The machine exposes a simple web application with an upload feature and an API endpoint vulnerable to SSRF. Internal enumeration reveals a development API running on port 5000. Credentials are extracted from the API, leading to SSH access. Privilege escalation is achieved through a vulnerable GitPython installation.
Target: editorial.htb
Initial vector: SSRF → internal API enumeration
Privilege escalation: GitPython RCE
The web application exposes:
/upload-cover
/upload
/about
Usernames appear in the interface: john, stephen, jose.
The upload endpoint accepts URLs, and the server fetches them. This allows SSRF.
Test internal ports by pointing the upload URL to http://127.0.0.1:PORT.
Port enumeration identifies an internal service on port 5000.
The browser cannot display the fetched API responses directly, but the path the upload endpoint returns for the stored response can be retrieved with wget:
$ wget http://editorial.htb/(RESPONSE_BODY)
Enumerating API endpoints reveals developer credentials:
dev : dev080217_devAPI!@
SSH access:
$ ssh dev@editorial.htb
Inside the home directory:
/home/dev/apps/.git
Inspect commit history:
$ git log
$ git show
-> prod : 080217_Producti0n_2023!@
This provides access to the production user.
Check sudo permissions:
$ sudo -l
The system uses GitPython:
$ pip3 list | grep -i git
-> GitPython 3.1.29
This version is vulnerable to RCE:
https://security.snyk.io/vuln/SNYK-PYTHON-GITPYTHON-3113858
Abusing the vulnerability allows arbitrary command execution as the user running the GitPython-based script (often root, depending on the service configuration).
Triggering the exploit yields a root shell and access to /root/root.txt.
The machine relies on SSRF to expose an internal development API. Credentials recovered from the API and Git history provide SSH access. Privilege escalation is achieved by exploiting a vulnerable GitPython version, leading to full system compromise.