{"id":23470935,"url":"https://github.com/benjitrapp/ssrf-playground","last_synced_at":"2025-04-14T17:22:14.274Z","repository":{"id":43740095,"uuid":"303136478","full_name":"BenjiTrapp/ssrf-playground","owner":"BenjiTrapp","description":null,"archived":false,"fork":false,"pushed_at":"2025-01-10T11:08:49.000Z","size":5547,"stargazers_count":8,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-06T22:11:22.920Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"CSS","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/BenjiTrapp.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-10-11T14:16:08.000Z","updated_at":"2025-03-27T06:22:46.000Z","dependencies_parsed_at":"2023-01-22T06:46:20.507Z","dependency_job_id":null,"html_url":"https://github.com/BenjiTrapp/ssrf-playground","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BenjiTrapp%2Fssrf-playground","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BenjiTrapp%2Fssrf-playground/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BenjiTrapp%2Fssrf-playground/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BenjiTrapp%2Fssrf-playground/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/BenjiTrapp","download_url":"https://codeload.github.com/BenjiTrapp/ssrf-playground/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories
_count":248923888,"owners_count":21183989,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-12-24T16:18:08.294Z","updated_at":"2025-04-14T17:22:14.211Z","avatar_url":"https://github.com/BenjiTrapp.png","language":"CSS","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Docker](https://github.com/BenjiTrapp/ssrf-playground/actions/workflows/docker-publish.yml/badge.svg)](https://github.com/BenjiTrapp/ssrf-playground/actions/workflows/docker-publish.yml)\n\n![](www/static/tag.png)\n\n\u003cbr\u003e\u003cbr\u003e\n\n\u003cimg height=\"200\" align=\"left\" src=\"www/static/evilmonkey.png\" \u003e \u003cbr\u003eUse this tiny playground to get in touch with SSRF (Server Side Request Forgery) and learn some common ways to pwn things with such a vulnerability. This challenge is intended to be used in a CTF event and works fine in combination with frameworks like [CTFd](https://github.com/BenjiTrapp/CTFd-helm-chart) or Facebook's CTF framework. During your campaign this [SSRF Cheatsheet](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html) might help you. This challenge contains three hidden flags. 
\n\u003cbr\u003e\u003cbr\u003e\n\u003cbr\u003e\u003cbr\u003e\n\u003cbr\u003e\u003cbr\u003e\n**Content:**\n* [Let's discuss your Mission](https://github.com/BenjiTrapp/ssrf-playground#lets-discuss-your-mission)\n* [Solution and lessons learned](https://github.com/BenjiTrapp/ssrf-playground#solution-and-lessons-learned)\n* [How to get started](https://github.com/BenjiTrapp/ssrf-playground#how-to-get-started)\n* [Now some words of warning and disclaimer](https://github.com/BenjiTrapp/ssrf-playground#now-some-words-of-warning-and-disclaimer)\n* [It's Dangerous to walk alone - take this!](https://github.com/BenjiTrapp/ssrf-playground#its-dangerous-to-walk-alone---take-this)\n\n---\n### Let's discuss your Mission\nDocker containers have a lot of pitfalls, depending on the environment the container runs in. This image is built as a jack of all trades, so you have multiple opportunities to learn from common mistakes. Making things polyglot means triple the fun :goberserk:\n\n**You will learn how to**:\n1. Retrieve valuable data which is stored in a file\n2. Access the Kubernetes ServiceAccount token (starting point to take over a running Pod in k8s)\n3. Hijack an AWS account by raiding the EC2 metadata. The admin moved the regular IP `http://169.254.169.254` to `localhost:1338` - but there is no security by obscurity. \n\n### Solution and lessons learned\nIf you're done or just lame - take a look at my [Solution](https://github.com/BenjiTrapp/ssrf-playground/blob/main/exploit/SOLUTION.md). The most crucial part of this isn't how to capture the flag, it's about the mitigation. 
Read it carefully and if I've missed something, please send me a Pull Request\n\n### How to get started\nThe easiest way is to use the prebuilt Docker image and spin the Docker container up as usual: \n\n```bash\n$ docker pull ghcr.io/benjitrapp/ssrf-playground:main\n$ docker run --name ssrf-playground -p 8080:80 -d -t ghcr.io/benjitrapp/ssrf-playground:main\n```\n\nOtherwise you can also build and run the Dockerfile locally. To start this, simply use the Makefile like this:\n\n```bash\n# Build and run in one step\n$ make all\n\n# For control freaks use this path:\n$ make run\n$ make build\n```\n\n**Note:** Depending on your OS you may be required to add `sudo` in front of each statement \n\n\n### Now some words of warning and disclaimer: \n\u003e I'm not responsible for any harm caused by this CTF challenge. Do not deploy in production and sandbox the container since it's intentionally broken by design.\n\n### It's Dangerous to walk alone - take this!\n\n##### What is Server Side Request Forgery (SSRF)?\n\u003e Allows an attacker to send malicious requests to an arbitrary domain of the attacker's choosing by abusing a vulnerable web server\n\n\u003cp align=center\u003e\n\u003cimg width=\"600\" alt=\"image\" src=\"https://user-images.githubusercontent.com/8672357/160492625-2752e5ea-6d19-4d0b-b399-332d275395b4.png\"\u003e\n\u003c/p\u003e\n  \nThe visualization above shows that a vulnerable web server can be tricked into either accessing files, APIs etc. that reside on the same host, or accessing other resources somewhere in the background or surrounding environment\n\n##### SSRF is used for\n* Targeting internal systems behind a WAF (Web Application Firewall)\n* Reaching systems that are normally unreachable for an attacker from the external network \n* Accessing and interacting with the server if the server is listening on the loopback interface address (127.0.0.1/localhost)\n* Bypassing whitelisting, host-based authentication services and WAFs =\u003e Who can be trusted?\n* 
Internal scans for servers and other broken servers/protocols \n* …and many more nasty things\n\n##### Have you already heard how Capital One got hacked?\n[Here](https://www.justice.gov/usao-wdwa/press-release/file/1188626/download) you can read the official investigation documents by the US Government about the breach. This story is well worth reading.\n\n**Details of the breach**:  A hacker downloaded 30 GB of Capital One credit application data from a rented cloud data server\n\nThe incident affected:\n* 100 million US people\n* 6 million Canadians\n* 80,000 bank account numbers\n* 140,000 Social Security numbers\n* 1 million Social Insurance numbers for Canadian credit card customers\n\nThe attacker: Paige A. Thompson, former Capital One and Amazon Inc. employee (here is her [CV](https://gitlab.com/netcrave/Resume/blob/master/cv/experience.tex)) who doxed herself by bragging on Twitter. \n\nThe hack itself was performed hidden behind a VPN and from the Tor network. The attack was very sophisticated. She managed to bypass the WAF (Web Application Firewall) by abusing an SSRF weakness and accessed IMDSv1 (the EC2 Metadata Service) to gain access to the AWS account. \n\n\u003cp align=center\u003e\n\u003cimg width=\"600\" alt=\"image\" src=\"https://user-images.githubusercontent.com/8672357/160493361-c18c499a-5a42-4ee5-bec2-c0255291c80e.png\"\u003e\n\u003c/p\u003e\n\nSince this kind of attack really happened in the wild, this challenge should teach you how it was performed and extend it by abusing Kubernetes/OpenShift the same way. 
Have fun and enjoy - by the way, don't forget to take a look at `/exploit/SOLUTION.md` to also learn how to mitigate the things you have learned.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbenjitrapp%2Fssrf-playground","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbenjitrapp%2Fssrf-playground","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbenjitrapp%2Fssrf-playground/lists"}