Lab 95 — CloudCrate — SSRF in File Import Feature

hackadvisor

Task: CloudCrate upload page includes an Import from URL feature that performs server-side fetches on attacker-supplied URLs. Solution: exploit SSRF to enumerate localhost services, query the internal metadata API on port 3001, and read the flag from /flag.

ssrf internal_service file_import localhost_access metadata_service url_fetching

ssrf_reconnaissancelocalhost_enumerationinternal_api_abusealternate_loopback_notation

$ ls tags/ techniques/

ssrf internal_service file_import localhost_access metadata_service url_fetching

ssrf_reconnaissancelocalhost_enumerationinternal_api_abusealternate_loopback_notation

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]CloudPulse— hackadvisor
[web][Pro]Lab 104 — CloudOps Copilot — AI SSRF via Infrastructure Tool Abuse— hackadvisor
[web][Pro]Lab 91 — PingRadar — SSRF Filter Bypass via Open Redirect Chain— hackadvisor
[web][Pro]Lab 205 — DockForge — SSRF in Webhook Test Endpoint— hackadvisor
[web][free]Prison Pipeline— hackthebox_business_ctf_2024