Golgothus' Lab

Sau

PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    filtered http
8338/tcp  filtered unknown
55555/tcp open     unknown

"Filtered" means nmap could not tell whether the port is open because its probes got no usable response, which usually points to a firewall or other packet filter dropping them.

Next, service discovery on just these four ports, to confirm what is actually listening and to make sure no other known services are running behind them:

sudo nmap $target -sV -p 22,80,8338,55555 -Pn -oA scans/sV_scans

There is a web server hosted on port 55555.

Digging around on the web server shows it is hosting an application called Request Baskets. A Google search turns up the GitHub repository with the application's source code:

  • https://github.com/darklynx/request-baskets

Immediately after the GitHub repository in the search results, there is an Exploit-DB entry for it:

  • https://www.exploit-db.com/exploits/51675

The exploit uses SSRF (server-side request forgery, CVE-2023-27163) in Request Baskets to reach the Flask server that is only reachable from the host itself; this write-up covers the vulnerability in detail:

  • https://medium.com/@li_allouche/request-baskets-1-2-1-server-side-request-forgery-cve-2023-27163-2bab94f201f7

The Exploit-DB script is run against the target, with the basket pointed at the locally bound web server on port 80:

./exploit.sh <victim_ip>:55555 http://127.0.0.1:80
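The SSRF exists because the basket forwarding feature accepts any URL, including ones that point back at services bound to the host's own loopback interface. As an added illustration of the defensive check that closes that gap (my own code, not Request Baskets'), the Go function below validates a forward URL before it is stored; the blocked ranges and the injected resolver are assumptions, and the addresses used are constructed test-net values.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// Ranges a user-supplied forward URL must never reach (assumed policy):
// loopback, RFC 1918, link-local, "this host" and the IPv6 equivalents.
var blockedCIDRs = []string{
	"127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
	"169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
}

// blocked reports whether ip lies in any blocked range; IPNet.Contains
// normalises 4-in-6 forms, so ::ffff:127.0.0.1 is caught by 127.0.0.0/8.
func blocked(ip net.IP) bool {
	for _, c := range blockedCIDRs {
		_, n, _ := net.ParseCIDR(c) // literals above are constant and valid
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// CheckForwardURL rejects non-http(s) schemes and any host whose literal or
// resolved addresses fall in a blocked range; resolver is injected for tests.
func CheckForwardURL(raw string, resolve func(string) ([]net.IP, error)) error {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") {
		return fmt.Errorf("forward URL %q rejected: bad syntax or scheme", raw)
	}
	host := u.Hostname() // port dropped, IPv6 brackets removed
	ips := []net.IP{}
	if ip := net.ParseIP(host); ip != nil {
		ips = append(ips, ip)
	} else if ips, err = resolve(host); err != nil || len(ips) == 0 {
		return fmt.Errorf("cannot resolve host %q", host)
	}
	for _, ip := range ips { // every record must pass, not just the first
		if blocked(ip) {
			return fmt.Errorf("%s resolves to blocked address %s", host, ip)
		}
	}
	return nil
}
```

This check runs at submission time only; a name whose DNS answer changes later (rebinding) still needs the same filter applied on the address the forwarder actually dials.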

Getting root

  • Reviewed asset for privesc opportunities

  • https://medium.com/@balathebug/linux-privilege-escalation-by-using-suid-19d37821ed12

sudo -l

We see we can run:

sudo systemctl status trail.service

https://gtfobins.github.io/gtfobins/systemctl/

The GTFOBins entry for systemctl explains why a sudo rule like this one leads to root: systemctl pipes its output through a pager, and that pager inherits sudo's privileges. A safer way to delegate the status check is a wrapper script that runs systemctl status with --no-pager, rather than granting systemctl itself.
