Sau

PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    filtered http
8338/tcp  filtered unknown
55555/tcp open     unknown

Filtered means nmap received no reply to its probe (or an ICMP unreachable), so it cannot tell whether the port is open; usually a firewall is dropping the packets. A service may still be listening on 80 and 8338 for connections that originate from the host itself.

Next, run version detection on the four ports to identify what is actually listening, rather than relying on nmap's default port-to-service mapping:

sudo nmap $target -sV -p 22,80,8338,55555 -Pn -oA scans/sV_scans

There is a web server hosted on port 55555.

Browsing the site on port 55555, it is hosting an application called Request Baskets. A quick search turns up the GitHub repository with the application's source code:

  • https://github.com/darklynx/request-baskets

Directly below the GitHub repository in the search results is an Exploit-DB entry for the application:

  • https://www.exploit-db.com/exploits/51675

The exploit abuses an SSRF (Server-Side Request Forgery) in Request Baskets, tracked as CVE-2023-27163: a basket can be created with a forward_url pointing at an internal address, and the server then issues requests on the attacker's behalf to services reachable only from the host itself, such as the web server behind the filtered port 80:

  • https://medium.com/@li_allouche/request-baskets-1-2-1-server-side-request-forgery-cve-2023-27163-2bab94f201f7

Running the Exploit-DB script against the target, with the basket forwarding to the internal web server on port 80:

./exploit.sh <victim_ip>:55555 http://127.0.0.1:80

Getting root

  • Reviewed asset for privesc opportunities

  • https://medium.com/@balathebug/linux-privilege-escalation-by-using-suid-19d37821ed12

sudo -l

We see we can run:

sudo systemctl status trail.service

systemctl status sends its output through a pager (less by default) when run on a terminal, and under sudo that pager runs as root. Once the pager is displaying the status output, typing !sh at its prompt spawns a shell as root, as documented on GTFOBins:

https://gtfobins.github.io/gtfobins/systemctl/