Intro to SSRF

February 27, 2024

Task 1: What is an SSRF?

Task 2: SSRF Examples

# This is the original URL 
https://website.thm/item/2?server=api

# This URL is the one you need to access
https://server.website.thm/flag?id=9

# Thus this is the final payload
https://website.thm/item/2?server=server.website.thm/flag?id=9&x=
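To make the example concrete, here is an added illustration (not code from the TryHackMe room or from this write-up's author) of why the payload above works and what the fix looks like. It assumes the application builds its upstream URL from the template `https://{server}.website.thm/api/item?id={item_id}`; that template and the allow-list host names are assumptions, not something the room states.

```python
# Added illustration (not from the TryHackMe room or the write-up author):
# an SSRF caused by splicing a user-controlled value into an upstream URL,
# shown beside an allow-list fix. The template is an assumed one.
from urllib.parse import urlsplit

# Assumed: how the vulnerable endpoint builds the URL it fetches server-side.
UPSTREAM_TEMPLATE = "https://{server}.website.thm/api/item?id={item_id}"

# Assumed allow list: the only upstream hosts this endpoint is meant to reach.
ALLOWED_SERVERS = {"api": "api.website.thm"}


def build_upstream_url_unsafe(server: str, item_id: int) -> str:
    """Vulnerable: the 'server' parameter goes straight into the URL.

    A value ending in '&x=' turns the rest of the template into a harmless
    query parameter, so the request goes wherever the attacker chose.
    """
    return UPSTREAM_TEMPLATE.format(server=server, item_id=item_id)


def build_upstream_url_safe(server: str, item_id: int) -> str:
    """Hardened: the parameter selects a fixed host from an allow list."""
    host = ALLOWED_SERVERS.get(server)
    if host is None:
        raise ValueError(f"server {server!r} is not in the allow list")
    url = f"https://{host}/api/item?id={int(item_id)}"
    # Defence in depth: re-parse what was built and confirm the host survived.
    assert urlsplit(url).hostname == host
    return url


def request_targets_allowed_host(url: str) -> bool:
    """Pre-request guard: parse the final URL and check the real host."""
    return urlsplit(url).hostname in ALLOWED_SERVERS.values()
```

The important detail is that the check in `request_targets_allowed_host` runs on the parsed host of the final URL, not on the raw parameter: with the page's payload the string still contains `website.thm`, but the host the request would go to is `server.website.thm`.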

Task 3: Finding a SSRF

Task 4: Defeating Common SSRF Defenses

Task 5: SSRF Practical

When we try to access the /private directory on the website, the page displays that we cannot access it from our IP address. So my thoughts are that we need to access the page by requesting it through their local IP / server.

The task says that we have to create an account to access the page.

  • username: kyou

  • email: kyou@kyou.com

  • pass: qwerty123

Then visit the newly implemented page:

https://10-10-179-32.p.thmlabs.com/customers/new-account-page

Then, after we pick our own avatar, we will see this data URI scheme; the image content is base64-encoded.

After that, when we try to change the avatar again, we first inspect the image content, change the value from assets/avatars/6.png to /private, and then click "Update Avatar".

The result will return this

To bypass the filter the server has set, which is most likely a deny list since it allows everything except a specific list of values, we need to do a directory traversal (dot-dot-slash) attack.

We can try changing our payload from /private to x/../private.

Then, after we click "Update Avatar", the web page returns a result that says "Avatar updated".

When we view the page source again, we will see that the avatar is encoded in base64.

Just decode this with base64 and we can see our flag:
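The reason x/../private slips past the filter is that the server compares the raw string against a deny list and only later resolves the path. The following added example (not from the TryHackMe room or this write-up's author) shows a naive deny-list check of that kind beside a hardened check that normalises the path first and then requires it to stay under the avatar directory. The directory name assets/avatars/ comes from the page; the .png requirement is an added assumption.

```python
# Added illustration (not from the TryHackMe room or the write-up author):
# deny-list path filtering that can be bypassed with ../ segments, beside an
# allow-list check that normalises the path before deciding.
import posixpath

# From the page: avatars live under assets/avatars/. The .png rule is assumed.
AVATAR_ROOT = "assets/avatars/"
ALLOWED_SUFFIX = ".png"


def deny_list_check(path: str) -> bool:
    """Naive filter: only rejects a literal path that starts with /private.

    'x/../private' does not start with '/private', so it is allowed even
    though the server resolves it to the same location.
    """
    return not path.startswith("/private")


def normalised_path(path: str) -> str:
    """Collapse '.' and '..' segments the way the filesystem would.

    The path is anchored at '/' first so '..' cannot climb above the root,
    then the leading '/' is removed again so the result is a relative path.
    """
    return posixpath.normpath("/" + path.lstrip("/")).lstrip("/")


def allow_list_check(path: str) -> bool:
    """Hardened filter: normalise, then require the avatar directory."""
    clean = normalised_path(path)
    return clean.startswith(AVATAR_ROOT) and clean.endswith(ALLOWED_SUFFIX)
```

Checking the normalised form is what closes the gap: both `/private` and `x/../private` normalise to `private`, which is outside assets/avatars/, so the allow-list check rejects both while the original avatar path still passes.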

echo "VEhNe1lPVV9XT1JLRURfT1VUX1RIRV9TU1JGfQ==" | base64 -d
