Introduction

We covered the SSRF vulnerability as part of the TryHackMe SSRF room from the Junior Penetration Tester pathway.

Overview of SSRF

The post walks through the SSRF TryHackMe room, which is part of the Junior Penetration Tester Pathway. SSRF is a vulnerability where attackers manipulate URL parameters so that the server performs unintended actions or accesses sensitive data on their behalf. The instructor recommends attempting the more detailed standalone SSRF room before tackling the one in the pathway.

The video starts with an overview of the five tasks in the room, noting that only the final task involves practical application while the first four focus on theory and examples.

SSRF Explained:

  • URL Manipulation: SSRF attacks usually involve altering URL parameters to access unauthorized information or bypass authentication. The instructor explains how, by changing the values of URL parameters, attackers can manipulate server requests.
  • Directory Traversal: SSRF attacks often use directory traversal to access restricted directories or files on the server. The video explains how attackers replace certain parts of the URL with paths to sensitive information (e.g., user directories).
  • Conditional Requests: The video demonstrates the difference between conditional and non-conditional parameters in URLs. Non-conditional parameters allow more flexibility in modifying URLs, while conditional ones may require the attacker to insert additional parameters (e.g., an “x” parameter) to bypass constraints.
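Seen from the defending side, the three patterns above map to checks on any URL the server is asked to fetch. The following is an added example, not code from the room or the video; the host name, path prefix and function names are hypothetical, and the sample URLs are constructed.

```python
import posixpath
from urllib.parse import quote, unquote, urlsplit

# Hypothetical values for this example; the room does not define them.
ALLOWED_HOSTS = {"api.example.internal"}  # allow list of backend hosts
ALLOWED_PREFIX = "/stock/"                # only this subtree may be fetched


def validate_fetch_target(raw: str) -> str:
    """Return the canonical URL the server may request, or raise ValueError."""
    parts = urlsplit(raw)
    if parts.scheme != "https":
        raise ValueError("scheme not allowed")
    # Exact netloc match: also rejects userinfo and explicit ports.
    if parts.netloc.lower() not in ALLOWED_HOSTS:
        raise ValueError("host not on allow list")
    # A caller-supplied query or fragment can cut off whatever the
    # application appends afterwards (the extra-parameter case).
    if parts.query or parts.fragment or "?" in raw or "#" in raw:
        raise ValueError("query or fragment not accepted")
    # Decode until stable so %2e%2e and %252e%252e are both seen as "..".
    path = parts.path
    for _ in range(5):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        raise ValueError("excessive encoding")
    if any(ch in path for ch in "\\?#"):
        raise ValueError("unsafe character in path")
    # Resolve "." and ".." segments, then confirm the result is still
    # inside the permitted subtree.
    normalized = posixpath.normpath(path)
    if not normalized.startswith(ALLOWED_PREFIX):
        raise ValueError("path outside allowed prefix")
    return f"https://{parts.netloc.lower()}{quote(normalized)}"


def check(raw: str) -> str:
    """Human-readable verdict for one candidate URL."""
    try:
        return "ALLOW " + validate_fetch_target(raw)
    except ValueError as exc:
        return f"DENY ({exc})"


if __name__ == "__main__":
    for url in ("https://api.example.internal/stock/item",
                "https://api.example.internal/stock/../private",
                "https://api.example.internal/stock/item?x="):
        print(url, "->", check(url))
```

The validator returns the normalized URL, and the server should fetch that returned value rather than the original input.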

Example of SSRF:

  • The instructor shows a few practical examples of manipulating URL parameters to perform attacks. In one example, the attacker replaces part of the URL with their own value to retrieve unauthorized data from the server. Another example inserts an additional parameter to bypass a condition.
  • A key method for SSRF attacks involves monitoring request URLs using tools like cURL or Burp Suite to see how URL parameters are handled by the server.

Final Task:

The instructor starts a virtual machine to showcase a practical SSRF exploit. The goal is to reveal a flag by accessing a restricted directory (/private) using SSRF. They explain how directory traversal is used in this example to bypass permissions and access sensitive directories on the server. The vulnerability lies in the avatar upload feature, and the instructor guides the viewer through updating and inspecting the avatar, showcasing how to exploit the vulnerability.

This video provides a step-by-step breakdown of both theory and practice for understanding and exploiting SSRF vulnerabilities in the context of the Junior Penetration Tester Pathway on TryHackMe.

Room Answers | TryHackMe SSRF

What does SSRF stand for?
 

As opposed to a regular SSRF, what is the other type?

 
 
What is the flag from the SSRF Examples site?
 
What website can be used to catch HTTP requests from a server?
 
What method can be used to bypass strict rules?
 

What IP address may contain sensitive data in a cloud environment?

 

What type of list is used to permit only certain input?

 

What type of list is used to stop certain input?

 
What is the flag from the /private directory?
 

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.