What is SSRF?
For those who are not familiar with Server-side request forgery or also known as SSRF, it’s a vulnerability that resides within web applications that allow the threat actors to make a request for an unintended location.
The threat actors will cause the server to make connections to internal-only services which reside inside the organization’s infrastructure.
Demonstration on the Server-Side Request Forgery
The Demonstration is been taken from the writeup here
SSRF attack method used in adminer
I found some python code on the internet, but we cannot use the code above as the machine has been patched.
After a while, I found another python code from over here
Disclaimer: I didn’t own the python code above
As you see from the screenshot above, the file cannot be executed where it required Sudo privileges to access
Therefore, we should inspect the subdomain with the burp suite
I notice that the website is using elastic
As a result, we should be changing the value on the driver and server as follows:
- driver = elastic
- server = your vpn ip
We got the status code 302 on our redirect.py response
However, the website interface shows the error just like on the screenshot above.
We need to clarify the type of metrics been used over here.
We need to check what is stored on the website interface for port 424
As i notice that the website interface is running OpenTSDB.
Let’s check what is the version of the website API and we got something such as above.
Gaining Privileges Access on Admirertoo machine
Sadly, we cannot see the output of “whoami“
Therefore, let’s try something that surely will work like a charm which is the ping command
Finally, we managed to get the result of ping from the machine
We should be starting our nc listener to retrieve the reverse shell connection back to us.
For this purpose, I will be using the reverse shell that is related to nc mkfifo
At last, we managed to retrieve the reverse shell connection
No responses yet