┌──(kali㉿kali)-[~/HTB/Sau] └─$ sudo nmap -oA nmap/initial_scan 10.129.229.26 Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-22 14:20 EST Nmap scan report for 10.129.229.26 Host is up (0.23s latency). Not shown: 997 closed tcp ports (reset) PORT STATE SERVICE 22/tcp open ssh 80/tcp filtered http 55555/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 13.68 seconds
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
┌──(kali㉿kali)-[~/HTB/Sau] └─$ sudo nmap -sC -sV -p 22,80,5555 -oA nmap/default_scan 10.129.229.26 Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-22 14:21 EST Nmap scan report for 10.129.229.26 Host is up (0.27s latency).
PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 aa:88:67:d7:13:3d:08:3a:8a:ce:9d:c4:dd:f3:e1:ed (RSA) | 256 ec:2e:b1:05:87:2a:0c:7d:b1:49:87:64:95:dc:8a:21 (ECDSA) |_ 256 b3:0c:47:fb:a2:f2:12:cc:ce:0b:58:82:0e:50:43:36 (ED25519) 80/tcp filtered http 5555/tcp closed freeciv Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 11.54 seconds
Foothold
Visiting http://10.129.229.26:55555, I find its a web app running Request Baskets v1.2.1. Which is vulnerable to SSRF. (CVE-2023-27163) It appears we can change the Configuration Settings of our basket to the filtered port 80.