Day 8/100 Hack and Improvement

1 minute read

Day 8 comes with more recon and a brief analisis about SSRF capabilities. Rajesh Ranjan goes deep with subdomains linked to IP ranges, and Sam (CoffeeJunkie) explains SSRF capabilites.

Finding Subdomains Using IP Ranges

From Rajesh Ranjan, we will learn that, how can we extract the subdomains using the IP ranges of a company. For this we will use:

  1. to find the ASN of a company
  2. to find the IP ranges from the ASN number
  3. Nmap to enumerate subdomains from the IP ranges

To start:

  • Finding ASN number with

Here, replace with your own. In my case I used So I got the following results:

nmap scan

  • Now we have to extract the IP ranges, from the ASN number.

    Here, Replace the ASN number with your target ASN, and you’ll get the IP Ranges as follows

nmap scan

Now lets try to enumerate the subdomains from the first IP range we got, in my case it is You can try all the IP ranges one by one.

  • Enumerate subdomains from the IP ranges using nmap. We can use the following command
    nmap -sn | grep | awk '{print $5}'

and we got the following results:

nmap scan

Server Side Request Forgery (SSRF)

From Sam (CoffeeJunkie), This kind of vulnerability allows an attacker to perform unintended network requests, in this case abusing other system to perform malicious actions. In order demonstrate impact with the vulnerability, you have to understand the ability of the vulnerable server to make requests. This determines what the attacker can do with SSRF. Depending on the services and internal ports that the vulnerable server might have open, it depens the kind of attack that the server can have. As an example, the attacker might be able to access to databases, or perform unintended requests in order to control the responses of the webserver.

Write Up and Explanation


The attacker started doing recon with the following Google Dork in order to obtain extensions of the site with php in the end.

site: ext:php

The endpoint that the attacker found was the following.

So, looking at the file name media_preview the attacker realized that he was able to load pictures into the system, therefore the attacker tried the following.

Once the attacker realized the capabilities of the attack, he started looking on how limited it is by injecting XSS payloads, and reading internal files. The attacker tried to link the website with a AWS instance which worked perfectly good in his case where he was able to pull data such as secret keys.



There is a great chance to obtain great results by using internet tools and nmap scripting, SSRF has been covered in details in the past blogs, in this case there is the chance to see a capability scope.

Leave a comment