webPromedium

Lab 6 — HookRelay — SSRF via IPv6-Mapped-IPv4 Bypass

hackadvisor

Task: Webhook management platform with URL validation blocking internal IPv4 addresses (SSRF filter). Solution: Bypass the blocklist using IPv6-mapped IPv4 address [::ffff:127.0.0.1] to reach an internal metadata service on port 3001 and exfiltrate secrets via webhook delivery logs.

$ ls tags/ techniques/

ssrf nodejs express internal_service webhook ipv6 url_validation blocklist_bypass ipv6_mapped_ipv4 metadata_endpoint

ssrf_via_webhookipv6_mapped_ipv4_bypassurl_validation_bypassinternal_service_enumerationwebhook_delivery_log_exfiltration

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 347 — PushRelay — SSRF via URL Parsing Confusion in Webhook Tester— hackadvisor
[web][Pro]Lab 92 — EventPulse — SSRF via IPv6 Bypass in Webhook Verification— hackadvisor
[web][Pro]PingForge— hackadvisor
[web][Pro]Lab 340 — PingRelay — Blind SSRF via Webhook Test— hackadvisor
[web][Pro]Lab 91 — PingRadar — SSRF Filter Bypass via Open Redirect Chain— hackadvisor