SSRF


The endpoint discovered via HTTP verb tampering, which takes a url parameter, presents a potential SSRF opportunity, as there is an internal mail service running.

However, attempting to access either localhost or 127.0.0.1 fails, as both are filtered through a blacklist. This means I need to find a way around it.

I tested many entries from the list dedicated to bypassing URL-format filters, and 0.0.0.0 is one of them; it refers to every network interface, including 127.0.0.1 / localhost.

It does work.

Now that I have confirmed access to the internal network, I need a way to reach the internal SMTP server. I cannot simply append :25 to the URL, because SMTP does not speak HTTP.

However, gopher does.

Gopher


The Gopher protocol is a predecessor of HTTP, designed for distributing, searching, and retrieving documents in Internet Protocol networks. The design of the Gopher protocol and user interface is menu-driven, and it presented an alternative to the World Wide Web in its early stages.

As the name of the target system implies, Gopher can be used to interact with other services through the proxy server, proxy.gofer.htb.

There is also a section dedicated to it. Although the article suggests Gopherus, it failed to work with SMTP. The URL format is basically double URL encoding.

As one can imagine, this is designed for a phishing attack scenario.

Another good resource to read is here.

Phishing


I first need to create a phishing mail impersonating the jdavis user. Since the jhudson user has a history of falling for phishing attacks and a bad habit of clicking links, I will take advantage of that.

┌──(kali㉿kali)-[~/archive/htb/labs/gofer]
└─$ hurl -D -f phising.mail 
 
original file :: phising.mail
2xurl encoded :: HELO%2520localhost%250AMAIL%2520FROM%253A%253Cjdavis%2540gofer.htb%253E%250ARCPT%2520TO%253A%253Cjhudson%2540gofer.htb%253E%250ADATA%250AFrom%253A%2520%253Cjdavis%2540gofer.htb%253E%250ATo%253A%2520%253Chudson%2540gofer.htb%253E%250ADate%253A%2520Tue%252C%252015%2520Sep%25202023%252017%253A20%253A26%2520-0400%250ASubject%253A%2520Click%2520Me%250A%250Ahttp%253A%252F%252F10.10.14.20%253A80%252FSSRF_Gopher%250A.%250AQUIT

The mail itself then needs to be double URL encoded.

It initially fails because localhost is a blacklisted word.

So I switched to 127.0.0.1, and it worked. Note that the blacklisted string is /127, not 127.0.0.1, which is why it passes here.
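The bypasses above (0.0.0.0 slipping past a filter that only matches localhost and /127, and gopher:// reaching a non-HTTP service) both come from validating the URL text instead of the destination. The following Python is an added example, not code from this writeup or from the target: a substring blacklist of the kind described, beside a hardened check that allowlists the scheme and classifies the address the host actually resolves to; the hostnames, IPs and stub resolver are constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Substring blacklist of the kind the writeup bypasses: it inspects the text,
# so 0.0.0.0 (every interface, loopback included) and gopher:// slip through.
BLACKLIST = ("localhost", "/127")


def naive_blacklist_allows(url: str) -> bool:
    """Weak check: True means the proxy would go ahead and fetch the URL."""
    return not any(bad in url.lower() for bad in BLACKLIST)


def hardened_allows(url: str, resolve=socket.gethostbyname) -> bool:
    """Allowlist the scheme, then classify the destination IP, not the string."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):      # no gopher://, file://, etc.
        return False
    host = parts.hostname                           # strips brackets from [::1]
    if not host or host == "localhost" or host.endswith(".localhost"):
        return False
    try:
        ip = ipaddress.ip_address(host)             # literal IPv4/IPv6
    except ValueError:
        try:
            ip = ipaddress.ip_address(resolve(host))  # name: judge what it resolves to
        except (socket.gaierror, ValueError):
            return False
    # 0.0.0.0 is "unspecified", 127/8 and ::1 are loopback, RFC1918 and friends are
    # private; any of these would let the proxy reach the internal network.
    return not (ip.is_unspecified or ip.is_loopback or ip.is_private
                or ip.is_link_local or ip.is_multicast or ip.is_reserved)


def fixed_resolver(table: dict):
    """Offline stand-in for DNS (constructed); unknown names fail like NXDOMAIN."""
    def resolve(name: str) -> str:
        if name not in table:
            raise socket.gaierror(f"constructed resolver: no entry for {name}")
        return table[name]
    return resolve


if __name__ == "__main__":
    for u in ("http://0.0.0.0/", "gopher://0.0.0.0:25/_HELO%20127.0.0.1",
              "http://127.0.0.1/", "http://[::1]/", "https://93.184.216.34/"):
        print(f"{u:45} naive={naive_blacklist_allows(u)!s:5} hardened={hardened_allows(u)}")
```

The hardened check still has to connect to the address it vetted (not re-resolve the name at fetch time), otherwise a DNS rebinding answer can swap in 127.0.0.1 after the check.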

A moment later, I get a hit on the Kali web server.

Nothing happens here because I provided an arbitrary payload, SSRF_Gopher, for PoC purposes.

In order to get code execution, I need to provide a proper payload, and to build one it is crucial to understand the target user's environment.

There was another note in the mail regarding the use of a particular file extension, .odt, as it is handled well by LibreOffice, as opposed to documents saved in Office Word.

.odt is the OpenDocument text format, used primarily by OpenOffice and LibreOffice. It is entirely possible that the LibreOffice instance on the target system is vulnerable.

This appears to be the way in.