webPromedium

DeployVault — Path Confusion to SSRF Chain

hackadvisor

Task: DeployVault deployment platform with nginx reverse proxy blocking admin endpoints and webhook tester with SSRF filter. Solution: Path confusion (/api/docs/../admin/config) bypasses nginx ACL to leak internal service credentials, then IPv4-mapped IPv6 address bypasses SSRF filter to access internal secrets endpoint.

$ ls tags/ techniques/

ssrf path_traversal information_disclosure nginx express internal_service webhook reverse_proxy path_confusion honeypot_flag ssrf_filter_bypass ipv4_mapped_ipv6

ssrf_via_webhook_testpath_traversal_nginx_express_desyncipv4_mapped_ipv6_filter_bypassadmin_endpoint_bypass_via_path_confusioninternal_service_key_leak

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 352 — PipeForge — Content-Type Confusion to Admin JWT Forge to RCE— hackadvisor
[web][Pro]DeployPilot— hackadvisor
[web][Pro]Lab 393 — ShareVault — Stored XSS via File Browser innerHTML— hackadvisor
[web][Pro]Lab 347 — PushRelay — SSRF via URL Parsing Confusion in Webhook Tester— hackadvisor
[web][Pro]Lab 6 — HookRelay — SSRF via IPv6-Mapped-IPv4 Bypass— hackadvisor