Newsletter 08/01/2023
This machine has a webhook functionality that seems vulnerable to Server-Side Request Forgery. After trying some bypasses, we see that the SSRF attack can be performed using a redirection. Internally, there is an outdated Gogs version that is vulnerable to SQLi. Once we find a payload to extract password hashes from the database, we can obtain and crack the hashes from the remote Gogs instance using SQLi through SSRF. Then, we can connect with SSH and find out that we can enter local paths in the database to read files from the server as root. This write-up uses a custom Python script to perform the SSRF attack and another Go program to crack Gogs hashes.
ZIP compression. Password brute force
JavaScript deobfuscation. AES cipher. Brute force
64-bit binary. Buffer Overflow. Brute force. Stack Pivot. ret2libc
64-bit binary. Heap exploitation. Use After Free