Read my writeup to Sau machine on:
TL;DR
To solve this machine, we start by using nmap to enumerate open services and find ports 22, and 55555.
User: Discovered request-baskets running on port 55555. Leveraging CVE-2023-27163, a new basket was created with forwarding to local port 80 for Maltrail. Exploiting unauthenticated OS Command Injection on Maltrail, a reverse shell was successfully obtained as user puma.
Root: After executing sudo -l, we discovered that we have the ability to run the systemctl status command as root. By utilizing the !sh command within the less pager, we successfully obtained a root shell.