The machine released on Hack The Box in May 2023 by sau123 exposes two open ports.
Port 50051 runs an unidentified service, presumed to be gRPC (50051 is the conventional gRPC port), which can be probed with Postman's gRPC client; port 22 runs a current version of OpenSSH with no known vulnerabilities.
The Postman tests reveal an SQL injection vulnerability in the gRPC service, which is used to retrieve the passwords of the two users “admin” and “sau” and log in via SSH.
No suitable SUID binaries are found for privilege escalation, so port forwarding is used instead: a Chisel server on the attacker machine and a Chisel client on the victim machine.
This forwards the victim's port 8000 to the attacker machine; the service behind it turns out to be pyLoad, a Python-based download manager.
A search reveals a vulnerability in pyLoad (CVE-2023-0297), which is exploited with a Python script to gain root access.
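The SQL injection in the gRPC service is the foothold for the whole chain, so the defensive point worth seeing in code is the difference between a query built by string formatting and a parameterised one. The following is an added example, not code from the box or from the writeup: the real service's schema and query are not known, so it uses an in-memory SQLite table with constructed placeholder users and a hypothetical `token` column to stand in for the backend lookup.

```python
import sqlite3

def make_db():
    """Constructed sample data; usernames mirror the box, hashes and tokens are placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, token TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "placeholder-admin-hash", "tok-admin"),
         ("sau", "placeholder-sau-hash", "tok-sau")],
    )
    return conn

def lookup_vulnerable(conn, token):
    """Vulnerable form: the caller-supplied token is spliced into the SQL text,
    so quote characters in it change the query's structure."""
    sql = f"SELECT username, password FROM users WHERE token = '{token}'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, token):
    """Hardened form: the token travels as a bound parameter and is only ever
    compared as a value, never parsed as SQL."""
    sql = "SELECT username, password FROM users WHERE token = ?"
    return conn.execute(sql, (token,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    probe = "' OR 1=1--"   # classic tautology; the page reports the same class of bug
    print("vulnerable:", lookup_vulnerable(db, probe))  # every row comes back
    print("safe:      ", lookup_safe(db, probe))        # no row matches that literal token
```

Run as a script it prints the full user table from the vulnerable lookup and an empty list from the parameterised one; the same contrast holds for any SQL driver that supports bound parameters, which is the fix that removes this bug class rather than filtering individual characters.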