webPromedium

Lab 322 — NetPulse — IP Spoofing to RCE via Polling Agent API

hackadvisor

Task: NetPulse monitoring platform with internal Agent API protected by IP-based authentication behind nginx; script-type data sources execute shell commands with unsanitized parameters. Solution: spoof source IP via X-Forwarded-For: 127.0.0.1 to access agent API, then inject OS commands through poller_id parameter in script data source execution to read /root/flag.txt.

$ ls tags/ techniques/

command_injection rce nodejs shell_injection x_forwarded_for ip_spoofing nginx express internal_api honeypot_flag polling_agent ip_based_auth_bypass

internal_api_abusehoneypot_flag_detectionip_spoofing_via_x_forwarded_for_headerip_based_authentication_bypasscommand_injection_via_unsanitized_parameterscript_data_source_exploitation

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 59 — NetPulse — RCE via Command Injection in Network Diagnostics— hackadvisor
[web][Pro]Lab 97 — UptimePulse — SSRF Chain to RCE via Cloud Metadata— hackadvisor
[web][Pro]Lab 120 — InfraPulse— hackadvisor
[web][Pro]Lab 384 — DevPulse — RCE via AI Log Assistant Prompt Injection— hackadvisor
[web][Pro]Lab 275 — GatewayPulse — Proxy ACL Bypass via Path Case Normalization— hackadvisor