Sau – HackTheBox

Machine Name: Sau
IP: 10.10.11.224
Difficulty: Easy

Summary

Sau is an easy machine that starts with discovering a port running Request Baskets. The application is vulnerable to SSRF, which led to the discovery that the Maltrail application running on port 8338 was being forwarded. Maltrail was vulnerable to an unauthenticated command injection. RCE was obtained by chaining the SSRF to redirect us to the vulnerable “/login” page, where the payload was injected. Privilege escalation involved abusing a sudo right to run systemctl as root.
