Hack the Box SSRF Exploitation Guide

Oct 29, 2024

Hack the Box Editorial Walkthrough

Overview

  • Presenter: Ipzeg
  • Platform: Hack the Box
  • Focus: Server-Side Request Forgery (SSRF) and exploiting vulnerabilities

Key Steps and Techniques

Initial Enumeration

  • SSRF: Used to access ports listening on localhost.
  • API Server Discovery: Found through late enumeration.
  • SSH Access: Credentials found in a developer message allowed SSH access.

Exploration and Exploitation

Git Repository

  • Git Commit History: Revealed additional credentials for switching users.

Vulnerability Exploitation

  • Python Script: Used the GitPython library, which has a known vulnerability.
  • Command Execution: Achieved by passing a URL carrying a shell extension to the vulnerable Python script.

Detailed Walkthrough

Starting with nmap

  • Command: nmap -sC -sV -vv -oA editorial 10.10.11.20
  • Findings:
    • Port 22: SSH (Ubuntu)
    • Port 80: HTTP (Nginx, Ubuntu)
    • Redirect to editorial.htb

Exploring the Website

  • Initial Observation: Simple Bootstrap page; nothing revealing in the source or headers.
  • Identification: 404 pages indicated a Flask application.
  • Attempts: Interacted with the newsletter subscription and book publishing pages.

SSRF Exploitation

  • Testing SSRF: Sent requests to localhost on various ports.
  • IPv6 Exploration: Attempted to discover open ports via IPv6; found only the SSH port open.
  • Port Fuzzing: Used port fuzzing to discover open ports on localhost, identifying port 5000 as significant.
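The defender's side of the SSRF described above, as an added example that is not code from the walkthrough or the box: a guard a Flask-style app can apply before fetching a user-supplied URL, so that loopback (IPv4 and IPv6, including IPv4-mapped forms), private and link-local addresses and non-web ports such as 5000 are refused. The resolve parameter is an assumption added for testability; by default the system resolver is used.

```python
"""Outbound-fetch guard for an endpoint that fetches a user-supplied URL."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}   # an internal API on 5000 is never a legitimate target


def _resolve(host):
    """Default resolver: every A/AAAA address the hostname maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_safe_url(url, resolve=_resolve):
    """Return True only if the URL can reach nothing but a public web address.

    resolve is an injectable hostname resolver (assumption for offline tests).
    """
    try:
        parts = urlsplit(url)
    except ValueError:            # malformed bracketed IPv6 host etc.
        return False
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    try:
        port = parts.port         # raises ValueError on non-numeric ports
    except ValueError:
        return False
    port = port or (443 if scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        return False
    host = parts.hostname
    try:
        addrs = {str(ipaddress.ip_address(host))}   # literal IPv4 or IPv6
    except ValueError:
        try:
            addrs = resolve(host)                   # hostname: check every address
        except OSError:
            return False
    if not addrs:
        return False
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped   # ::ffff:127.0.0.1 is still loopback
        if ip.is_multicast or not ip.is_global:     # loopback, private, link-local
            return False
    return True
```

Because DNS answers can change between this check and the actual fetch, the address that passed the check should be the one the HTTP client connects to.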

API Interaction

  • JSON Data: Retrieved from port 5000; contained potential endpoints.
  • Sensitive Information: Discovered login credentials that granted SSH access.

SSH Access as dev

  • Initial Enumeration: Checked directories such as /opt; found a .git directory revealing more information.
  • Git Log Analysis: Used git log -G to search commit contents for sensitive data.

User Privilege Escalation

  • Switch to prod: Found credentials in git commit history.
  • Directory Exploration: Gained access to new directories, notably /opt/internal/apps.

Exploiting Vulnerable Python Script

  • Script Analysis: Identified a vulnerability in a script that uses Git with extensions enabled.
  • Command Injection: Achieved by manipulating the URL input to execute commands as root.
    • Reverse Shell: Initially challenging due to special characters, but successful with the correct syntax.
    • Alternative Method: Set the SUID bit on a copied bash binary to obtain a root shell.

Conclusion

  • Successful exploitation of vulnerabilities through SSRF, git history analysis, and command injection.
  • Emphasized the importance of strategic enumeration and vulnerability identification.