This is the write up for the room SSRF on Tryhackme and it is part of the Web Fundamentals Path
Make connection with VPN or use the attackbox on Tryhackme site to connect to the Tryhackme lab environment
TASKS SSRF
Task 1
Read all that is in the task, start the attached machine and press complete
Task 2
Read al that is in the task and press complete
Task 3
Follow along with this task. It explains it all very well
Task 4
So now for the fun part.
Look at all the hints and press complete when done
4.1 How many ports are open?
This is a tricky one and the solution given
When we visit the port 8000 we see a simple input field. Now if you try all the basic payloads you’ll get the malicious code error.
If you try the IPv6 format you would get a similar error.
At this point, it looks like the system might not be vulnerable to SSRF at all; but before we give up, we should try using the decimal/hexadecimal conversion method.
We will use the script (i.e ip2dh.py) to convert the IP 127.0.0.1 to decimal which would give us, 2130706433. Now if you want you can use this IP and port 3306 to test if it works or not.
That being said we can’t check every port by ourselves. Instead we will make a small bash script which will do the work for us.
Note: If you are not interested in writing a bash script then you could instead use Burpsuite’s Intruder module, but in this explanation, I am going to show you how to use bash for smaller tasks like these.
for x in {1..65535}; do cmd=$(curl -so /dev/null http://10.10.252.31:8000/attack?url=http://2130706433:${x} \
-w '%{size_download}'); if [ $cmd != 1045 ]; then echo "Open port: $x" fidone
The main thing to understand here is the curl command. If you were to run this curl command by itself with a port like 3306, it would give you the size in bytes of the response, which, for a valid response, in this case is 1042. However, if we run it with some random port, say 54321, it would show a return size of 1046 bytes, as the response from the website will be slightly different. This means that for ports that are not reachable we get size 1045 and for a port that is open we get size 1042. On that basis, we are able to write a script to scan every port and tell us when the size is not 1045 bytes. This script will tell you that 5 ports (22, 3306, 5000, 8000, 6783) are open..
4.2 How many users are there on the system?
Try the payload
file:///etc/passwd
From 1000 and up are users. I count 3 users
Answer: 3
