systemctl status trail.service” command, then while inside the reading interface enter “!sh” and get a root shell!<\/p>\n\n\n\n

<\/p>\n","protected":false},"excerpt":{"rendered":"

I started the assessment with Nmap port scans against all TCP and the top UDP ports. On TCP port 55555, I found this service called request-baskets. I found a public exploit with SSRF (Server side request forgery). I started enumerating the exploit and was able to use the web UI […]<\/p>\n","protected":false},"author":1,"featured_media":215,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[],"class_list":["post-214","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","category-pentesting"],"brizy_media":[],"_links":{"self":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/214","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=214"}],"version-history":[{"count":2,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/214\/revisions"}],"predecessor-version":[{"id":452,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/214\/revisions\/452"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/media\/215"}],"wp:attachment":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=214"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=214"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=214"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}