Sau writeup by evyatar9

Read my writeup to Sau machine on:


To solve this machine, we start by using nmap to enumerate open services and find ports 22, and 55555.

User: Discovered request-baskets running on port 55555. Leveraging CVE-2023-27163, a new basket was created with forwarding to local port 80 for Maltrail. Exploiting unauthenticated OS Command Injection on Maltrail, a reverse shell was successfully obtained as user puma.

Root: After executing sudo -l, we discovered that we have the ability to run the systemctl status command as root. By utilizing the !sh command within the less pager, we successfully obtained a root shell.