# Esse Esse Erre Effe

## Approaching the app

![](https://630407063-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZD3WIm997ouoGhrdss%2F-MfU0--4ny8VFAhMEgRC%2F-MfU0bJzfxVW-d0vfneu%2Fimage.png?alt=media\&token=0160314f-b8c3-43a8-833b-a429a1114d73)

The application lets the user enter the URL of a website, fetches it server-side, and returns the response wrapped in a JSON document.

![](https://630407063-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZD3WIm997ouoGhrdss%2F-MfU0--4ny8VFAhMEgRC%2F-MfU0vfRAKycOUPgN79s%2Fimage.png?alt=media\&token=89f5b60c-1e0a-4e13-8c11-4caaa6331e19)

If we try to point it at the API IP directly, the app refuses to retrieve the data: the check is applied to the URL we submit.

![](https://630407063-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZD3WIm997ouoGhrdss%2F-MfU0--4ny8VFAhMEgRC%2F-MfU2CB5Mm2f1BhJEQKu%2Fimage.png?alt=media\&token=c7b3dd95-665a-4ae4-9f16-5b2fe7653590)

## The exploit

We can try to retrieve the data anyway by making the server send its request to a host we control and then redirecting that request to the cloud metadata API via an HTTP `Location` header, since the check is not repeated for the redirect target.

![](https://630407063-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZD3WIm997ouoGhrdss%2F-MfU0--4ny8VFAhMEgRC%2F-MfU2jvuMOJ1m68A45qX%2Fimage.png?alt=media\&token=ccb2e09f-d40a-4a75-acf6-aca8d7bb6b7f)

One could simply serve the following PHP code:

```php
<?php
header("Location: http://169.254.169.254/metadata/v1.json");
```

and point the SSRF request at the controlled server to retrieve the metadata.

![](https://630407063-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZD3WIm997ouoGhrdss%2F-MfU0--4ny8VFAhMEgRC%2F-MfU3A-YpvSZWy2cW9TP%2Fimage.png?alt=media\&token=5442c3f5-9645-464a-99b2-cca256d09569)

And the flag is found among the metadata :0
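The root cause above is that the fetcher validates only the URL the user submits and then lets its HTTP client follow redirects blindly. The fix is to follow redirects manually and re-validate every hop, rejecting link-local (which includes 169.254.169.254), loopback and private destinations. The code below is an added example written for this write-up, not the challenge's code; the hostnames `example.com` and `attacker.example`, the `FAKE_DNS` table and the `fake_fetch` server simulation are all constructed so it runs offline.

```python
"""Hardened URL fetcher that re-validates every redirect hop (added example)."""
import ipaddress
import socket
from urllib.parse import urlparse, urljoin

MAX_HOPS = 3


def is_disallowed_ip(ip_str: str) -> bool:
    """True if the address points at an internal, loopback or link-local target.
    169.254.169.254 (cloud metadata) is link-local and is therefore rejected."""
    ip = ipaddress.ip_address(ip_str)
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it cannot smuggle an IPv4 target.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_url(url: str, resolver=socket.gethostbyname) -> str:
    """Check the scheme and resolve the host; return the IP the request would go to.
    Raises ValueError for anything the fetcher must not contact."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    host = parsed.hostname
    if not host:
        raise ValueError("missing host")
    try:
        ip_str = str(ipaddress.ip_address(host))  # literal address
    except ValueError:
        ip_str = resolver(host)                    # DNS name
    if is_disallowed_ip(ip_str):
        raise ValueError(f"target {host} resolves to disallowed address {ip_str}")
    return ip_str


def fetch_with_safe_redirects(url, fetch, resolver=socket.gethostbyname, max_hops=MAX_HOPS):
    """Follow redirects by hand, validating each Location before requesting it.
    `fetch(url)` must perform ONE request without following redirects and return
    (status, headers_dict, body). Returns (final_url, body)."""
    current = url
    for _ in range(max_hops + 1):
        validate_url(current, resolver)          # the check runs on EVERY hop
        status, headers, body = fetch(current)
        if status in (301, 302, 303, 307, 308) and "Location" in headers:
            current = urljoin(current, headers["Location"])
            continue
        return current, body
    raise ValueError("too many redirects")


# --- constructed demo data: no real servers are contacted ---
# Arbitrary public addresses are used because Python marks the RFC 5737
# documentation ranges (192.0.2.0/24 etc.) as private and would reject them.
FAKE_DNS = {"example.com": "93.184.216.34", "attacker.example": "93.184.216.35"}


def fake_resolver(host: str) -> str:
    return FAKE_DNS[host]


def fake_fetch(url: str):
    """Simulates the two servers from the write-up: one that redirects to the
    metadata address and one that serves ordinary content."""
    if url.startswith("http://attacker.example/"):
        return 302, {"Location": "http://169.254.169.254/metadata/v1.json"}, b""
    if url.startswith("http://example.com/"):
        return 200, {}, b"<html>ok</html>"
    raise AssertionError("fetcher must never reach " + url)


def try_fetch(url: str):
    """Return the body on success, or a 'blocked: ...' string with the rejection reason."""
    try:
        return fetch_with_safe_redirects(url, fake_fetch, fake_resolver)[1]
    except ValueError as e:
        return f"blocked: {e}"


if __name__ == "__main__":
    print(try_fetch("http://example.com/"))                        # body is returned
    print(try_fetch("http://attacker.example/redirect.php"))       # redirect hop blocked
    print(try_fetch("http://169.254.169.254/metadata/v1.json"))    # direct access blocked
```

Two design points matter in production: the IP returned by `validate_url` should be the one the socket actually connects to (otherwise a DNS rebinding between the check and the connect reopens the hole), and a denylist of address ranges is a floor, not a ceiling; where the use case allows, an allowlist of permitted hosts is stronger.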
