Home Surfer
Post
Cancel

Surfer

Posted Sep 14, 2023 Updated Sep 14, 2023
By Hernán Castillo
2 min read

Introduction: Server-Side Request Forgery (SSRF) is a potent web application vulnerability that allows attackers to send crafted requests from the server to internal resources. In this write-up, we explore a real-world SSRF scenario, detailing the steps taken to exploit it successfully.

Initial Recon: Our journey begins with an initial Nmap port scan of the target server, revealing two open ports: SSH (22/tcp) and HTTP (80/tcp).

1
2
3
4

nmap -p- --open -n -v 10.10.89.36
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Web Enumeration: Upon accessing the HTTP service, we find a login webpage. After some trial and error, we gain access using the default credentials “admin/admin.” However, our path forward remains uncertain, so I decide to enumerate further.

Gobuster Enumeration: We deploy Gobuster to explore potential hidden directories:

1
2
3
4
5
6
7

/assets               (Status: 301) [Size: 311] [--> http://10.10.89.36/assets/]
/backup               (Status: 301) [Size: 311] [--> http://10.10.89.36/backup/]
/index.php            (Status: 302) [Size: 0] [--> /login.php]
/internal             (Status: 301) [Size: 313] [--> http://10.10.89.36/internal/]
/robots.txt           (Status: 200) [Size: 40]
/server-status        (Status: 403) [Size: 276]
/vendor               (Status: 301) [Size: 311] [--> http://10.10.89.36/vendor/]

Despite not gaining access to most directories, we discover a crucial hint within the robots.txt file:

1
2

User-Agent: *
Disallow: /backup/chat.txt

Password Hint: Upon investigating /backup/chat.txt, we find a conversation hinting at the need to change credentials and revealing the existence of an internal server:

1
2
3
4
5
6
7

Admin: I have finished setting up the new export2pdf tool.
Kate: Thanks, we will require daily system reports in pdf format.
Admin: Yes, I am updated about that.
Kate: Have you finished adding the internal server.
Admin: Yes, it should be serving the flag from now.
Kate: Also Don't forget to change the creds, plz stop using your username as password.
Kate: Hello.. ?

Exploiting SSRF: We discover an internal service, /internal/admin.php, restricted to local access only. Additionally, we identify an export2pdf tool that redirects to a specified URL, encoded within the request. Using Burp Suite, we intercept and modify the URL from http%3A%2F%2F127.0.0.1%2Fserver-info.php to /internal/admin.php (you can do this on the inspector side of burpsuit and it’ll encode it for you), effectively targeting the internal admin page.

Success: This manipulation of the URL allows us to access the internal admin page, ultimately leading to the discovery of the flag.

This post is licensed under CC BY 4.0 by the author.
Recently Updated
Trending Tags
bruteforce hash kaliapp suid
Trending Tags
bruteforce hash kaliapp suid