# Intro to SSRF

Task 1: What is an SSRF?

<figure><img src="/files/mM8aM5AQDVULQSGehou4" alt=""><figcaption></figcaption></figure>

Task 2: SSRF Examples

```
# This is the original URL
https://website.thm/item/2?server=api

# This URL is the one you need to access
https://server.website.thm/flag?id=9

# Thus this is the final payload
https://website.thm/item/2?server=server.website.thm/flag?id=9&x=
```
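To see why the `&x=` trick works, here is an added example (not code from the lab or from TryHackMe) of the kind of URL-building code that the Task 2 payload defeats, next to a hardened version. The internal host suffix `.website.thm`, the `/api/item` path and the `ALLOWED_SERVERS` allow list are assumptions modelled on the URLs above; the fix is to treat `server` as a label to look up rather than as URL text.

```python
import re
from typing import Tuple
from urllib.parse import urlencode, urlsplit, urlunsplit

# Added example, not the lab's code. The internal host suffix and the API path
# are assumptions modelled on the Task 2 URLs (website.thm / server.website.thm).
INTERNAL_SUFFIX = ".website.thm"
ALLOWED_SERVERS = {"api"}                     # the only back-end label the app may contact
LABEL_RE = re.compile(r"^[a-z0-9-]{1,63}$")   # exactly one DNS label, nothing else


def build_backend_url_vulnerable(server: str, item_id: int) -> str:
    """The pattern the walkthrough exploits: the `server` parameter is pasted into
    the URL verbatim. A value of 'server.website.thm/flag?id=9&x=' replaces the
    host and path, and the `x=` parameter swallows the rest of the template."""
    return f"https://{server}{INTERNAL_SUFFIX}/api/item?id={item_id}"


def build_backend_url_hardened(server: str, item_id: int) -> str:
    """Treat `server` as a label to look up, not as URL text: it must be a single
    DNS label on the allow list, and the URL is assembled from parts so that no
    user input can change the scheme, host or path."""
    if not LABEL_RE.fullmatch(server) or server not in ALLOWED_SERVERS:
        raise ValueError(f"server parameter rejected: {server!r}")
    query = urlencode({"id": int(item_id)})
    return urlunsplit(("https", server + INTERNAL_SUFFIX, "/api/item", query, ""))


def effective_target(url: str) -> Tuple[str, str]:
    """Return the (host, path) an HTTP client would actually contact. Logging this
    for every outbound request is the simplest way to spot SSRF attempts."""
    parts = urlsplit(url)
    return parts.hostname or "", parts.path


if __name__ == "__main__":
    payload = "server.website.thm/flag?id=9&x="   # the Task 2 payload, as constructed input
    print(build_backend_url_vulnerable(payload, 2))
    print(effective_target(build_backend_url_vulnerable(payload, 2)))
    print(build_backend_url_hardened("api", 2))
    try:
        build_backend_url_hardened(payload, 2)
    except ValueError as err:
        print("blocked:", err)
```

With the payload, the vulnerable builder produces `https://server.website.thm/flag?id=9&x=.website.thm/api/item?id=2`: the host and path are now the attacker's, and everything after `x=` is just an ignored query value. The hardened builder never reaches that point because the value is not a bare label on the allow list.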

<figure><img src="/files/P8xl6u3PH7lh9PQChY5T" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/4jNATbajAJtCpsb8Ql52" alt=""><figcaption></figcaption></figure>

Task 3: Finding an SSRF

<figure><img src="/files/QlQHHg18qGERFBmDyVs1" alt=""><figcaption></figcaption></figure>

Task 4: Defeating Common SSRF Defenses

<figure><img src="/files/4cP0W3aqoJsRyekErl5T" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/Q8sBATMDhDhmOoDD79N0" alt=""><figcaption></figcaption></figure>

Task 5: SSRF Practical

When we try to access the /private directory on the website, the page tells us that it cannot be accessed from our IP address. So my thought is that we need to reach the page by making the server request it for us, from its own local IP.

<figure><img src="/files/vcre5WZiGdH54kJIFmWb" alt=""><figcaption></figcaption></figure>

The task says that we have to create an account to access the page.

* username: kyou
* email: <kyou@kyou.com>
* pass: qwerty123

<figure><img src="/files/2LezVOFr9np48Tj8rqdx" alt=""><figcaption></figcaption></figure>

Then visit the newly implemented page:

<https://10-10-179-32.p.thmlabs.com/customers/new-account-page>

<figure><img src="/files/6IGtzvYLMLmVQWNY5Y6f" alt=""><figcaption></figcaption></figure>

After we pick an avatar, the page source shows the image as a data URI, with the image content base64-encoded.

<figure><img src="/files/iqrnrTbK5hUVnc8m0J3W" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/YWIs3kqcG3UO2AqEJ0jv" alt=""><figcaption></figcaption></figure>

When we change the avatar again, we first inspect the avatar form, change the value from assets/avatars/6.png to /private, and then click "Update Avatar".

<figure><img src="/files/dY1KU0Npu8PUMru7s0j0" alt=""><figcaption></figcaption></figure>

The result is this:

<figure><img src="/files/ROFybhDRTbAroCLSw4Ne" alt=""><figcaption></figcaption></figure>

The filter the server applies is most likely a deny list, since it allows everything except a specific list of paths. To bypass it we need a directory traversal (dot-dot-slash) attack.

We can change our payload from /private to x/../private.

<figure><img src="/files/F7fZPj3odswlQD3P7RWe" alt=""><figcaption></figcaption></figure>

After we click "Update Avatar", the page responds with "Avatar updated".

<figure><img src="/files/AlNvd6MCccv5JUuXaFnO" alt=""><figcaption></figcaption></figure>
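The reason `x/../private` gets past the filter is that the deny list compares the raw string, while the server resolves the path before fetching it. Here is an added example (not code from the lab or from TryHackMe) of that weak check beside an allow-list check that normalizes first; the `/private` deny-list entry, the `assets/avatars/` directory and the `.png` extension are assumptions modelled on this walkthrough. The hardened check also reports whether decoding or normalizing changed the value, which is the signal a defender wants to log.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Added example, not the lab's code. The deny-list entry, the avatar directory
# and the file extension are assumptions modelled on the Task 5 walkthrough.
DENIED_PREFIXES = ("/private",)
AVATAR_ROOT = "assets/avatars/"


def avatar_allowed_denylist(raw: str) -> bool:
    """The weak check the walkthrough runs into: the raw string is compared with a
    deny list, so '/private' is refused but 'x/../private', which the server
    resolves to the same resource, is not."""
    return not raw.startswith(DENIED_PREFIXES)


def check_avatar(raw: str) -> dict:
    """Allow-list check on the *normalized* path. Returns what a request handler
    needs: the resolved path, the allow/deny decision, and a 'suspicious' flag
    that is set whenever decoding or normalizing changed the value, so that a
    traversal attempt can be logged even when it was rejected."""
    decoded = unquote(raw)                      # one round of %-decoding, as the server does
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc:            # 'http://127.0.0.1/..' or '//host/..'
        return {"normalized": None, "allowed": False, "suspicious": True}
    norm = posixpath.normpath(parts.path)       # collapses 'x/../private' to 'private'
    allowed = (
        not norm.startswith("/")                            # no absolute paths
        and norm != ".." and not norm.startswith("../")     # no escaping upward
        and norm.startswith(AVATAR_ROOT)                    # must live under the avatar directory
        and norm.endswith(".png")                           # and be an image file
    )
    return {"normalized": norm, "allowed": allowed, "suspicious": norm != raw}


if __name__ == "__main__":
    # Constructed inputs: the legitimate value, the two values from the walkthrough,
    # and a percent-encoded variant of the traversal.
    for candidate in ("assets/avatars/6.png", "/private", "x/../private", "%2e%2e/private"):
        print(f"{candidate!r:24} denylist={avatar_allowed_denylist(candidate)!s:5} "
              f"hardened={check_avatar(candidate)}")
```

Normalizing before the check is what closes the gap: both `/private` and `x/../private` end up outside `assets/avatars/` and are refused, and the `suspicious` flag on the second one gives the application something concrete to alert on.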

When we view the page source again, we see that the avatar content is base64-encoded.

<figure><img src="/files/J48ugwGbMkzAIROSPlTV" alt=""><figcaption></figcaption></figure>

Decoding it with base64 reveals the flag:

```
echo "VEhNe1lPVV9XT1JLRURfT1VUX1RIRV9TU1JGfQ==" | base64 -d
```

<figure><img src="/files/LFsrVT4O4LukpzOdW7U2" alt=""><figcaption></figcaption></figure>
