web medium
Offlinea
hackthebox
Task: Access a Flask backend protected by localhost-only restrictions behind a PHP frontend.
Solution: Bypass SSRF protection via HTTP Parameter Pollution (PHP uses the last parameter, Flask uses the first), exploit Python .format() string injection on stored URLs to leak SECRET_KEY from the app config, forge an admin JWT, and access the protected /bartender endpoint via SSRF.
$ ls tags/ techniques/
jwt_forgery hpp_ssrf_bypass python_format_string_injection secret_key_leak