Hack The Box
Task: a PHP/MySQL web app with a localhost-only profile edit feature and a server-side communication endpoint. Solution: abuse parser confusion for SSRF to 127.0.0.1, plant a second-order SQLi in the session name, write a PHP webshell with INTO OUTFILE, and read the randomized flag file.
Interstellar Challenge Scenario
Target used for the final solve: http://154.57.164.83:31171
The application allows registration, login, and a “communicate” feature that sends server-side requests. The goal is to reach an internal localhost-only edit function, turn that into SQL injection on the homepage, and use the database write primitive to recover the flag.
communicate.php
The communication endpoint validates a user-supplied URL with filter_var() and parse_url(), then checks the parsed host with:
preg_match('/motherland\.com$/', $parsedUrl['host'])
At first glance this looks like a domain allowlist. The bug is that cURL is not given the original URL. Instead, the request is sent to:
curl_setopt($ch, CURLOPT_URL, $parsedUrl['host']);
So the code validates one URL representation, but cURL later interprets a different string. That parser confusion is the key twist.
index.php?action=edit only allows requests from 127.0.0.1:
if ($_SERVER['REMOTE_ADDR'] != '127.0.0.1') { /* blocked */ }
This would normally prevent direct access from outside.
The allowlist can be satisfied and the request still directed to localhost with:
0://[::ffff:127.0.0.1].motherland.com:80/
Why it works:
- filter_var() accepts the URL.
- parse_url() extracts a host ending in motherland.com, so the regex passes.
- cURL never sees the validated URL, only the host string, which it parses on its own terms; the request ends up at 127.0.0.1 (::ffff:127.0.0.1 is the IPv4-mapped IPv6 form of the loopback address).
- This is the intended parser-confusion / SSRF localhost bypass twist.
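The same flow as an added example written for this page, not code from the challenge source: the vulnerable shape described above next to a hardened version that hands cURL the exact URL it validated, allowlists the scheme, matches the host exactly instead of by suffix, resolves it, and refuses loopback, private and reserved addresses before connecting. The allowlisted host names, function names and timeout are assumptions; the code targets PHP 8 with the curl extension.

```php
<?php
// Added example, not the challenge's code. motherland.com comes from the writeup;
// the allowlist entries, function names and timeout are illustrative.

// Vulnerable shape: validate the full URL, then give cURL only the parsed host.
function fetch_vulnerable(string $url): string|false
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $parsed = parse_url($url);
    if (!isset($parsed['host']) || !preg_match('/motherland\.com$/', $parsed['host'])) {
        return false;
    }
    $ch = curl_init();
    // BUG: cURL re-parses a different string than the one that was validated.
    curl_setopt($ch, CURLOPT_URL, $parsed['host']);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// Hardened shape: one parse, strict checks on each component, and the connection
// pinned to the address that was checked, so cURL cannot end up somewhere else.
function fetch_hardened(string $url): string|false
{
    $parsed = parse_url($url);
    if ($parsed === false || !isset($parsed['scheme'], $parsed['host'])) {
        return false;
    }
    // Only plain web schemes; "0://", "gopher://", "file://" and friends are rejected.
    $scheme = strtolower($parsed['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return false;
    }
    // Exact match against a host allowlist. A suffix regex like /motherland\.com$/
    // also accepts "evilmotherland.com" and bracketed IPv6 literals with that tail.
    $host = strtolower($parsed['host']);
    if (!in_array($host, ['motherland.com', 'www.motherland.com'], true)) {
        return false;
    }
    // Resolve and refuse loopback, link-local, private and other reserved ranges.
    // gethostbynamel() returns IPv4 answers only; an IPv6-aware deployment would
    // need dns_get_record(..., DNS_AAAA) with the same range checks.
    $ips = gethostbynamel($host);
    if ($ips === false) {
        return false;
    }
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return false; // covers 127.0.0.0/8, 10/8, 172.16/12, 192.168/16, 169.254/16, ...
        }
    }
    $port = $parsed['port'] ?? ($scheme === 'https' ? 443 : 80);

    $ch = curl_init();
    // The exact string that was validated, not a rebuilt fragment of it.
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    // A redirect from the allowed host could still point at localhost.
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
    // Pin the connection to the vetted address: no second DNS lookup, no rebinding.
    curl_setopt($ch, CURLOPT_RESOLVE, ["$host:$port:{$ips[0]}"]);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_TIMEOUT, 5);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// The writeup's bypass string against the hardened version.
$payload = '0://[::ffff:127.0.0.1].motherland.com:80/';
var_dump(fetch_hardened($payload)); // bool(false): scheme "0" is rejected before any request is made
```

The point of the hardened version is not any single check but that the string cURL receives is the one every check ran against. fetch_vulnerable() is included only to show the shape; do not call it with the payload on a box where something listens on 127.0.0.1.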
Registration sanitizes the initial name value:
$name = preg_replace('/[^a-zA-Z0-9]/', '', $name);
But the localhost-only edit action does not sanitize new_name. Through the SSRF, that lets us replace our session name with an SQL injection payload that is stored verbatim and only fires when the homepage later uses it.
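The asymmetry described above, as an added example that is not the challenge's code: one entry point filters the name, the other stores it verbatim, and a sink that trusts the stored value because "it was sanitized at registration" becomes the second-order injection. The users table, the homepage query and the payload are assumptions for illustration, and the example runs against an in-memory SQLite database so it works stand-alone; the real target is MySQL, which changes the post-exploitation primitives available (INTO OUTFILE) but not the injection itself.

```php
<?php
// Added example, not the challenge's code. Table layout, homepage query and
// payload are hypothetical; SQLite in memory stands in for the real MySQL backend.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Registration: the only place the name is filtered (same regex as the writeup).
function register(PDO $db, string $name): int
{
    $name = preg_replace('/[^a-zA-Z0-9]/', '', $name);
    $db->prepare('INSERT INTO users (name) VALUES (?)')->execute([$name]);
    return (int) $db->lastInsertId();
}

// Localhost-only edit: stores new_name verbatim. Reachable from outside via the SSRF.
function edit_name(PDO $db, int $id, string $newName): void
{
    $db->prepare('UPDATE users SET name = ? WHERE id = ?')->execute([$newName, $id]);
}

// Hypothetical homepage sink: concatenates the stored name into a query.
// Nothing untrusted arrives in this request, yet the query is attacker-controlled.
function homepage_vulnerable(PDO $db, int $id): array
{
    $name = $db->query("SELECT name FROM users WHERE id = $id")->fetchColumn();
    $sql  = "SELECT id FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened sink: the stored value is data, never SQL, regardless of how it got there.
function homepage_hardened(PDO $db, int $id): array
{
    $name = $db->query("SELECT name FROM users WHERE id = $id")->fetchColumn();
    $stmt = $db->prepare('SELECT id FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$victim   = register($db, 'alice');
$attacker = register($db, "bob' OR '1'='1"); // registration filter strips it to "bobOR11"
edit_name($db, $attacker, "x' OR '1'='1");   // edit path keeps the quotes and the OR

print_r(homepage_vulnerable($db, $attacker)); // both ids: the stored OR '1'='1' matched every row
print_r(homepage_hardened($db, $attacker));   // empty: nobody is literally named x' OR '1'='1
```

The lesson for the defender is that input filtering at one boundary says nothing about data that reaches the sink by another route; parameterizing the query at the sink is what closes the bug, and the registration regex then becomes defence in depth rather than the only control.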
...