Nmap scan
nmap -sV -sC -T4 -p- -oA Sau 10.10.11.224 -v
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 aa:88:67:d7:13:3d:08:3a:8a:ce:9d:c4:dd:f3:e1:ed (RSA)
| 256 ec:2e:b1:05:87:2a:0c:7d:b1:49:87:64:95:dc:8a:21 (ECDSA)
|_ 256 b3:0c:47:fb:a2:f2:12:cc:ce:0b:58:82:0e:50:43:36 (ED25519)
80/tcp filtered http
2392/tcp filtered tacticalauth
8338/tcp filtered unknown
10962/tcp filtered unknown
24943/tcp filtered unknown
30535/tcp filtered unknown
50030/tcp filtered unknown
55555/tcp open unknown
The site on 55555 is very basic: it just lets you create a basket and send web requests to it, and that's about it.
The site is running a vulnerable version of request-baskets; googling the version string turns up CVE-2023-27163, an SSRF in the basket forwarding feature (a basket can be given a forward_url, and the server then fetches that URL itself for every request sent to the basket).
Using /CVE-2023-27163.sh we can forward requests to port 80, so we can access a restricted site (really cool exploit that I didn't know existed). Because the request-baskets process makes the request, the web server on port 80 sees it coming from localhost; from our side port 80 shows as filtered in the scan, so the SSRF is the way in.
The site on port 80 is running Maltrail (v0.53), which has an unauthenticated RCE: the username sent to the /login page ends up inside a shell command without sanitisation, so a backtick-wrapped command in that field runs on the server.
https://www.exploit-db.com/exploits/51676
We can run sudo /usr/bin/systemctl status trail.service with no password.
The usual GTFOBins systemctl trick abuses the editor that systemctl edit spawns:
TF=$(mktemp)
echo /bin/sh >$TF
chmod +x $TF
sudo SYSTEMD_EDITOR=$TF /usr/bin/systemctl edit system.slice
That variant needs sudo to allow systemctl edit, though, and our rule is pinned to status trail.service, so it does not apply here; what we can abuse instead is the status subcommand itself.
This works because systemctl hands the status output to a pager (less, started with LESS=FRSXMK, so it exits straight away if everything fits on one screen), not an editor. Whether the pager actually waits for input depends on how systemctl sees the terminal; for us it only did so after downgrading to a non-tty shell, where it does not draw the usual full-screen pager window but still reads commands. Once it is waiting, ! is the pager's shell escape, and since the pager is a child of the sudo'd systemctl it runs as root: !/bin/sh drops into a root shell, and !cat /root/root.txt would read the flag just as well. This is CVE-2023-26604; systemd 247 and later start the pager with LESSSECURE=1, which disables the ! escape, so the trick works here only because this box (Ubuntu 20.04, going by the OpenSSH 8.2p1 4ubuntu0.7 banner in the scan) runs an older systemd.
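Before spending time on the pager, it is worth checking the two things it depends on. The helper below is an added triage script for this writeup, not part of the original notes: given the text of systemctl --version and sudo -l, it says whether the escape is worth trying. Function names and the sample outputs used in its comments are my own.

```bash
#!/usr/bin/env bash
# Added triage helper, not part of the original notes.

# First number on the "systemd NNN (...)" line, e.g. 245 on Ubuntu 20.04.
systemd_version() {
  printf '%s\n' "$1" | sed -n 's/^systemd \([0-9][0-9]*\).*/\1/p' | head -n1
}

# The escape needs (a) a systemd that does not start less with LESSSECURE=1,
# i.e. anything before 247 (CVE-2023-26604), and (b) a NOPASSWD sudo rule on a
# systemctl subcommand that pages its output (status, cat, show, list-*).
# $1 = output of `systemctl --version`, $2 = output of `sudo -l`.
pager_escape_possible() {
  local ver
  ver=$(systemd_version "$1")
  [ -n "$ver" ] && [ "$ver" -lt 247 ] || return 1
  printf '%s\n' "$2" | grep -Eq 'NOPASSWD:.*systemctl[[:space:]]+(status|cat|show|list-[a-z-]+)' || return 1
  return 0
}

# Live use on the target: ./check.sh --check
if [ "${1:-}" = "--check" ]; then
  if pager_escape_possible "$(systemctl --version 2>/dev/null)" "$(sudo -n -l 2>/dev/null)"; then
    echo "pager escape looks possible: run the sudo systemctl command and type !sh at the pager"
  else
    echo "pager escape does not apply here"
  fi
fi
```

On the defensive side the same two conditions give the fix: upgrade to a systemd that sets LESSSECURE=1 for the pager, or write the sudoers rule as /usr/bin/systemctl --no-pager status trail.service so no pager is ever spawned under sudo.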