└─➜ nmap 10.10.11.224 -sCV -T5 | tee ports.scan [0]
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-30 17:56 IST
Nmap scan report for sau.htb (10.10.11.224)
Host is up (0.40s latency).

PORT      STATE    SERVICE VERSION
22/tcp    open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 aa:88:67:d7:13:3d:08:3a:8a:ce:9d:c4:dd:f3:e1:ed (RSA)
|   256 ec:2e:b1:05:87:2a:0c:7d:b1:49:87:64:95:dc:8a:21 (ECDSA)
|_  256 b3:0c:47:fb:a2:f2:12:cc:ce:0b:58:82:0e:50:43:36 (ED25519)
80/tcp    filtered http
55555/tcp open     unknown
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.0 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     X-Content-Type-Options: nosniff
|     Date: Sat, 30 Dec 2023 12:27:17 GMT
|     Content-Length: 75
|     invalid basket name; the name does not match pattern: ^[wd-_\.]{1,250}$
|   GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     400 Bad Request
|   GetRequest:
|     HTTP/1.0 302 Found
|     Content-Type: text/html; charset=utf-8
|     Location: /web
|     Date: Sat, 30 Dec 2023 12:26:36 GMT
|     Content-Length: 27
|     <a href="/web">Found</a>.
|   HTTPOptions:
|     HTTP/1.0 200 OK
|     Allow: GET, OPTIONS
|     Date: Sat, 30 Dec 2023 12:26:38 GMT
|_    Content-Length: 0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port55555-TCP:V=7.94%I=7%D=12/30%Time=65900C81%P=x86_64-pc-linux-gnu%r(
SF:GetRequest,A2,"HTTP/1\.0\x20302\x20Found\r\nContent-Type:\x20text/html;<--SNIPPED-->
SF:ose\r\n\r\n400\x20Bad\x20Request");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 135.89 seconds
Directory brute-forcing is not needed on this machine.
Homepage
Visiting the homepage shows that the machine is running a vulnerable version of Request Baskets.
Read more about this vulnerability:
https://github.com/entr0pie/CVE-2023-27163
Web Exploit
Request-baskets is a web application that collects and records the requests sent to a specific route, the so-called basket. When creating a basket, the user can specify another server to which incoming requests are forwarded.
In practice, after creating a basket you can set forward_url to an address of your choosing, so every request that reaches your basket is forwarded to that address.
Because the forwarding is done by the server itself, pointing forward_url at a localhost address lets an attacker read responses from internal services that were never meant to be public (a server-side request forgery).
Since port 80 showed as filtered in the scan, we can ask request-baskets to fetch its content for us from the inside.
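The check that closes this hole is to validate forward_url before a basket accepts it. The following is an added defensive example, not code from the write-up or from the request-baskets project: it rejects loopback, private, link-local and IPv4-mapped targets, including hostnames that resolve to them. The function names and the injectable resolver are assumptions for illustration.

```python
# Added example (not from the write-up or request-baskets): validate a basket's
# forward_url so it cannot be pointed at loopback or private targets.
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def system_resolver(host):
    """Default resolver: every address the OS returns for host."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def _is_internal(ip):
    """True for any address a forwarder must never contact on a user's behalf."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # unwrap ::ffff:a.b.c.d so it is judged as IPv4
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_forward_url(url, resolver=system_resolver):
    """Return (ok, reason). The resolver is injectable so the check runs offline.

    Note: this validates at configuration time; the forwarder must then connect
    to the validated address rather than re-resolving the name, otherwise a
    later DNS change (rebinding) would bypass the check.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = [ipaddress.ip_address(host)]  # IP literal, incl. bracketed IPv6
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError) as exc:
            return False, f"cannot resolve {host!r}: {exc}"
        if not addrs:
            return False, f"{host!r} has no addresses"
    for ip in addrs:
        if _is_internal(ip):
            return False, f"{host!r} resolves to non-public address {ip}"
    return True, "ok"
```

Run with a constructed resolver (for example `lambda h: ["93.184.216.34"]`) to exercise the hostname path without network access; the loopback and 10.0.0.0/8 literals are rejected without any resolution.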
1. Create a new basket
After creation it shows you a token; click Open basket.
2. Forward Request
Click on Settings.
Configure the basket with the following settings:
3. Info leak
The fetched page shows that the internal service on port 80 is Maltrail.
A quick Google search shows that this version is vulnerable to RCE.