Back in 2016 I blogged about how to do simple HTTP or HTTPS servers with Python. You need these when you want to temporarily host files, and to investigate SSRF issues properly.
There my skills sat until, recently, the user agent that was making the SSRF request was actually verifying the certificate. How rude! So I needed to up my game and generate a proper certificate.
Here are some caveats to the guide which you need to be aware of before you proceed:
- My OS was Kali Linux (Good for standardisation for penetration testers but won’t be applicable to every one of you legends who are reading this).
- The server that I am using has its own DNS entry already configured. This is the biggest gotcha. You need to have a valid DNS record. Now is the time to buy a cheap domain! Or maybe investigate a domain allowing anyone to add an A record, such as “.tk”.
If you can point a DNS entry at your Kali server then you are going to be able to do this.
In one terminal:
mkdir /tmp/safespace
cd /tmp/safespace
python -m SimpleHTTPServer 80
NOTE: I created a new directory in “/tmp” to make sure that there is nothing sensitive in the folder I am about to share. If you share your “/home” folder you are going to have a bad time. While the HTTP listener is running anyone scanning your IP address will be able to list the contents of the folders and download anything you have saved.
From another terminal you need to use “certbot”:
apt-get install certbot
certbot certonly
  .... pick option 2
  set the domain to <your_domain>
  set the directory to /tmp/safespace
The “certbot certonly” command runs a wizard-like interface that asks you how to proceed. I have given you the options above. What this does is create a challenge file under your /tmp/safespace folder (in “.well-known/acme-challenge/”) that Let's Encrypt can download on their end. This proves that you have write permissions to the web root of the server and allows them to trust the request is legit.
The output of the “certbot certonly” command will list the location of your new TLS certificates. They will be here:
/etc/letsencrypt/live/<your_domain>/fullchain.pem
/etc/letsencrypt/live/<your_domain>/privkey.pem
You can go back to your first terminal and kill that HTTP listener. We will no longer be needing it! We have a proper TLS setup so let's go in a Rolls Royce baby, yeaaaah!
You can use Python's “twisted” HTTPS server as shown below (“-c” is the certificate chain and “-k” is the private key):
python -m twisted web --https=443 --path=. -c /etc/letsencrypt/live/<your_domain>/fullchain.pem -k /etc/letsencrypt/live/<your_domain>/privkey.pem
That was it. I was able to browse to my new HTTPS listener and I had a shiny trusted certificate.
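As an added example (not from the original post), here is a Python 3 stand-in for the SimpleHTTPServer/twisted pair above: it serves one directory over HTTPS with the certbot-issued chain and key, and logs the source address and User-Agent of every request, which is exactly what you want to see when you are testing an SSRF. The certbot paths are the defaults from the post; the domain and the “/tmp/safespace” path are assumptions you pass on the command line.

```python
#!/usr/bin/env python3
# Added example: HTTPS directory listener using the certbot output above.
import argparse
import http.server
import ssl
from functools import partial
from pathlib import Path

LE_LIVE = Path("/etc/letsencrypt/live")  # certbot's default output location


def cert_paths(domain):
    """Return (fullchain, privkey) paths certbot writes for a domain."""
    live = LE_LIVE / domain
    return live / "fullchain.pem", live / "privkey.pem"


def build_ssl_context(fullchain, privkey):
    """Server-side TLS context; fails fast if the certbot files are missing."""
    for p in (fullchain, privkey):
        if not Path(p).is_file():
            raise FileNotFoundError(f"missing {p}; run certbot certonly first")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=str(fullchain), keyfile=str(privkey))
    return ctx


class LoggingHandler(http.server.SimpleHTTPRequestHandler):
    """Directory listing handler that records who fetched what."""

    def log_message(self, fmt, *args):
        ua = self.headers.get("User-Agent", "-")
        print(f"{self.client_address[0]} {fmt % args} ua={ua!r}")


def serve(directory, domain, port=443):
    """Serve `directory` over HTTPS with the certificate issued for `domain`."""
    ctx = build_ssl_context(*cert_paths(domain))
    handler = partial(LoggingHandler, directory=directory)
    with http.server.ThreadingHTTPServer(("0.0.0.0", port), handler) as httpd:
        httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
        print(f"https://{domain}:{port}/ serving {directory}")
        httpd.serve_forever()


if __name__ == "__main__":
    ap = argparse.ArgumentParser()
    ap.add_argument("domain")                      # assumed: your DNS name
    ap.add_argument("--path", default="/tmp/safespace")
    ap.add_argument("--port", type=int, default=443)
    a = ap.parse_args()
    serve(a.path, a.domain, a.port)
```

Run it as root (port 443 and the certbot private key both need it) from an empty directory, the same “/tmp/safespace” caveat as above applies.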
Hope that helps