SSRF

    • What does SSRF stand for?

    Answer : Server Side Request Forgery

    • As opposed to a regular SSRF, what is the other type?

    Answer : Blind

    • What is the flag from the SSRF Examples site?

    I tried :

    https://website.thm/item/2?server=server.website.thm/flag?id=9

    But it returns a 404, because the server appends the rest of its own request path after our input, so that tail lands inside the id value. We need to push the remaining path into a throwaway parameter with &x= ; the request is now :

    https://website.thm/item/2?server=server.website.thm/flag?id=9&x=

    Answer : THM{SSRF_MASTER}

    • What website can be used to catch HTTP requests from a server?

    Answer : requestbin.com

    • What method can be used to bypass strict rules?

    Answer : Open Redirect

    • What IP address may contain sensitive data in a cloud environment?

    Answer : 169.254.169.254

    • What type of list is used to permit only certain input?

    Answer : Allow List

    • What type of list is used to stop certain input?

    Answer : Deny List
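    The &x= trick from the SSRF Examples question and the allow list / deny list questions above, as an added Python example (not code from the room or the page). It assumes a hypothetical back-end that appends a fixed path /api/item?id=2 to the user-supplied server value, and shows how the internal HTTP client would parse the forged URL with and without &x=, why a literal deny list on 169.254.169.254 is weak (the decimal spelling of the same address slips past it), and the allow-list check that actually closes the hole:

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Hypothetical shape of the vulnerable back-end call (assumption: the room's
# server code is not shown on the page). The page reads `server` from the
# query string and appends a fixed path to fetch the item from an internal API.
FIXED_PATH = "/api/item?id=2"
ALLOWED_HOSTS = {"server.website.thm"}                     # allow list
BLOCKED_LITERALS = {"169.254.169.254", "127.0.0.1", "localhost"}  # naive deny list


def build_backend_url(server):
    """Vulnerable builder: user input becomes host, path AND query of an internal request."""
    return "http://" + server + FIXED_PATH


def parse_as_client(url):
    """How the server-side HTTP client interprets the built URL: (host, path, query dict)."""
    parts = urlsplit(url)
    return parts.hostname, parts.path, parse_qs(parts.query, keep_blank_values=True)


def deny_list_allows(server):
    """Literal deny list: only an exact string match on the host is blocked."""
    host = urlsplit("http://" + server).hostname or ""
    return host not in BLOCKED_LITERALS


def same_address(a, b):
    """True when two spellings denote the same IPv4 address. A bare decimal such as
    2852039166 is the integer form of 169.254.169.254; inet_aton-based resolvers
    (and therefore many HTTP clients) accept it, while a literal deny list does not."""
    def to_ip(s):
        return ipaddress.ip_address(int(s)) if s.isdigit() else ipaddress.ip_address(s)
    return to_ip(a) == to_ip(b)


def allow_list_allows(server):
    """Allow list: the parameter must be exactly one known host name, nothing more."""
    return server in ALLOWED_HOSTS


def build_backend_url_safe(server):
    """Hardened builder: refuses anything that is not a whole, known host name."""
    if not allow_list_allows(server):
        raise ValueError("server not on allow list: %r" % server)
    return "http://" + server + FIXED_PATH


if __name__ == "__main__":
    # Without &x= the fixed path is glued onto the id value; with it, id=9 survives
    # and the rest of the path is swallowed by the dummy parameter x.
    for attempt in ("server.website.thm/flag?id=9", "server.website.thm/flag?id=9&x="):
        print(attempt, "->", parse_as_client(build_backend_url(attempt)))
    print("deny list lets 2852039166 through:", deny_list_allows("2852039166"),
          "| same as metadata IP:", same_address("2852039166", "169.254.169.254"))
    print("allow list accepts the forged value:", allow_list_allows("server.website.thm/flag?id=9&x="))
```

    The allow-list variant treats the parameter as an opaque identifier to look up, not as a URL fragment to concatenate; that is what makes traversal into another host, path or query impossible rather than merely filtered.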

    TASK 5 : SSRF Practical  
    • What is the flag from the /private directory?

    First, you need to create an account then set up an avatar.

    Afterwards, you can edit the HTML value of the radio button to x/../private and update your avatar :



    You normally have a blank avatar, and when you inspect the page source you'll see a base64-encoded data URL for the avatar :


    Decoding the Base64 string "VEhNe1lPVV9XT1JLRURfT1VUX1RIRV9TU1JGfQ==" gives you the flag.

    Answer : THM{YOU_WORKED_OUT_THE_SSRF}
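    The avatar traversal from Task 5, as an added Python example that is not the room's code. It assumes a hypothetical layout in which the radio values are paths under the web root (normal avatars living in a made-up /x/ directory) and uses a constructed in-memory file tree in place of the real site. It shows the path the server ends up fetching for x/../private, why a string-prefix deny list checked before normalisation lets it through, the post-normalisation allow-list check that stops it, and the base64 decode the write-up does by hand:

```python
import base64
import posixpath

# Constructed stand-in for the files the web server can reach (assumption: the
# real site's layout is not on the page, only that avatar values are paths and
# that /private holds the flag).
FAKE_FS = {
    "/x/av1.png": b"\x89PNG constructed avatar bytes",
    "/private": b"THM{YOU_WORKED_OUT_THE_SSRF}",
}
AVATAR_DIR = "/x/"   # hypothetical directory the avatar radio values normally point into


def resolve_path(value):
    """The path the server actually requests: the submitted form value treated as a
    path under the web root and normalised, so `..` segments climb out of the
    avatar directory exactly as in a file-system traversal."""
    return posixpath.normpath("/" + value)


def fetch_avatar_vulnerable(value):
    """Vulnerable flow: trust the client-editable radio value, fetch it server-side,
    and inline whatever came back as a base64 data URL in the page."""
    body = FAKE_FS[resolve_path(value)]
    return "data:image/png;base64," + base64.b64encode(body).decode("ascii")


def prefix_deny_list_allows(value):
    """A string-prefix deny list applied BEFORE normalisation (constructed here to
    show why such a check is weak): 'x/../private' does not start with the blocked
    prefix, yet resolves to /private."""
    return not (value.startswith("private") or value.startswith("/private"))


def is_safe_avatar(value):
    """Allow-list check applied AFTER normalisation: the resolved path must stay
    inside AVATAR_DIR, whatever the raw value looked like."""
    return resolve_path(value).startswith(AVATAR_DIR)


def fetch_avatar_hardened(value):
    """Same fetch, but only for values that normalise to somewhere inside AVATAR_DIR."""
    if not is_safe_avatar(value):
        raise ValueError("avatar path escapes %s: %r" % (AVATAR_DIR, value))
    return fetch_avatar_vulnerable(value)


def decode_data_url(data_url):
    """What the write-up does by hand: drop the data: header, base64-decode the payload."""
    payload = data_url.split(",", 1)[1]
    return base64.b64decode(payload).decode("utf-8")


if __name__ == "__main__":
    evil = "x/../private"
    print("server fetches:", resolve_path(evil))
    print("prefix deny list allows it:", prefix_deny_list_allows(evil))
    print("post-normalisation allow list allows it:", is_safe_avatar(evil))
    leaked = fetch_avatar_vulnerable(evil)
    print("page source contains:", leaked)
    print("decoded:", decode_data_url(leaked))
```

    The difference between the two checks is the order of operations: any filter that inspects the raw value before the path is normalised can be walked around with `..` segments, so the decision has to be taken on the resolved path.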