The instruction: Exploit the SSRF vulnerability to identify an additional endpoint. Access that endpoint to obtain the flag.
I’ve enumerated and found port 3306 running on 127.0.0.1
I tried to use Gopherus --exploit mysql and got a gopher://xxxxxxx link.
But when I put the link into Burp, I only get a 500 Internal Server Error.
Anyone still remember?
For this question, try looking for directories within http://dateserver.htb/ (this is the link that is initially used in the POST data); accessing one of the pages you find should yield the flag. I didn’t need to use gopher for this question. I did have an issue where fuzzing with ffuf or ZAP caused a DoS, which was odd; for that I just reset the server and manually tried the first few entries of the wordlist used in the section for fuzzing.
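The thread turns on one property of the `dateserver` parameter: the server fetches whatever URL it is handed, so a client can point it at loopback services (port 3306 here) or swap the scheme for gopher://. The following validator is an added example written for this thread, not code from the HTB module or from any poster; it shows the server-side check that would have closed the hole. Everything in it is an assumption: the allowlist of upstream hosts (`dateserver.htb` plus a made-up `cdn.example`), the permitted ports, and the constructed resolver table that stands in for DNS so the block runs offline. It goes slightly beyond the thread by also catching an allowlisted name that resolves to an internal address, which is the DNS-rebinding variant of the same bug.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical policy for the vulnerable `dateserver` parameter: the app only
# ever needs to talk to known upstreams over plain HTTP(S) on default ports.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"dateserver.htb", "cdn.example"}   # cdn.example is a made-up second upstream
ALLOWED_PORTS = {None, 80, 443}                      # None = scheme default

# Address ranges a server-side fetch must never reach (loopback, RFC1918,
# link-local/cloud metadata, unspecified). A production check would also
# consult the full IANA special-purpose registry.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed resolver table so the example runs offline. cdn.example is
# deliberately mapped to loopback to mimic a DNS entry that points inward.
FAKE_DNS = {
    "dateserver.htb": "203.0.113.10",
    "cdn.example": "127.0.0.1",
}


def fake_resolve(host):
    """Stand-in for socket.getaddrinfo(); returns one IP string or None."""
    return FAKE_DNS.get(host.lower())


def is_blocked_ip(ip_str):
    """True if the address falls in any range the fetcher must not contact."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in BLOCKED_NETS)


def check_fetch_target(url, resolver=fake_resolve):
    """Validate a user-supplied URL before the server fetches it.

    Returns (allowed, reason). Every rejection names the failing rule so the
    decision can be logged and reviewed.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"

    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme or '(none)'}"

    # .hostname strips userinfo, so http://dateserver.htb@127.0.0.1/ yields 127.0.0.1
    host = parts.hostname
    if not host:
        return False, "missing host"

    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}"

    if host.lower() not in ALLOWED_HOSTS:
        return False, f"host not in allowlist: {host}"

    # Resolve and check the address too: an allowlisted name can still point
    # at an internal address (misconfiguration or DNS rebinding).
    ip = resolver(host)
    if ip is None:
        return False, f"host does not resolve: {host}"
    if is_blocked_ip(ip):
        return False, f"host {host} resolves to blocked address {ip}"

    return True, f"ok: {parts.scheme}://{host}:{port or 'default'}"


if __name__ == "__main__":
    for candidate in (
        "http://dateserver.htb/",
        "http://127.0.0.1:3306/",
        "gopher://127.0.0.1:3306/_",
        "file:///etc/passwd",
        "http://dateserver.htb@127.0.0.1/",
        "http://cdn.example/",
    ):
        print(f"{candidate:40} -> {check_fetch_target(candidate)}")
```

The order of checks matters less than the fact that all of them run: scheme first (kills gopher:// and file://), then port, then host allowlist, then the resolved address. In a real service the address check has to be repeated on the socket actually opened, because a resolver answer can change between validation and connect.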
Any other clues you can give on this? I have enumerated with this command but could not find any interesting directories:
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://10.129.211.9/index.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "dateserver=http://dateserver.htb/FUZZ.php&date=2024-01-01"
Yielded /javascript from this though
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://10.129.211.9/index.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "dateserver=http://dateserver.htb/FUZZ&date=2024-01-01"
I don’t recall exactly but try fuzzing the javascript directory you have found
For others stuck on this, there is no need to venture out of port enumeration for this section. Find the correct port and “browse” it.
Hi Paperthing,
I have found the port, but how can I browse it? Metasploit?
With Gopherus I receive an error because it uses Python 2.
┌─[eu-academy-2]─[10.10.xx.yyy]─[htb-ac-xxx]@htb-lp]─[~/Gopherus]
└──╼ [★]$ python3 gopherus.py
File "/home/htb-ac-xxx/Gopherus/gopherus.py", line 28
print colors.green + """
^^^^^^^^^^^^^^^^^^^^^^^^
SyntaxError: Missing parentheses in call to 'print'. Did you mean print(...)?
Try to use Burpsuite Repeater with the port you found (assuming you are referring to the Question for “Identifying SSRF”)
I solved it, but I didn’t follow the normal path. I used an LFI, but reading the old messages, I also managed to find the JS files and the base64-encoded strings, though not to assemble them correctly.