Advent of Cyber 2023 — Day 22 Writeup with Answers by Karthikeyan Nagaraj | TryHackMe Walkthrough
2024-01-14 21:00:20 Author: infosecwriteups.com (view original) Reads: 8

TryHackMe — SSRF [ Jingle Your SSRF Bells: Merry Command & Control Hackventure ] — As the elves try to recover the compromised servers, McSkidy’s SOC team identifies abnormal activity and notices that a massive amount of data is being sent to an unknown server. This time, law enforcement gets involved to take the C2 server down.

Karthikeyan Nagaraj

InfoSec Write-ups


  1. Scenario
  2. Learning Objectives
  3. Understanding Concept
  4. Pre-Requisites
  5. Challenge Tasks — Answers
  6. Video PoC — https://youtu.be/CTu_YyfEqYw

Scenario

As the elves try to recover the compromised servers, McSkidy’s SOC team identifies abnormal activity and notices that a massive amount of data is being sent to an unknown server (already identified on Day 9). An insider has likely created a malicious backdoor. McSkidy has contacted Detective Frost-eau from law enforcement to help them. Can you assist Detective Frost-eau in taking down the command and control server?

Learning Objectives

  • Understanding server-side request forgery (SSRF)
  • The different types of SSRF used to exploit the vulnerability
  • Prerequisites for exploiting the vulnerability
  • How the attack works
  • How to exploit the vulnerability
  • Mitigation measures for protection

What Is SSRF?

SSRF, or server-side request forgery, is a security vulnerability that occurs when an attacker tricks a web application into making unauthorised requests to internal or external resources on the server’s behalf. This can allow an attacker to interact with internal systems, potentially leading to data exposure or unauthorised actions. Leaving web applications vulnerable to SSRF can have profound security implications, potentially leading to unauthorised access to internal systems, remote code execution (RCE), data breaches, or the application being further compromised.

Types of SSRF Attack

  • Basic: In a basic SSRF attack, the attacker sends a crafted request from the vulnerable server to internal or external resources. For example, they might attempt to access files on the local file system, internal services, or databases that are not intended to be publicly accessible.
  • Blind SSRF: In a blind SSRF attack, the attacker doesn’t directly see the response to the request. Instead, they may infer information about the internal network by measuring the time it takes for the server to respond or observing error message changes.
  • Semi-blind SSRF: In semi-blind SSRF, again, the attacker does not receive direct responses in their browser or application. However, they rely on indirect clues, side-channel information, or observable effects within the application to determine the success or failure of their SSRF requests. This might involve monitoring changes in application behaviour, response times, error messages, and other signs.

Prerequisites for Exploitation

  • Vulnerable input points: Web applications must have input fields susceptible to manipulation, such as URLs or file upload functionalities.
  • Lack of input validation: The application lacks adequate input validation or effective sanitisation mechanisms, allowing an attacker to craft requests to destinations the developer never intended (for example, a URL parameter that accepts the file:// scheme or internal addresses).
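The two prerequisites above describe exactly the weakness in a "fetch this URL for me" endpoint such as the room's getClientData.php, which accepts any scheme and any host. The following check is an added example (not code from the room or from the original write-up) of the validation such an endpoint should apply before fetching a user-supplied URL: only http/https, no embedded credentials, no loopback/private/link-local IP literals, and a hostname allowlist. The allowlist, the hostnames in it and the sample URLs are all hypothetical and constructed for illustration.

```python
"""Hardening a user-supplied URL before the server fetches it (added example).

Hypothetical defensive check for an endpoint that takes a `url` parameter
and retrieves it server-side. Rejecting the request is the safe default:
anything not explicitly allowed is refused.
"""
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allowlist of hosts this service legitimately needs to reach.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}  # None means the scheme's default port


class UnsafeUrl(ValueError):
    """Raised when the server must not fetch this URL on the user's behalf."""


def _is_blocked_ip(host: str) -> bool:
    """True when host is an IP literal in a range we never fetch from.

    Covers 127.0.0.0/8 and ::1 (loopback), RFC 1918 / ULA (private),
    169.254.0.0/16 (link-local, e.g. cloud metadata services), multicast,
    reserved and unspecified addresses. Hostnames return False and are
    handled by the allowlist instead.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # not an IP literal
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_outbound_url(url: str) -> str:
    """Return url unchanged if it is safe to fetch, else raise UnsafeUrl."""
    parts = urlsplit(url)

    # file://, gopher://, dict:// etc. are never acceptable for an HTTP fetcher.
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeUrl(f"scheme not allowed: {scheme or '<none>'}")

    # user:pass@host forms are a classic way to smuggle a different host.
    if parts.username is not None or parts.password is not None:
        raise UnsafeUrl("credentials in URL are not allowed")

    # urlsplit strips IPv6 brackets and lowercases the hostname for us.
    host = (parts.hostname or "").lower()
    if not host:
        raise UnsafeUrl("missing host")
    if _is_blocked_ip(host):
        raise UnsafeUrl(f"non-routable destination: {host}")
    if host not in ALLOWED_HOSTS:
        raise UnsafeUrl(f"host not in allowlist: {host}")

    # parts.port raises ValueError on a malformed port; callers treat that as unsafe too.
    if parts.port not in ALLOWED_PORTS:
        raise UnsafeUrl(f"port not allowed: {parts.port}")

    return url


def is_safe_url(url: str) -> bool:
    """Convenience wrapper: True if validate_outbound_url accepts the URL."""
    try:
        validate_outbound_url(url)
        return True
    except (UnsafeUrl, ValueError):
        return False


if __name__ == "__main__":
    # Constructed sample inputs: the room's file:// payload shape plus common SSRF targets.
    for candidate in [
        "https://api.example.com/report?id=7",
        "file:////var/www/html/config.php",
        "http://127.0.0.1/",
        "http://169.254.169.254/latest/meta-data/",
        "http://api.example.com@10.0.0.5/",
        "http://localhost/",
    ]:
        print(f"{'ALLOW' if is_safe_url(candidate) else 'DENY ':5} {candidate}")
```

Two caveats a practitioner should keep in mind. First, an allowlist of hostnames is deliberately checked without DNS resolution here so the example runs offline; a production fetcher should also resolve the name and re-check the resulting address at connect time, otherwise a name that later resolves to an internal address (DNS rebinding) slips past. Second, the fetcher must not follow redirects blindly, since a permitted host can redirect to a blocked one; validate each hop with the same function.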
Pre-Requisites

  1. Start the TryHackMe VPN or start the AttackBox
  2. Open Split Screen and click View in Full Screen if needed

Challenge Tasks — Answers

1. Is SSRF the process in which the attacker tricks the server into loading only external resources (yea/nay)?

Ans: nay

2. What is the C2 version?

Navigate to the machine at https://MACHINE-IP and look at the bottom of the page for the version string.

Ans: 1.1

3. What is the username for accessing the C2 panel?

The url parameter of getClientData.php is not restricted to http/https, so the file:// scheme can be used to read the C2 configuration file, which contains the panel credentials:

http://MACHINE-IP/getClientData.php?url=file:////var/www/html/config.php

Ans: mcgreedy

4. What is the flag value after accessing the C2 panel?

Log in to the C2 panel using the credentials obtained in the previous question.

Ans: THM{EXPLOITED_31001}

5. What is the flag value after stopping the data exfiltration from the McSkidy computer?

In the C2 panel, remove the first service (the one exfiltrating data from McSkidy's computer) and the flag is displayed.

======================================================
Ans: Use your skills and try to find this answer.

If you are unable to do so,

use the video PoC (linked above) to find the answer.
=======================================================


Source: https://infosecwriteups.com/advent-of-cyber-2023-day-22-writeup-with-answers-by-karthikeyan-nagaraj-tryhackme-walkthrough-5efc0f3262f2?source=rss----7b722bfd1b8d---4