Escape HTB
#

DirSearch against the URL returns a couple of intersting hits:

[01:35:40] 200 -  140B  - /api/version                                      
[01:36:37] 301 -   39B  - /web/  ->  /web                                   
[01:36:37] 301 -   47B  - /web/bundles/  ->  /web/bundles                   
[01:36:37] 301 -   50B  - /web/phpMyAdmin/  ->  /web/phpMyAdmin
[01:36:37] 301 -   50B  - /web/phpmyadmin/  ->  /web/phpmyadmin
[01:36:37] 301 -   47B  - /web/uploads/  ->  /web/uploads                   
[01:36:37] 200 -   29KB - /web/adminer.php

The /api/version page confirms that v1.2.1 of request-basket is running on the machine. After some quick Googling, I found that v1.2.1 is vulnerable to a SSRF vulnerability (CVE-2023–27163)

Escape HTB #

Escape HTB
#