original_task

miptctf

Task: Web app with notes, two Flask backends (DEV/PROD) behind nginx, flag only on PROD via localhost, bot restricted to ports 443/4443. Solution: DNS HTTPS/SVCB record attack (RFC 9460) to redirect browser TCP connection to port 1337 while URL shows port 443, bypassing bot port check.

flask ssrf firefox playwright nginx dns_https_record svcb rfc9460 port_bypass dns_manipulation http2 self_signed_cert browser_ssrf

dns_https_svcb_port_redirectionbrowser_ssrf_via_dnsform_autosubmit_posturl_tcp_port_mismatch

$ ls tags/ techniques/

flask ssrf firefox playwright nginx dns_https_record svcb rfc9460 port_bypass dns_manipulation http2 self_signed_cert browser_ssrf

dns_https_svcb_port_redirectionbrowser_ssrf_via_dnsform_autosubmit_posturl_tcp_port_mismatch

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][free]DoxPit— hackthebox
[web][Pro]Board of Secrets Revenge— miptctf
[web][Pro]Simple Web (d5c47306-5d4f-4ad4-958f-5414a0b85b9b)— hackerlab
[web][free]Six-Seven— alfactf
[web][Pro]board_of_secrets— miptctf