webeasy

Proxy: No Access... for You?

hackerlab

Task: a PHP proxy reader exposed a server-side URL fetcher while the real admin area was restricted from direct access. Solution: use SSRF with http://0.0.0.0 to browse internal admin pages, recover hinted credentials, and submit them through an encoded proxy request to obtain the flag.

$ ls tags/ techniques/

ssrf php localhost_bypass robots_txt server_side_request_forgery credential_disclosure proxy_reader internal_admin

ssrf_localhost_bypassrobots_txt_enumerationinternal_admin_enumerationquery_parameter_url_encoding

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

Create a free account with GitHub to get started.

$ssh [email protected]