Exploiting SSRF
Exploit the SSRF vulnerability to identify an additional endpoint. Access that endpoint to obtain the flag.
In this exercise we have access to the same application, but this time we have to enumerate endpoints through the Request parameter.

First we capture the POST Request by clicking on the Check Availability button.

We then send the captured request to Repeater and run a simple test: we change the endpoint to a random page to see how the application handles it. As the output shows, we get a generic Apache 404 response.
Because this 404 message comes back in the response, it is a good indicator that we can conduct a directory brute-force attack with ffuf to enumerate additional endpoints.
We can use the raft-small-words.txt wordlist from SecLists and add the filter "Server at dateserver.htb Port 80" (ffuf's -fr option drops responses matching that regex) so that we only get the results that we want:
ffuf -w raft-small-words.txt -u http://10.129.201.127/index.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "dateserver=http://dateserver.htb/FUZZ.php&date=2024-01-01" -fr "Server at dateserver.htb Port 80"

After running ffuf we get some interesting results. Let's explore the admin endpoint first.

And just by accessing the admin.php endpoint we retrieved our flag!
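
The enumeration above works because the application fetches whatever URL arrives in the dateserver parameter. As an added example (not part of the original walkthrough or the lab's code), here is a strict allowlist check for that parameter in Python; the path /availability.php and the function name validate_dateserver are assumptions, since the page shows only the host dateserver.htb on port 80.

```python
from urllib.parse import urlsplit

# Assumptions: the page shows only the host dateserver.htb on port 80; the path
# below is a hypothetical stand-in for the single endpoint the feature needs.
ALLOWED_SCHEME = "http"
ALLOWED_HOST = "dateserver.htb"
ALLOWED_PORT = 80
ALLOWED_PATHS = frozenset({"/availability.php"})


def validate_dateserver(raw):
    """Return (ok, reason) for a client-supplied dateserver URL."""
    # Reject characters that URL parsers and HTTP clients treat differently.
    if "\\" in raw or any(ch.isspace() or ord(ch) < 0x20 for ch in raw):
        return False, "illegal character"
    try:
        parts = urlsplit(raw)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != ALLOWED_SCHEME:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"
    if parts.hostname != ALLOWED_HOST:
        return False, "host not allowed"
    if (ALLOWED_PORT if port is None else port) != ALLOWED_PORT:
        return False, "port not allowed"
    # Exact match on the raw path: no normalisation, so "../" never resolves.
    if parts.path not in ALLOWED_PATHS or parts.query or parts.fragment:
        return False, "path not allowed"
    return True, "ok"


# Constructed sample inputs, including the request shapes from the walkthrough.
SAMPLES = [
    "http://dateserver.htb/availability.php",
    "http://dateserver.htb/admin.php",
    "http://dateserver.htb/availability.php/../admin.php",
    "http://dateserver.htb:8080/availability.php",
    "http://dateserver.htb@127.0.0.1/availability.php",
    "file:///etc/passwd",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(validate_dateserver(url), url)
```

The more robust fix is to keep the backend URL in server-side configuration and not accept it from the client at all; the check above is for cases where the parameter cannot be removed.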