cancri-sp picoCTF 2023 Solution

Published: April 26, 2023

Description

A web challenge requiring a chain of Server-Side Request Forgery (SSRF) and injection to pivot from the public-facing application to internal services and ultimately exfiltrate the flag.

Open the challenge URL in your browser.

Use Burp Suite to intercept and replay HTTP requests.

    # Navigate to http://<HOST>:<PORT_FROM_INSTANCE>
  1. Step 1: Identify the SSRF vector
    Find an endpoint that fetches a URL or resource specified by user input. This is the SSRF entry point.

    Server-Side Request Forgery (SSRF) occurs when a server makes an HTTP (or other protocol) request to a URL controlled by the attacker. Attackers use SSRF to access internal services that are not exposed to the public internet: internal APIs, metadata services (e.g., AWS IMDSv1 at 169.254.169.254), and services bound to localhost.

    Look for parameters with names like url, endpoint, src, href, redirect, or fetch. Also look for features that fetch remote content: link previews, webhook validators, PDF generators, and image importers are classic SSRF surfaces.

    Test with a URL you control (e.g., a requestbin or webhook.site URL) to confirm the server is making outbound requests with your input.

  2. Step 2: Pivot to internal services via SSRF
    Use the SSRF vector to probe internal addresses (127.0.0.1, 10.0.0.0/8) and find a running internal service that exposes sensitive data.

    # Try internal endpoints:
    curl 'http://<HOST>/fetch?url=http://127.0.0.1/'
    curl 'http://<HOST>/fetch?url=http://127.0.0.1:8080/'
    curl 'http://<HOST>/fetch?url=http://169.254.169.254/latest/meta-data/'

    Once SSRF is confirmed, enumerate internal services by trying common ports (80, 8080, 8443, 3000, 5000, 6379 for Redis, 27017 for MongoDB, 9200 for Elasticsearch). The server's response body, status code, and response time reveal whether each port is open.

    Many internal services have no authentication because they are assumed to be unreachable from outside. An internal admin panel, debug endpoint, or metadata service may immediately disclose sensitive data when accessed through SSRF.

    Common SSRF filter bypasses include alternative IP representations (0x7f000001 or 2130706433 for 127.0.0.1, or the IPv6 loopback [::1]), protocol switches (file://, dict://, gopher://), open URL redirectors, and DNS rebinding (a hostname that resolves to a public address when the filter checks it and to an internal one when the fetch happens).

  3. Step 3: Chain with injection to read the flag
    If the internal service is vulnerable to injection (SQLi, command injection, path traversal), chain the SSRF with injection to read the flag file.

    # Example: SSRF to internal API + path traversal:
    curl 'http://<HOST>/fetch?url=http://127.0.0.1:8080/read?file=../../flag'
    # Example: SSRF to internal API + SQLi:
    curl 'http://<HOST>/fetch?url=http://127.0.0.1:8080/users?id=1+UNION+SELECT+flag+FROM+flags--'

    Chained vulnerabilities (using one bug to reach a second, more impactful one) are common in real-world attacks. SSRF is particularly useful as a pivot because internal services often have weaker input validation than internet-facing ones.

    In this challenge, the SSRF lets you reach an internal service, and that service has a secondary vulnerability (injection, traversal, or a sensitive endpoint) that gives you the flag. Enumerate the internal service's routes and parameters carefully.

    SSRF was included in the OWASP Top 10 in 2021 (A10:2021). High-profile real-world SSRF incidents include the Capital One breach (2019), which used SSRF against the AWS instance metadata service to steal IAM credentials.

  4. Step 4: Exfiltrate the flag
    Read the flag from the internal response and submit it.

    The flag will appear in the server's response once the chain is successful. If the internal service returns the flag directly in its HTTP response, your SSRF fetch endpoint will relay it back to you. If the internal service only writes the flag to a file, use a secondary path traversal or file-read endpoint to fetch it.

    When exfiltration through the same SSRF channel is blocked (e.g., response size limits or content filtering), consider out-of-band channels: cause the internal service to make a DNS lookup or HTTP request to a server you control, encoding the flag in the subdomain or URL path.
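The bypass list under Step 2 (hex and decimal IP forms, the IPv6 loopback, non-HTTP schemes, DNS rebinding) is exactly what a fetch endpoint's URL check has to withstand, so here is the defender's side of this chain. The validator below is an added example written for this writeup, not code from the challenge or from picoCTF: it refuses non-http(s) schemes, normalises numeric hosts before checking them, rejects any resolved address that is not publicly routable (169.254.169.254 and IPv4-mapped IPv6 included), and hands back the checked IPs so the fetcher connects to those instead of re-resolving the name. The `resolver` parameter and the hostnames used in the comments are assumptions for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit
ALLOWED_SCHEMES = {"http", "https"}   # file://, dict://, gopher:// are refused outright

def system_resolver(name):
    """All IP strings the OS would connect to for this name (empty set if none)."""
    try:
        return {ai[4][0].split("%")[0] for ai in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()

def is_forbidden_ip(ip):
    """True for any address a server-side fetcher must never contact: loopback, RFC 1918,
    link-local (169.254.169.254), CGNAT, multicast, reserved, unspecified."""
    mapped = getattr(ip, "ipv4_mapped", None)   # ::ffff:127.0.0.1 is still loopback
    if mapped is not None:
        ip = mapped
    return (not ip.is_global) or ip.is_multicast or ip.is_reserved or ip.is_unspecified

def parse_numeric_host(host):
    """ip_address for dotted-quad, bracketed IPv6, decimal or hex hosts; None for names."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        try:
            n = int(host, 0)                  # "2130706433" or "0x7f000001" -> 127.0.0.1
        except ValueError:
            return None
        return ipaddress.ip_address(n) if 0 <= n < 2**32 else None

def pinned_fetch_target(url, resolver=system_resolver):
    """Validate a user-supplied fetch URL; return (host, port, ips) to connect to *by IP*,
    so DNS rebinding gets no second lookup. Raises ValueError when the URL must be refused."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {scheme!r}")
    if not (host := parts.hostname):
        raise ValueError("missing host")
    port = parts.port or (443 if scheme == "https" else 80)
    numeric = parse_numeric_host(host)
    ips = [numeric] if numeric else [ipaddress.ip_address(a) for a in resolver(host)]
    if not ips:
        raise ValueError(f"{host!r} did not resolve")
    for ip in ips:
        if is_forbidden_ip(ip):
            raise ValueError(f"{host!r} resolves to non-public address {ip}")
    return host, port, [str(ip) for ip in ips]
```

The returned IPs must be what the fetcher actually opens the socket to (with the original hostname kept only for the Host header and TLS SNI); validating the URL and then letting an HTTP client resolve it again reopens the rebinding window.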

Flag

picoCTF{...}

The challenge was not solved during the competition; this writeup is a methodology template for SSRF + injection chains, not a verified step-by-step solution. Concrete endpoints and payloads will vary.
