[web][Pro][medium]
Lab 97 — UptimePulse — SSRF Chain to RCE via Cloud Metadata
hackadvisor
Task: UptimePulse is a monitoring platform with a URL health check feature protected by an IP blocklist.

Solution: Bypass the IP blocklist using the IPv6-mapped IPv4 address [::ffff:127.0.0.1], steal IAM credentials from the cloud metadata service, then achieve RCE via an internal management API.
$ ls tags/ techniques/
tags: ssrf, rce, nodejs, nginx, express, decoy_flag, internal_service_discovery, ipv6_mapped_ipv4, cloud_metadata, iam_credentials, aws, imdsv1, ip_blocklist_bypass
techniques: honeypot_flag_detection, internal_port_scanning, cloud_metadata_credential_theft, ssrf_ip_blocklist_bypass, ipv6_mapped_ipv4_address_bypass, management_api_rce
Similar writeups
- [web][Pro] Lab 256 — UptimeRadar — SSRF via URL Health Check — hackadvisor
- [web][Pro] Lab 92 — EventPulse — SSRF via IPv6 Bypass in Webhook Verification — hackadvisor
- [web][Pro] Lab 322 — NetPulse — IP Spoofing to RCE via Polling Agent API — hackadvisor
- [web][Pro] CloudPulse — hackadvisor
- [web][Pro] Lab 120 — InfraPulse — hackadvisor