Identifying SSRF

Exploit a SSRF vulnerability to identify an internal web application. Access the internal application to obtain the flag.

The first step to confirm a SSRF vulnerability is to find a POST Request and locate a parameter that might indicate the data is being sent to another web server.

The vulnerable has a functionallity to check the dates available. Let's click on the button and intercept the request on Burp Suite.

As we can see the application is sending data to the dateserver.htb, lets modify it ot 127.0.0.1 to see if we get a Response from the server.

After modifying the URL the request is successfully sent.

The next step would be enumerate the server ports to see if we can find something interesting.

First we create a wordlist of the ports we want to scan:

seq 1 10000 > ports.txt

Then we can use the following ffuf command to do it:

ffuf -w ./ports.txt -u http://SERVER_IP/index.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "dateserver=http://127.0.0.1:FUZZ/&date=2024-01-01" -fr "Failed to connect to"

From the ffuf output above we can see that we have three ports open.

And with trial and error we manage to get the flag on the port 8000!