nmap
The nmap scan shows that ports 22 and 55555 are open.
I checked the web page.
The web page shows that request-baskets is version 1.2.1.
I googled whether that version has any known vulnerabilities and found an SSRF vulnerability: CVE-2023-27163.
Exploitation
I downloaded a PoC for the vulnerability from this GitHub page.
I proxied it to localhost.
It then gave me a link.
user flag
When I accessed the link, I could see that it is powered by Maltrail.
Maltrail v0.5.3 also appears to have a known vulnerability.
I downloaded the exploit and executed it.
I got the shell as user puma!
root flag
The user puma can run trail/service as root.
Before proceeding, let’s upgrade our shell.
$python3 -c 'import pty;pty.spawn("/bin/bash")'
ALT+Z
$stty raw -echo; fg
$export TERM=xterm
Then, I ran the command as root.
And here is the key point.
If we can execute systemctl status as root, we can spawn a shell with root privileges, because systemctl hands its output to the less pager, and less can run shell commands.
!sh
In the less interface, type the command above and get the root shell.
Lesson learned
- If we have root permission to execute systemctl status, we can spawn a shell with root privileges.
- The commands to upgrade a shell.
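As an added defender-side example (not part of this write-up), here is a small POSIX shell audit that flags sudoers rules of the kind abused above: root access to a pager-backed command such as systemctl status without --no-pager pinned in the rule, or an unrestricted ALL. The sudoers fragment inside it is constructed for the demo, not taken from any real host.

```sh
#!/bin/sh
# Added defender-side example, not part of the original write-up.
# Flags sudoers rules that grant root on commands which open a pager by
# default (systemctl status, journalctl) unless the rule itself pins
# --no-pager, and rules that grant ALL. The sample file is constructed.

# sample_sudoers: write a constructed sudoers fragment and print its path.
sample_sudoers() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not taken from any real host
Defaults env_reset
puma ALL=(ALL) NOPASSWD: /usr/bin/systemctl status trail.service
ops  ALL=(root) /usr/bin/systemctl status trail.service --no-pager, /usr/bin/journalctl -u trail.service
backup ALL=(ALL) ALL
EOF
    printf '%s\n' "$f"
}

# risky_sudo_rules FILE: print "<user>: <command>" for each risky command spec.
risky_sudo_rules() {
    # Drop comments, blank lines and Defaults lines; keep user/host rules.
    grep -Ev '^[[:space:]]*(#|$|Defaults)' "$1" |
    while IFS= read -r rule; do
        user=$(printf '%s\n' "$rule" | awk '{print $1}')
        # Strip "user host=", the "(runas)" list and tags such as NOPASSWD:.
        cmds=$(printf '%s\n' "$rule" | sed -E 's/^[^=]*=//; s/\([^)]*\)//; s/[A-Z]+: *//g')
        printf '%s\n' "$cmds" | tr ',' '\n' | while IFS= read -r cmd; do
            cmd=$(printf '%s\n' "$cmd" | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//')
            case "$cmd" in
                ALL) printf '%s: ALL (any command)\n' "$user" ;;
                *"systemctl status"*|*journalctl*)
                    case "$cmd" in
                        *--no-pager*) ;;  # pager disabled on the pinned command line
                        *) printf '%s: %s\n' "$user" "$cmd" ;;
                    esac ;;
            esac
        done
    done
}

# Stand-alone run: audit the constructed sample.
risky_sudo_rules "$(sample_sudoers)"
```

Run it against /etc/sudoers and each file in /etc/sudoers.d/ instead of the sample. sudo matches a pinned argument list exactly, so a rule that includes --no-pager cannot be invoked without it.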