
# Sau

```
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    filtered http
8338/tcp  filtered unknown
55555/tcp open     unknown
```

`filtered` generally means that the port is unresponsive, or that it is inaccessible because of a firewall.

Next, perform service discovery to check whether any other known services are running on these ports.

`sudo nmap $target -sV -p 22,80,8338,55555 -Pn -oA scans/sV_scans`

There is a web server hosted on port 55555.

Digging around on the web server shows that it hosts an application called **Request Baskets**. A Google search turns up the GitHub repo that hosts the source code for this application:

* <https://github.com/darklynx/request-baskets>

Immediately after the GitHub repository in the search results, there is an Exploit-DB entry:

* <https://www.exploit-db.com/exploits/51675>

The exploit abuses an SSRF (server-side request forgery) flaw in the web application, which allows the attacker to gain access to the Flask server running on the same host:

* <https://medium.com/@li_allouche/request-baskets-1-2-1-server-side-request-forgery-cve-2023-27163-2bab94f201f7>

```bash
./exploit.sh <victim_ip>:55555 http://127.0.0.1:80
```
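On the defensive side, the forward target used above (`http://127.0.0.1:80`) is exactly what a destination check should refuse. The Go code below is an added example, not code from this page or from the Request Baskets project: it rejects forward URLs that resolve to loopback, private, link-local or unspecified addresses. `validateForwardURL` and the `resolver` type are hypothetical names, and the resolver and sample targets in `main` are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

// resolver is injectable so the check runs offline; net.LookupIP has this signature.
type resolver func(host string) ([]net.IP, error)

// validateForwardURL is a hypothetical helper, not Request Baskets code. It rejects
// forward targets that resolve to the server itself or to internal networks.
func validateForwardURL(raw string, lookup resolver) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("parse: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return errors.New("scheme must be http or https")
	}
	host := u.Hostname()
	if host == "" {
		return errors.New("missing host")
	}
	ips := []net.IP{net.ParseIP(host)}
	if ips[0] == nil { // not an IP literal: resolve and check every answer
		if ips, err = lookup(host); err != nil || len(ips) == 0 {
			return fmt.Errorf("cannot resolve %q", host)
		}
	}
	for _, ip := range ips {
		if ip.IsLoopback() || ip.IsPrivate() || ip.IsUnspecified() ||
			ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() {
			return fmt.Errorf("%s maps to internal address %s", host, ip)
		}
	}
	return nil
}

func main() {
	// Constructed resolver and targets; the first is the forward target used on this page.
	static := func(string) ([]net.IP, error) { return []net.IP{net.ParseIP("10.0.0.5")}, nil }
	for _, t := range []string{"http://127.0.0.1:80", "http://intranet.example/", "https://203.0.113.10/hook"} {
		fmt.Printf("%-28s -> %v\n", t, validateForwardURL(t, static))
	}
}
```

Because DNS answers can change between validation and use, the same address check should also be applied when the outbound connection is actually made.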

#### Getting root

* Reviewed asset for privesc opportunities
* <https://medium.com/@balathebug/linux-privilege-escalation-by-using-suid-19d37821ed12>

```bash
sudo -l
```

We see we can run:

```bash
sudo systemctl status trail.service
```

<https://gtfobins.github.io/gtfobins/systemctl/>

