SSRF to Server Takeover PoC (Bug Bounty Writeup)


Malvin Valerian

Hi there! In this post, I’ll explain how I discovered a critical vulnerability that allowed me to take over a server with root access, without any restrictions!

What is SSRF Attack?

Server-Side Request Forgery (SSRF) is a type of attack that allows an attacker to manipulate a server into making requests on their behalf. By performing an SSRF attack, attackers can send requests from the server to internal systems and access sensitive information.

Proof of Concept

During the analysis, I noticed that the web app provides a radio streaming feature.

[Screenshot: radio streaming feature]

At this point, I opened the Network tab to view the details of the request made when I pressed the play button. I found that the web app uses a request parameter named source_file to specify the URL of the MP3 file to be streamed.

[Screenshot: MP3 file GET request]

I simply modified the value to http://169.254.169.254/computeMetadata/v1. This URL corresponds to the Google Cloud Platform metadata endpoint. What do you think will happen?

[Screenshot: sensitive files in the response]

Wow! The server fetched data from the specified URL. In this case, it returned metadata including SSH configuration details. Specifically, a file named user_data contained sensitive information such as SSH credentials (username and plaintext password).

[Screenshot: SSH credentials]

Now I had full control over the server, including the ability to manipulate server settings and access internal applications.

Recommended Mitigation

URL Whitelisting: Restrict the URLs that can be accessed by the server to only known, safe endpoints. Implement a whitelist of allowed domains and paths.

Input Validation: Validate and sanitize user inputs to ensure that they do not contain malicious URLs or request patterns.

Access Controls: Ensure that sensitive endpoints and internal resources are protected and not accessible from external requests.
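As an added example (not code from the original writeup), here is how a source_file value could be validated before the server fetches it, combining the whitelist and input-validation advice above. The allowed hostnames and the sample IPs are assumptions constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed allowlist for this example: the only hosts the streaming
# backend is permitted to fetch MP3 files from.
ALLOWED_HOSTS = {"cdn.example-radio.com", "media.example-radio.com"}
ALLOWED_SCHEMES = {"http", "https"}


def _is_public_ip(ip: str) -> bool:
    """Reject loopback, private, link-local (169.254.0.0/16 contains the
    cloud metadata endpoint 169.254.169.254), multicast and reserved ranges."""
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast


def validate_source_file(url: str, resolve=socket.getaddrinfo) -> bool:
    """Return True only if `url` is safe for the server to fetch as a stream
    source. `resolve` is injectable so the check can run offline in tests;
    in production the default socket.getaddrinfo is used."""
    try:
        parsed = urlparse(url)
    except ValueError:
        return False
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False
    if parsed.username or parsed.password:
        # user@host forms are a classic way to confuse host parsing.
        return False
    host = parsed.hostname
    if not host or host.lower() not in ALLOWED_HOSTS:
        return False
    # The name is allowlisted; also check where it resolves, so a DNS record
    # that points an allowed name at an internal address is still refused.
    try:
        infos = resolve(host, parsed.port or 80)
    except OSError:
        return False
    return bool(infos) and all(_is_public_ip(info[4][0]) for info in infos)
```

The resolution check is best-effort: the HTTP client that performs the actual fetch should also refuse to follow redirects to hosts that fail this same check.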

I suggest you learn more about SSRF:

PortSwigger: https://portswigger.net/web-security/ssrf

Disclosed PoCs on HackerOne

I hope you find this post useful. If you have any questions or feedback, feel free to reach out. Happy hacking!
