Web


Nmap discovered a web server on target port 80. It responded with a 301 redirect to the domain editorial.htb

It appears to be an online blog featuring books. There is a search bar, but it is not functional

Wappalyzer identified the technologies involved. It's built on PHP

The footer contains a sitemap, yet none of its links are functional, including the subscription form

Fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs/editorial]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 200 -u 'http://editorial.htb/FUZZ' -ic
________________________________________________
 :: Method           : GET
 :: URL              : http://editorial.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 200
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
about                   [Status: 200, Size: 2939, Words: 492, Lines: 72, Duration: 83ms]
upload                  [Status: 200, Size: 7140, Words: 1952, Lines: 210, Duration: 501ms]
                        [Status: 200, Size: 8577, Words: 1774, Lines: 177, Duration: 245ms]
:: Progress: [220547/220547] :: Job [1/1] :: 1047 req/sec :: Duration: [0:03:54] :: Errors: 0 ::

2 endpoints found

/about


The /about endpoint is a static page

/upload


The /upload endpoint appears a lot more interesting, as it supports file upload

SSRF?


The input field takes a URL for the book cover

The web app makes a POST request to the upload-cover endpoint

The web backend then makes a request to the supplied URL itself. The backend is Python

It might be possible to achieve SSRF through this

Checking localhost, 127.0.0.1, the web server responds with an image file

Port Scan


Doing a “port scan” via the SSRF: scanning the internal port 5000 shows something else; static/uploads/fa7e7526-0cfb-4939-a8b6-48b983ed4392

┌──(kali㉿kali)-[~/archive/htb/labs/editorial]
└─$ curl -i http://editorial.htb/static/uploads/fa7e7526-0cfb-4939-a8b6-48b983ed4392
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 20 Jun 2024 14:01:35 GMT
Content-Type: application/octet-stream
Content-Length: 911
Connection: keep-alive
Content-Disposition: inline; filename=fa7e7526-0cfb-4939-a8b6-48b983ed4392
Last-Modified: Thu, 20 Jun 2024 14:01:05 GMT
Cache-Control: no-cache
ETag: "1718892065.9960847-911-4165933148"
 
{"messages":[{"promotions":{"description":"Retrieve a list of all the promotions in our library.","endpoint":"/api/latest/metadata/messages/promos","methods":"GET"}},{"coupons":{"description":"Retrieve the list of coupons to use in our library.","endpoint":"/api/latest/metadata/messages/coupons","methods":"GET"}},{"new_authors":{"description":"Retrieve the welcome message sended to our new authors.","endpoint":"/api/latest/metadata/messages/authors","methods":"GET"}},{"platform_use":{"description":"Retrieve examples of how to use the platform.","endpoint":"/api/latest/metadata/messages/how_to_use_platform","methods":"GET"}}],"version":[{"changelog":{"description":"Retrieve a list of all the versions and updates of the api.","endpoint":"/api/latest/metadata/changelog","methods":"GET"}},{"latest":{"description":"Retrieve the last version of api.","endpoint":"/api/latest/metadata","methods":"GET"}}]}

It turns out that 127.0.0.1:5000 hosts API endpoints, and static/uploads/fa7e7526-0cfb-4939-a8b6-48b983ed4392 is the response from that API service, fetched by the backend on the user's behalf
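The root cause above is that the backend fetches whatever URL the cover field contains, loopback included. The check below is an added example in Python (not code from the Editorial box), showing how such a fetch should be gated before any request is made; the allow-listed schemes and ports, the hostnames, and the injectable `resolver` parameter are assumptions:

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Assumed policy for a book-cover fetch: public web only, default ports only.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

def is_public_address(ip_str):
    """True only for globally routable addresses (no loopback, RFC 1918, link-local...)."""
    ip = ipaddress.ip_address(ip_str)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def validate_cover_url(url, resolver=socket.getaddrinfo):
    """Return (ok, reason). `resolver` is injectable so the check can be tested offline."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    try:
        port = parsed.port or (443 if parsed.scheme == "https" else 80)
    except ValueError:
        return False, "malformed port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    # Literal IPs (127.0.0.1, [::1], 10.10.11.20) need no DNS; hostnames are resolved
    # so that a name that points at an internal address is caught too.
    try:
        ipaddress.ip_address(host)
        addrs = [host]
    except ValueError:
        try:
            addrs = [info[4][0] for info in resolver(host, port, type=socket.SOCK_STREAM)]
        except socket.gaierror:
            return False, "host does not resolve"
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"resolves to non-public address {addr}"
    # Caveat: connect to the vetted address itself and disable redirects when
    # fetching, otherwise DNS rebinding or a 302 can still point at 127.0.0.1.
    return True, "ok"

if __name__ == "__main__":
    for u in ("http://127.0.0.1:5000/api/latest/metadata", "http://127.0.0.1/"):
        print(u, validate_cover_url(u))
```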

File Upload


The file upload feature is for the book cover as well

Clicking the Preview button sends a POST request to the same upload-cover endpoint

Then the “book cover” is shown, having been uploaded to /static/uploads/f92df17e-0ee6-4d8c-a0e6-56337dc64a3a

Sub-domain / Virtual Host Discovery


┌──(kali㉿kali)-[~/archive/htb/labs/editorial]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 200 -u http://$IP/ -H 'Host: FUZZ.editorial.htb' -ic -mc all -fs 178
________________________________________________
 :: Method           : GET
 :: URL              : http://10.10.11.20/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
 :: Header           : Host: FUZZ.editorial.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 200
 :: Matcher          : Response status: all
 :: Filter           : Response size: 178
________________________________________________
:: Progress: [114437/114437] :: Job [1/1] :: 206 req/sec :: Duration: [0:00:53] :: Errors: 0 ::

Nothing found