SSRF Internal resource accessing & Bypassing Filter (CTF)
Hello Everyone, Hope you are doing well.
Today I am gonna show how an Server side request forgery vulnerability allows to access internal resources .
Before starting I will share some resources which I use often while testing for SSRF and best for learning SSRF ,
intext:”server side request forgery” site:hackerone.com
intext:”server side request forgery” site:medium.com
intext:”server side request forgery” site:github.com
(Here you can see cool SSRF writeups)
Still there are many useful resources but you can find those all online
Lets start, This CTF held by metactf and the challenge is still live.
here you can access the challenge challenge
Now I used my burp collaborator URL and click on browse and it showed me content of that URL & made http request to my burp collaborator URL
By Using SSRF you can able to escalate it to RCE also(For newbies), Now here I tried by injecting a command in burp URL but didn’t worked
Used file protocol and many more but everything is blocked
Now I have to use http or https because in challenge description they have clearly mentioned they are using webserver to hide flag, Now here I tried accessing http://localhost or http://127.0.0.1 and tried by using https also but response is blocked.
Now we have successfully bypassed filter, Now the next step is to find another webserver running on internal and there we can find the flag, Now I just changed port number 80 to 79 I didn’t get any response (It seems port is closed), Now I captured the request and sent it to intruder and brute forced the ports from 1- 10000 I Got one port open i.e 7349
And here we got the flag by that open port
And also this challenge is hosted on AWS ec2, due to that we can able to extract AWS keys also I don’t know it may be mistake of ctf devs they have not enabled any filters for that.
Thank you all ….
Instagram : https://www.instagram.com/basu_banakar
website : https://basubanakar.com/