INTRODUCTION
Task 1: What is an SSRF?
Q. What does SSRF stand for?
A. Server-Side Request Forgery
Q. As opposed to a regular SSRF, what is the other type?
A. Blind
Explanation
Imagine an office where only the assistant can enter restricted rooms like the finance
vault.
Employees can send a note saying: “Please bring a file from Room 204.”
The assistant goes, collects it, and returns.
Now a malicious employee writes:
“Please bring documents from the Finance Vault.”
The assistant has access — so they go and bring back confidential files.
The employee was never allowed inside.
They simply tricked someone who had access.
That’s SSRF.
The attacker can’t access internal systems directly, so they trick the server into doing it
for them.
With SSRF, attackers can:
- Access internal services
- Read cloud metadata (AWS, GCP, Azure)
- Bypass firewalls
- Pivot to internal attacks
Types of SSRF
1. Basic SSRF (Classic SSRF)
The server fetches a user-supplied URL and returns the response directly.
Attackers can access internal services like localhost or internal IP addresses.
Example:
http://127.0.0.1/admin
2. Blind SSRF
The server makes the request, but no response is shown to the attacker.
Detection is done using out-of-band techniques like DNS or HTTP callbacks.
Example:
http://attacker-dns.com
Task 2: SSRF Examples
Q. What is the flag from the SSRF Examples site?
A. THM{SSRF_MASTER}
Explanation
Start by clicking on the visit site button.
The example shows how an attacker can alter a request and force the application to send a
request of the attacker’s choosing.
Finally, change this URL
https://website.thm/item/2?server=api
to
https://website.thm/item/2?server=server.website.thm/flag?id=9&x=
Note: the &x= at the end of the URL is simply a query parameter with an empty value.
Task 3: Finding an SSRF
Q. Based on simple observation, which of the following URLs is more likely to be vulnerable to SSRF?
- https://website.thm/index.php
- https://website.thm/list-products.php?categoryId=5325
- https://website.thm/fetch-file.php?fname=242533.pdf&srv=filestorage.cloud.thm&port=8001
- https://website.thm/buy-item.php?itemId=213&price=100&q=2
A. 3
Explanation
Potential SSRF vulnerabilities can be found wherever a web application accepts user input
that is later used to make a server-side request. Common places include parameters that
accept a full URL, hidden form fields, inputs that allow only a hostname, or fields that
accept just the URL path. Some of these are easy to exploit, while others require careful
testing and trial and error to discover a successful SSRF payload.
Based on simple observation, the URL most likely to be vulnerable to SSRF is: Option 3
Why this one stands out
- It contains parameters like srv (server/host) and port
- This strongly suggests the backend is connecting to another server to fetch a file
- User-controlled host and port values are classic SSRF indicators
Why the others are less likely
- index.php → no parameters, nothing to manipulate
- list-products.php?categoryId=5325 → numeric ID, typical database lookup
- buy-item.php?itemId=213&price=100&q=2 → business logic parameters, not network-related
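The same observation can be turned into a review heuristic. The following Python is an added example (not from the room) that scores query parameters by name and value shape and runs the check over constructed log lines; the parameter-name set beyond srv and port is an assumption, and the output is a triage list for manual review, not proof of a vulnerability.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names that commonly carry the destination of a server-side
# request. `srv` and `port` come from the task above; the rest are assumed
# typical names and can be extended per application.
SUSPECT_NAMES = {"url", "uri", "src", "dest", "redirect", "callback", "host",
                 "server", "srv", "port", "domain", "site", "proxy", "feed"}
# Hostname with at least two dots, or a dotted-quad IPv4 literal. Requiring
# two dots keeps plain filenames such as 242533.pdf from being flagged.
HOST_LIKE = re.compile(
    r"^(?:[a-z0-9-]+\.){2,}[a-z]{2,}$|^\d{1,3}(?:\.\d{1,3}){3}$", re.IGNORECASE)


def ssrf_indicators(url):
    """Return (name, value, reason) tuples for query parameters that make the
    URL worth manual review as a possible SSRF sink; [] means none found."""
    hits = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        reasons = []
        if name.lower() in SUSPECT_NAMES:
            reasons.append("destination-style parameter name")
        if "://" in value or HOST_LIKE.match(value):
            reasons.append("value looks like a URL, hostname or IP")
        if name.lower() == "port" and value.isdigit():
            reasons.append("user-controlled port number")
        if reasons:
            hits.append((name, value, "; ".join(reasons)))
    return hits


def triage_log(lines):
    """Apply the heuristic to access-log lines; returns the lines to review."""
    request = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
    flagged = []
    for line in lines:
        m = request.search(line)
        if m and ssrf_indicators(m.group(1)):
            flagged.append(line)
    return flagged


# Constructed sample log lines (not from the room) in a minimal CLF-like shape.
SAMPLE_LOG = [
    '10.0.0.7 "GET /index.php HTTP/1.1" 200',
    '10.0.0.7 "GET /list-products.php?categoryId=5325 HTTP/1.1" 200',
    '10.0.0.9 "GET /fetch-file.php?fname=242533.pdf&srv=filestorage.cloud.thm&port=8001 HTTP/1.1" 200',
    '10.0.0.9 "GET /buy-item.php?itemId=213&price=100&q=2 HTTP/1.1" 200',
]

if __name__ == "__main__":
    for line in triage_log(SAMPLE_LOG):
        print("review:", line)
```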
Task 4: Defeating Common SSRF Defenses
Q. What method can be used to bypass strict rules?
A. Open Redirect
Q. What IP address may contain sensitive data in a cloud environment?
A. 169.254.169.254
Q. What type of list is used to permit only certain input?
A. Allow List
Q. What type of list is used to stop certain input?
A. Deny List
Explanation
Open redirect:
An open redirect is an endpoint that automatically forwards users to another URL based on a
parameter. While often used for tracking or marketing, it can be abused to bypass strict
SSRF protections. If an application only allows requests to its own domain, an attacker can
supply a trusted URL that points to an open redirect, causing the server to follow the
redirect and send the internal request to an attacker-controlled destination.
Security-aware developers often try to reduce SSRF risk by validating the resources a server is allowed to access, usually through deny lists or allow lists. Allow list and deny list are access control mechanisms used to decide what is permitted or blocked.
Allow list:
An allow list explicitly specifies which resources, inputs, or actions are permitted, and
blocks everything else by default. Only items that match the approved list or defined rules
are allowed, making this approach more restrictive and generally more secure.
- Fixed Trusted Domains
  - https://api.company.com
  - https://storage.company.com
  - https://cdn.company.com
- Domain Suffix Rules
  - *.company.com
  - *.trusted-service.com
- Protocol Restrictions
  - Only http:// and https://
  - Often HTTPS only
- Port Restrictions
  - 80
  - 443
Deny list:
A deny list specifies which resources, inputs, or actions are forbidden, while allowing everything else by default. This approach is easier to implement but less secure, since attackers can often bypass it using values or techniques that are not covered by the blocked list.
- Common Deny List Targets (Blocked Destinations)
  - localhost
  - 127.0.0.1
  - 0.0.0.0
  - ::1 (IPv6 localhost)
- Private / Internal IP Ranges
  - 10.0.0.0/8
  - 172.16.0.0/12
  - 192.168.0.0/16
- Cloud Metadata Services
  - 169.254.169.254 (AWS, Azure, GCP)
  - metadata.google.internal
- Internal Hostnames
  - internal
  - intranet
  - admin
  - private
- Dangerous Protocols
  - file://
  - gopher://
  - ftp://
  - dict://
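As an added example (not from the room), here is an allow-list check in Python for a server-side fetch that combines the four rule types above and also resolves the hostname, so a trusted name that points at a loopback, private or metadata address is still rejected. The company domains are the hypothetical ones listed above, and the resolver is injectable so the check runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allow list (hypothetical company): fixed hosts, suffix rules,
# protocol and port restrictions, mirroring the four rule types above.
ALLOWED_HOSTS = {"api.company.com", "storage.company.com", "cdn.company.com"}
ALLOWED_SUFFIXES = (".company.com", ".trusted-service.com")
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {443}


def is_public_address(ip_text):
    """True only for globally routable addresses; rejects loopback, RFC 1918,
    link-local (which covers 169.254.169.254), unspecified and reserved."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_unspecified or ip.is_reserved or ip.is_multicast)


def validate_fetch_url(url, resolver=socket.gethostbyname):
    """Return (ok, detail). `resolver` maps a hostname to an IP string and is
    injectable so the check can be tested without network access."""
    try:
        parts = urlsplit(url)
        port = parts.port or 443
    except ValueError:
        return False, "malformed URL or port"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL (user@host confusion)"
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in ALLOWED_HOSTS and not host.endswith(ALLOWED_SUFFIXES):
        return False, "host not on allow list"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    # Check the address the server would actually connect to: a trusted name
    # that resolves to an internal address is rejected as well.
    try:
        ip_text = resolver(host)
    except OSError:
        return False, "host does not resolve"
    if not is_public_address(ip_text):
        return False, f"{host} resolves to internal address {ip_text}"
    # The caller must fetch with redirects disabled (or re-run this check on
    # every Location header); otherwise an open redirect defeats the allow list.
    return True, ip_text
```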
Task 5: SSRF Practical
Q. What is the flag from the /private directory?
A. THM{YOU_WORKED_OUT_THE_SSRF}
Process
Begin by visiting the first URL
(https://10-49-188-195.reverse-proxy.cell-prod-ap-south-1b.vm.tryhackme.com/)
and create an account. We created an account named Vicky.
Visit the second URL
(https://10-49-188-195.reverse-proxy.cell-prod-ap-south-1b.vm.tryhackme.com/customers/new-account-page)
to select an avatar.
Select an avatar and click the Update Avatar button.
Select an avatar again, right-click it and choose Inspect. Try changing the value attribute to
/private; you will get an error.
Try again, this time setting the value attribute to "x/../private". After updating, the
Current Avatar will appear empty. Inspect the Current Avatar label and you will see a base64-
encoded string.
Decode it using the base64decode website and you will get the flag.