SSRF

2024

HTB Sau

10 January 2024·8 mins

HTB Linux htb-easy request-baskets SSRF proxy mailtrail command-injection systemctl less pager

Sau is an easy linux box that hosts an website on a non standard port. Exploiting an SSRF vulnerability on the site allowed for the exploitation of a command injection flaw within an internal Mailtrail application, leading to a shell as the user puma. Next, user puma has sudo privileges for systemctl, and the less pager is exploited to escalate privileges.

2023

Htb Gofer

29 October 2023·21 mins

HTB Linux htb-hard SMB cme wfuzz phishing macros LibreOffice SSRF gopher Gopherus smtp pspy Ghidra dangling-pointer use-after-free path-hijack

Gofer is a hard linux box, I discovered a HTTP proxy vulnerable to Server-Side Request Forgery. Utilizing this SSRF vulnerability, I sent a phishing email through the internal SMTP server via the gopher protocol, embedding a malicious macro that activates upon document opening. Next, I obtained user credentials from a background process linked to the proxy. Finally, I found a vulnerability in the ’notes’ binary, exploiting a use-after-free vulnerability associated with a dangling pointer.