Setup
mkdir -p ~/ctf/HackTheBox/sau/scans && cd ~/ctf/HackTheBox/sau
IP Address: 10.10.11.224
Add to /etc/hosts (requires sudo):
echo "10.10.11.224 sau.htb" | sudo tee -a /etc/hosts
10.10.11.224 sau.htb
Enumeration
Fast sweep variant:
nmap -sC -sV -p- -T4 --min-rate 2000 -vv sau.htb -oN ~/ctf/HackTheBox/sau/scans/nmap_fast_20250814-001308.txt
# nmap findings
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 aa:88:67:d7:13:3d:08:3a:8a:ce:9d:c4:dd:f3:e1:ed (RSA)
55555/tcp open http syn-ack ttl 63 Golang net/http server
| http-methods:
|_ Supported Methods: GET OPTIONS
| http-title: Request Baskets
|_Requested resource was /web
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| X-Content-Type-Options: nosniff
| Date: Thu, 14 Aug 2025 01:28:55 GMT
| Content-Length: 75
| invalid basket name; the name does not match pattern: ^[wd-_\.]{1,250}$
| GenericLines, Help, LPDString, RTSPRequest, SIPOptions, SSLSessionReq, Socks5:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 302 Found
| Content-Type: text/html; charset=utf-8
| Location: /web
| Date: Thu, 14 Aug 2025 01:28:36 GMT
| Content-Length: 27
| href="/web">Found</a>.
| HTTPOptions:
| HTTP/1.0 200 OK
| Allow: GET, OPTIONS
| Date: Thu, 14 Aug 2025 01:28:37 GMT
| Content-Length: 0
| OfficeScan:
| HTTP/1.1 400 Bad Request: missing required Host header
| Content-Type: text/plain; charset=utf-8
| Connection: close
|_ Request: missing required Host header
Visiting port 55555 in a browser shows Request Baskets v1.21.
Searching for that version tells us it is vulnerable to CVE-2023-27163.
The endpoints /api/baskets/{name} and /baskets/{name} are vulnerable to unauthenticated SSRF, which allows an attacker to access network resources and sensitive information.
Using the exploit, we run the command below to forward our request to 127.0.0.1:80, the service hosted internally on port 80.
On this page we see Maltrail (v0.53) is hosted. Searching for exploits/CVEs for this software, we find an exploit that abuses unsanitized input in the username field on /login to achieve command execution.
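The root cause above is that a basket can be pointed at any forward URL, including loopback. As an added example (not the Request Baskets project's own code), the following validator shows the check a server should apply to a user-supplied forward URL (the `forward_url` basket setting) before storing it: it resolves the host and fails closed unless every address is globally routable. The function names are assumed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Only plain HTTP(S) forwarding makes sense for a request-capture service.
ALLOWED_SCHEMES = {"http", "https"}


def resolve_targets(host):
    """Resolve host to the list of IP addresses it maps to.

    Literal IPs and /etc/hosts names resolve offline. IPv4-mapped IPv6
    addresses (::ffff:127.0.0.1) are unwrapped so they are judged as IPv4.
    Any resolution failure yields an empty list, which callers treat as unsafe.
    """
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
        targets = []
        for info in infos:
            addr = ipaddress.ip_address(info[4][0])
            if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
                addr = addr.ipv4_mapped
            targets.append(addr)
        return targets
    except (OSError, UnicodeError, ValueError):
        return []


def is_safe_forward_url(url):
    """Return True only when url may be stored as a basket's forward target.

    Rejects non-HTTP schemes, URLs carrying userinfo (http://ok@127.0.0.1/),
    hosts that do not resolve, and any host with at least one non-global
    address (loopback, RFC 1918, link-local such as 169.254.169.254, multicast).
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not host:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    targets = resolve_targets(host)
    if not targets:
        return False  # fail closed on unresolvable names
    # NOTE: the proxying code must connect to the vetted address rather than
    # re-resolving the name, or a DNS rebinding answer can bypass this check.
    return all(a.is_global and not a.is_multicast for a in targets)
```

Decimal and short-form literals such as http://2130706433/ or http://127.1/ are caught as well, because the resolver expands them to 127.0.0.1 (or fails, which is also rejected).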
User Flag
Location: /home/puma/user.txt | Flag: 5478150e289db926c53eba765a0bf71b
Privilege Escalation
After getting the shell, we run sudo -l and find / -perm -u=s -type f 2>/dev/null to look for sudo access and SUID binaries. In the sudo access we find we can run /usr/bin/systemctl status trail.service as sudo. When we run this we see it uses less to display the output, so we go to GTFOBins for less and find we can execute !/bin/sh at the prompt at the bottom, where the line numbers are shown.
When we execute !/bin/sh we get a shell as root:
Root Flag
Location: /root/root.txt | Flag: 5b63e2f86a614bb58cd3c835337420ed