<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Request-Baskets on appl3b0y</title>
    <link>https://appl3b0y.com/tags/request-baskets/</link>
    <description>Recent content in Request-Baskets on appl3b0y</description>
    <generator>Hugo</generator>
    <language>en-us</language>
    <lastBuildDate>Tue, 02 Jun 2026 00:00:00 +0000</lastBuildDate>
    <atom:link href="https://appl3b0y.com/tags/request-baskets/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Sau</title>
      <link>https://appl3b0y.com/writeups/sau/</link>
      <pubDate>Tue, 02 Jun 2026 00:00:00 +0000</pubDate>
      <guid>https://appl3b0y.com/writeups/sau/</guid>
      <description>&lt;h2 id=&#34;introduction&#34;&gt;Introduction&lt;/h2&gt;&#xA;&lt;p&gt;&lt;strong&gt;Sau&lt;/strong&gt; is an easy Linux box, and it is a very clean example of chaining three small, well-scoped bugs into root. Nothing here needs a custom exploit or memory corruption; each stage is &amp;ldquo;known software at a known vulnerable version&amp;rdquo;.&lt;/p&gt;&#xA;&lt;p&gt;The chain: the only web app we can reach is &lt;strong&gt;Request Baskets 1.2.1&lt;/strong&gt;, which has an &lt;strong&gt;SSRF&lt;/strong&gt; (CVE-2023-27163). We use that SSRF to punch through the firewall and reach a port that nmap reported as &lt;code&gt;filtered&lt;/code&gt;. Behind that port sits &lt;strong&gt;Maltrail v0.53&lt;/strong&gt;, which has a trivial &lt;strong&gt;unauthenticated command injection&lt;/strong&gt; in its login page, giving us a shell as &lt;code&gt;puma&lt;/code&gt;. Finally, &lt;code&gt;puma&lt;/code&gt; is allowed to run &lt;code&gt;systemctl status&lt;/code&gt; under &lt;code&gt;sudo&lt;/code&gt;, and because &lt;code&gt;systemctl&lt;/code&gt; pipes long output through the &lt;code&gt;less&lt;/code&gt; pager, we drop into a root shell with a single &lt;code&gt;!sh&lt;/code&gt;.&lt;/p&gt;</description>
    </item>
  </channel>
</rss>
