| Field | Value |
|---|---|
| Platform | PortSwigger Web Security Academy |
| Type | SSRF — Internal Network Scanning + Admin Access |
| Difficulty | Apprentice |
| Objective | Find the admin interface on the internal 192.168.0.X:8080 range and delete the user carlos |
# Basic SSRF Against Another Back-End System — Writeup

## Initial Observation

Intercepting the stock check request reveals that the stockApi parameter already points at an internal IP:

```
stockApi=http://192.168.0.1:8080/product/stock/check?productId=1&storeId=1
```

The server fetches the URL from 192.168.0.x:8080, a private range that is unreachable from outside but accessible from the application server. Because the client controls the whole URL, the server can be made to fetch any host and path on that range; we need to find which host is running the admin interface.
## Attack Path

### Internal Network Scan via Intruder

Sending the request to Burp Intruder and setting the payload position on the last octet of the IP address:

```
stockApi=http://192.168.0.§x§:8080/admin
```

Running a Sniper attack with a Numbers payload from 0 to 255. One response comes back with a different status code; that is the host with the admin panel:

192.168.0.154 is running the admin interface on port 8080.
## Deleting Carlos

Sending the delete request directly from Repeater:

```
stockApi=http://192.168.0.154:8080/admin/delete?username=carlos
```

The response is a 302 Found; following the redirect shows the lab as solved. Poor Carlos.
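As an added example (not part of the original writeup or the lab's code), the root cause and its fix in Python: the vulnerable handler forwards the client's stockApi URL unchanged, while the hardened version builds the URL server-side from productId and storeId and an allowlist check refuses anything but the stock service. The stock service address 192.168.0.1:8080 and path are taken from the intercepted request; the handler functions and sample inputs are constructed.

```python
"""Constructed example: the lab's stock-check URL handling, vulnerable and fixed."""
from urllib.parse import urlparse, urlencode

# The only back-end the stock check legitimately needs (from the intercepted request).
STOCK_HOST = "192.168.0.1"
STOCK_PORT = 8080
STOCK_PATH = "/product/stock/check"


def build_stock_url_vulnerable(params: dict) -> str:
    """Lab behaviour: the client-supplied stockApi value is fetched as-is, so any
    host and path on 192.168.0.x:8080 is reachable through the server."""
    return params["stockApi"]


def build_stock_url_fixed(params: dict) -> str:
    """Hardened: accept only the identifiers the check needs and assemble the URL
    server-side, so the client never chooses scheme, host, port or path."""
    product_id = int(params["productId"])  # ValueError on non-numeric input
    store_id = int(params["storeId"])
    query = urlencode({"productId": product_id, "storeId": store_id})
    return f"http://{STOCK_HOST}:{STOCK_PORT}{STOCK_PATH}?{query}"


def is_allowed_stock_url(url: str) -> bool:
    """Allowlist check for code that must still accept a full URL: exact scheme,
    host, port and path. Other hosts on the range, other ports, /admin and
    path traversal such as /product/stock/check/../../admin are all refused."""
    p = urlparse(url)
    return (p.scheme == "http" and p.hostname == STOCK_HOST
            and p.port == STOCK_PORT and p.path == STOCK_PATH)


if __name__ == "__main__":
    legit = "http://192.168.0.1:8080/product/stock/check?productId=1&storeId=1"
    scan = "http://192.168.0.154:8080/admin"
    print("legit allowed:", is_allowed_stock_url(legit))   # True
    print("scan allowed:", is_allowed_stock_url(scan))     # False
    print("fixed URL:", build_stock_url_fixed({"productId": "1", "storeId": "1"}))
```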