
Editorial


User

nmap

etc

sudo bash -c "echo '10.10.11.20 editorial.htb' >>  /etc/hosts "

upload page

Here I'm testing for SSRF

[screenshot: vuln to ssrf 1.png]

[screenshot: website number generator.png]
I'm getting all numbers from 1 - 65536 in a wordlist for the local ports
[screenshot: request txt.png]
I saved the request I got from Burp into a .txt file to use with ffuf

[screenshot: ffuf.png]
I started running ffuf but I was getting a whole load of 200s, so I added “-fs 61”, which filters out any response whose size is 61

[screenshot: ffuf 1.png]

I found that port 5000 had a different response size

[screenshot: uploads instead of images.png]
Sent “127.0.0.1:5000” to see what the response would be and I got back a static upload
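The port scan above works because the cover-preview feature fetches whatever URL it is given, including loopback addresses and arbitrary ports. As an added example (not code from the writeup or from the box itself), here is the server-side check such a feature should run before fetching anything. The allowed schemes, ports and the `resolve` hook are assumptions made for the example; the real application's policy is not on the page.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical policy for a "preview a cover image from a URL" feature; the
# real app's rules are not on the page. Only plain web schemes on their
# default ports are accepted, so "127.0.0.1:5000" fails on the port alone,
# and the address is still checked for good measure.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def is_public_address(ip_text: str) -> bool:
    """True only for a globally routable unicast address.

    Loopback (127.0.0.0/8, ::1), RFC 1918 space, link-local 169.254.0.0/16
    (which also covers cloud metadata endpoints), documentation ranges,
    multicast and the unspecified address are all rejected.
    """
    ip = ipaddress.ip_address(ip_text)
    return bool(ip.is_global and not ip.is_multicast)


def _looks_like_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_allowed_fetch_url(url: str, resolve=socket.gethostbyname) -> bool:
    """Decide whether the server may fetch `url` on a user's behalf.

    `resolve` maps a hostname to an IPv4/IPv6 address string. It is a
    parameter so the check runs offline with a fake resolver; in production
    the address checked here must be the one the HTTP client connects to,
    otherwise a DNS answer that changes between check and use (rebinding)
    defeats the check.
    """
    try:
        parts = urlsplit(url)
        port = parts.port              # raises ValueError on a junk port
    except ValueError:
        return False
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    if parts.username or parts.password:   # user:pass@host confusion
        return False
    if port is not None and port not in ALLOWED_PORTS:
        return False
    host = parts.hostname
    try:
        ip_text = host if _looks_like_ip(host) else resolve(host)
        return is_public_address(ip_text)
    except (ValueError, OSError):          # bad literal, NXDOMAIN, ...
        return False
```

Two caveats a practitioner would add: the HTTP client must not follow redirects on its own (re-run the check on every hop, or refuse redirects), and the response returned to the user should not vary with what the internal fetch saw, since the uniform 61-byte response versus the odd one out on port 5000 is exactly the signal the scan above relied on. Rejected URLs are worth logging; a burst of loopback or RFC 1918 targets from one session is a clear detection hook.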

[screenshot: open image in new tab.png]
I used the cover previewer to view this static upload and then opened it in a new tab, which downloaded it

cat
I catted it out and saw “Retrieve the welcome message sended to our new authors” “/api/latest/metadata/messages/authors”

[screenshot: api authors.png]
I then went back and did the same thing for the new endpoint

[screenshot: creds.png]

In this new authors message I got credentials for dev

Your login credentials for our internal forum and authors site are:\nUsername: dev\nPassword: dev080217_devAPI!@\n

user

Root

[screenshot: git in apps.png]

I saw there was a .git, so I did a “git log” and saw a commit where they downgraded prod to dev

[screenshot: git log.png]

[screenshot: git show.png]

prod
080217_Producti0n_2023!@
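The prod password survives in the repository only because the "downgrade" commit removed it from the working tree without removing it from history. As an added example (not from the writeup or the box), here is the kind of history scan a CI job or pre-push hook would run over `git log -p` / `git show` output to catch exactly that. The diff text is constructed for the example: the file name, key names, author line and all-zero hash are placeholders; only the two password values come from the writeup.

```python
import re

# Constructed sample of `git show` output, modelled on the "downgrade prod to
# dev" commit the writeup describes. The file name, key names, author and
# hash are placeholders; only the two password values come from the writeup.
SAMPLE_DIFF = """\
commit 0000000000000000000000000000000000000000
Author: dev <dev@editorial.htb>

    downgrading prod to dev

diff --git a/app_api/app.py b/app_api/app.py
--- a/app_api/app.py
+++ b/app_api/app.py
@@ -60,7 +60,7 @@
-    "username": "prod",
-    "password": "080217_Producti0n_2023!@",
+    "username": "dev",
+    "password": "dev080217_devAPI!@",
     "forum": "internal",
"""

# Crude but effective patterns for "key = value" / "key: value" credentials.
SECRET_PATTERNS = {
    "password": re.compile(
        r"""(?i)\b(?:passw(?:or)?d|pwd)\b["']?\s*[:=]\s*["']?(?P<value>[^"'\s,]+)"""),
    "token/key": re.compile(
        r"""(?i)\b(?:api[_-]?key|secret|token)\b["']?\s*[:=]\s*["']?(?P<value>[^"'\s,]+)"""),
}


def find_secrets_in_diff(diff_text: str):
    """Scan a unified diff and return (line_no, change, kind, value) tuples.

    Both added (+) and removed (-) lines are scanned: a removed line is still
    in the repository's history, which is exactly how the prod password in
    the sample is exposed after the "downgrade" commit.
    """
    findings = []
    for line_no, line in enumerate(diff_text.splitlines(), start=1):
        if not line or line[0] not in "+-" or line.startswith(("+++", "---")):
            continue
        change = "added" if line[0] == "+" else "removed"
        for kind, pattern in SECRET_PATTERNS.items():
            m = pattern.search(line[1:])
            if m:
                findings.append((line_no, change, kind, m.group("value")))
    return findings


def redact(value: str) -> str:
    """Keep enough of a secret to recognise it in a report, never the whole."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def report(diff_text: str):
    """Human-readable lines with the secret redacted, suitable for CI output."""
    return [f"line {n}: {change} {kind} value {redact(v)}"
            for n, change, kind, v in find_secrets_in_diff(diff_text)]


if __name__ == "__main__":
    for entry in report(SAMPLE_DIFF):
        print(entry)
```

Run against a real repository with `git log -p --all | python3 scan.py` style piping (the scan accepts any diff text), and treat every hit on a removed line as a credential that must be rotated, not merely deleted: rewriting history is optional, rotation is not.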

[screenshot: prod.png]

[screenshot: linoeas.png]

sudo -l

[screenshot: snyk.png]


sudo /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py 'ext::sh -c "CMD" '

and then, since you couldn't directly see the results, you needed to pipe it into a file


sudo /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py 'ext::sh -c "CMD" >% /tmp/FILE'

[screenshot: rce git python.png]
First of all I ran ls in the /root/ folder, put the output in /tmp/ls, and catted out ls to see it was the right place with root.txt

Then I ran cat /root/root.txt > /tmp/root.txt and catted it to get the flag
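The root step works because the sudo rule runs clone_prod_change.py as root and the script hands its argument straight to git, whose `ext::` transport executes the rest of the string as a command. As an added example (not the script from the box and not GitPython's code), here is the argument check such a script should perform before any clone is attempted. The allowed schemes, the allowed host and the scp-style regex are assumptions for the example; the real script's policy is not on the page.

```python
import re
from urllib.parse import urlsplit

# git transports that let a remote "URL" run a local command (ext::) or
# reuse an inherited file descriptor (fd::): never acceptable from a user.
UNSAFE_TRANSPORT_PREFIXES = ("ext::", "fd::")

# Hypothetical policy for a "clone this change" helper run under sudo:
# only https or ssh to one internal git host. Both the schemes and the host
# are assumptions; the page does not show the real script's rules.
ALLOWED_SCHEMES = {"https", "ssh"}
ALLOWED_HOSTS = {"git.example.internal"}

# scp-like syntax: user@host:path
SCP_LIKE = re.compile(r"^[\w.-]+@(?P<host>[\w.-]+):[\w./-]+$")


class UnsafeCloneURL(ValueError):
    """Raised for anything that must not reach `git clone`."""


def validate_clone_url(url: str) -> str:
    """Return `url` if it is safe to hand to git, otherwise raise.

    Rejected: empty or option-like values (a leading '-' is parsed by git as
    a flag such as --upload-pack), ext::/fd:: helpers, local paths and
    file:// URLs, and any host outside ALLOWED_HOSTS.
    """
    candidate = url.strip()
    if not candidate or candidate.startswith("-"):
        raise UnsafeCloneURL("empty or option-like URL")
    if candidate.lower().startswith(UNSAFE_TRANSPORT_PREFIXES):
        raise UnsafeCloneURL("ext::/fd:: transports are not allowed")
    m = SCP_LIKE.match(candidate)
    if m:
        host = m.group("host")
    else:
        parts = urlsplit(candidate)
        if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
            raise UnsafeCloneURL(f"scheme {parts.scheme!r} is not allowed")
        host = parts.hostname
    if host.lower() not in ALLOWED_HOSTS:
        raise UnsafeCloneURL(f"host {host!r} is not allowed")
    return candidate


def is_safe_clone_url(url: str) -> bool:
    """Boolean wrapper for callers that prefer a check to an exception."""
    try:
        validate_clone_url(url)
        return True
    except UnsafeCloneURL:
        return False


if __name__ == "__main__":
    import sys
    # Same shape as the page's clone_prod_change.py call: the URL arrives as
    # argv[1]; the check runs before anything git-related is touched.
    if len(sys.argv) > 1:
        print(validate_clone_url(sys.argv[1]))
```

Recent GitPython releases refuse `ext::` and `fd::` remotes by default and only accept them when the caller passes `allow_unsafe_protocols=True`, so upgrading the library closes this particular hole; the allowlist above still matters because a sudo rule that runs a cloning script as root turns any future argument-handling bug in that script into root as well. Keeping the script's sudo entry out of the picture entirely (running the clone as an unprivileged service account) is the change that removes the privilege boundary from the problem.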

[screenshot: pwnd.png]

Thanks for reading