# Sau

First, we scan the machine using `nmap`:

![](/files/7f2Sv0X3Z8OQqz2T3AKG)

So there are three ports open: `22`, `80` (which is filtered), and `55555`, running an HTTP server.

Port `80` is filtered, so we can't visit the website.\
On port `55555`, we find an HTTP page running `request-baskets`:

![](/files/0091oDr31xz5tdB9Ecv2)

At the bottom of the page, we can see the version is `1.2.1`, so let's look up some exploits.

![](/files/0GQl75A8c3jekqCcHh60)

After a bit of googling, we find a reference to `CVE-2023-27163`, so we look that up:

![](/files/iHez9UTQCKjbTIDosD8e)

And we find a GitHub page.

![](/files/MgSMcRoJ1RsKbBncv3H4)

At the bottom of the GitHub page, we find some references:

<figure><img src="/files/e69AJK9pyqQsUYLUOTtC" alt=""><figcaption></figcaption></figure>

{% embed url="https://notes.sjtu.edu.cn/s/MUUhEymt7" %}

![](/files/rn0f6jGi9nVKWp2ilWKy)

The GitHub page contains a full report of how to exploit it.\
The author exploits the server by sending a `POST` request to the API that creates a basket with the `forward-url` parameter set. This parameter is the vulnerable point.\
It makes the server forward incoming traffic to another URL, so the host in that URL can be set to the machine itself.

![](/files/koHGBcwzfbTByMxbdtOm)

We can use this to send a request to the internal server, bypassing the port `80` filter.

For the exploitation itself, we don't have to send any manual `POST` requests, as we can set these parameters from the settings tab in the top-right corner (after creating a basket):

First, we create a basket:

![](/files/B0CujgKymGw5pFN9iR4d)

![](/files/PwL6ZCN7GDix4pTneTY6)

We change the `forward URL` parameter to point at the internal port `80`, and enable `Proxy Response` and `Expand Forward Path`:

![](/files/kgsHHN3NlA9zi1MEjPnh)

Then, when we visit `:55555/exploit`, it shows us the site running on port `80`.
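The forwarding feature described above is a server-side request forgery (SSRF) primitive: the application fetches whatever URL it is told to, including addresses only reachable from the host itself. The following is an added example of the check a forwarding feature should apply before accepting such a URL; it is not request-baskets' code and assumes nothing about its API. The scheme allow-list, the `STATIC_NAMES` table and the addresses in it are constructed for this example so that it runs offline; `resolve_host` is what a real deployment would plug in.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Assumed policy for this example: only plain web schemes may be forwarded to.
ALLOWED_SCHEMES = {"http", "https"}


def is_internal_address(addr):
    """True for anything that is not a globally routable address: loopback,
    RFC 1918, link-local (cloud metadata lives there), unspecified, reserved."""
    return not addr.is_global


def resolve_host(host):
    """Resolve a hostname to every address it maps to; IP literals map to themselves."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass
    infos = socket.getaddrinfo(host, None)
    return [ipaddress.ip_address(info[4][0]) for info in infos]


# Constructed name table so the example runs offline; not real DNS data.
STATIC_NAMES = {
    "hooks.example.org": ["93.184.216.34"],
    "internal.test": ["10.0.0.5"],
}


def static_resolver(host):
    """Offline stand-in for resolve_host backed by the constructed STATIC_NAMES table."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass
    if host not in STATIC_NAMES:
        raise socket.gaierror(f"constructed resolver: unknown host {host!r}")
    return [ipaddress.ip_address(a) for a in STATIC_NAMES[host]]


def validate_forward_url(url, resolver=resolve_host):
    """Return (ok, reason); ok is False when the URL must not be used as a forward target."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname  # lower-cased, IPv6 brackets stripped
    if not host:
        return False, "missing host"
    if parsed.username or parsed.password:
        return False, "credentials embedded in URL"
    try:
        addrs = resolver(host)
    except socket.gaierror as exc:
        return False, f"cannot resolve {host!r}: {exc}"
    # Every address the name maps to must be public, not just the first one.
    for addr in addrs:
        if is_internal_address(addr):
            return False, f"{host!r} resolves to internal address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("http://127.0.0.1:80/", "http://[::1]/",
                      "http://169.254.169.254/latest/", "http://internal.test/",
                      "https://hooks.example.org/hook"):
        print(candidate, validate_forward_url(candidate, resolver=static_resolver))
```

Two caveats apply in a real forwarder: the check above is only sound if the HTTP client then connects to the address that was validated (otherwise a DNS name can be re-pointed at an internal address between check and use), and any redirect returned by the target has to be run through the same validation before it is followed.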

<figure><img src="/files/EQSZr7Uy6ccAopyvhciO" alt=""><figcaption></figcaption></figure>

At the bottom, we can see `Maltrail (v.0.5.3)`, so let's see if it's vulnerable:

![](/files/ZfUfU5tlC3UptOy6VXnk)

![](/files/oje8cOyvuflNUzKtllLV)

After a little bit of googling, we find an RCE vulnerability, with a PoC:

```
curl 'http://hostname/login' --data 'username=;`id > /tmp/bbq`'
```

So we send a request to the `/login` endpoint with a poisoned `username` parameter. The server executes the injected command, giving us RCE.
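The bug above is a classic OS command injection: a form field reaches a shell without validation. As an added example, not Maltrail's code and not from the page, here is the defender's side of it: an allow-list validator for the `username` field, the hardened way to hand such a value to a system command (an argv list, never a shell string), and a scanner that flags login bodies carrying shell metacharacters so they can be alerted on at a proxy or WAF. The `USERNAME_RE` policy, the `logger` command and the `SAMPLE_BODIES` are constructed for this example.

```python
import re
import subprocess
from urllib.parse import unquote_plus

# Allow-list for a username field (constructed policy for this example).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.@-]{1,64}")

# Characters that carry meaning for a shell and never belong in a username.
SHELL_META_RE = re.compile(r"[;&|`$<>(){}\r\n]")

# Constructed sample login bodies as a proxy or WAF would see them; not captured traffic.
SAMPLE_BODIES = [
    "username=alice&password=hunter2",
    "username=bob%40corp.example&password=p%40ss",
    "username=%3B%60id%60&password=x",
    "username=$(whoami)&password=",
]


def parse_form_body(body):
    """Minimal application/x-www-form-urlencoded parser; splits on '&' only."""
    fields = {}
    for pair in body.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        fields.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return fields


def is_valid_username(username):
    """Allow-list check: the whole string must match USERNAME_RE."""
    return USERNAME_RE.fullmatch(username) is not None


def scan_login_body(body):
    """Detection: flag any decoded form value containing shell metacharacters."""
    findings = []
    for name, values in parse_form_body(body).items():
        for value in values:
            if SHELL_META_RE.search(value):
                findings.append((name, value))
    return {"suspicious": bool(findings), "findings": findings}


def safe_logger_argv(username):
    """Hardened pattern: validate first, then build an argv list with no shell involved."""
    if not is_valid_username(username):
        raise ValueError("username rejected by allow-list")
    return ["logger", "-p", "auth.info", f"login attempt for {username}"]


def run_safe_logger(username):
    """Execute the hardened command; with shell=False the value is one argument, never parsed."""
    return subprocess.run(safe_logger_argv(username), check=False).returncode


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(body, "->", scan_login_body(body))
```

The scanner is deliberately broad (it inspects every field), so in practice it would be scoped to the parameters that are known to feed a command; the validator, by contrast, belongs in the application itself, in front of any call that builds a command line.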

Because we have RCE, we will try to leverage it to get a reverse shell.\
First, we open a `netcat` listener:

![](/files/3Jc8CGWyCwtbNpERyZ4z)

Then we generate the payload with revshells.com. Because the payload is sent as a URL-encoded form parameter, we URL-encode it:

![](/files/1vUlde2os3eZqjFV6u46)

For simplicity's sake, we open up Burp Suite, and send a `POST` request with the URL-encoded payload:

![](/files/QHSBWxI0CP9gXn8fSF65)

And we have a connection:

![](/files/aLJ7l8E0TruHi6jQo8wr)

First, we stabilize our shell:

```
# press Ctrl-Z to background the shell
stty raw -echo
fg
# press Enter
stty rows 52 cols 238
export TERM=xterm
```

![](/files/rSKXtiQTjjuMhCMifx4o)

Checking `sudo -l`, we find a command we can run with `sudo`.

<figure><img src="/files/9orPlsuLSMWv8RT9DiFf" alt=""><figcaption></figcaption></figure>

To see if it's exploitable, we look it up on GTFOBins:

![](/files/nxEwzaDZd01XYQh8V2v2)

The technique at the bottom looks most usable. Because `systemctl` pipes its output through the default pager, `less`, we can spawn a shell from the pager with `!sh`:

![](/files/4MUlSQ6Ges7BBZmLYsQW)

And we have root.
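The privilege escalation works because a sudo rule grants a binary that opens an interactive pager, and the pager can run commands. As an added defensive follow-up, not part of the original writeup, the following Python audits sudoers-style rules for exactly that pattern. `PAGER_CAPABLE`, the `SAMPLE_SUDOERS` text, its user names and service name are constructed for this example; the two mitigations it recognises are real sudoers features: the `NOEXEC:` tag, which stops the granted command from executing other programs, and pinning `--no-pager` into the rule, which sudo enforces because command arguments in a rule must match what the user types.

```python
import re

# Binaries that hand the caller an interactive pager or editor from which commands can be run.
PAGER_CAPABLE = {"systemctl", "journalctl", "less", "more", "man", "vi", "vim"}
# Of those, the ones where a pinned --no-pager removes the pager entirely.
NO_PAGER_FLAG_BINARIES = {"systemctl", "journalctl"}

# Matches plain rules of the form: user host=(runas) TAG: cmd, cmd  (no aliases or negation)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)

# Constructed sample for this example; not the target's sudoers.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults env_reset
analyst ALL=(ALL) NOPASSWD: /usr/bin/systemctl status example.service
backup  ALL=(root) /usr/bin/rsync -a /srv/ /mnt/backup/
ops     ALL=(ALL) NOEXEC: /usr/bin/systemctl status example.service
ops     ALL=(ALL) NOPASSWD: /usr/bin/systemctl status example.service --no-pager, /usr/bin/less /var/log/syslog
"""


def parse_rule(line):
    """Split one sudoers rule into user, run-as target, tags and command specs."""
    m = RULE_RE.match(line)
    if not m:
        return None
    tags = [t for t in re.split(r"[:\s]+", m.group("tags")) if t]
    cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
    return {"user": m.group("user"), "runas": m.group("runas") or "root",
            "tags": tags, "commands": cmds}


def audit_sudoers(text):
    """Return a finding for every granted command that can drop into a pager or editor."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        rule = parse_rule(line)
        if rule is None:
            continue
        if "NOEXEC" in rule["tags"]:
            continue  # the command cannot exec a child, so the pager cannot start a shell
        for cmd in rule["commands"]:
            argv = cmd.split()
            if argv[0] == "ALL":
                findings.append({"user": rule["user"], "command": cmd,
                                 "reason": "unrestricted command list"})
                continue
            binary = argv[0].rsplit("/", 1)[-1]
            if binary not in PAGER_CAPABLE:
                continue
            if binary in NO_PAGER_FLAG_BINARIES and "--no-pager" in argv[1:]:
                continue  # pager disabled by the pinned argument
            findings.append({"user": rule["user"], "command": cmd,
                             "reason": f"{binary} can open an interactive pager/editor as {rule['runas']}"})
    return findings


if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
```

Run against `/etc/sudoers` and the files under `/etc/sudoers.d/`, this flags the `analyst` rule (a bare `systemctl status`) and the `less` grant, while accepting the `NOEXEC`-tagged rule and the `--no-pager` variant. It only understands plain rules; aliases, `!` negation and wildcards need the real `sudo -l -U <user>` output rather than this parser.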

