Use this tiny playground to get in touch with SSRF (Server Side Request Forgery) and learn some common ways to pwn things with such a vulnerability. This challenge is intended to be used in a CTF event and works fine in combination with frameworks like CTFd or Facebook's CTF framework. During your campaign this SSRF Cheatsheet might help you. The challenge contains three hidden flags.
Content:
- Let's discuss your Mission
- Solution and lessons learned
- How to get started
- Now some words of warning and disclaimer
- It's Dangerous to walk alone - take this!
Docker containers have a lot of pitfalls, depending on the environment the container runs in. This image is built as a jack of all trades so you have multiple opportunities to learn from common mistakes. Making things polyglot means triple the fun.
You will learn how to:
- Retrieve valuable data that is stored in a file
- Access the Kubernetes ServiceAccount token (the starting point to take over a running Pod in k8s)
- Hijack an AWS account by raiding the EC2 metadata service. The admin moved the regular IP http://169.254.169.254 to localhost:1338 - but there is no security by obscurity.
If you're done or just lame - take a look at my Solution. The most crucial part of this isn't the way to capture the flag, it's the mitigation. Read it carefully and if I've missed something, please send me a Pull Request.
The easiest way is to use the prebuilt Docker image and spin the container up as usual (the run command has to reference the image you just pulled, otherwise Docker will not find it):
$ docker pull ghcr.io/benjitrapp/ssrf-playground:main
$ docker run --name ssrf-playground -p 8080:80 -d -t ghcr.io/benjitrapp/ssrf-playground:main
Otherwise you can also build and run the Dockerfile locally. To start, simply use the Makefile like this:
# Build and run in one step
$ make all
# For control freaks use this path (build first, then run):
$ make build
$ make run
Note: Depending on your OS you may be required to add sudo in front of each statement.
I'm not responsible for any harm caused by this CTF challenge. Do not deploy it in production and sandbox the container, since it's intentionally broken by design.
SSRF allows an attacker to make a vulnerable web server send requests to an arbitrary destination of the attacker's choosing; the request leaves from the server, with the server's network position and trust.
The visualization above shows that a vulnerable web server can be tricked into accessing files, APIs etc. that reside on the same host, or into reaching other resources somewhere in the surrounding network or environment.
Targeting internal systems behind a WAF (Web Application Firewall) lets an attacker:
- Reach systems that are normally unreachable from the external network
- Access and interact with services on the server itself that only listen on the loopback interface (127.0.0.1/localhost)
- Bypass whitelisting, host-based authentication and WAFs, because the request now originates from a trusted host => who can be trusted?
- Scan the internal network for servers and other broken services/protocols
- ...and many more nasty things
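The following is an added example for this README, not code from the ssrf-playground image: a URL fetcher written the way the vulnerable server behaves, next to a hardened variant that refuses exactly the destinations listed under "You will learn how to" and in the impact list above (the IMDS copy on localhost:1338, the real IMDS at 169.254.169.254, the in-cluster Kubernetes API, RFC 1918 hosts, loopback and the file:// scheme). The `FAKE_DNS` table and the URLs in the demo are constructed for the example; `kubernetes.default.svc` and `10.96.0.1` are assumed as a typical in-cluster API server name and VIP.

```python
"""Added example (not part of the ssrf-playground project): a vulnerable
fetch-any-URL handler beside a hardened one that validates the destination
on the resolved IP address.  The resolver is injectable so the checks can
be exercised offline against constructed DNS answers."""
import ipaddress
import socket
from typing import Callable, Dict
from urllib.parse import urlsplit
from urllib.request import urlopen

Resolver = Callable[[str], str]

# Constructed DNS answers for this example; a real deployment uses real_resolve.
FAKE_DNS: Dict[str, str] = {
    "example.com": "93.184.216.34",         # public, routable
    "localhost": "127.0.0.1",               # where the admin "hid" the IMDS copy
    "kubernetes.default.svc": "10.96.0.1",  # assumed in-cluster API server VIP
    "evil.example": "127.0.0.1",            # attacker-controlled name pointing inward
}


def fake_resolve(host: str) -> str:
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed resolver: unknown host {host!r}")
    return FAKE_DNS[host]


def real_resolve(host: str) -> str:
    return socket.gethostbyname(host)


def fetch_vulnerable(url: str) -> bytes:
    """The bug: fetch whatever the client sent.  urlopen handles
    file:///etc/passwd, http://localhost:1338/latest/meta-data/ and
    http://10.0.0.5/ alike, so every target on this page is reachable."""
    with urlopen(url, timeout=5) as resp:
        return resp.read()


ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def check_destination(url: str, resolve: Resolver = real_resolve) -> str:
    """Return url unchanged if it points at a public address, else raise ValueError.

    The verdict is based on the *resolved* IP, not on the hostname text, so
    IPv6 literals like [::1] and DNS names that resolve into internal
    address space are rejected as well."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {port}")
    try:
        addr = ipaddress.ip_address(host)           # literal IPv4/IPv6?
    except ValueError:
        try:
            addr = ipaddress.ip_address(resolve(host))
        except socket.gaierror as exc:
            raise ValueError(f"cannot resolve {host!r}") from exc
    # is_global is False for loopback, link-local (169.254.0.0/16, i.e. IMDS),
    # RFC 1918, unique-local IPv6 and other non-routable ranges.
    if not addr.is_global:
        raise ValueError(f"{host!r} resolves to non-public address {addr}")
    return url


def is_allowed(url: str, resolve: Resolver = real_resolve) -> bool:
    """Boolean form of check_destination, convenient for tables and tests."""
    try:
        check_destination(url, resolve)
        return True
    except ValueError:
        return False


def fetch_hardened(url: str, resolve: Resolver = real_resolve) -> bytes:
    """Same fetch as above, but only after the destination passed the checks."""
    with urlopen(check_destination(url, resolve), timeout=5) as resp:
        return resp.read()


if __name__ == "__main__":
    # Constructed SSRF payloads matching the three targets described on this page.
    for candidate in [
        "http://example.com/",
        "file:///etc/passwd",
        "http://localhost:1338/latest/meta-data/iam/security-credentials/",
        "http://169.254.169.254/latest/meta-data/",
        "https://kubernetes.default.svc/api/v1/namespaces",
        "http://evil.example/",
        "http://[::1]/",
    ]:
        verdict = "ALLOW" if is_allowed(candidate, fake_resolve) else "BLOCK"
        print(f"{verdict:5} {candidate}")
```

Two caveats a practitioner should keep in mind: `urlopen` resolves the hostname again when it connects and follows redirects, so a check like this still loses against DNS rebinding or a public host that 302s to 169.254.169.254; a production fix pins the checked IP for the actual connection and disables redirects. On AWS the structural mitigation is IMDSv2 (session token required, hop limit 1), which a plain forwarded GET cannot satisfy.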
Here you can read the official investigation documents by the US Government about the breach. The story is well worth reading.
Details of the breach: a hacker downloaded 30 GB of Capital One credit application data from a rented cloud data server.
The incident affected:
- 100 million US people
- 6 million Canadian
- 80,000 bank account numbers
- 140,000 Social Security numbers
- 1 million Social Insurance numbers for Canadian credit card customers
The attacker: Paige A. Thompson, a former Amazon Web Services employee (here is her CV), who doxed herself by bragging on Twitter.
The hack itself was performed from behind a VPN and the TOR network. The attack was very sophisticated. She managed to bypass the WAF (Web Application Firewall) by abusing an SSRF weakness and accessed IMDSv1 (the EC2 Instance Metadata Service) to obtain credentials for the AWS account.
Since this kind of attack really happened in the wild, this challenge teaches you how it was performed and extends it by abusing Kubernetes/OpenShift the same way. Have fun and enjoy - and don't forget to take a look at /exploit/SOLUTION.md to also learn how to mitigate what you have learned.