TryHackMe: Advent of Cyber 2023 (Day 22) Jingle Your SSRF Bells: A Merry Command & Control Hackventure

Samantha
3 min read · Dec 29, 2023

“As the elves try to recover the compromised servers, McSkidy’s SOC team identify abnormal activity and notice that a massive amount of data is being sent to an unknown server (already identified on Day 9). An insider has likely created a malicious backdoor. McSkidy has contacted Detective Frost-eau from law enforcement to help them. Can you assist Detective Frost-eau in taking down the command and control server?”

Before you start, you have to add the secret C2 server to the hosts file. I just used nano:

The hosts file maps IP addresses to hostnames locally, so the name resolves without going through DNS.

Here is what you see if you open that URL: a login panel for the C2 server, which the elves have been trying to get into.

Q1: Is SSRF the process in which the attacker tricks the server into loading only external resources (yea/nay)?

You’ll notice at the bottom of the login panel there is a little link for accessing the panel through the API. If you click it, you get some helpful instructions for doing so.

So basically, you can exploit this by crafting a URL that makes the server read from its own file system. For example, here I grabbed the /etc/passwd file:

So the answer to this question is nay, because I am tricking the server into loading private INTERNAL information.
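As an added example (not code from this writeup or from the TryHackMe room), here is the server-side check that an "access through API" fetcher like the one above is missing: it refuses the URL shapes the SSRF relies on, such as file:// and hosts that resolve to internal addresses. The hostnames, addresses and the resolver table are constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Constructed stand-in for DNS / the hosts file so the example runs offline;
# every hostname and address in this table is invented.
DEMO_HOSTS = {
    "localhost": ["127.0.0.1", "::1"],
    "c2.example.internal": ["10.10.5.7"],     # reachable only from inside
    "public.example.org": ["93.184.216.34"],  # globally routable
}

def demo_resolver(host):
    """IP literals pass through unchanged; names are looked up in DEMO_HOSTS."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return DEMO_HOSTS.get(host, [])

def system_resolver(host):
    """For real use: return every A/AAAA answer, not just the first one."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def is_safe_fetch_url(url, resolver=system_resolver):
    """Return (ok, reason); refuses file:// and other non-HTTP schemes,
    embedded credentials, and hosts that resolve to non-global addresses."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme or '<none>'}"
    if not parts.hostname:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    addrs = resolver(parts.hostname)
    if not addrs:
        return False, f"{parts.hostname} does not resolve"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is really 127.0.0.1
        if not ip.is_global:  # loopback, RFC 1918, link-local, CGNAT, ...
            return False, f"{parts.hostname} resolves to non-global {ip}"
    # Connect to one of `addrs` rather than re-resolving the name, or DNS
    # rebinding can swap in an internal address after this check passes.
    return True, "ok"
```

Pass `demo_resolver` to try it offline; in a deployment the default `system_resolver` is used and the fetcher must connect to the vetted address.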

Q2: What is the C2 version?

After you get into the system in the next couple of questions, you can answer this one. At the bottom right of the home page for the C2 server, you can see the version.

But you will have to move the browser window around, because if you open it in full screen the version is blocked and not easy to see.

Q3: What is the username for accessing the C2 panel?

I accessed the config.php file to get the username:password combo for accessing the C2 panel.

Q4: What is the flag value after accessing the C2 panel?

After this, you can easily log in with the credentials and will see the flag up top.

Q5: What is the flag value after stopping the data exfiltration from the McSkidy computer?

At the bottom, I removed the McSkidy user and the flag popped up.
