Room: Advent of Cyber 2023 Day 22
Server-Side Request Forgery is a type of security vulnerability where an attacker can manipulate a web application to make requests on behalf of the server. The attacker can typically force the server to perform requests to other resources or services, often internal to the network, that it wouldn’t normally have access to.
The tasks are a bit all over the place, so let’s first go step by step on how to do the actual SSRF exploitation.
First we’ll add the IP to the hosts file of our AttackBox. This will allow us to use the domain name, instead of the IP address, in our browser.
sudo nano /etc/hosts
Be sure to fill in the IP address of your target machine (not your AttackBox, but the IP THM gave you).
If that all went well, you can go to the website. We see it is protected with a username and password.
To get in, we will use an SSRF exploit.
When pressing the green “Accessing through API” button, we are greeted with some API documentation.
This documentation provides us with some interesting information. To get messages, you simply call the API with the URL of a Word document, which the server then fetches for you.
http://10.10.10.20/getClientData.php?url=http://10.10.10.10/messages.docx
It also says that there is a file called config.php on the server, which contains the credentials to the dashboard. So now we know where to look.
So how do we exploit this?
The given URL takes another URL as its parameter (the last part, after url=). What if we try to fetch data from the server itself, instead of from a client IP?
Since we know the website is running on PHP, we can take a look at the default directory where a PHP website’s index file is located.
As expected, it returned the index.php file in clear text. On line 3 we can see it includes the config.php file, which is used to check the credentials that are entered.
Something else we can try is the /etc/passwd file, which contains the usernames and password fields of the accounts on the machine.
We can see a lot of users, but in the password field each entry only shows an “x”.
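The root cause of everything above is that getClientData.php fetches whatever URL it is handed. The following is an added example written for this walkthrough, not code from the room or from the target application: it shows the allowlist check a defender would put in front of such a fetch, and runs it over a few constructed request lines (the documented client 10.10.10.10 comes from the API documentation; the other targets and all function names are assumptions for illustration).

```python
"""Validate the url= parameter of a server-side fetch endpoint before fetching.

Added example for the SSRF walkthrough; not the room's or the target's code.
The allowed client host, the sample requests and the helper names are constructed.
"""
from ipaddress import ip_address
from urllib.parse import parse_qs, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Constructed allowlist: the only client host the API is documented to fetch from.
ALLOWED_HOSTS = {"10.10.10.10"}


def is_internal_host(host: str) -> bool:
    """True for 'localhost' and any loopback/private/link-local/reserved IP literal.

    A DNS name returns False here; a real deployment must resolve it and
    re-check the resolved address right before connecting (DNS rebinding).
    """
    if host.lower() == "localhost":
        return True
    try:
        ip = ip_address(host)
    except ValueError:
        return False
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def check_fetch_target(url: str, allowed_hosts=ALLOWED_HOSTS):
    """Decide whether the server may fetch `url`. Returns (allowed, reason).

    With a non-empty allowlist only those exact hosts pass; with an empty
    allowlist we fall back to rejecting internal addresses. The scheme check
    alone already stops file:// reads such as /etc/passwd or index.php.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError as exc:
        return False, f"unparseable url: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in url not allowed"
    if port not in (None, 80, 443):
        return False, f"port {port} not allowed"
    if allowed_hosts:
        if host not in allowed_hosts:
            return False, f"host {host!r} not in allowlist"
    elif is_internal_host(host):
        return False, f"host {host!r} is internal"
    return True, "ok"


def url_param_from_request(request_target: str):
    """Extract the url= parameter from a request target such as
    '/getClientData.php?url=http%3A%2F%2F10.10.10.10%2Fmessages.docx'.
    parse_qs percent-decodes the value for us."""
    values = parse_qs(urlsplit(request_target).query).get("url")
    return values[0] if values else None


# Constructed request targets, modelled on the room's API call.
SAMPLE_REQUESTS = [
    "/getClientData.php?url=http://10.10.10.10/messages.docx",  # documented use
    "/getClientData.php?url=http://10.10.10.20/config.php",     # points back at the server
    "/getClientData.php?url=http://localhost/index.php",         # loopback
    "/getClientData.php?url=file:///etc/passwd",                 # local file scheme
    "/getClientData.php",                                        # no parameter at all
]


def triage(requests=SAMPLE_REQUESTS):
    """Run the check over each request target; returns {target: (allowed, reason)}."""
    results = {}
    for target in requests:
        url = url_param_from_request(target)
        results[target] = check_fetch_target(url) if url else (False, "no url parameter")
    return results


if __name__ == "__main__":
    for target, (allowed, reason) in triage().items():
        print("ALLOW" if allowed else "BLOCK", target, "-", reason)
```

Only the documented client request passes; the requests at the server itself, at localhost and with a file scheme are all blocked before any fetch happens. The allowlist is the control that actually matters here: a private-range blocklist on its own is bypassable through a hostname that resolves to an internal address, which is why the fallback path only applies when no allowlist exists and why the resolved address must be re-checked at connect time.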