
Wednesday is here and it is THM time again!
We now move on to the Intro to SSRF room on THM!
This room covers What is an SSRF?, SSRF Examples, Finding an SSRF, Defeating Common SSRF Defenses and an SSRF Practical at the end of the module!
In this first section of the room we are tasked with editing the URL path, as it is susceptible to SSRF.
We replace the value of the “https://website.thm/item/2?server=” parameter in the request URL with the attacker-controlled URL https://server.website.thm/flag?id=9 and append &x= so that the rest of the original URL is ignored and our own URL is executed instead, giving us the flag “THM{SSRF_MASTER}”.

Locations where SSRF can be found include –

We access the next section of the room and are met with two pages. The first is the /new-account-page:
https://10-10-20-180.p.thmlabs.com/customers/new-account-page

The second is the /private page, which we cannot access from our current IP:
https://10-10-20-180.p.thmlabs.com/private

We update the avatar section.
https://10-10-20-180.p.thmlabs.com/customers/new-account-page?success=avatar

We then check the page source and find that each avatar has the URL parameter present.

We see that once the avatar is changed, that parameter is Base64 encoded.

We try to change our avatar again but this time edit the code.

We try changing the avatar value to private.

This did not work, so we now try directory traversal.


This does work: no avatar is shown as selected, meaning the page has kept the value we entered.

We find the Base64 encoded form of the path we entered and get the final flag!

THM{YOU_WORKED_OUT_THE_SSRF}
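A defensive counterpart to both tricks in this write-up (the `server=` parameter from the first section and the Base64 avatar traversal from this one), as an added example that is not part of the room or of this post: the allowlist and path-confinement checks an application could apply. The allowed hostname and avatar base path are assumptions, since the room never shows the server side.

```python
"""Defensive checks for the two SSRF vectors described in this room: a
user-supplied `server=` URL and a Base64-encoded avatar path that the
application joins to a fixed base. Added example, not code from the room."""
import base64
import binascii
import posixpath
from typing import Optional
from urllib.parse import urlsplit, quote

# Assumed values: the room never shows the server's own allowlist or avatar base.
ALLOWED_SERVERS = {"server.website.thm"}
AVATAR_BASE = "https://server.website.thm/avatars/"


def allowed_server(url: str) -> Optional[str]:
    """Return the hostname if `url` names an allowlisted https host and carries
    nothing else (no path, query, fragment, userinfo or odd port); else None.
    The caller then builds the full request URL itself, so a payload such as
    `https://server.website.thm/flag?id=9&x=` cannot redirect the request."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return None
    if parts.scheme != "https" or parts.hostname not in ALLOWED_SERVERS:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    if parts.username is not None or port not in (None, 443):
        return None
    return parts.hostname


def resolve_avatar(encoded: str) -> Optional[str]:
    """Decode the Base64 avatar parameter and confine it under AVATAR_BASE,
    so `../private` normalises outside /avatars/ and is rejected."""
    try:
        name = base64.b64decode(encoded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Absolute paths, NUL bytes, backslashes and query/fragment separators are
    # never valid avatar names; reject them before normalising.
    if not name or name.startswith("/") or any(c in name for c in "?#\\\x00"):
        return None
    normalised = posixpath.normpath("/avatars/" + name)
    if not normalised.startswith("/avatars/"):
        return None
    return AVATAR_BASE + quote(normalised[len("/avatars/"):])
```

Note that `private` on its own still resolves (to /avatars/private), which matches what the room showed; only the traversal that escapes the avatar directory is refused.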

Overall, a good introductory room to SSRF, with some good hints on how to find SSRF and how to exploit it, even mixed in with some directory traversal (DT)!


Until next time & don’t sleepwalk through life!
Nägemist
