Sau

Enumeration

Ports and Services

Software Installed:

• request-baskets v1.2.1
  • https://github.com/darklynx/request-baskets

Nmap Scan Results:

Homepage:

https://www.exploit-db.com/exploits/51675

These baskets are like a reverse proxy.
Utilized exploit to pull web page from attacker machine

Visited http://10.129.91.121:55555/vkpvin

Did the same thing for localhost:
http://10.129.91.121:55555/ncexja

Maltrail has an RCE Vuln
https://www.exploit-db.com/exploits/51676
Ran exploit and received a shell

Created ssh keypair and ssh as puma

Initial Foothold

User.txt Proof Screenshot

Privilege Escalation

Sudo with systemctl
https://gtfobins.github.io/gtfobins/systemctl/#sudo

Shows that more than likely it is shown using less.
Ran sudo command and instead of hitting enter I entered !/bin/sh and recevied a root shell

RootScreenshot Here: