
HTB Linux Easy: Sau

Sau is an Easy-rated Linux machine on HTB.


Nmap


Foothold

Website enumeration

Enumerating the website on port 55555 reveals a forward URL configuration option. We can use it to view the content served on port 80, which can't be accessed directly yet because the port is filtered.

Set the forward URL to the localhost interface (127.0.0.1).

We can now visit the bucket location.

Maltrail v0.53 is vulnerable to RCE if we have access to the login page, so change the forward URL to the login page.

Now we can run the exploit and set up a nc listener to establish a shell connection.
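The forward URL steps above work because the service accepts 127.0.0.1 as a forwarding target. As a defensive counterpart, here is an added example (not part of the original post or of the service's code) of a check an application could run before accepting a forward URL, rejecting loopback and other internal destinations. The function names and sample hosts are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def _resolve(host):
    # Default resolver (needs DNS); callers and tests can inject a stub.
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def _literal(host):
    # IP literals, including legacy IPv4 spellings such as 127.1 or
    # 2130706433 that some HTTP clients accept; None for real hostnames.
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.ip_address(socket.inet_aton(host))
    except (OSError, ValueError):
        return None

def _is_internal(addr):
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) before classifying.
    mapped = getattr(addr, "ipv4_mapped", None)
    addr = mapped if mapped is not None else addr
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_unspecified or addr.is_multicast or addr.is_reserved)

def check_forward_url(url, resolve=_resolve):
    """Return (allowed, reason) for a user-supplied forward URL."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if not host:
        return False, "no host"
    literal = _literal(host)
    try:
        addrs = ([literal] if literal is not None
                 else [ipaddress.ip_address(a) for a in resolve(host)])
    except (OSError, ValueError):
        return False, "host does not resolve"
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        if _is_internal(addr):
            return False, f"internal address {addr}"
    return True, "ok"
```

A check at configuration time is not sufficient on its own: the forwarder should connect to the address that was validated and re-run the check on every redirect, otherwise a hostname can resolve to a public address during validation and to 127.0.0.1 when the request is sent.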

PrivEsc

Check which commands we can run with sudo.

GTFOBins shows that we can spawn a shell after entering systemctl as the root user with: !sh.

User.txt


Root.txt


Pwned


Sources

This post is licensed under CC BY 4.0 by the author.