[Exploit Host header–based SSRF](https://portswigger.net/web-security/host-header/exploiting/lab-host-header-routing-based-ssrf) to pivot into an **internal network** (`192.168.0.0/24`), locate the admin panel, and delete `carlos`. 1. **Confirm SSRF capability** * `GET /` in Burp Repeater → replace `Host:` with **Burp Collaborator domain**. * Poll Collaborator → HTTP hit confirms outbound request capability. 2. **Enumerate internal hosts** * Send request to Burp Intruder. * Disable **Update Host header to match target**. * Set Host to: ``` Host: 192.168.0.§0§ ``` * Payload type: Numbers `0 → 255`. * Start attack, sort by Status → one host returns **302 → /admin**. ![[CleanShot 2025-08-12 at [email protected]]] 3. **Access admin panel** * In Repeater: ``` GET /admin HTTP/1.1 Host: 192.168.0.X # X = discovered octet ``` * Response shows admin UI. 4. **Craft delete request** * Extract `csrf` token from admin HTML. * Extract session cookie from `Set-Cookie` header. * Build request: ``` POST /admin/delete HTTP/1.1 Host: 192.168.0.X Cookie: session=YOUR_SESSION Content-Type: application/x-www-form-urlencoded csrf=CSRF_TOKEN&username=carlos ``` * Send → user deleted → lab solved. In my case normal solution doesn't worked and I just send GET request: ![[CleanShot 2025-08-12 at [email protected]]] Try it on your own. --- ## Real-World Tricks * **Speed enumeration:** * Use `Cluster Bomb` with both internal IP ranges and common admin hostnames (`admin`, `intranet`, `backend`). * **Bypass blocked IPs:** * Test alternative notations: * Decimal: `3232235521` for `192.168.0.1` * Octal: `0300.0250.00.01` * Mixed formats. * **Chaining:** * Combine with **header smuggling** (`X-Forwarded-Host`, `Forwarded`) if Host validation is patched. * **Lateral move:** * Once inside intranet, scan for other services (Jenkins, GitLab, Redis) via Host header fuzzing.