Possibly Related Threads…

legacyuser00001 · Jan 18, 2025, 08:57 PM

(Jan 18, 2025, 08:55 PM)StingEm Wrote: Has anyone had any luck combing the two exploits ? - Not sure if its just me going down rabbit hole?

I'm noob so I don't know how you'd chain them.

I am able to get the SSRF to work against the box, and I can get the RCE to work locally, but no idea how to chain the two.

ZenMunk3y · Jan 18, 2025, 08:58 PM

I've not had any luck. I'm trying to understand what the first CVE is doing and how we can leverage that. If it is SSRF then we should be able to leverage it in some way! I'm just not that great with SSRF lol

bedtimexv · Jan 18, 2025, 09:04 PM

This was referenced earlier by someone: https://blog.chebuya.com/posts/server-si...-havoc-c2/

The author is same as box designer

a44857437 · Jan 18, 2025, 09:08 PM

(Jan 18, 2025, 08:57 PM)LostGem Wrote:
(Jan 18, 2025, 08:55 PM)StingEm Wrote: Has anyone had any luck combing the two exploits ? - Not sure if its just me going down rabbit hole?

I feel it was just a rabbit hole!!!

I agree, this is indeed a rabbit hole

thedubb1313 · Jan 18, 2025, 09:11 PM

has anybody actually tried or are we just coping and saying its a rabbit hole? I'm trying to combine the 2 exploits but this is hard af

pfapostol · Jan 18, 2025, 09:14 PM

I was trying send RCE exploits directly over SSRF. Then i tried to send it as a post body to the /havoc/ endpoint. It didn't work.

maggi · (This post was last modified: Jan 18, 2025, 09:19 PM by maggi.)

https://github.com/IncludeSecurity/c2-vu...voc_rce.py

I have ben using this and keep getting

$ python script.py
{'Head': {'Event': 1, 'User': '', 'Time': '18/01/2025 16:17:00', 'OneTime': ''}, 'Body': {'SubEvent': 2, 'Info': {'Message': "User doesn't exits"}}}
$

with this at the top
HOSTNAME = "127.0.0.1"
PORT = 40056
USER = "sergej"
PASSWORD = "1w4nt2sw1tch2h4rdh4tc2"

pfapostol · Jan 18, 2025, 09:21 PM

(Jan 18, 2025, 09:19 PM)bedtimexv Wrote: It works! The poc i referenced above and edit request data to ../../../etc/passwd and file is returned!

Are you sure that it is not your's /etc/passwd?

v3701 · Jan 18, 2025, 09:21 PM

(Jan 18, 2025, 09:19 PM)bedtimexv Wrote: It works! The poc i referenced above and edit request data to ../../../etc/passwd and file is returned!

can you elaborate ?

thedubb1313 · Jan 18, 2025, 09:25 PM

(Jan 18, 2025, 09:17 PM)maggi Wrote: https://github.com/IncludeSecurity/c2-vu...voc_rce.py

I have ben using this and keep getting

$ python script.py
{'Head': {'Event': 1, 'User': '', 'Time': '18/01/2025 16:17:00', 'OneTime': ''}, 'Body': {'SubEvent': 2, 'Info': {'Message': "User doesn't exits"}}}
$

with this at the top
HOSTNAME = "127.0.0.1"
PORT = 40056
USER = "sergej"
PASSWORD = "1w4nt2sw1tch2h4rdh4tc2"

i think you're hitting yourself

Possibly Related Threads…
Thread		Author	Replies	Views	Last Post
	[FREE] CPTS 12 FLAGS	pulsebreaker	88	3,422	1 hour ago Last Post: exdream
	[FREE] HackTheBox All Cheatsheets	Tamarisk	17	1,103	2 hours ago Last Post: imaferrari
	[FREE] 300+ Writeups PDF HackTheBox/HTB premium retired	Tamarisk	386	96,486	9 hours ago Last Post: Sulk4685
	[FREE] HackTheBox Academy - CBBH CDSA CPTS All Modules Flags	Techtom	49	3,951	Yesterday, 06:58 PM Last Post: opium0221
	[MEGALEAK] HackTheBox ProLabs, Fortress, Endgame - Alchemy, 250 Flags, leak htb-bot	htb-bot	98	9,224	May 07, 2026, 08:05 PM Last Post: Zacker90