
SSRF

Learn how to exploit Server-Side Request Forgery (SSRF) vulnerabilities, allowing you to access internal server resources. THM room: https://tryhackme.com/room/ssrfqi

TASK 1 : What is an SSRF?

What does SSRF stand for?

Answer : Server Side Request Forgery

As opposed to a regular SSRF, what is the other type?

Answer : Blind

TASK 2 : SSRF Examples

What is the flag from the SSRF Examples site?

I tried:

https://website.thm/item/2?server=server.website.thm/flag?id=9

But it returned a 404: the application appends the rest of its own path after the server value, so that remainder ended up glued onto id=9. Appending &x= turns the remaining path into the value of a throwaway query parameter, so it no longer corrupts the request. The request is now:

https://website.thm/item/2?server=server.website.thm/flag?id=9&x=

Answer : THM{SSRF_MASTER}
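The query-parameter trick above, and the allow list / deny list question in Task 4, are easier to reason about when you see the URL the server ends up requesting. The following Python is an added example written for this write-up, not code from the room or from the target site; the appended path /api/item?id=2, the allow list api.website.thm and the deny-list entries are constructed assumptions. It shows the naive concatenation that makes the &x= trick work, why a deny list of known-bad hosts does nothing against it, and a hardened builder that allow-lists the host and assembles the URL component by component so user input can never supply a path or query string.

```python
from urllib.parse import urlsplit, urlunsplit, urlencode, parse_qs
import ipaddress

# Constructed assumption: the application fetches "http://<server><APPENDED_PATH>"
# and trusts the user-supplied "server" query parameter. This mirrors the room's
# behaviour in spirit; the real application's path is not given on the page.
APPENDED_PATH = "/api/item?id=2"


def vulnerable_build(server: str) -> str:
    """Naive concatenation: the whole 'server' value lands verbatim in the URL."""
    return "http://" + server + APPENDED_PATH


def effective_target(url: str) -> tuple:
    """Return (host, path, query dict) that the HTTP client would actually request."""
    parts = urlsplit(url)
    return parts.hostname, parts.path, parse_qs(parts.query, keep_blank_values=True)


def deny_list_allows(server: str) -> bool:
    """Deny-list style check: block a few known-bad hosts, let everything else through."""
    blocked = {"localhost", "127.0.0.1", "169.254.169.254"}  # assumed deny list
    host = urlsplit("http://" + server).hostname or ""
    if host in blocked:
        return False
    try:
        # Also catch other literal IPs in loopback, link-local or private ranges.
        ip = ipaddress.ip_address(host)
        return not (ip.is_loopback or ip.is_link_local or ip.is_private)
    except ValueError:
        # A hostname rather than an IP literal: the deny list has nothing to say,
        # so an attacker-chosen host with its own path and query sails through.
        return True


ALLOWED_HOSTS = {"api.website.thm"}  # assumed allow list of upstream servers


def allow_list_allows(server: str) -> bool:
    """Allow-list style check: the value must be exactly one approved hostname."""
    return server in ALLOWED_HOSTS


def safe_build(server: str, item_id: int) -> str:
    """Hardened builder: validate the host against the allow list, then assemble
    scheme, host, path and query separately so the user never controls the path."""
    if not allow_list_allows(server):
        raise ValueError(f"server {server!r} is not on the allow list")
    return urlunsplit(("http", server, "/api/item", urlencode({"id": item_id}), ""))


if __name__ == "__main__":
    for value in ("server.website.thm/flag?id=9", "server.website.thm/flag?id=9&x="):
        url = vulnerable_build(value)
        print(url, "->", effective_target(url))
        print("  deny list allows:", deny_list_allows(value),
              "| allow list allows:", allow_list_allows(value))
    print(safe_build("api.website.thm", 2))
```

Run as a script, the first value shows id becoming "9/api/item?id=2" (the corrupted request behind the 404), while the second shows the appended path parked harmlessly under x. Both pass the deny list, since server.website.thm is not a blocked host, and both fail the allow list.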

TASK 3 : Finding an SSRF

What website can be used to catch HTTP requests from a server?

Answer : requestbin.com

TASK 4 : Defeating Common SSRF Defenses

What method can be used to bypass strict rules?

Answer : Open Redirect

What IP address may contain sensitive data in a cloud environment?

Answer : 169.254.169.254

What type of list is used to permit only certain input?

Answer : Allow List

What type of list is used to stop certain input?

Answer : Deny List

TASK 5 : SSRF Practical

What is the flag from the /private directory?

First, you need to create an account then set up an avatar.

Afterwards, edit the HTML value of the avatar radio button to x/../private and update your avatar:

[Image: Setup Avatar]

[Image: Blank Avatar]

You normally have a blank avatar, and when you inspect the page source you'll see a base64-encoded URL for the avatar:

[Image: Base64 flag]

Decoding the string "VEhNe1lPVV9XT1JLRURfT1VUX1RIRV9TU1JGfQ==" from Base64 gives you the flag:

┌──(kaliuser㉿kali)-[~]
└─$ echo "VEhNe1lPVV9XT1JLRURfT1VUX1RIRV9TU1JGfQ==" | base64 -d
THM{YOU_WORKED_OUT_THE_SSRF}

Answer : THM{YOU_WORKED_OUT_THE_SSRF}
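The avatar step works because the server joins the submitted value onto a path and fetches whatever that resolves to, so ".." segments walk out of the avatar location. The Python below is an added example for this write-up, not the room's or the site's code; it assumes, hypothetically, that the server requests http://server.website.thm/ followed by the submitted value, and the avatar names blank, cat and dog are constructed. It shows where x/../private resolves to, why a prefix-only check for "../" is not enough, and a check that normalises first and then allow-lists the avatar name.

```python
import posixpath

# Constructed assumption: the server fetches "http://server.website.thm/" + value,
# so the value is resolved relative to the server root. The real layout of the
# room's application is not stated on the page.
BASE_PATH = "/"
KNOWN_AVATARS = {"blank", "cat", "dog"}  # assumed allow list of avatar names


def resolved_path(value: str) -> str:
    """Path the server would actually request after '.' and '..' are resolved."""
    return posixpath.normpath(posixpath.join(BASE_PATH, value))


def weak_prefix_check(value: str) -> bool:
    """Deny-list style check that only rejects values starting with '../'.
    It is easily side-stepped because it inspects the raw string, not the
    resolved path: 'x/../private' does not start with '../' yet resolves to /private."""
    return not value.startswith("../")


def is_safe_avatar(value: str) -> bool:
    """Hardened check: normalise first, require a single path segment, and require
    that segment to be one of the known avatar names."""
    resolved = resolved_path(value)
    single_segment = "/" not in value and ".." not in value
    return single_segment and posixpath.basename(resolved) in KNOWN_AVATARS


if __name__ == "__main__":
    for value in ("blank", "../private", "x/../private"):
        print(f"{value!r:16} -> {resolved_path(value):10} "
              f"prefix check: {weak_prefix_check(value)!s:5} safe: {is_safe_avatar(value)}")
```

The script prints that both ../private and x/../private resolve to /private; only the first is caught by the prefix check, while the allow-list check rejects both and accepts blank.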

This post is licensed under CC BY 4.0 by the author.