Enumeration
Now to use Gobuster to see what vulnerabilities could be available.
It returned "/css", "/index.php" and "/index.html".
Port 8080 shows a login portal with a link to the reset password page. Unlike the home page, the pages are not PHP and the HTTP Header shows X-Forwarded-Server: Golang. Sending the payload {{ will return an HTTP 502.
Even though I plan to learn about Golang, I have never used it before and had to Google why Go SSTI was so important.
It recommended trying {{.}}
Before that I was trying random admin admin password and email combinations. This is just a random one I saved from those searches.
Now trying forgot password
Now sending the information I proxied from forgot password through Repeater and response. I am then able to try the Golang SSTI I picked up, and I am presented with the email and password dumped within the response.
After logging in with the credentials, I am greeted with Golang source code.
This confused me for a while so I had to get some help.
I was shown that if I put "{{DebugCmd "id" }}" in place of the original email address, I would be given a reverse shell with root access!
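Why the three inputs above behave as they do, and the fix, as an added example that is not the application's own code. The User type, the template text and the harmless DebugCmd stub are assumptions; the stub is modelled as a method on the template data and only returns a string.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// User is a constructed stand-in for the data the handler hands to the template.
type User struct {
	Email    string
	Password string
}

// DebugCmd is a harmless stub: any exported method on the template data is
// callable from template text, which is why such helpers must not live there.
func (u User) DebugCmd(arg string) string { return "method reached with: " + arg }

// renderVulnerable concatenates user input into the template source, so the
// input is parsed as template actions. Auto-escaping does not help here.
func renderVulnerable(input string, u User) (string, error) {
	t, err := template.New("reset").Parse("Email sent to " + input)
	if err != nil {
		return "", err // an unclosed "{{" fails to parse; the server answers with an error
	}
	var b bytes.Buffer
	err = t.Execute(&b, u)
	return b.String(), err
}

// renderSafe keeps the template source constant and passes input only as data.
func renderSafe(input string) (string, error) {
	t := template.Must(template.New("reset").Parse("Email sent to {{.}}"))
	var b bytes.Buffer
	err := t.Execute(&b, input)
	return b.String(), err
}

func main() {
	// Constructed sample values, not taken from the target.
	u := User{Email: "user@example.test", Password: "constructed-secret"}
	for _, in := range []string{"{{", "{{.}}", `{{.DebugCmd "id"}}`} {
		v, verr := renderVulnerable(in, u)
		s, _ := renderSafe(in)
		fmt.Printf("input=%q\n  vulnerable: %q err=%v\n  safe:       %q\n", in, v, verr, s)
	}
}
```

In the safe version the same inputs come back as literal, HTML-escaped text, and keeping privileged helpers off the struct passed to Execute removes the method-call path entirely.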
This is a Docker container without ping, curl, wget, nc, etc., which makes getting custom binaries on the box difficult. Further testing also shows that this Docker container cannot access the internet, so all commands need to be sent through the web requests.
With hostname I can see that this is an AWS service.
It's never this easy... tried to get credentials to the service. That was unavailable but I can still use my Burp Suite webshell to explore the AWS box.