- The VM needed for this challenge can be downloaded here.
- You’ll need Kali Linux as well.
- The final flag for this machine will be revealed by exploiting an SSRF condition.
First Steps:
- You will not have the login credentials to the machine.
- Before you power it on, go to the machine settings and give the network adapter a custom MAC address.
- This way you will be able to locate it with the arp-scan utility within Kali.
- Don't use the MAC address I have below. Everyone in the class needs something different.
- Manually randomize the MAC address you give your machine!

Once you have started the CTF machine, launch a root shell in Kali and do the following:
- Use the arp-scan utility to scan the entire subnet and report back on the MAC addresses that are present.
- Your Kali Linux machine must be on the same subnet as the CTF machine, or arp-scan will not see it (ARP does not cross routers).
- Use grep to filter for the MAC address that you gave the CTF machine.
- NOTE: I only grep for the OUI (the first three octets) of the MAC address. You should grep for the entire MAC address, since several VMs on the subnet can share the same OUI!
Start with an Nmap scan, using the default script set and version detection to identify the web server and any other listening services:
nmap -sC -sV IP_ADDRESS_OF_TARGET_VM

The webpage running on this machine (pictured below) is vulnerable to SSRF (Server-Side Request Forgery). Web servers often need to reach resources on internal addresses, such as services bound to the localhost address 127.0.0.1, which are not (and should not be) exposed publicly.
A common example is a MySQL database. The web server must be able to query the database, but nobody on the internet should be able to connect directly to the database storing the website's data via the machine's public IP address. An SSRF bug breaks that boundary: the server makes an outbound request on the attacker's behalf, from inside the host, to whatever address the attacker supplied in the form.
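The following is an added example, not code from the course page or from the CTF VM (whose source is not shown). It models the "fetch whatever URL the form submits" behaviour that makes the page vulnerable, next to a hardened target check. The function names, the FAKE_DNS table and the sample addresses (kali.lab, metadata.lab, 192.168.56.101) are assumptions made for this example.

```python
# Added example (not the course page's or the CTF VM's code): a model of the
# SSRF-prone URL fetch described above, beside a hardened target check.
# Function names, FAKE_DNS and all sample addresses are assumptions.
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for DNS so the example runs offline. A real check must
# use socket.getaddrinfo() and test every returned address, because an
# attacker controls the DNS records of any hostname they submit.
FAKE_DNS = {
    "localhost": "127.0.0.1",
    "kali.lab": "192.168.56.101",        # assumed address of the Kali listener
    "metadata.lab": "169.254.169.254",   # link-local, like cloud metadata
    "example.org": "93.184.216.34",
}


def vulnerable_target(url):
    """The behaviour the web form exposes: take the submitted URL as-is and
    return the (host, port) the server would open a connection to.
    Nothing is validated, so 127.0.0.1:3306 is as acceptable as kali.lab:5555."""
    parts = urlsplit(url)
    default_port = 443 if parts.scheme == "https" else 80
    return parts.hostname, parts.port or default_port


def resolve(host, dns=FAKE_DNS):
    """Turn a hostname or IP literal into an ipaddress object using the
    constructed table above (stand-in for real DNS resolution)."""
    try:
        return ipaddress.ip_address(host)          # already an IP literal
    except ValueError:
        pass
    if host not in dns:
        raise ValueError("unresolvable host: %r" % host)
    return ipaddress.ip_address(dns[host])


def is_allowed_target(url, dns=FAKE_DNS):
    """Hardened check: only http/https, the hostname must resolve, and the
    resolved address must be globally routable. This rejects loopback
    (127.0.0.1, ::1), RFC 1918 ranges, link-local addresses, and unparseable
    tricks such as 'http://2130706433/' (decimal 127.0.0.1), which fail closed."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        addr = resolve(parts.hostname, dns)
    except ValueError:
        return False
    return addr.is_global and not addr.is_multicast


if __name__ == "__main__":
    for url in ("http://kali.lab:5555/", "http://127.0.0.1:3306/",
                "http://localhost/", "http://[::1]/", "http://example.org/"):
        print("%-26s -> connects to %s, allowed=%s"
              % (url, vulnerable_target(url), is_allowed_target(url)))
```

The first case is the listener test from this walkthrough: the vulnerable fetch happily opens a connection to your Kali box on port 5555, which is what the Netcat listener observes. The same function just as happily targets 127.0.0.1:3306, which is the whole problem. Note that the hardened check must also be re-applied after any HTTP redirect, and in production the resolution step has to go through getaddrinfo() on the addresses actually used for the connection, or DNS rebinding will defeat it.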

Identify the IP address of your Kali Linux machine first and start a Netcat listener on port 5555. If the server really fetches the URL you submit, the connection will arrive at this listener from the target's IP address, which confirms the SSRF before you point it at anything internal.
hostname -I
nc -lvnp 5555

Now fill out the web form (example below) and click ‘submit.’