webPromedium

Lab 282 — StreamForge — SSRF via Webhook Test Bypasses Proxy Auth

hackadvisor

Task: StreamForge monitoring dashboard has nginx proxy blocking /admin/* endpoints, but a webhook test feature allows full-read SSRF with response body returned. Solution: use SSRF to scan localhost ports, discover gunicorn backend on port 3001 behind nginx (port 8080), hit /admin/system-config directly on backend bypassing proxy auth to retrieve the flag from master_key field.

$ ls tags/ techniques/

flask ssrf information_disclosure nginx robots_txt gunicorn internal_service webhook admin_bypass proxy_bypass http2 honeypot_flag

honeypot_flag_detectionssrf_via_webhook_testnginx_proxy_bypass_direct_backendinternal_port_scanning_via_ssrf

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 205 — DockForge — SSRF in Webhook Test Endpoint— hackadvisor
[web][Pro]Lab 315 — PulseMetrics — SSRF Chain to SSTI via Internal Services— hackadvisor
[web][Pro]Lab 273 — AuthForge — SSRF via OAuth Dynamic Client Registration— hackadvisor
[web][Pro]WebhookForge— hackadvisor
[web][Pro]Lab 340 — PingRelay — Blind SSRF via Webhook Test— hackadvisor