22/tcp    open     ssh
80/tcp    filtered http
8338/tcp  filtered unknown
55555/tcp open     unknown

Filtered generally means that the port may be unresponsive, or might be inaccessible due to a firewall.

Performing service discovery to verify that there are not other known services being operated on these ports.

sudo nmap $target -sV -p 22,80,8338,55555 -Pn -oA scans/sV_scans

There is a web server hosted on port 55555.

Digging around on the web server, it's hosting an application called Request Baskets. Searching on Google, there is a Github repo which hosts the source code for this application:


Immediately following the Github repository, there's an article for Exploit-DB,:


The exploit uses SSRF (Server-side request forgery) to exploit the web-site to allow the attacker to gain access to the hosting Flask server:


./ <victim_ip>:55555

Getting root

  • Reviewed asset for privesc opportunities


sudo -l

We see we can run:

sudo systemctl status trail.service