What is SSRF?

For those who are not familiar with Server-side request forgery or also known as SSRF, it’s a vulnerability that resides within web applications that allow the threat actors to make a request for an unintended location.

The threat actors will cause the server to make connections to internal-only services which reside inside the organization’s infrastructure.

Demonstration on the Server-Side Request Forgery

The Demonstration is been taken from the writeup here

SSRF attack method used in adminer

I found some python code on the internet, but we cannot use the code above as the machine has been patched.

After a while, I found another python code from over here

Disclaimer: I didn’t own the python code above

As you see from the screenshot above, the file cannot be executed where it required Sudo privileges to access

Therefore, we should inspect the subdomain with the burp suite

I notice that the website is using elastic

As a result, we should be changing the value on the driver and server as follows:

  • driver = elastic
  • server = your vpn ip

We got the status code 302 on our redirect.py response

However, the website interface shows the error just like on the screenshot above.

We need to clarify the type of metrics been used over here.

We need to check what is stored on the website interface for port 424

As i notice that the website interface is running OpenTSDB.

Let’s check what is the version of the website API and we got something such as above.

Gaining Privileges Access on Admirertoo machine

Sadly, we cannot see the output of “whoami

Therefore, let’s try something that surely will work like a charm which is the ping command

Finally, we managed to get the result of ping from the machine

We should be starting our nc listener to retrieve the reverse shell connection back to us.

For this purpose, I will be using the reverse shell that is related to nc mkfifo

At last, we managed to retrieve the reverse shell connection

Leave a Reply

Your email address will not be published. Required fields are marked *