London Bridge

A journey through SSRF filter bypasses, SSH key extraction, and kernel exploits in the heart of London.

April 2025
Introduction

The London Bridge TryHackMe room presents a challenging journey through web application security vulnerabilities and privilege escalation techniques. What starts as a simple tourist website quickly reveals itself as a playground for Server-Side Request Forgery (SSRF) attacks.

You'll navigate through seemingly innocent image viewing functionality that, when exploited correctly, provides access to internal resources. Filter bypasses, SSH key extraction, and kernel exploits await as you make your way from tourist to system administrator.

This walkthrough provides a comprehensive guide to compromising the London Bridge machine, from initial reconnaissance to root access, demonstrating the dangers of improperly secured web applications and outdated kernel versions.

Tags: Medium · SSRF · Privilege Escalation · Web Exploitation
Overview

London Bridge is a challenging TryHackMe room that tests your skills in web application security, Server-Side Request Forgery (SSRF), filter bypass techniques, and Linux privilege escalation. This walkthrough details the methodical approach to compromising the machine and obtaining both user and root flags.

Vulnerability

Server-Side Request Forgery (SSRF) in image viewing functionality

Techniques

SSRF filter bypass, SSH key extraction, kernel exploit

Difficulty

Medium - Requires advanced SSRF bypass techniques

Initial Reconnaissance

Nmap Scan Results
Identifying open ports and services
$ nmap -sS -v -p- -Pn -A 10.10.156.95

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
8080/tcp open  http-proxy gunicorn
| http-title: Explore London
| http-methods:
|_  Supported Methods: HEAD GET OPTIONS
|_http-server-header: gunicorn

The scan reveals two open ports:

  • Port 22 (SSH): OpenSSH 7.6p1, package 4ubuntu0.7, which is the build shipped with Ubuntu 18.04 (Bionic), so the host is already dated by its SSH banner
  • Port 8080 (HTTP): Gunicorn, a Python WSGI server, hosting an "Explore London" website, which makes a Python web application (Flask or similar) very likely

Web Enumeration

Directory Discovery
Finding accessible endpoints
$ feroxbuster -u 'http://10.10.156.95:8080' -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt

The enumeration revealed several interesting endpoints:

  • /contact: A contact form with name, email, and message fields
  • /gallery: A page displaying London images with upload functionality
  • /upload: Endpoint for uploading files
  • /feedback: Page shown after contact form submission
  • /dejaview: A page allowing users to view images via URL
  • /view_image: Endpoint for displaying images

London Gallery Page:

[Screenshot: London Gallery page showing various London landmarks and an upload form]

The gallery page allows users to upload images.

DejaView Image URL Input:

[Screenshot: DejaView page with URL input field]

The DejaView page allows users to view images by URL.

Source Code Hint:

[Screenshot: HTML source code showing a comment about adding images using links]

A developer comment reveals the ability to add images using links.

Vulnerability Discovery & Exploitation

Server-Side Request Forgery (SSRF)
Exploiting the DejaView functionality

Parameter Discovery

Using ffuf to fuzz the image-viewing endpoint for parameter names, we discovered the "www" parameter. It takes a URL that the server fetches on our behalf, which is the SSRF primitive:

[Screenshot: ffuf output showing parameter discovery]

Initial SSRF Attempt

Attempting to reach /etc/passwd through the www parameter returned 403 Forbidden rather than an error from the fetch itself, which indicates that the application inspects the supplied URL and rejects certain values before making the request:

[Screenshot: Failed SSRF attempt showing 403 Forbidden]

SSRF Filter Bypass

After trying various bypass techniques, using "0" as the host succeeded. The filter rejects the literal loopback spellings, but "0" is not on its list, and a connection to 0.0.0.0 is routed to the local host by the Linux kernel, so the request still reaches the internal service:

www=http://0:8080/ssh/id_rsa

[Screenshot: Successful SSRF showing directory listing]
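To make the bypass concrete, the following Python is an added example (not code from the London Bridge room or from this walkthrough) that puts a naive hostname deny-list, which behaves like the filter observed here, beside a hardened check that canonicalises the host and tests the resolved address. The parameter name www follows the room; the handler names, the sample URLs and the static resolver are constructed for illustration.

```python
"""Added example (not the room's code): a naive SSRF deny-list beside a
hardened host check for an image-fetch handler that takes a 'www' URL
parameter, as the London Bridge application does. Handler names, sample
URLs and the static resolver below are constructed for illustration."""
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

# The kind of filter that answers 403 for http://127.0.0.1:8080/... yet lets
# http://0:8080/... through: it compares the hostname string to a short list.
BLOCKED_HOSTS = {"localhost", "127.0.0.1", "0.0.0.0", "::1"}


def naive_allows(url: str) -> bool:
    """Deny-list check on the hostname string only."""
    host = (urlsplit(url).hostname or "").lower()
    return host not in BLOCKED_HOSTS


def literal_addresses(host: str):
    """IP address denoted by a host literal, or None if host is a DNS name.

    inet_aton() canonicalises the shorthand forms a string filter misses:
    '0' -> 0.0.0.0, '127.1' -> 127.0.0.1, '2130706433' -> 127.0.0.1,
    '0x7f000001' -> 127.0.0.1. It only parses; no lookup is performed.
    """
    try:
        return [ipaddress.ip_address(host)]   # dotted quad or IPv6 literal
    except ValueError:
        pass
    try:
        packed = socket.inet_aton(host)
    except OSError:
        return None                           # not numeric: treat as a name
    return [ipaddress.ip_address(socket.inet_ntoa(packed))]


def dns_addresses(host: str):
    """Default resolver: every A/AAAA answer for host (scope ids dropped)."""
    return [ipaddress.ip_address(info[4][0].split("%")[0])
            for info in socket.getaddrinfo(host, None)]


def static_resolver(*ips: str) -> Callable[[str], Iterable]:
    """Resolver returning fixed addresses, for offline runs on constructed data."""
    return lambda host: [ipaddress.ip_address(ip) for ip in ips]


def hardened_allows(url: str, resolver=dns_addresses) -> bool:
    """Allow only http(s) URLs whose host resolves solely to public addresses."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):  # no file://, gopher://, dict://
        return False
    host = parts.hostname
    if not host or parts.username or parts.password:
        return False
    addrs = literal_addresses(host)
    if addrs is None:
        try:
            addrs = list(resolver(host))
        except OSError:                        # includes socket.gaierror
            return False
    if not addrs:
        return False
    # is_global is False for loopback, 0.0.0.0, RFC 1918, link-local
    # (169.254.169.254 cloud metadata), multicast and reserved ranges.
    return all(ip.is_global for ip in addrs)


if __name__ == "__main__":
    for url in ("http://127.0.0.1:8080/ssh/id_rsa", "http://0:8080/ssh/id_rsa",
                "http://127.1/", "http://2130706433/", "file:///etc/passwd"):
        print(f"{url:36} naive={naive_allows(url)!s:5} hardened={hardened_allows(url)}")
```

Even the hardened check leaves two gaps a practitioner should close: the address must be validated at connect time (or the fetch pinned to the validated IP) so a DNS answer cannot change between check and use, and HTTP redirects must be disabled or re-validated, since an allowed public host can redirect the fetcher straight back to an internal address.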

SSH Private Key Extraction

Through the same SSRF we retrieved the SSH private key belonging to user "beth":

[Screenshot: SSH private key accessed via SSRF]

Saved locally and restricted to mode 600 (OpenSSH refuses to use a key readable by other users), the private key lets us log in over SSH as beth.

Privilege Escalation

Kernel Exploit
Escalating privileges to root

After gaining access as beth, we checked the kernel version with uname -a and found that it matched a public local privilege escalation exploit. Before running any kernel exploit, confirm that the exact kernel build and distribution match the exploit's tested targets: a mismatch typically crashes the machine rather than failing cleanly.

Exploit Compilation and Execution

$ gcc exploit.c -o exploit -lpthread
$ chmod +x exploit
$ ./exploit ubuntu

(gcc already produces an executable file, so the chmod step is harmless but unnecessary.)

[Screenshot: Successful privilege escalation to root]

Firefox Password Extraction

After gaining root access, we found a Firefox profile belonging to user "charles" and decrypted its saved logins with firepwd.py, which needs the profile's key4.db (or the older key3.db) together with logins.json:

[Screenshot: Firefox password extraction showing credentials]

The extracted credentials revealed:

  • Username: Charles
  • Password: thekingofengland
  • Website: https://www.buckinghampalace.com

Key Takeaways

  • SSRF Vulnerabilities: Treat any user-supplied URL the server will fetch as hostile; restrict the scheme and check the destination address, not just the hostname string.
  • Filter Bypasses: A deny-list of literal spellings such as 127.0.0.1 and localhost is defeated by alternate forms like 0, decimal or hex addresses, and DNS names that resolve to internal ranges; resolve the host and allow only public addresses.
  • Kernel Security: Keep systems updated so that a foothold as a low-privileged user does not turn into root through a known kernel vulnerability.
  • Password Storage: Browser password managers protect against other users, not against root; once the host is compromised, saved logins can be decrypted from the profile.

Conclusion

London Bridge demonstrates the dangers of SSRF vulnerabilities and the importance of proper input validation. The challenge showcases how a seemingly innocent feature like viewing images by URL can lead to complete system compromise when security controls are insufficient. By understanding these attack vectors, developers can better protect their applications from similar vulnerabilities.

This walkthrough is for educational purposes only. Always practice ethical hacking and obtain proper authorization before testing security measures.